Web Application Security Fundamentals training course

Comprehensive Web Application Security Fundamentals training. Dive into WebAppSec with interactive modules on HTML, cybersecurity fundamentals and vulnerability remediation. Hands-on labs using cloud-hosted Linux VMs and tools such as ZAP Proxy and Burp Suite give practical, real-world experience.

JBI training course London UK

"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"

Brian Leek, Data Analyst, May 2022

Public Courses

08/08/24 - 2 days
£1995 +VAT
19/09/24 - 2 days
£1995 +VAT
31/10/24 - 2 days
£1995 +VAT

Customised Courses

* Train a team
* Tailor content
* Flex dates
From £1200 / day

Web Application Security Fundamentals

  • Introductions, course overview & starting surveys
  • Understanding Web Applications
  • Information Security & Cybersecurity Fundamentals
  • Remediating Common Web Application Vulnerabilities
  • Introducing WebAppSec Good Practices
  • Secure Web App Development Lifecycles & Supporting Tools
  • OWASP Top 10:2021 Vulnerabilities & Mitigations
  • Supporting continuous Web Application Security improvements

Module 1: Introductions, course overview & starting surveys                     

  • targeted WebAppSec quizzes with instant feedback to activate delegates’ learning 
  • connecting to & getting familiar with the course’s hands-on Linux lab environment
  • previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
  • Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS

Module 2: Understanding Web Applications                                                   

  • Exploring HTML, Cascading Style Sheets & JavaScript using Modern Web Browsers 
  • understanding legal, ethical & data protection considerations related to WebAppSec
  • inspecting HTTP verbs, headers, cookies & data using Zed Attack Proxy (ZAP)
  • Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 3: Information Security & Cybersecurity Fundamentals                 

  • appreciating the significance of availability, confidentiality & integrity for Web Apps
  • performing simulated phishing attacks using the Social-Engineer Toolkit (SET) & BeEF (Browser Exploitation Framework)
  • understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
  • Practicals: delegates will perform the simulated phishing activities in their Linux VM labs 

Module 4:  Remediating Common Web Application Vulnerabilities       

  • identifying & remediating the Clickjacking weakness (missing X-Frame-Options header or CSP frame-ancestors directive)
  • identifying & remediating Cross-Site Request Forgery (CSRF, also written XSRF) vulnerabilities
  • Securing Cookies with HttpOnly & Secure Flags
  • Practicals: delegates will perform all of this module’s activities in their Linux VM labs
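As an added illustration of the checks this module covers (example code written for this page, not part of the course labs), the following Python script parses raw HTTP response text and reports whether clickjacking protection and the HttpOnly / Secure cookie flags are present. Both responses it inspects are constructed samples, not captures from any real site; the hardened one also sets SameSite, which is good practice but not one of the flags the check requires.

```python
"""Check an HTTP response for two Module 4 weaknesses: no clickjacking
protection and cookies set without the HttpOnly / Secure flags.

Example written for this page, not course lab code. The two responses
below are constructed samples rather than captures from any real site.
"""
from typing import Dict, List, Tuple

# Constructed sample: what an intercepting proxy such as ZAP might show
# before remediation.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)

# Constructed sample: the same response after remediation. SameSite is set
# as well; it is good practice but not one of the flags checked here.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to the list of values seen for them.

    Names are case-insensitive and Set-Cookie legitimately repeats once per
    cookie, so each name maps to a list rather than a single string.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:        # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                           # not a header line; skip
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def split_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_response(raw: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []
    headers = parse_response_headers(raw)

    # Clickjacking: the page must tell the browser not to render it inside
    # another site's frame. Either X-Frame-Options DENY/SAMEORIGIN or a CSP
    # frame-ancestors directive (the modern replacement) is enough.
    xfo_ok = any(v.strip().upper() in ("DENY", "SAMEORIGIN")
                 for v in headers.get("x-frame-options", []))
    csp_ok = any("frame-ancestors" in v.lower()
                 for v in headers.get("content-security-policy", []))
    if not (xfo_ok or csp_ok):
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # Cookies: without HttpOnly a cookie is readable by injected script (XSS);
    # without Secure the browser will also send it over plain HTTP.
    for set_cookie in headers.get("set-cookie", []):
        name, attrs = split_cookie(set_cookie)
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
    return findings


if __name__ == "__main__":
    for label, response in (("before", VULNERABLE_RESPONSE),
                            ("after", HARDENED_RESPONSE)):
        print(label, check_response(response) or ["no findings"])
```

The check treats HttpOnly as required on every cookie, which is the right default; a cookie that client-side script genuinely needs to read is the documented exception, not the norm.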

Module 5: Introducing WebAppSec Good Practices                     

  • introducing OWASP & the OWASP Top 10 list of web application security risks
  • performing Threat Modelling of a Web Application using STRIDE 
  • understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
  • Practicals: important Threat Modelling group practicals will not rely on the Linux VM labs

Module 6:  Secure Web App Development Lifecycles & Supporting Tools         

  • reviewing 4 leading SSDLC models: Microsoft SDL, OWASP SAMM (formerly OpenSAMM), BSIMM, SAFECode
  • understanding the value of OWASP’s Application Security Verification Standard (ASVS)
  • considering how DAST tools (like ZAP & Burp Suite) differ from SAST & IAST tools
  • Practicals: SSDLC activities are not lab-based, but the Linux VM labs will be used for ZAP & Burp Suite

OWASP Top 10:2021 Vulnerabilities & Mitigations

Module 7: A04 Insecure Design & A02 Cryptographic Failures                     

  • reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
  • breaking TLS security by installing untrusted Root Certificates in the Firefox lab environment
  • understanding the WebAppSec design challenges of secure cryptographic key management
  • Practicals: delegates will perform cryptographic security activities in their Linux VM labs 

Module 8:  A03 Injection & A10 Server-Side Request Forgery                            

  • appreciating how injection attacks occur from poor data/code separation & input validation 
  • experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
  • how to identify & mitigate SQL Injection & SSRF vulnerabilities
  • Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs 
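As an added illustration of the data/code separation point above (example code written for this page, not the course's lab material), here is one SQLite login query built unsafely by string concatenation and the same query written as a parameterised statement. The in-memory users table, its rows and the payload are constructed test data; passwords are stored in clear only to keep the demo short.

```python
"""SQL injection from poor data/code separation: one login query built by
string concatenation and the same query as a parameterised statement.

Example written for this page, not course lab code. The in-memory SQLite
table, its rows and the payload are constructed test data; passwords are
stored in clear only to keep the demo short (real apps store hashes).
"""
import sqlite3

# Classic tautology payload: turns the WHERE clause into "always true".
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create a throw-away in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so a quote in the input ends the
    string literal and the rest is parsed as SQL: data has become code."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders fix the SQL structure before any input is seen; the driver
    passes the values separately, so the payload is compared as a literal
    password and never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both logins against the payload and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterised_bypassed": login_parameterised(conn, "alice", PAYLOAD),
        "parameterised_valid": login_parameterised(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload as the password, the concatenated query becomes `... AND password = '' OR '1'='1'`, which matches every row, so the vulnerable login succeeds without a valid credential while the parameterised one correctly fails.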

Module 9: A07 Identification & Authentication Failures & A01 Broken Access Control

  • understanding the nature of Identification, Authentication & Access Control
  • performing attacks on authentication using spoofing, cookie stealing & hash cracking
  • how to design secure Web Apps based on proven Identity & Access Control methods
  • Practicals: delegates will perform authentication attack activities in their Linux VM labs

Module 10: A05 Security Misconfiguration & A06 Vulnerable & Outdated Components

  • using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
  • showing how DNS, Shodan & Certificate Transparency records can expose internal assets
  • exploring good practices for hardening & patching Web Applications
  • Practicals: OSINT activities may be performed either in the Linux VM labs or on delegates’ own computers

Module 11: A08 Software & Data Integrity Failures & A09 Security Logging & Monitoring Failures

  • examining the meaning & impacts of software integrity failures
  • performing simulated attacks using malicious file upload & insecure deserialisation
  • understanding the causes & impacts of the Log4j (Log4Shell) vulnerability
  • Practicals: delegates will perform Log4j & Syslog monitoring activities in their Linux VM labs

Module 12:  Supporting continuous Web Application Security improvements    

  • reflecting on learnings from this course & how to improve WebAppSec within delegates’ own organisations
  • signposting trusted sources of further relevant information about WebAppSec
  • completing end-of-course feedback to improve future runs of this course
  • Practicals: delegates will access online surveys & quizzes to reinforce their learning

Resources:

  • Cloud Hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
  • Selected Kali Linux tools e.g. Social-Engineer Toolkit (SET), hashcat, BeEF, ZAP Proxy
  • Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS-Game & Gruyere
  • Selected websites & OSINT sources e.g. OWASP, MITRE, NIST NVD (CVE), FIRST (CVSS), SAFECode, Shodan

This course is designed for web developers, cybersecurity professionals, and anyone involved in securing web applications.

It is suitable for individuals looking to enhance their understanding and practical skills in web application security.


4.8 out of 5 average rating

“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”

Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022
Explore essential topics in Web Application Security (WebAppSec) over two intensive days. The course covers HTML, JavaScript, cybersecurity fundamentals and practical vulnerability remediation using tools such as ZAP Proxy and Burp Suite. Participants engage in hands-on labs on cloud-hosted Linux VMs, building practical, real-world skills.

Who should attend this course?

This course is ideal for web developers, cybersecurity professionals, and anyone involved in securing web applications.

What will I learn from this course?

Participants will gain proficiency in identifying and mitigating web application vulnerabilities, understanding cybersecurity fundamentals, and using tools like ZAP Proxy and Burp Suite.

Are there any prerequisites for this course?

Basic knowledge of web technologies (HTML, CSS, JavaScript) and familiarity with Linux environments is beneficial but not required.

How are practical sessions conducted?

Practical sessions are held in cloud-hosted Linux virtual machines, allowing participants to simulate real-world scenarios using tools such as ZAP Proxy and Burp Suite.

What resources are provided during the course?

Participants have access to cloud-hosted Ubuntu Linux VMs, selected Kali Linux tools (e.g., SE Toolkit, BEEF Project), and vulnerable applications for practical exercises.

How can I prepare for the course?

Familiarize yourself with basic web technologies and Linux environments. Reviewing introductory cybersecurity concepts would also be beneficial.

Is there any post-course support or resources available?

Participants will have access to recommended sources for further learning and improvement in web application security practices.

What distinguishes this course from others?

This course emphasizes hands-on learning through practical labs in a cloud-based environment, focusing on current web application security challenges and best practices.

CONTACT
+44 (0)20 8446 7555

Copyright © 2023 JBI Training. All Rights Reserved.
JB International Training Ltd  -  Company Registration Number: 08458005
Registered Address: Wohl Enterprise Hub, 2B Redbourne Avenue, London, N3 2BS

Modern Slavery Statement & Corporate Policies | Terms & Conditions | Contact Us
