Securing Web Applications, Services and Servers: Hands-On

What is this course about?

Organisations today increasingly rely on the Internet and networked systems to conduct business. At the same time, cyber crime and security violations pose an ever-growing threat to business-critical functions and data. If Web applications are not enabled with the appropriate security countermeasures, third parties are able to eavesdrop and compromise the integrity of information passed to and from your Web applications. For organisations that share proprietary data across the Internet, intranets or other public networks, this is of particular concern.

This course systematically exposes potential security threats, provides proven solutions and shows you the steps you can take today to help ensure the integrity and privacy of your Web applications. Special attention is paid to the Open Web Application Security Project (OWASP) Top Ten security issues.

Who will benefit from this course?

This course is valuable for anyone who wants to protect their Web applications from attack. Specifically, this course is geared for those directly involved in the development, maintenance or auditing of Web applications, including Web application developers, software QA personnel, Web application security testers and auditors, and security administrators, as well as those involved in the cybersecurity measures and implementation.

What background do I need?

Basic knowledge of Web application operation and Web server administration are assumed. You should have knowledge at the level of Course 470, Developing a Web Site: Hands-On. For example, you should have an understanding of Web browser/server operation, session management and basic HTML. In addition, experience with server-side Web application development and security knowledge is helpful.

What Web servers are covered in this course?

This course provides a choice between the two most commonly deployed Web servers: Microsoft Internet Information Services on Windows or Apache on Windows.

What Web programming languages are covered in this course?

This course covers most Web application security issues in a language-independent format. The information provided is applicable to most environments used today. During the hands-on exercises, you choose between using ASP.NET with C# or Java EE.

Will I learn how to enable HTTPS in this course?

Yes, this course covers configuring a Web server to use HTTPS. This includes obtaining a digital certificate from a certification authority, as well as self-signing. Participants are given a choice of using IIS or Apache for the hands-on exercise.

Does this course cover the OWASP Top Ten?

Yes, this course goes into detail on the Open Web Application Security Project (OWASP) Guide and the Top Ten security issues. These include: SQL injection flaws, cross-site scripting (XSS), session ID hijacking, Cross Site Request Forgery (CSRF), information leakage, improper error handling, insecure cryptographic storage and failure to restrict URL access.

I've heard a lot about cybersecurity lately. Does this course cover cybersecurity?

Yes, this course provides hands-on experience discovering and protecting the most common Web-based cybersecurity risks.

Will I learn how to secure Web services in this course?

Yes. Topics covered include protecting XML message content with WS-Security and ensuring integrity with XML schemas.

Does this course cover securing Web servers?

Yes. While this course does not cover detailed configuration of a Web server, several Web server security topics are covered. These topics include enabling HTTPS on a Web server, configuring file permissions, detecting file-system changes, and restricting Web server acceptance of HTTP methods.

How much time is spent on each topic?

How much of this course is hands-on?

Approximately 50 percent of class time is spent in hands-on exercises. Based on an evolving case study, you gain practical experience securing applications. Exercises include intercepting and modifying a signed SOAP message, detecting unauthorised file system modification, and preventing code injection with input validation.

Does this course cover scanning for vulnerabilities?

Yes. In this course, you learn how to scan Web applications to detect vulnerabilities within the Web application layer. Web application scanners are used to scan deployed Web applications and determine possible vulnerabilities.

For coverage of network and system vulnerability scanning, which are not covered in this course, you should consider Course 589, Hands-On Vulnerability Assessment: Protecting Your Organisation.

Will I learn to hack?

No. While this course covers vulnerabilities and exploitation, it does not focus on hacking techniques or tools. For more information on hacking, see Course 589, Hands-On Vulnerability Assessment: Protecting Your Organisation, or Course 537, Penetration Testing: Tools and Techniques.

Will I learn to develop Web applications in this course?

No. This course assumes previous knowledge of Web application development. The primary focus of this course is on securing against common vulnerabilities.

How does this course relate to other Learning Tree courses?

In addition to the aforementioned Course 470, the following courses may be of interest:

• In Course 589, Hands-On Vulnerability Assessment: Protecting Your Organisation, you learn how to detect and respond to vulnerabilities that put your organisation at risk
• Course 537, Penetration Testing: Tools and Techniques, provides the skills to deploy ethical hacking to expose weaknesses in your organisation and use countermeasures
• Course 1220, Securing the Cloud: Hands-On, offers the knowledge and skills to analyse, manage and implement security for public and private clouds
• In Course 577, Building XML Web Services with Java: Hands-On, you develop and deploy Web services with Java and XML
• Course 2601, Programming .NET Web Services: A Comprehensive Hands-On Introduction, provides the skills to program the full range of .NET Web services with Visual Studio
• In Course 986, Developing Ajax Web 2.0 Applications: Hands-On, you learn how to develop Ajax-powered interactive and dynamic Web sites
• Course 424, Service-Oriented Architecture (SOA): A Comprehensive Hands-On Introduction, provides the skills to model, design and implement Service-Oriented Architecture (SOA)
• Course 289, Disaster Recovery Planning: Ensuring Business Continuity, offers the skills to create, document and test continuity arrangements for your organisation
• In Course 340, Project Management for Software Development, you gain the skills to deliver successful software projects that support your organisation's strategic goals
• Course 286, Project Risk Management, provides the skills to effectively manage project risk to deliver successful projects that meet stakeholder needs

UK Dates

US East Coast Dates