Course 491:
Web and Mobile Application Security

(2 days)

 

Course Description

The security of an application can be compromised in many different ways. Programmers can make coding errors that let attackers into the system. Networks and firewalls can be misconfigured, or security patches left uninstalled. Improper or inadequate use of encryption can expose sensitive data to unintended parties. User error can compromise otherwise secure systems.

It is essential for anyone working on modern applications to understand how their systems can be compromised. This course covers a broad range of vulnerabilities affecting web and mobile applications and how developers and administrators can prevent these attacks.

Learning Objectives

  • Understand the fundamentals of securing web and mobile applications
  • Identify, test for, and mitigate the most common web application vulnerabilities
  • Secure mobile devices, their data, and applications
  • Leverage encryption technologies to ensure data confidentiality, message integrity, and authentication
  • Maintain a secure server infrastructure with TLS, firewalls, and intrusion detection
  • Test for application vulnerabilities using automated security analysis tools

Case Study Deliverable

Another team has developed an application that will run in the browser and on mobile devices. However, they are new to developing web-based applications, and don’t understand how these applications can be hacked. They want you to help make sure that before the site goes live it is secure and that they are following security best practices.

You need to scan the site for vulnerabilities, assess the quality of the code, and make recommendations on how to fix any mistakes that leave the site open to attack. You also need to recommend how the application should be deployed to ensure it is both secure and fault tolerant.

Technologies Covered

  • The CIA Triad of Security (Confidentiality, Integrity, Availability)
  • Securing Code
  • OWASP Top 10 Web Vulnerabilities
  • OWASP Top 10 Mobile Vulnerabilities
  • Encryption
  • Hashing
  • Digital Certificates
  • TLS (Transport Layer Security)
  • Firewalls
  • Intrusion Detection
  • Vulnerability Scanners

Course Outline

1. Web Security Fundamentals

  • The CIA Triad of Security (Confidentiality, Integrity, Availability)
  • Securing Networks and Servers
  • Writing Secure Code
  • Users and Security
  • Web Application Security
  • Mobile Application Security
  • OWASP Introduction

2. The OWASP Web Top 10 (2013 edition)

  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting
  • Insecure Direct Object Reference
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards
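As an added illustration of the first and third entries above (Injection and Cross-Site Scripting), not code from the course material: a login lookup written first with string concatenation and then with bound parameters, and a page fragment rendered with and without output encoding. The in-memory SQLite table, the function names (login_vulnerable, login_safe, render_greeting_vulnerable, render_greeting_safe) and the attacker inputs are all constructed for this example.

```python
import html
import sqlite3

# Constructed sample data for this example, not from the course material.
SAMPLE_USERS = [("alice", "h1"), ("bob", "h2")]


def make_db():
    """Return an in-memory SQLite connection holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """A1 Injection: untrusted input is spliced directly into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Same lookup with bound parameters: input is data and can never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(display_name):
    """A3 Cross-Site Scripting: attacker-controlled text lands in HTML unencoded."""
    return f"<p>Hello, {display_name}!</p>"


def render_greeting_safe(display_name):
    """Output encoding turns markup characters into inert entities."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


# Hypothetical attacker inputs, constructed for the demonstration.
SQLI_PAYLOAD = "alice' --"                 # the -- comments out the password check
XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    conn = make_db()
    # The concatenated query logs in as alice with a wrong password; the bound one does not.
    print("vulnerable login:", login_vulnerable(conn, SQLI_PAYLOAD, "wrong"))
    print("safe login:      ", login_safe(conn, SQLI_PAYLOAD, "wrong"))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

The injection payload works because the single quote closes the username literal and the comment marker discards the rest of the statement, so the password check never runs; with bound parameters the same string is compared as a literal username and matches nothing. The XSS half shows the same principle on the output side: the fix is context-appropriate encoding at the point where data is written into HTML, not input filtering.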

3. The OWASP Mobile Top 10 (2016 edition)

  • Improper Platform Usage
  • Insecure Data Storage
  • Insecure Communication
  • Insecure Authentication
  • Insufficient Cryptography
  • Insecure Authorization
  • Client Code Quality
  • Code Tampering
  • Reverse Engineering
  • Extraneous Functionality

4. Encryption

  • Encryption Basics
  • Symmetric Key Encryption
  • Asymmetric Encryption
  • Hashing
  • Digital Certificates
  • X.509 Certificates
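As an added example for the Hashing item above and the message-integrity objective, not code from the course material: why an unkeyed hash is not an integrity check against an attacker, how a keyed hash (HMAC) fixes that, and how passwords are stored with a salted, iterated hash rather than a bare digest. It uses only the Python standard library, so it covers the hashing and integrity topics and not the symmetric or asymmetric ciphers. The function names, the shared key and the messages are constructed for this example; the stored-password format is an assumption chosen for readability.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """Plain digest: catches accidental corruption, nothing more."""
    return hashlib.sha256(data).hexdigest()


def verify_plain_hash(message: bytes, digest: str) -> bool:
    """Naive integrity check: anyone can recompute this, so a forger simply supplies a matching digest."""
    return sha256_hex(message) == digest


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 with the parameters stored alongside the result.

    The iteration count is a cost knob; tune it to your hardware. The "$"-separated
    layout is an assumption for this example, not a standard.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh per-user salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def tamper_demo(key: bytes) -> dict:
    """Attacker swaps the message in transit and recomputes what it can."""
    message = b"transfer amount=100"        # constructed sample message
    forged = b"transfer amount=999"
    digest, tag = sha256_hex(message), mac_tag(key, message)
    # The attacker can recompute a plain digest for the forged message...
    forged_digest = sha256_hex(forged)
    # ...but has no key, so the best it can do is replay the original tag.
    return {
        "plain_hash_accepts_forgery": verify_plain_hash(forged, forged_digest),
        "hmac_accepts_forgery": verify_mac(key, forged, tag),
        "hmac_accepts_original": verify_mac(key, message, tag),
    }


if __name__ == "__main__":
    print(tamper_demo(b"shared-secret-key"))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored),
          verify_password("wrong password", stored))
```

The takeaway for the course's integrity objective is the split in tamper_demo: a hash sent next to the data only proves the data matches the hash, while an HMAC proves the sender held the key. For passwords the same primitive is used differently, with a per-user salt and a deliberately slow iteration count, and verification always goes through a constant-time comparison.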

5. Securing Servers

  • Secure Architecture
  • Server Configuration
  • Firewalls
  • Port Scanning
  • Intrusion Detection
  • Transport Layer Security

6. Security Testing

  • Tools
  • OWASP ZAP

Please Contact Your ROI Representative to Discuss Course Tailoring!