Certified Secure Web Application Engineer


Course Overview

  • 4 Days
  • $3,500
  • 32 CPE Credits

The Certified Secure Web Application Engineer course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will put theory into practice by completing real-world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risk analysis and threat modeling, conducting secure code reviews, and more.

On the final day of training, students will complete a real-world hacking exercise on a live web application.

These secure coding skills are in desperate need today because the internet is one of the most dangerous places to do business; there are countless cases of valuable information being stolen from businesses because of a vulnerability in their web applications. When programmers don't understand the principles of secure coding, the doors are open to those who do.


Upon Completion

Students will have the knowledge to:

  • Perform web application penetration testing to expose vulnerabilities.
  • Design and implement controls to defend against application vulnerabilities.
  • Integrate security best practices into the software development lifecycle.
  • Sit for the C)SWAE certification exam.


Course Content

The C)SWAE is a four-day course that covers secure coding practices and testing for web applications. It comprises 10 modules and an appendix of extra practice labs to perform outside of class to solidify secure coding practices.

The course kit includes:

  • C)SWAE Student Workbook
  • Key Concepts/Definitions Booklet
  • Certificate of completion
  • Mile2® T-shirt & Pen

Course: Modules & Labs

1: Web Application Security

Web Application Security
Web Application Technologies and Architecture
Secure Design Architecture
Application Flaws and Defense Mechanisms
Defense In-Depth
Secure Coding Principles
Lab: Environment Setup

2: OWASP TOP 10

The Open Web Application Security Project (OWASP)
OWASP TOP 10 2013
Lab: Environment Setup

3: Threat Modeling & Risk Management

Threat Modeling Tools & Resources
Identify Threats
Identify Countermeasures
Choosing a Methodology
Post Threat Modeling
Analyzing and Managing Risk
Incremental Threat Modeling
Identify Security Requirements
Understand the System
Root Cause Analysis
Lab: Threat Modeling and Architecture Risk Analysis
Lab: Quick Threat Modeling (the Doctor use case)

4: Application Mapping

Application Mapping
Web Spiders
Web Vulnerability Assessment
Discovering other content
Application Analysis
Application Security Toolbox
Setting up a Testing Environment
Lab: Web Application Mapping using Ethical Hacking Tools

5: Authentication and Authorization Attacks

Authentication
Different Types of Authentication (HTTP, Form)
Client Side Attacks
Authentication Attacks
Authorization
Modeling Authorization
Least Privilege
Access Control
Authorization Attacks
Access Control Attacks
User Management
Password Storage
User Names
Account Lockout
Passwords
Password Reset
Client-Side Security
Anti-Tampering Measures
Code Obfuscation
Anti-Debugging
Lab: Client Side, Authentication and Authorization Attacks

6: Session Management Attacks

Session Management Attacks
Session Hijacking
Session Fixation
Environment Configuration Attacks
Lab: Session Management, Access Controls and Configuration Attacks

7: Application Logic Attacks

Application Logic Attacks
Information Disclosure Exploits
Data Transmission Attacks
Lab: Application Logic, Information Disclosure and Data Transmission Attacks

8: Data Validation

Input and Output Validation
Trust Boundaries
Common Data Validation Attacks
Data Validation Design
Validating Non-Textual Data
Validation Strategies & Tactics
Errors & Exception Handling
Structured Exception Handling
Designing for Failure
Designing Error Messages
Failing Securely
Lab: CERT Oracle Secure Coding for Java (IDS rules)

9: AJAX Attacks

AJAX Attacks
Web Services Attacks
Application Server Attacks
Lab: AJAX, Web Services and Server Attacks

10: Code Review and Security Testing

Insecure Code Discovery and Mitigation
Testing Methodology
Client Side Testing
Session Management Testing
Developing Security Testing Scripts
Pentesting a Web Application
Lab: Performing Code Review and Building Security Test Scripts

11: Web Application Penetration Testing

Insecure Code Discovery and Mitigation
Benefits of a Penetration Test
Current Problems in WAPT
Learning Attack Methods
Methods of Obtaining Information
Passive vs. Active Reconnaissance
Footprinting Defined
Introduction to Port Scanning
OS Fingerprinting
Web Application Penetration Methodologies
The Anatomy of a Web Application Attack
Fuzzers
Lab: Performing Web Application Penetration Testing Steps

12: Secure SDLC

Secure Software Development Lifecycle (SDLC)
Methodology
Web Hacking Methodology
Lab: Case Study and Web Penetration Testing Assignment

13: Cryptography

Overview of Cryptography
Key Management
Cryptography Application
True Random Generators (TRNG)
Symmetric/Asymmetric Cryptography
Digital Signatures and Certificates
Hashing Algorithms
XML Encryption and Digital Signatures
Authorization Attacks
Lab: Encryption in Secure Coding (Examples for Java, PHP and .NET)

Appendix: Labs

Introduction & Instructions

Exercise 1: Logging into WebGoat
Exercise 2: Running WebScarab
Exercise 3: Manipulating Data

1: Spoofing Authentication Cookies

Details not disclosed.

2: How to Perform Cross Site Scripting (XSS)

Details not disclosed.

3: Injection Flaws

Exercise 1: SQL Injection
Exercise 2: String SQL Injection
Exercise 3: String SQL Injection

4: Improper Error Handling

Exercise 1: Fail Open Authentication

5: Parameter Tampering

Details not disclosed.

6: Denial of Service

Details not disclosed.

7: Writing Java Secure Code

Input Validation and Data Sanitization (IDS)
IDS00-J. Sanitize untrusted data passed across a trust boundary
IDS02-J. Canonicalize path names before validating them
IDS03-J. Do not log unsanitized user input
IDS04-J. Safely extract files from ZipInputStream
IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method


Class Format Options

Mile2 offers courses throughout the year and around the globe. You can attend in these ways:


Who Should Attend

The Certified Secure Web Application Engineer Certification Course is designed for those who have a background in web application development and want the skill set to make their applications secure. While not required, we recommend being familiar with general cyber security topics, including those taught in our C)ISSO: Information Systems Security Officer course.


Exam Information

The Certified Secure Web Application Engineer Certification Exam is taken online through Mile2's Assessment and Certification System ("MACS"), which is accessible from your mile2.com account. The exam takes 2 hours and consists of 100 multiple-choice questions. The cost is $300 USD, and the exam must be purchased from the store on Mile2.com.