SEC522: Defending Web Applications Security Essentials
A large part of this class consists of hands-on exercises. Please make sure your laptop is appropriately configured (see the official SANS site above for details). A test virtual machine is also provided for the exercises.
If you are reaching this site from within the class virtual machine, the machine is likely misconfigured: please notify your instructor or SANS OnDemand support.
This is the course to take if you have to defend web applications! The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defenses, such as firewalls, do not protect web applications, because the attacks arrive inside legitimate-looking HTTP requests over ports the firewall must allow. SEC522 covers the OWASP Top 10 Risks and will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective are discussed alongside real-world applications that have been proven to work. The testing of these vulnerabilities is also covered, so that you can verify your application is tested for the vulnerabilities discussed in class. To maximize the benefit for a wider range of audiences, the discussions in this course are programming language agnostic: the focus is on security strategies rather than on coding-level implementation.

SEC522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who want to recommend proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications. The course also covers additional issues the authors have found to be important in their day-to-day web application development practices. The topics covered include:
- Infrastructure security
- Server configuration
- Authentication mechanisms
- Application language configuration
- Application coding errors like SQL injection and cross-site scripting
- Cross-site request forgery (CSRF)
- Authentication bypass
- Web services and related flaws
- Web 2.0 and its use of web services
- XPath and XQuery languages and injection
- SOAP and REST
- OAuth
- Business logic flaws
- Protective HTTP headers