Extended web application security in Java (EWASEC-J) – Outline
Detailed Course Outline
Day 1
- Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types - the CIA triad
- Consequences of insecure software
- The OWASP Top Ten 2021
- The OWASP Top 10 2021
- A01 - Broken Access Control
- Access control basics
- Confused deputy
- File upload
- Open redirects and forwards
- A02 - Crytographic Failures
- Information exposure
- Cryptography for developers
Day 2
- A03 - Injection
- Input validation
- Injection
- SQL injection
- SQL injection best practices
- Parameter manipulation
- Code injection
- Script injection
- Dangerous file inclusion
- HTML injection - Cross-site scripting (XSS)
Day 3
- A04 - Insecure Design
- The STRIDE model of threats
- Secure design principles of Saltzer and Schroeder
- Client-side security
- A05 - Security Misconfiguration
- Configuration principles
- Server misconfiguration
- Cookie security
- XML entities
- A06 - Vulnerable and Outdated Components
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Vulnerability management
- A07 - Identification and Authentication Failures
- Authentication
- Session management
Day 4
- A07 - Identification and Authentication Failures (continued)
- A08 - Software and Data Integrity Failures
- Integrity protection
- Subresource integrity
- Insecure deserialization
- A09 - Security Logging and Monitoring Failures
- Logging and monitoring principles
- Insufficient logging
- Case study - Plaintext passwords at Facebook
- Log forging
- Logging best practices
- A10 - Server-Side Request Forgery (SSRF)
- Server-side Request Forgery (SSRF)
- Case study - SSRF and the Capital One Breach
- Web application security beyond the Top Ten
- Wrap up
- Secure coding principles
- And now what?
