Secure Web Application Development training course

Module 1:    Introductions, course overview & starting surveys         

- targeted WebAppSec quizzes with instant feedback to activate delegates’ learning  
- connecting to & getting familiar with the course’s hands-on Linux lab environment
- previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS

Module 2:    Understanding Web Applications               
- exploring HTML, Cascading Style Sheets & JavaScript using Modern Web Browsers  
- understanding legal, ethical & data protection considerations related to WebAppSec
- inspecting HTTP verbs, Headers, Cookies & data using ZED Attack Proxy (ZAP)
Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 3:    Information Security & Cybersecurity Fundamentals        
- appreciating the significance of availability, confidentiality & integrity for Web Apps
- performing simulated phishing attacks using SE Toolkit & BEEF Project
- understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
Practicals: delegates will perform the simulated phishing activities in their Linux VM labs  

Module 4:    Remediating Common Web Application Vulnerabilities    
- identifying & remediating the “Click Jacking” (missing X-OPTIONS-HEADER) weakness
- identifying & remediating the Cross-Site Request Forgery (XSRF) vulnerability
- Securing Cookies with HttpOnly & Secure Flags
Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 5:    Introducing WebAppSec Good Practices                
- introducing OWASP & the OWASP Top 10 Web Application Threat model
- performing Threat Modelling of a Web Application using STRIDE  
- understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
 Practicals: important Threat Modelling group practicals will not rely on the Linux VM labs   

Module 6:    Secure Web App Development Lifecycles & Supporting Tools    
- reviewing 4 leading SSDLC models: Microsoft SDL, OpenSAMM, BSIMM, SafeCode
- understanding the value of OWASP’s Application Security Verification Standard (ASVS)
- considering how IAST tools (like ZAP & Burp Suite) differ from SAST & DAST tools
 Practicals: SSDLC activities not Lab-based but Linux VM labs will be used for ZAP & BurpSuite

Module 7:     A04 Insecure Design & A02 Cryptographic Failures            
        - reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
- breaking TLS security by installing untrusted Root Certificates in Firefox lab environment
- understanding the WebAppSec design challenges of secure cryptographic key management
Practicals: delegates will perform cryptographic security activities in their Linux VM labs  

Module 8:    A03 Injection & A10 Server-Side Request Forgery            
- appreciating how injection attacks occur from poor data/code separation & input validation  
- experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
- how to identify & mitigate SQL Injection & SSRF vulnerabilities
Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs  

Module 9:     A07 ID & Authentication Failures & A01 Broken Access Control    
- understanding the nature of Identification, Authentication & Access Control
- performing attacks on authentication using spoofing, cookie stealing & hash cracking
- how to design secure Web Apps based on proven Identity & Access Control methods
Practicals: delegates will perform authentication attack activities in their Linux VM labs   

Module 10:    A05 Security Misconfiguration & A06 Outdated Components        
- using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
- showing how DNS, Shodan & Certificate Transparency records can expose internal assets
- exploring good practices for hardening & patching Web Applications
Practicals: OSINT activities may be performed either using Linux VM labs or own computer

Module 11:    A08 Integrity Failures & A09 Logging & Monitoring Failures        
- examining the meaning & impacts of software integrity failures
- performing simulated attack using malicious file upload & insecure de-serialisation
- understanding the causes & impacts of the Log4J vulnerability
Practicals: delegates will Log4J & Syslog monitoring activities in their Linux VM

Module 12:    Supporting continuous Web Application Security improvements
- reflecting on learnings from this course & how to improve WebAppSec within the BBC
- signposting trusted sources of further relevant information about WebAppSec
- completing end-of-course feedback to improve future runs of this course
Practicals: delegates will access online surveys & quizzes to reinforce their learning

Resources:
•    Cloud Hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
•    Selected Kali Linux tools e.g. SE Toolkit, HashCat, BEEF Project, ZAP Proxy
•    Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS-Game & Gruyere.
•    Selected Websites & OSINT sources e.g. OWASP, MITRE, NIST CVE, FIRST CVSS, SafeCode, Shodan