Application Security Course

Prepared by Omar-Abdalhamid (Oct .2022)

Application security refers to security precautions used at the application level to prevent the theft or hijacking of data or code within the application. It includes security concerns made during application development and design, as well as methods and procedures for protecting applications once they've been deployed.

Course Overview Application security is the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification.

All tasks that introduce a secure software development life cycle to development teams are included in application security shortly known as AppSec. Its ultimate purpose is to improve security practices and, as a result, detect, repair, and, ideally, avoid security flaws in applications. It covers the entire application life cycle, including requirements analysis, design, implementation, testing, and maintenance.

Course Outline

Day
Description

Day 1

Application Security Introduction

Day 2

Methodologies & VAPT

Day 3

Secure Coding [ input validation & Session Management ]

Day 4

Risk Rating , Threat Modeling , Encryption and Hashing

Day 5

DevSecOps

Course content

Day 1 : Application Security Introduction

Overview: The first section of the course will set the stage for the course with the fundamentals of web applications such as the HTTP protocol and the various mechanisms that make web applications work. We then transition over to the architecture of the web applications which plays a big role in securing the application.

Topics:

  • Application Security Introduction

  • Application Security Terms and Definitions

  • Application Security Goals

  • OWASP WebGoat Demo

  • Introduction to OWASP Top 10

  • SANS Top 25 Threat

Day 2: Methodologies & VAPT.

Methodologies for developing secure code:

  • Risk analysis

  • Threat modeling

  • Lab : Threat modeling - exercise

  • OWASP community Guidelines for secure coding

  • Verification testing .

VAPT (Vulnerability Assessment and Penetration Test)

  • Introduction to HTTP Protocol

  • Overview of Web Authentication Technologies

  • Web Application Architecture

  • Recent Attack Trends

  • Web Infrastructure Security/Web Application Firewalls

  • Managing Configurations for Web Apps

  • Lab : using Burp proxy to test web applications

Day 3 : Secure Coding [ input validation & Session Management ]

Secure Coding input validation:

  • SQL Injection vulnerability

  • Lab : SQL Injection vulnerability Lab

  • LDAP and XPath Injection vulnerabilities

  • Cross-Site Scripting (XSS) vulnerability

  • Lab : Cross-Site Scripting (XSS) vulnerability Lab

  • OS Command Injection vulnerability

  • Lab : OS Command Injection vulnerability Lab

  • LFI (Local File Inclusion) and RFI (Remote File Inclusion) vulnerabilities

  • Lab : LFI / RFI vulnerabilities Lab

  • Invalidated File Upload vulnerability

  • Lab : Invalidated File Upload vulnerability Lab

  • Buffer Overflow vulnerabilities

  • XXE (XML External Entities) Vulnerabilities

  • Lab : XXE (XML External Entities)

  • Insecure Deserialization

Day 4 : Risk Rating , Threat Modeling , Encryption and Hashing

Risk Rating and Threat Modeling:

  • Risk Rating Introduction

  • Lab : Risk Rating Demo

  • Introduction to Threat Modeling

  • Type of Threat Modeling

  • Introduction to Manual Threat Modeling

  • Lab : Manual Threat Model demo

Encryption and Hashing:

  • Encryption Overview

  • Encryption Use Cases Hashing

  • Lab : Overview Hashing Demo PKI (Public Key Infrastructure)

  • Password Management

  • Lab : Password Demo

Day 5 : DevSecOps

  • SAST (Static Application Security Testing)

  • Lab : Spot Bugs Demo .

  • SCA (Software Composition Analysis)

  • Lab : Snyk Open-Source (SCA)

  • DAST (Dynamic Application Security Testing)

  • Lab : OWASP ZAP Scanning .

  • IAST (Interactive Application Security Testing)

  • RASP (Runtime Application Self-Protection)

  • WAF (Web Application Firewall) Penetration Testing

  • SCA (Software Composition Analysis)

Last updated