Understanding Web Application Security – A Technical Overview (TT8020)

Understanding Web Application Security is an essential application security training course for technical leads, project managers, testing/QA personnel and other stakeholders who need to understand the issues and concepts associated with secure web applications. During this one day dynamic seminar, students learn the best practices for designing, implementing, and deploying secure web applications. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices. A key component to our Best Defense Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is language-agnostic, it may also be presented using Java, .Net or other programming languages or environments.

Retail Price: $895.00

Next Date: Request Date

Course Days: 1


Request a Date

Request Custom Course


About This Course

Understanding Web Application Security is an essential application security training course for technical leads, project managers, testing/QA personnel and other stakeholders who need to understand the issues and concepts associated with secure web applications.  During this one day dynamic seminar, students learn the best practices for designing, implementing, and deploying secure web applications. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices. 

A key component to our Best Defense Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars.   Although this edition of the course is language-agnostic, it may also be presented using Java, .Net or other programming languages or environments.

Audience Profile

This is course designed for web application project stakeholders who wish to get up and running on developing well defended web applications.  Attendees should have a minimum of 2 years working knowledge in the IT industry, and ideally, students should have a basic understanding of web applications and the associated technologies. Actual development working knowledge is helpful but not necessary.

At Course Completion

Working in an interactive learning environment, attendees will learn to:

  • Understand the concepts and terminology behind defensive, secure, coding
  • Appreciate the magnitude of the problems associated with web application security and the potential risks associated with those problems
  • Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Understand the vulnerabilities of associated with authentication and authorization
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
  • Relate to the potential vulnerabilities and defenses for the processing of XML in web services and Ajax

Course Outline

Introduction: Misconceptions

  • Security: The Complete Picture
  • Seven Deadly Assumptions
  • Anthem, Sony, Target, Heartland, and TJX Debriefs
  • Causes of Data Breaches
  • Meaning of Being Compliant
  • Verizon’s 2015 Data Breach Report
  • 2015 PCI Compliance Report

Session: Security Concepts

  • Motivations: Costs and Standards
  • Open Web Application Security Project
  • Web Application Security Consortium
  • CERT Secure Coding Standards
  • Assets are the Targets
  • Security Activities Cost Resources
  • Threat Modeling
  • System/Trust Boundaries

Session: Principles of Information Security

  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

Session: Vulnerabilities

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication
  • Cross Site Scripting (XSS)
  • Injection
  • Error Handling and Information Leakage
  • Insecure Data Handling
  • Insecure Configuration Management
  • Direct Object Access
  • Spoofing and Redirects

Session: Understanding What’s Important

  • Common Vulnerabilities and Exposures
  • OWASP Top Ten for 2013
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Monster Mitigations
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations 

Session: Defending XML, Services, and Rich Interfaces

  • Safe XML Processing
  • Web Service Security Exposures
  • WS-Security Roadmap
  • XWSS Provides Many Functions
  • Three Basic Tenets for Safe Rich Interfaces
  • OWASP REST Security Recommendations

Session: Secure Software Development (SDL)

  • SDL Process Overview
  • Applying Processes and Practices
  • Threat Modelling

Session: Security Testing

  • Testing Principles
  • Reviews as Form of Testing
  • Testing
  • Tools
  • Testing Practices


Sorry! It looks like we haven’t updated our dates for the class you selected yet. There’s a quick way to find out. Contact us at 502.265.3057 or email info@training4it.com


Request a Date