Description
In this course, you will:
- Discover how to become a champion of application security.
- Learn what the OWASP Top 10 vulnerabilities are and how to defend against them.
- Use threat modelling to identify threats and mitigate them in the features you develop.
- Run a threat model against an application.
- Perform an application vulnerability scan.
- Rate security vulnerabilities using conventional, open processes.
- Address common security flaws in programming.
- See how application security fits into a broader cyber security strategy.
- Integrate security across the software development life cycle.
Syllabus:
1. Introduction to OWASP Top 10 and more terms.
- Introduction to OWASP Top 10
- SANS Top 25
- Threat actors and more definitions
- Defense in Depth
- Proxy Tools
- Demo of Fiddler with JuiceShop
- API Security
2. Dive into the OWASP Top 10
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
3. Defenses and Tools
- OWASP ZAP (Zed Attack Proxy)
- Running a ZAP scan
- Cross-Site Scripting
- CSP (Content Security Policy)
- CSP Demo
- Security Models
- SKF (Security Knowledge Framework)
- SKF Demo
- SKF Labs Demo
- Source Code Review
4. Session Management
- Introduction to session management
- Web sessions
- JWT (JSON Web Token)
- JWT Example
- OAuth
- OpenID & OpenID Connect
5. Risk Rating and Threat Modeling
- Risk Rating Introduction
- Risk Rating Demo
- Introduction to Threat Modeling
- Types of Threat Modeling
- Introduction to Manual Threat Modeling
- Manual Threat Model demo
- Prepping for Microsoft Threat Model Tool
- Microsoft Threat Model Tool demo
6. Encryption and Hashing
- Encryption Overview
- Encryption Use Cases
- Hashing Overview
- Hashing Demo
- PKI (Public Key Infrastructure)
- Password Management
- Password Demo
7. Frameworks and Process
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI DSS (Payment Card Industry Data Security Standard)
- DevOps
- DevSecOps
- Use, Abuse, and Misuse cases
8. Security Scanning and Testing
- SAST (Static Application Security Testing)
- SpotBugs Demo
- DAST (Dynamic Application Security Testing)
- IAST (Interactive Application Security Testing)
- RASP (Runtime Application Self-Protection)
- WAF (Web Application Firewall)
- Penetration Testing
- SCA (Software Composition Analysis)