Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.
During the course, we demonstrate the risks of web applications and the extent of sensitive data that can be exposed or compromised. From there, we offer real world solutions on how to mitigate these risks and effectively evaluate and communicate residual risks.
After attending the class, students will be able to apply what they learned quickly and bring back techniques to not only better secure their applications, but also do so efficiently by adding security early in the software development life cycle, "shifting left" security decisions and testing, thus saving time, money, and resources for the organization.
"If you want to know everything about web apps and web app security, this is the perfect course!" - Chris Kansas, ThreatX
- Comply with PCI DSS 6.5 requirements
- Reduce overall application security risk and protect the company's reputation
- Adopt the "shifting left" mindset, where security issues are addressed early and quickly, avoiding costly rework
- Adopt modern applications built on APIs and microservices in a secure manner
- This course prepares students for the GWEB certification
- Defend against the attacks specified in OWASP Top 10
- Infrastructure security and configuration management
- Securely integrating cloud components into a web application
- Authentication and authorization mechanisms, including single sign-on patterns
- Cross-domain web request security
- Protective HTTP headers
- Defending SOAP, REST and GraphQL APIs
- Securely implementing microservice architectures
- Defending against input related flaws such as SQL injection, XSS and CSRF
The provided VM lab environment contains a realistic application environment in which to explore the attacks and the effects of the defensive mechanisms. The exercises are structured in a challenge format with hints available along the way. The practical hands-on exercises help students gain the experience to hit the ground running back at the office. There are 20 labs in sections 1 to 5 of the class, and in the last section there is a capstone exercise called Defending the Flag with 3-4 hours of dedicated competitive exercise time.
- SECTION 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
- SECTION 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
- SECTION 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
- SECTION 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
- SECTION 5: Deserialization and DNS rebinding, GraphQL, API gateways and JSON, SRI and Log review
- SECTION 6: Defending the Flag capstone exercise
"Labs were fun and challenging." - Linh Sithihao, Dignity Health
"[Labs are] thought out and easy to follow with good practical knowledge learned." - Barbara Boone, CDC
"Lots of good hands-on exercises using real world examples." - Nicolas Kravec, Morgan Stanley
"The labs were very informative and useful to teach us the basics." - Omar Alshair, TRA
"The exercises are a good indicator of understanding the material. They worked flawlessly for me." - Robert Fratila, Microsoft
- Section 1 - Understand web application architecture, vulnerability and configuration management.
- Section 2 - Detect, mitigate and defend input related threats.
- Section 3 - Authentication, Authorization and Cryptography
- Section 4 - Front end security with modern scripting engines
- Section 5 - REST & GraphQL API with microservice architecture
- Section 6 - Defending the Flag exercise
WHAT YOU WILL RECEIVE:
- Printed and electronic courseware
- Exercise workbook with over 100 pages of detailed step-by-step instructions
- A virtual machine with a Linux operating system and multiple container environments simulating various vulnerable conditions for students to explore during class exercises
- A poster containing the summary of the most crucial defensive techniques covered in the course in a checklist format which can be used as a baseline Web defensive framework/standard for your organization.
- MP3 audio files of the complete course lecture
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
CRITICAL NOTE: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
It is imperative that you back-up your system before class and it is also strongly advised that you do not bring a system storing any sensitive data.
System Hardware Requirements
- CPU: Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
- Windows users can use this article to learn more about their CPU and OS capabilities.
- Apple users should verify that the OS version is 11.6 or later
- BIOS: Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
- USB: If taking the course in-person, at least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
- RAM: 8 GB RAM is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
- Hard Drive Free Space: 60 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
- Operating System: Latest version of Windows 10, macOS 11.6.x or later, or Linux that also can install and run VMware virtualization products described below.
Additional Hardware Requirements
The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.
- Network, Wireless Connection: A wireless 802.11 B, G, N or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.
Additional Software Requirements
- VMware Workstation Pro 15.5.X, VMware Player 15.5.X or Fusion 11.5+ is mandatory. It should be installed on the system you are planning to use for this class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial online.
- Credential Guard: If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact email@example.com.
"Too many websites are getting compromised. The goal of SEC522 is to arm students with real-world defensive strategies that work. You can apply these techniques immediately, regardless of your role in protecting these precious assets exposed online. We all know it is very difficult to defend a web application because there are so many different types of vulnerabilities and attack channels. Overlook one thing and your web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of a web application. This course covers the security vulnerabilities so that students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks, as well as the overall architecture that has been proven to help secure sites. I have also included some case studies throughout the course so that we can learn from the mistakes of others and make our defense stronger. The exercises in class are designed to help you further your understanding and help you retain this knowledge through hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications and build more secure applications in the future." - Jason Lam and Johannes Ullrich
"I am very glad I took this course because there are not many instructors on platforms like Udemy or YouTube that have the knowledge the instructor has. He is very knowledgeable and when asking a question, he goes in-depth about the concept. What I love the most is that his professional experience working in the field helps us understand more about real-life examples." - Alisa C.