COURSE OBJECTIVE:
After completing this course you should be able to:
• Understand secure SDLC and secure SDLC models in-depth
• Apply the knowledge of OWASP Top 10, threat modelling, SAST and DAST
• Capture security requirements of an application in development
• Define, maintain and enforce application security best practices
• Perform manual and automated code review of application
• Conduct application security testing for web applications to assess the vulnerabilities
• Drive the development of a holistic application security program
• Rate the severity of defects and publish comprehensive reports detailing associated risks and mitigations
• Work in teams to improve security posture
• Use Application security scanning technologies such as AppScan, Fortify, WebInspect, static application security testing (SAST), dynamic application security testing (DAST), single sign-on, and encryption
• Follow secure coding standards that are based on industry-accepted best practices such as the OWASP Guide or CERT Secure Coding to address common coding vulnerabilities
• Create a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD)
TARGET AUDIENCE:
Individuals involved in developing, testing, managing, or protecting a wide range of applications, or individuals hoping to become application security engineers/analysts/testers
COURSE PREREQUISITES:
To be eligible to apply to sit for the CASE exam the candidate must either:
• Attend the official EC-Council CASE training through an accredited EC-Council Partner (Accredited Training Centre/ iWeek/ iLearn) (All candidates are required to pay the USD100 application fee unless your training fee already includes this) or
• Be an ECSP (.NET/ Java) member in good standing or
• Have a minimum of 2 years working experience in InfoSec/ Software domain or
• Have any other industry equivalent certifications such as GSSP .NET/Java
COURSE CONTENT:
Understanding Application Security, Threats and Attacks
• What is a Secure Application
• Need for Application Security
• Most Common Application Level Attacks
• Why Applications become Vulnerable to Attacks
• What Constitutes Comprehensive Application Security?
• Insecure Application: A Software Development Problem
• Software Security Standards, Models and Frameworks
Security Requirements Gathering
• Importance of Gathering Security Requirements
• Security Requirement Engineering (SRE)
• Abuse Case and Security Use Case Modeling
• Abuser and Security Stories
• Security Quality Requirements Engineering (SQUARE)
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
Secure Application Design and Architecture
• Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
• Secure Application Design and Architecture
• Goal of Secure Design Process
• Secure Design Actions
• Secure Design Principles
• Threat Modeling
• Decompose Application
• Secure Application Architecture
Secure Coding Practices for Input Validation
• Input Validation
• Why Input Validation?
• Input Validation Specification
• Input Validation Approaches
• Input Filtering
• Secure Coding Practices for Input Validation: Web Forms
• Secure Coding Practices for Input Validation: ASP.NET Core
• Secure Coding Practices for Input Validation: MVC
Secure Coding Practices for Authentication and Authorization
• Authentication and Authorization
• Common Threats on User Authentication and Authorization
• Authentication and Authorization: Web Forms
• Authentication and Authorization: ASP.NET Core
• Authentication and Authorization: MVC
• Authentication and Authorization Defensive Techniques: Web Forms
• Authentication and Authorization Defensive Techniques: ASP.NET Core
• Authentication and Authorization Defensive Techniques: MVC
Secure Coding Practices for Cryptography
• Cryptography
• Ciphers
• Block Ciphers Modes
• Symmetric Encryption Keys
• Asymmetric Encryption Keys
• Functions of Cryptography
• Use of Cryptography to Mitigate Common Application Security Threats
• Cryptographic Attacks
• Techniques Attackers Use to Steal Cryptographic Keys
• What Should You Do to Secure .NET Applications against Cryptographic Attacks?
• .NET Cryptographic Name Spaces
• .NET Cryptographic Class Hierarchy
• Symmetric Encryption
• Symmetric Encryption: Defensive Coding Techniques
• Asymmetric Encryption
• Asymmetric Encryption: Defensive Coding Techniques
• Hashing
• Digital Signatures
• Digital Certificates
• XML Signatures
• ASP.NET Core Specific Secure Cryptography Practices
Secure Coding Practices for Session Management
• What Are Exceptions/Runtime Errors?
• Need for Secure Error/Exception Handling
• Consequences of Detailed Error Message
• Exposing Detailed Error Messages
• Considerations: Designing Secure Error Messages
• Secure Exception Handling
• Handling Exceptions in an Application
• Defensive Coding Practices against Information Disclosure
• Defensive Coding Practices against Improper Error Handling
• ASP.NET Core: Secure Error Handling Practices
• Secure Auditing and Logging
• Tracing .NET
• Auditing and Logging Security Checklists
Static and Dynamic Application Security Testing (SAST and DAST)
• Static Application Security Testing
• Manual Secure Code Review for Most Common Vulnerabilities
• Code Review: Check List Approach
• SAST Finding
• SAST Report
• Dynamic Application Security Testing
• Automated Application Vulnerability Scanning Tools
• Proxy-based Security Testing Tools
• Choosing between SAST and DAST
Secure Deployment and Maintenance
• Secure Deployment
• Prior Deployment Activity
• Deployment Activities: Ensuring Security at Various Levels
• Ensuring Security at Host Level
• Ensuring Security at Network Level
• Ensuring Security at Application Level
• Web Application Firewall (WAF)
• Ensuring Security at IIS Level
• Sites and Virtual Directories
• ISAPI Filters
• Ensuring Security at .NET Level
• Ensuring Security at SQL Server Level
• Security Maintenance and Monitoring
FOLLOW ON COURSES:
Not available. Please contact.