" We tried to cover a lot of bases here from people who had no experience of SQL injection to people who had very specific questions and Tim balanced that really well in the timeframe. He's very knowledgeable on the subject and managed questions really well. "
RK, Developer, Secure Web Development, Dec 2022
Module 1: Introductions, course overview & starting surveys
- targeted WebAppSec quizzes with instant feedback to activate delegates’ learning
- connecting to & getting familiar with the course’s hands-on Linux lab environment
- previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS
Module 2: Understanding Web Applications
- exploring HTML, Cascading Style Sheets & JavaScript using modern web browsers
- understanding legal, ethical & data protection considerations related to WebAppSec
- inspecting HTTP verbs, headers, cookies & data using the Zed Attack Proxy (ZAP)
Practicals: delegates will perform all of this module’s activities in their Linux VM labs
Module 3: Information Security & Cybersecurity Fundamentals
- appreciating the significance of availability, confidentiality & integrity for Web Apps
- performing simulated phishing attacks using the Social-Engineer Toolkit (SET) & BeEF (Browser Exploitation Framework)
- understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
Practicals: delegates will perform the simulated phishing activities in their Linux VM labs
Module 4: Remediating Common Web Application Vulnerabilities
- identifying & remediating the Clickjacking weakness (missing X-Frame-Options header)
- identifying & remediating the Cross-Site Request Forgery (CSRF/XSRF) vulnerability
- securing cookies with the HttpOnly & Secure flags
Practicals: delegates will perform all of this module’s activities in their Linux VM labs
Module 5: Introducing WebAppSec Good Practices
- introducing OWASP & the OWASP Top 10 list of web application security risks
- performing Threat Modelling of a Web Application using STRIDE
- understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
Practicals: important Threat Modelling group practicals will not rely on the Linux VM labs
Module 6: Secure Web App Development Lifecycles & Supporting Tools
- reviewing 4 leading SSDLC models: Microsoft SDL, OpenSAMM, BSIMM & SAFECode
- understanding the value of OWASP’s Application Security Verification Standard (ASVS)
- considering how interactive proxy tools (ZAP & Burp Suite) relate to SAST, DAST & IAST tools
Practicals: SSDLC activities are not lab-based, but the Linux VM labs will be used for ZAP & Burp Suite
Module 7: A04 Insecure Design & A02 Cryptographic Failures
- reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
- demonstrating how installing an untrusted root certificate in the Firefox lab environment breaks TLS security
- understanding the WebAppSec design challenges of secure cryptographic key management
Practicals: delegates will perform cryptographic security activities in their Linux VM labs
Module 8: A03 Injection & A10 Server-Side Request Forgery
- appreciating how injection attacks occur from poor data/code separation & input validation
- experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
- identifying & mitigating SQL Injection & SSRF vulnerabilities
Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs
Module 9: A07 Identification & Authentication Failures & A01 Broken Access Control
- understanding the nature of Identification, Authentication & Access Control
- performing attacks on authentication using spoofing, cookie stealing & hash cracking
- designing secure Web Apps based on proven Identity & Access Control methods
Practicals: delegates will perform authentication attack activities in their Linux VM labs
Module 10: A05 Security Misconfiguration & A06 Outdated Components
- using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
- showing how DNS, Shodan & Certificate Transparency records can expose internal assets
- exploring good practices for hardening & patching Web Applications
Practicals: OSINT activities may be performed using either the Linux VM labs or the delegate’s own computer
Module 11: A08 Integrity Failures & A09 Logging & Monitoring Failures
- examining the meaning & impacts of software integrity failures
- performing simulated attacks using malicious file upload & insecure deserialisation
- understanding the causes & impacts of the Log4j (Log4Shell) vulnerability
Practicals: delegates will perform Log4j & Syslog monitoring activities in their Linux VM labs
Module 12: Supporting continuous Web Application Security improvements
- reflecting on learnings from this course & how to improve WebAppSec within the BBC
- signposting trusted sources of further relevant information about WebAppSec
- completing end-of-course feedback to improve future runs of this course
Practicals: delegates will access online surveys & quizzes to reinforce their learning
Resources:
• Cloud-hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
• Selected Kali Linux tools e.g. Social-Engineer Toolkit (SET), Hashcat, BeEF, ZAP Proxy
• Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS Game & Gruyere
• Selected websites & OSINT sources e.g. OWASP, MITRE, NIST NVD (CVE), FIRST (CVSS), SAFECode, Shodan
" We tried to cover a lot of bases here from people who had no experience of SQL injection to people who had very specific questions and Tim balanced that really well in the timeframe. He's very knowledgeable on the subject and managed questions really well. "
RK, Developer, Secure Web Development, Dec 2022
“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”
Brian F, Team Lead, RBS, Data Analysis Course, April 2022
OWASP 2017 standards: this Java secure coding training course is led by an expert Application Security instructor and delivers focused, customised guidance on how to secure applications (from code to cloud), covering the technology stack currently used by the delegates (web, mobile, cloud, Java, JavaScript, AngularJS, Android, Node, etc.).
A highly popular course with plenty of discussion, demos and interactive Labs to demonstrate the issues faced by modern software development teams.
An optional threat modelling session can also precede the course delivery.
Copyright © 2023 JBI Training. All Rights Reserved.