Center for Qualified CyberSecurity Excellence & Mastery

"Where Qualified Cyber Education Happens"

This 72 hour class is all about the web as the internet's killer app. Web servers ARE the target of choice for hackers, making them "King of the Internet". 97% of all web applications are vulnerable, and better network security isn't the only answer. We will explore a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP Top 10, looking at 19 specific web application attacks including attacking the client, state, data and the server.

Class Fee: $3,990
Time: 72 hrs
Learning Level: Entry
Contact Hours: 40 hr lecture, 32 hr labs
Prerequisites: Understanding of TCP/IP Protocols
Credits: 72 CPE / 3 CEU
Method of Delivery: Residential (100% face-to-face) or Hybrid
Instructor: TBD
Method of Evaluation: 1. 95% attendance 2. 100% completion of labs
Grading: Pass = attendance + labs & quizzes; Fail > 95% attendance

Sample Job Titles:
Analyst Programmer/Computer Programmer
Configuration Manager
Database Developer/Engineer/Architect
Information Assurance (IA) Engineer
Information Assurance (IA) Software Developer
Information Assurance (IA) Software Engineer
Research & Development Engineer
Secure Software Engineer/Security Engineer
Software Developer/Software Engineer/Architect
Systems Analyst/Web Application Developer


Text Materials: Class handbook, lab, SU resource CD’s and attack handouts

This 72 hour accelerated class is taught using a face-to-face or hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.

Who Should Attend: Software testers, software developers, development and test managers, Information Security and IT managers; Information Assurance programmers; Information Security analysts and consultants; internal auditors and audit consultants; QA specialists.

Machines: dual core, 4M RAM, 350 GB drives, running MS OS, Linux, and VMware Workstation

Tools for class: Whois, Google Hacking, Nslookup, Sam Spade, Traceroute, Nmap, HTTrack, SuperScan, Nessus, PsTools, Nbtstat, SolarWinds, Netcat, John the Ripper, Nikto/Wikto, WebScarab, HTTP Tunnel (hts.exe), LCP, Cain and Abel, Ettercap (system hacking), Wireshark and other sniffers, tcpdump, dsniff, Metasploit, ISS exploit, web app, Core Impact, Snort, Infostego, EtherApe, Firefox with plugins (HackBar, XSS Me...), WebGoat, Ounce, Fortify, ISS RealSecure, Wget, CrypTool, curl

KU Outcomes

Learning Objectives

Access Control - The student will demonstrate understanding of access control attacks and mitigation strategies, as well as applying best practices to avoid access control issues.

AJAX Technologies and Security Strategies - The student will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies and best practices for securing applications using AJAX.

Authentication - The student will demonstrate understanding of web authentication, single sign-on methods, third-party session sharing and common weaknesses, as well as how to develop test strategies and apply best practices.

Business Logic and Concurrency - The student will demonstrate a general understanding of business logic flaws and concurrency issues in web applications, and how to test for and mitigate these weaknesses.

Cross Origin Policy Attacks and Mitigation - The student will demonstrate an understanding of methods attackers use to circumvent same origin policy enforcement and best practices for preventing, detecting or mitigating these attacks in web applications.

Cross Site Scripting - The student will demonstrate an understanding of what cross site scripting is and how to use best practices and browser controls to prevent it.

CSRF - The student will demonstrate understanding of the conditions that make a CSRF attack possible, the steps an attacker takes and how to mitigate CSRF attacks.

Encryption and Protecting Sensitive Data - The student will demonstrate understanding of how cryptographic components work together to protect web application data in transit and in storage, and also when and where to use encryption or tokenization to protect sensitive information.

Incident Detection and Handling - The student will demonstrate an understanding of the controls and processes used to log errors and events, how to mitigate automated bot and spam scripts, and how to detect and respond to incidents in the web application environment.

Input Validation and Encoding - The student will demonstrate understanding of the threats related to user input to web applications and the strategies and general practices for handling user input properly to mitigate input-related attacks.

Rich Interface Addon Security - The student will demonstrate an understanding of common Rich Internet Application (RIA) platforms (such as Flash, Silverlight, HTML5), common attacks against these technologies and best practices for securing applications using RIA.

Session Management - The student will demonstrate understanding of what sessions are, how to test for and mitigate common weaknesses, and how to properly implement session tokens and cookies in a web application.

SQL Injection - The student will demonstrate an understanding of what SQL injection is and how to use best practices to prevent it.

Vulnerability Management and Penetration Testing - The student will demonstrate a high-level understanding of the processes for managing vulnerabilities and penetration testing a web application.

Web Environment Configuration Hardening - The student will demonstrate an understanding of the environmental controls and operational procedures needed to secure servers and services that host web applications.

Web Mechanism and Architecture Security - The student will demonstrate understanding of the building blocks of web applications and how components work together to provide HTTP content, as well as high-level attack trends.

Web Services Security - The student will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc.) and best practices for securing web services.
