Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.
The quantity and importance of data entrusted to web applications is increasing, and defenders need to learn how to secure these critical data. Traditional network defenses such as firewalls fail to secure web applications. In covering the OWASP Top 10 Risks and beyond, SEC522 will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.
The course will present mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. We'll introduce the nature of each vulnerability to help you understand why it happens, then we'll show you how to identify the vulnerability and provide options to mitigate it.
To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.
SEC522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. You will find the course useful if you are supporting or creating either traditional web applications or more modern web services for a wide range of front ends like mobile applications. The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications.
The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:
- The OWASP Top 10
- Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
- Infrastructure security and configuration management
- Securely integrating cloud components into a web application
- Authentication and authorization mechanisms, including single sign-on patterns
- Application language configuration
- Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
- Web 2.0 and its use of web services (REST/SOAP)
- Cross-domain web request security
- Business logic flaws
- Protective HTTP headers
The SEC522 course features full-day lab with hands-on exercises on how to secure a web application, starting with securing the operating system and web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.The course makes heavy use of hands-on exercises and will conclude with a large defensive exercise that reinforces the lessons learned throughout the week.
You Will Learn:
- How to comprehensively remediate common web application vulnerabilities.
- How to apply defensive application design and coding practices to avoid security vulnerabilities.
- The HTTP protocol and new technologies such as HTTP/2, QUIC (HTTP/3), and Websockets that affect the protocol stack.
- How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.
- How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.
- How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.
- How to design better and stronger security architecture that includes infrastructure aspects in the design process.
- How to leverage and uplift the modern security features in the web browser to further enhance the overall security of the application
You Will Be Able To:
- Understand the major risks and common vulnerabilities related to web applications through real-world examples.
- Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture.
- Understand the best practices in various domains of web application security such as authentication, access control, and input validation.
- Fulfill the training requirement as stated in PCI DSS 6.5.
- Deploy and consume web services (SOAP and REST) in a more secure fashion.
- Proactively deploy cutting-edge defensive mechanisms such as defensive HTTP response headers and Content Security Policy to improve the security of web applications.
- Strategically roll out a web application security program in a large environment.
- Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner.
- Develop strategies to assess the security posture of multiple web applications.
- HTTP Basics
- Insepcting HTTP/2 traffic and crafting requests
- Service Isolation
- SSRF and Credential Stealing Services
- SQL Injection
- Guestbook CSRF
- Cross Site Scripting
- Unicode and File Upload
- Authentication Exercise
- Session Fixation and Session Breaking
- OAuth and Access Control
- Inspecting SSL Traffic with Wireshark
- WSDL Enumeration and Parameter Tampering
- XMLHttpRequest and Same Origin Policy
- Content Security Policy
- DNS Rebinding
- Subresource Integrity
- Logging and Incident Response
- Defending the Flag
What You Will Receive:
- A Ubuntu Linux VMWare virtual machine containing:
- Virtual server environment consisting of a DNS, FTP, web server, and database to simulate
- Multiple sample applications for the in-class exercises
- Pre-installed security tools (e.g., brute forcing, manipulating proxy, and exploiting tools)
- Printed and Electronic Courseware for the six days of lecture
- MP3 audio files of the complete course lecture
Other Courses Students Have Taken
Courses that lead in SEC522:
Courses that are good follow-ups to SEC522:
Please note that we have changed the prefix of this course from "DEV" to "SEC" to more accurately reflect the audience. Going forward, the course will be known as "SEC522: Defending Web Applications Security Essentials". If you are browsing the SANS website or reviewing a brochure and notice the new prefix change, please note this change has NO IMPACT on the content of the course.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back-up your system before class and it is also strongly advised that you do not bring a system storing any sensitive data.
System Hardware Requirements
- CPU: Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit quest virtual machine.
- VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
- Windows users can use this article to learn more about their CPU and OS capabilities.
- Apple users can use this support page to learn more information about Mac 64-bit capability
- BIOS: Inte'ls VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access yoru system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
- USB: At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may hav eonly the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
- RAM: 8 GB RAM is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
- Hard Drive Free Space: 60 GB of FREE space on the hard drive is critical to hose the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
- Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Additional Hardware Requirements
The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.
- Network, Wireless Connection: A wireless 802.11 B, G, N or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.
Additional Software Requirements
- VMware Workstation Pro 15.5.X+ or Fusion 11.5+ is mandatory. VMware Player will not meet this requirement. You must have the ability to take virtual machine snapshots and you cannot do this with VMware Player. VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial online.
- Credential Guard: If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.
If you have additional questions about the laptop specifications, please contact email@example.com.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.