LIVE Instructor-Led Courses
Dismiss

Secure Web Application Development training course

Code highly secure web applications to OWASP standards and protect your organisations against cyber attack

JBI training course London UK

" We tried to cover a lot of bases here from people who had no experience of SQL injection to people who had very specific questions and Tim balanced that really well in the timeframe. He's very knowledgeable on the subject and managed questions really well. " 

RK, Developer, Secure Web Development,  Dec 2022

Public Courses

20/05/24 - 2 days
£1500 +VAT
01/07/24 - 2 days
£1500 +VAT
12/08/24 - 2 days
£1500 +VAT

Customised Courses

* Train a team
* Tailor content
* Flex dates
From £1200 / day
EDF logo Capita logo Sky logo NHS logo RBS logo BBC logo CISCO logo
JBI training course London UK

  • Understanding Web Applications                
  • Information Security & Cybersecurity Fundamentals        
  • Remediating Common Web Application Vulnerabilities    
  • Introducing WebAppSec Good Practices                
  • Secure Web App Development Lifecycles & Supporting Tools    
  • A04 Insecure Design & A02 Cryptographic Failures            
  • A03 Injection & A10 Server-Side Request Forgery            
  • A07 ID & Authentication Failures & A01 Broken Access Control    
  • A05 Security Misconfiguration & A06 Outdated Components        
  • A08 Integrity Failures & A09 Logging & Monitoring Failures        
  • Supporting continuous Web Application Security improvements

Module 1:    Introductions, course overview & starting surveys         

- targeted WebAppSec quizzes with instant feedback to activate delegates’ learning  
- connecting to & getting familiar with the course’s hands-on Linux lab environment
- previews of Day 1 & Day 2 content to prepare delegates to engage with WebAppSec
Practicals: each delegate will access an individual cloud-hosted Linux VM via RDP or HTTPS

Module 2:    Understanding Web Applications               
- exploring HTML, Cascading Style Sheets & JavaScript using Modern Web Browsers  
- understanding legal, ethical & data protection considerations related to WebAppSec
- inspecting HTTP verbs, Headers, Cookies & data using ZED Attack Proxy (ZAP)
Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 3:    Information Security & Cybersecurity Fundamentals        
- appreciating the significance of availability, confidentiality & integrity for Web Apps
- performing simulated phishing attacks using SE Toolkit & BEEF Project
- understanding the meaning of threats, vulnerabilities, exploits, incidents & controls
Practicals: delegates will perform the simulated phishing activities in their Linux VM labs  

Module 4:    Remediating Common Web Application Vulnerabilities    
- identifying & remediating the “Click Jacking” (missing X-OPTIONS-HEADER) weakness
- identifying & remediating the Cross-Site Request Forgery (XSRF) vulnerability
- Securing Cookies with HttpOnly & Secure Flags
Practicals: delegates will perform all of this module’s activities in their Linux VM labs

Module 5:    Introducing WebAppSec Good Practices                
- introducing OWASP & the OWASP Top 10 Web Application Threat model
- performing Threat Modelling of a Web Application using STRIDE  
- understanding relationships between OWASP, CWEs, CVEs, CVSS & MITRE ATT&CK
 Practicals: important Threat Modelling group practicals will not rely on the Linux VM labs   

Module 6:    Secure Web App Development Lifecycles & Supporting Tools    
- reviewing 4 leading SSDLC models: Microsoft SDL, OpenSAMM, BSIMM, SafeCode
- understanding the value of OWASP’s Application Security Verification Standard (ASVS)
- considering how IAST tools (like ZAP & Burp Suite) differ from SAST & DAST tools
 Practicals: SSDLC activities not Lab-based but Linux VM labs will be used for ZAP & BurpSuite

Module 7:     A04 Insecure Design & A02 Cryptographic Failures            
        - reinforcing need for Threat Model driven WebAppSec lifecycle (as per Modules 5 & 6)
- breaking TLS security by installing untrusted Root Certificates in Firefox lab environment
- understanding the WebAppSec design challenges of secure cryptographic key management
Practicals: delegates will perform cryptographic security activities in their Linux VM labs  

Module 8:    A03 Injection & A10 Server-Side Request Forgery            
- appreciating how injection attacks occur from poor data/code separation & input validation  
- experiencing the significance of Cross-Site Scripting (XSS) attacks with hands-on examples
- how to identify & mitigate SQL Injection & SSRF vulnerabilities
Practicals: delegates will perform XSS, SQL Injection & SSRF activities in their Linux VM labs  

Module 9:     A07 ID & Authentication Failures & A01 Broken Access Control    
- understanding the nature of Identification, Authentication & Access Control
- performing attacks on authentication using spoofing, cookie stealing & hash cracking
- how to design secure Web Apps based on proven Identity & Access Control methods
Practicals: delegates will perform authentication attack activities in their Linux VM labs   


Module 10:    A05 Security Misconfiguration & A06 Outdated Components        
- using legal Open Source Intelligence (OSINT) methods to identify exposed vulnerabilities
- showing how DNS, Shodan & Certificate Transparency records can expose internal assets
- exploring good practices for hardening & patching Web Applications
Practicals: OSINT activities may be performed either using Linux VM labs or own computer


Module 11:    A08 Integrity Failures & A09 Logging & Monitoring Failures        
- examining the meaning & impacts of software integrity failures
- performing simulated attack using malicious file upload & insecure de-serialisation
- understanding the causes & impacts of the Log4J vulnerability
Practicals: delegates will Log4J & Syslog monitoring activities in their Linux VM


Module 12:    Supporting continuous Web Application Security improvements
- reflecting on learnings from this course & how to improve WebAppSec within the BBC
- signposting trusted sources of further relevant information about WebAppSec
- completing end-of-course feedback to improve future runs of this course
Practicals: delegates will access online surveys & quizzes to reinforce their learning

 

Resources:
•    Cloud Hosted Ubuntu Linux Virtual Machines – 1 per delegate (up to 10 delegates)
•    Selected Kali Linux tools e.g. SE Toolkit, HashCat, BEEF Project, ZAP Proxy
•    Selected elements of vulnerable apps e.g. OWASP Juice Shop, DVWA, Google XSS-Game & Gruyere.
•    Selected Websites & OSINT sources e.g. OWASP, MITRE, NIST CVE, FIRST CVSS, SafeCode, Shodan

 

JBI training course London UK

Developers from various language backgrounds who wish to know how to develop secure web applications that follow the OWASP standards

5 star

4.8 out of 5 average

" We tried to cover a lot of bases here from people who had no experience of SQL injection to people who had very specific questions and Tim balanced that really well in the timeframe. He's very knowledgeable on the subject and managed questions really well. " 

RK, Developer, Secure Web Development,  Dec 2022



“JBI  did a great job of customizing their syllabus to suit our business  needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and  the Instructor handled this particularly well - very impressive”

Brian F, Team Lead, RBS, Data Analysis Course, April 2022

 

 

JBI training course London UK

Newsletter

 

Sign up for the JBI Training newsletter to stay updated with world-class technology training opportunities, including Analytics, AI, ML, DevOps, Web, Backend and Security. Our Power BI Training Course is especially popular.  Gain new skills, useful tips, and validate your expertise with an industry-leading organisation, all tailored to your schedule and learning preferences.



OWASP 2017 standards - this Java secure coding training course is led by an Application Security expert instructor and delivers focused and customised guidance on how to secure Applications (from code to cloud), covering the technology stack currently used by the delegates (web, mobile, cloud, java, Javascript, AngularJS android, node, etc...).

A highly popular course with plenty of discussion, demos and interactive Labs to demonstrate the issues faced by modern software development teams.

An optional threat modelling session can also precede the course delivery.

CONTACT
+44 (0)20 8446 7555

[email protected]

SHARE

 

Copyright © 2023 JBI Training. All Rights Reserved.
JB International Training Ltd  -  Company Registration Number: 08458005
Registered Address: Wohl Enterprise Hub, 2B Redbourne Avenue, London, N3 2BS

Modern Slavery Statement & Corporate Policies | Terms & Conditions | Contact Us

POPULAR

Rust training course                                                                          React training course

Threat modelling training course   Python for data analysts training course

Power BI training course                                   Machine Learning training course

Spring Boot Microservices training course              Terraform training course

Kubernetes training course                                                            C++ training course

Power Automate training course                               Clean Code training course