Help your team gain an in-depth understanding
of secure application development processes with
interactive Application security training.

Objectives

Understand and learn the security concepts in-depth to write secure codes.

Course Outcome

Understand security issues and use SCW platform to identify security issues in code and identify the right approach to prevent them.
Understand the importance of OWASP top 10 vulnerabilities along with SAST, and DAST processes
    Get familiar with tools like:
    • Security knowledge framework
    • WebGoat
    • Fiddler
    • BurpSuite
    • Owasp Juice shop
    • DVWA

Why Mazenet?



  • Expert Faculty

    Our Faculty comprises of 300+ SMEs with many years of experience. All our trainers possess a minimum of 8+ years of experience.

  • Proven Track Record

    We have served over 200+ global corporate clients, consistently maintaining a 99% success rate in meeting training objectives for 300+ technologies with quick turnaround time.

  • Blended Learning

    We provide course content over any platform that our clients prefer. You can choose an exclusive platform or a combination of ILT, VILT, and DLP.

  • Learning Paths

    The learning paths are very defined with clear benchmarks. Quantitative assessments at regular intervals measure the success of the learning program.

  • Case Study

    We have amassed over 10,000 case studies to support training delivery. Candidates will be trained to work on any real-time business vertical immediately after the training.

  • 24*7 Global Availability

    We are equipped to conduct training on any day, date or time. We have delivered training pan India, Singapore, North America, Hong Kong, Egypt and Australia.

Key Features

  • Customized Training Modules

    Training programs are highly flexible with module customizations to suit the requirements of the business units.

  • Certification

    The training can be supplemented with appropriate certifications that are recognized across the industry.

  • Multi-language Support

    Course content can be delivered in English, Spanish, Japanese, Korean or any other language upon request.

  • Personalized Training Reports

    Candidates are assessed individually at regular intervals and are provided unique learning suggestions to suit their learning calibre.

  • Industry-Oriented Training

    Industry-oriented training, completing which, candidates can be immediately deployed for billable projects.

  • Diverse Training Platforms

    Choose from Instructor-Led Training, Virtual Instructor-Led Training, Digital Learning Platform and Blended Training platforms

Course Preview

Application Security Basics

  • Why do we need Application Security?
  • Understanding OWASP TOP 10 2017 & 2021

Understanding the HTTP Protocol

  • Understanding HTTP/HTTPS protocol
    • Lab: Configure Burpsuite to intercept HTTP/HTTPS traffic
  • Understanding Requests and Responses
    • Lab: Manipulating HTTP headers
    • Demo: Host Header Injection
    • Mitigation Techniques
  • Attack Surface detection

Understanding the HTTP Protocol

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Testing for Error Handling
  • Business Logic Testing
  • Client-side Testing
  • API Testing

Security Misconfigurations

  • Common misconfigurations in Web Applications
  • Sensitive Information exposure and how tavoid it
  • Using Softwares with known vulnerabilities
  • Dem: Struts2 RCE

Insufficient Logging and Monitoring

  • Types of Logging
  • Introduction to F-ELK

Authentication Flaws

  • Password Complexity
    • Lab: Bruteforce using Burpsuite Intruder
  • Anti-Automation Techniques
    • Mitigating brute-force attacks
  • Password Storage
    • Crash Course on Cryptography
    • Introduction to HashiCorp Vault
  • Password Recovery – Best Practices
  • NoSQL Security
    • Lab: Bypass NoSQL Authentication
    • Mitigating NoSQL Injections
  • Understanding WebAuthn – Passwordless Authentication Framewor

Authorization Bypass Techniques

  • Parameter Manipulation
    • Common Pitfalls and Mitigations
  • API Authentication – JWT
    • Introduction to JWT
    • Lab : Cracking JWT tokens
    • Common JWT Attacks
    • Mitigating JWT Attacks
  • SSO Authentication – OAuth
    • Introduction to OAuth
    • OAuth Flow
    • Lab: Bypass OAuth
    • Common OAuth Attacks
    • Mitigating OAuth Attacks
  • RBAC Bypasses and mitigations
  • Mass Assignment Vulnerability
    • Understanding Mass Assigning/Auto binding
    • Lab: Exploiting Mass Assignment
    • Mitigating Mass Assignment vulnerability
  • Insecure Direct Object References (IDOR)
    • Mitigating IDORs
  • Local file Inclusion (LFI)
    • Lab: Download internal files
    • Mitigating LFI

Cross-Site Scripting (XSS)

  • Understanding XSS
  • Reflected XSS
    • Lab: Exploiting Reflected XSS
    • Demo: Session Hijacking
  • Stored XSS
    • Lab: Exploiting Stored XSS
  • How not to Mitigate XSS
    • Lab: Pitfalls in XSS Defenses
  • Mitigating XSS

Cross-Site Request Forgery Scripting

  • Understanding CSRF
    • Lab: Exploiting CSRF
  • Mitigating CSRF

Server-Side Request Forgery (SSRF)

  • Understanding SSRF
    • Lab: Exploiting SSRF
    • SSRF in Cloud
  • Mitigating SSRF

SQL Injection

  • Understanding SQL Injection
    • Lab: Error-Based SQL Injection
    • Lab: Blind SQL Injection
  • Mitigating SQL Injection
  • ORM Frameworks

XML External Entity (XXE) Attacks

  • Understanding XML Entities
  • Understanding XXE Vulnerability
    • Lab: Exploiting XXE Vulnerability
  • Mitigating XXE

Unrestricted File Uploads

  • File Upload functionality
    • Lab: Uploading webshells
  • Mitigating File upload vulnerability

Deserialization Vulnerabilities

  • What is Serialization?
  • PHP Object Serialization
    • Demo: PHP Object Deserialization
    • Lab: Exploit PHP Deserialization
  • Java Object Serialization
    • Demo: Java Binary Deserialization
    • Other Java Deserialization
  • Detecting deserialization functions
  • Mitigation for deserialization vulnerabilities

Client-Side Security Concerns

  • Understanding Same Origin Policy
  • Understanding CORS (Cross-Origin Resource Sharing)
    • Demo: CORS
    • Excessive CORS
  • Transport Layer Protection: HSTS
  • Securing Cookies
    • Demo: Clickjacking
  • Iframe Security
  • Content-Security Policy
  • Referrer Policy

Source Code Review

OWASP code review guidelines and case studies

  • Manual Code Review
    • SQL Injection
    • Identify vulnerable libraries
    • Identify Authorization Flaws
    • Log Injections
    • File Handling
    • Insecure Cryptography
  • Automated Code Review
    • Demo: FindSecBugs/CAT.NET
  • CTF