DEV522: Defending Web Applications Security Essentials
- Instructor: Johannes Ullrich, Ph.D.
- GWEB Certification
- 36 CPE/CMU
- Laptop Required
This is the course to take if you have to defend web applications!
Traditional network defenses, such as firewalls, fail to secure web applications. The quantity and importance of data entrusted to web applications are growing, and defenders need to learn how to secure it. DEV522 covers the OWASP Top 10 and will help you better understand web application vulnerabilities, enabling you to properly defend your organization's web assets.
Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.
To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.
DEV522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, and auditors who are interested in recommending proper mitigations for web security issues, and to infrastructure security professionals who have an interest in better defending their web applications.
The course will cover the topics outlined in OWASP's Top 10 risks document as well as additional issues the authors found important in their day-to-day web application development practice. The topics that will be covered include:
- Infrastructure Security
- Server Configuration
- Authentication mechanisms
- Application language configuration
- Application coding errors like SQL Injection and Cross-Site Scripting
- Cross-Site Request Forgery
- Authentication Bypass
- Web services and related flaws
- Web 2.0 and its use of web services
- XPATH and XQUERY languages and injection
- Business logic flaws
- Protective HTTP Headers
The course will make heavy use of hands-on exercises. It will conclude with a large defensive exercise, reinforcing the lessons learned throughout the week.
| Course Contents | Instructors | Schedule |
|---|---|---|
| DEV522.1: Web Basics and Authentication Security | Johannes Ullrich, Ph.D. | Mon Sep 16th, 2013 9:00 AM - 5:00 PM |
| Overview: We begin day one with an overview of recent web application attack trends and security. We follow that up with an overview of the essential technologies that are at play in Web applications. You can't win the battle if you don't understand what you are trying to defend. We arm you with the right information so you can understand how Web applications work and the security concepts related to them. We discuss the authentication aspect of Web applications in depth. Authentication vulnerabilities are covered, followed by examples of exploitation and the mitigations that could be implemented in the short and long term. We complete the discussion by giving information on how to discover and test for the vulnerabilities. Authorization is the last topic of discussion for the day. Making sure the application properly controls access to the appropriate resources is the goal of the discussion. You will learn the right way to plan for access during the development life cycle and the common pitfalls with access control. Similar to the discussion on authentication, we start with the vulnerabilities and then move on to mitigations and testing, followed by a section on best practices for authorization. CPE/CMU Credits: 6 | | |
| DEV522.2: Web Application Common Vulnerabilities and Mitigations | Johannes Ullrich, Ph.D. | Tue Sep 17th, 2013 9:00 AM - 5:00 PM |
| Overview: Since the Internet does not guarantee secrecy of information being transferred, encryption is commonly used to protect the integrity and secrecy of information on the Web. We cover the security of data in transit or on disk and how encryption can help with securing that information in the context of Web application security. We continue with a discussion about session management in Web applications. We will go over a hacker's technique in attacking the session mechanism and related defense strategies. Best practices for session security will be discussed to ensure your application's session management is as strong as possible. Advanced session topics like Cross-Site Request Forgery will also be covered. Next we will cover business logic flaws and concurrency. These flaws are difficult for automated scanners to detect, so it is essential for security personnel to understand these problems and avoid them at all costs. The day ends with some basic input-related flaws, as well as SQL injection. The basic mechanics of these vulnerabilities are covered, followed by the real-world attack trends. Most importantly, we delve into the mitigation of these vulnerabilities and best practices for avoiding them. CPE/CMU Credits: 6 | | |
| DEV522.3: Proactive Defense and Operation Security | Johannes Ullrich, Ph.D. | Wed Sep 18th, 2013 9:00 AM - 5:00 PM |
| Overview: Day three begins with a detailed discussion on Cross-Site Scripting, related mitigation, and testing strategy, as well as HTTP response splitting. The code in an application may be totally locked down; however, if the server setting is insecure, the server running the application can be easily compromised. Locking down the Web environment is an essential topic for discussion, so this basic concept of defending the platform and host is covered. To enable any detection of intrusion, logging and error handling must be done correctly. We will discuss the correct approach to handling incidents and handling logs. We dive further to cover the intrusion detection aspect of Web application security. In the afternoon we turn our focus to proactive defense mechanisms so that we are ahead of the bad guys in the game of hack and defend. Topics such as file upload handling, intrusion detection, honeypots, redirection, extra in-depth authentication information, and practical input validation strategy will be covered. The afternoon material is designed to give you the extra edge in defending your application. CPE/CMU Credits: 6 | | |
| DEV522.4: AJAX and Web Services Security | Johannes Ullrich, Ph.D. | Thu Sep 19th, 2013 9:00 AM - 5:00 PM |
| Overview: Day four of the course is dedicated to AJAX and Web services security. Asynchronous JavaScript and XML (AJAX) and Web services are currently the most active areas in Web application development. Security issues continue to arise as organizations dive head first into insecurely implementing new Web technologies without first understanding them. We cover the security issues, mitigation strategies, and general best practices for implementing AJAX and Web services. We also examine real-world attacks and trends to give you a better understanding of exactly what you're protecting against. Discussion focuses on Web services in the morning and AJAX technologies in the afternoon. CPE/CMU Credits: 6 | | |
| DEV522.5: Cutting Edge Web Security | Johannes Ullrich, Ph.D. | Fri Sep 20th, 2013 9:00 AM - 5:00 PM |
| Overview: Day five has a strong focus on cutting-edge web application technologies and current research areas. Topics such as Clickjacking and DNS rebinding are covered. These vulnerabilities are difficult to defend against and require multiple defense strategies to be successful. Another topic of discussion is the new generation of single sign-on solutions such as OpenID. We cover the implications of using these authentication systems and the common gotchas to avoid. With Web 2.0 adoption, the use of Java applets, Flash, ActiveX, and Silverlight is on the increase. The security strategies for defending these technologies are discussed so these client-side technologies can be locked down properly. CPE/CMU Credits: 6 | | |
| DEV522.6: Capture & Defend the Flag Exercise | Johannes Ullrich, Ph.D. | Sat Sep 21st, 2013 9:00 AM - 5:00 PM |
| Overview: Day six starts with an introduction to the secure software development life cycle and how to apply it to web development. But the major focus of day six is a large lab. This lab will tie the lessons learned during the week together and reinforce them through hands-on practice. The student is provided with a virtual machine implementing a complete database-driven dynamic web site. In addition, a custom tool is used to enumerate security vulnerabilities and simulate a vulnerability assessment of the web site. It will be up to the student to decide which vulnerabilities are real and which are false positives. The student is then asked to mitigate the vulnerabilities. The scanner will score the student as vulnerabilities are eliminated or checked off as false positives. Advanced students will be able to extend this exercise and find vulnerabilities not presented by the scanner. The student will learn hands-on how to secure the web application, starting with the operating system and the web server, then finding configuration problems in the application language setup, and finding and fixing coding problems in the site. CPE/CMU Credits: 6 | | |
| Additional Information | | |
| Laptop Required | | |
| It cannot be stressed enough that if your laptop does not meet minimum configuration requirements, you will not be able to participate in this course. Students attending this course are required to bring their own laptops pre-configured per the instructions below. This must be done before class starts. Mandatory Laptop Hardware Requirements: | | |
| A laptop with Windows 2000, XP, Vista, 7, or 8 is required with the latest Service Packs and patches. Install VMware Player or VMware Workstation on the laptop. (GSX and ESX will not work.) VMware Player can be downloaded for free at http://www.vmware.com. VMware Fusion for Mac OS X can be used for Apple MacBooks provided the hardware requirements above are met. You must have administrative privileges on the laptop with the ability to disable the host firewall (Windows firewall or other third-party firewall) and anti-virus running on your desktop. At the beginning of class you will be given a Linux VMware image. This image will be booted within VMware as a virtual machine for all the exercises. If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org. | | |
| Who Should Attend | | |
| This class requires a basic understanding of web application technology and concepts such as HTML and JavaScript. | | |
