Application Security Course
Prepared by Omar-Abdalhamid (Oct .2022)
Application security refers to security precautions used at the application level to prevent the theft or hijacking of data or code within the application. It includes security concerns made during application development and design, as well as methods and procedures for protecting applications once they've been deployed.
Course Overview Application security is the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification.
All tasks that introduce a secure software development life cycle to development teams are included in application security shortly known as AppSec. Its ultimate purpose is to improve security practices and, as a result, detect, repair, and, ideally, avoid security flaws in applications. It covers the entire application life cycle, including requirements analysis, design, implementation, testing, and maintenance.
Course Outline
| Day | Description |
|---|---|
Day 1 | Application Security Introduction |
Day 2 | Methodologies & VAPT |
Day 3 | Secure Coding [ input validation & Session Management ] |
Day 4 | Risk Rating , Threat Modeling , Encryption and Hashing |
Day 5 | DevSecOps |
Course content
Day 1 : Application Security Introduction
Overview: The first section of the course will set the stage for the course with the fundamentals of web applications such as the HTTP protocol and the various mechanisms that make web applications work. We then transition over to the architecture of the web applications which plays a big role in securing the application.
Topics:
Application Security Introduction
Application Security Terms and Definitions
Application Security Goals
OWASP WebGoat Demo
Introduction to OWASP Top 10
SANS Top 25 Threat
Day 2: Methodologies & VAPT.
Methodologies for developing secure code:
Risk analysis
Threat modeling
Lab : Threat modeling - exercise
OWASP community Guidelines for secure coding
Verification testing .
VAPT (Vulnerability Assessment and Penetration Test)
Introduction to HTTP Protocol
Overview of Web Authentication Technologies
Web Application Architecture
Recent Attack Trends
Web Infrastructure Security/Web Application Firewalls
Managing Configurations for Web Apps
Lab : using Burp proxy to test web applications
Day 3 : Secure Coding [ input validation & Session Management ]
Secure Coding input validation:
SQL Injection vulnerability
Lab : SQL Injection vulnerability Lab
LDAP and XPath Injection vulnerabilities
Cross-Site Scripting (XSS) vulnerability
Lab : Cross-Site Scripting (XSS) vulnerability Lab
OS Command Injection vulnerability
Lab : OS Command Injection vulnerability Lab
LFI (Local File Inclusion) and RFI (Remote File Inclusion) vulnerabilities
Lab : LFI / RFI vulnerabilities Lab
Invalidated File Upload vulnerability
Lab : Invalidated File Upload vulnerability Lab
Buffer Overflow vulnerabilities
XXE (XML External Entities) Vulnerabilities
Lab : XXE (XML External Entities)
Insecure Deserialization
Day 4 : Risk Rating , Threat Modeling , Encryption and Hashing
Risk Rating and Threat Modeling:
Risk Rating Introduction
Lab : Risk Rating Demo
Introduction to Threat Modeling
Type of Threat Modeling
Introduction to Manual Threat Modeling
Lab : Manual Threat Model demo
Encryption and Hashing:
Encryption Overview
Encryption Use Cases Hashing
Lab : Overview Hashing Demo PKI (Public Key Infrastructure)
Password Management
Lab : Password Demo
Day 5 : DevSecOps
SAST (Static Application Security Testing)
Lab : Spot Bugs Demo .
SCA (Software Composition Analysis)
Lab : Snyk Open-Source (SCA)
DAST (Dynamic Application Security Testing)
Lab : OWASP ZAP Scanning .
IAST (Interactive Application Security Testing)
RASP (Runtime Application Self-Protection)
WAF (Web Application Firewall) Penetration Testing
SCA (Software Composition Analysis)
Last updated