COURSE OBJECTIVE:
After completing this course you should be able to:
• Understand secure SDLC and secure SDLC models in depth
• Apply the knowledge of OWASP Top 10, threat modelling, SAST and DAST
• Capture security requirements of an application in development
• Define, maintain and enforce application security best practices
• Perform manual and automated code review of applications
• Conduct application security testing for web applications to assess their vulnerabilities
• Drive the development of a holistic application security program
• Rate the severity of defects and publish comprehensive reports detailing associated risks and mitigations
• Work in teams to improve security posture
• Use application security scanning technologies such as AppScan, Fortify, WebInspect, static application security testing (SAST), dynamic application security testing (DAST), single sign-on, and encryption
• Follow secure coding standards based on industry-accepted best practices such as the OWASP Guide or CERT Secure Coding to address common coding vulnerabilities
• Create a software source code review process that is part of the development cycle (SDLC, Agile, CI/CD)
TARGET AUDIENCE:
Individuals involved in developing, testing, managing, or protecting a wide range of applications, or individuals hoping to become application security engineers, analysts or testers.
COURSE PREREQUISITES:
To be eligible to apply to sit for the CASE exam the candidate must either:
• Attend the official EC-Council CASE training through an accredited EC-Council Partner (Accredited Training Centre / iWeek / iLearn). All candidates are required to pay the USD 100 application fee unless their training fee already includes it; or
• Be an ECSP (.NET / Java) member in good standing; or
• Have a minimum of 2 years working experience in the InfoSec / Software domain; or
• Hold any other industry-equivalent certification such as GSSP .NET / Java
COURSE CONTENT:
Understanding Application Security, Threats and Attacks
• What is a Secure Application
• Need for Application Security
• Most Common Application Level Attacks
• Why Applications become Vulnerable to Attacks
• What Constitutes Comprehensive Application Security?
• Insecure Application: A Software Development Problem
• Software Security Standards, Models and Frameworks

Security Requirements Gathering
• Importance of Gathering Security Requirements
• Security Requirement Engineering (SRE)
• Abuse Case and Security Use Case Modeling
• Abuser and Security Stories
• Security Quality Requirements Engineering (SQUARE)
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Secure Application Design and Architecture
• Relative Cost of Fixing Vulnerabilities at Different Phases of the SDLC
• Secure Application Design and Architecture
• Goal of the Secure Design Process
• Secure Design Actions
• Secure Design Principles
• Threat Modeling
• Decompose Application
• Secure Application Architecture

Secure Coding Practices for Input Validation
• Input Validation
• Why Input Validation?
• Input Validation Specification
• Input Validation Approaches
• Input Filtering
• Secure Coding Practices for Input Validation: Web Forms
• Secure Coding Practices for Input Validation: ASP.NET Core
• Secure Coding Practices for Input Validation: MVC

Secure Coding Practices for Authentication and Authorization
• Authentication and Authorization
• Common Threats on User Authentication and Authorization
• Authentication and Authorization: Web Forms
• Authentication and Authorization: ASP.NET Core
• Authentication and Authorization: MVC
• Authentication and Authorization Defensive Techniques: Web Forms
• Authentication and Authorization Defensive Techniques: ASP.NET Core
• Authentication and Authorization Defensive Techniques: MVC

Secure Coding Practices for Cryptography
• Cryptography
• Ciphers
• Block Cipher Modes
• Symmetric Encryption Keys
• Asymmetric Encryption Keys
• Functions of Cryptography
• Use of Cryptography to Mitigate Common Application Security Threats
• Cryptographic Attacks
• Techniques Attackers Use to Steal Cryptographic Keys
• What You Should Do to Secure .NET Applications against Cryptographic Attacks
• .NET Cryptographic Namespaces
• .NET Cryptographic Class Hierarchy
• Symmetric Encryption
• Symmetric Encryption: Defensive Coding Techniques
• Asymmetric Encryption
• Asymmetric Encryption: Defensive Coding Techniques
• Hashing
• Digital Signatures
• Digital Certificates
• XML Signatures
• ASP.NET Core Specific Secure Cryptography Practices

Secure Coding Practices for Session Management
• What are Exceptions/Runtime Errors?
• Need for Secure Error/Exception Handling
• Consequences of Detailed Error Messages
• Exposing Detailed Error Messages
• Considerations: Designing Secure Error Messages
• Secure Exception Handling
• Handling Exceptions in an Application
• Defensive Coding Practices against Information Disclosure
• Defensive Coding Practices against Improper Error Handling
• ASP.NET Core: Secure Error Handling Practices
• Secure Auditing and Logging
• Tracing .NET
• Auditing and Logging Security Checklists

Static and Dynamic Application Security Testing (SAST and DAST)
• Static Application Security Testing
• Manual Secure Code Review for Most Common Vulnerabilities
• Code Review: Checklist Approach
• SAST Findings
• SAST Report
• Dynamic Application Security Testing
• Automated Application Vulnerability Scanning Tools
• Proxy-based Security Testing Tools
• Choosing between SAST and DAST

Secure Deployment and Maintenance
• Secure Deployment
• Prior Deployment Activity
• Deployment Activities: Ensuring Security at Various Levels
• Ensuring Security at Host Level
• Ensuring Security at Network Level
• Ensuring Security at Application Level
• Web Application Firewall (WAF)
• Ensuring Security at IIS Level
• Sites and Virtual Directories
• ISAPI Filters
• Ensuring Security at .NET Level
• Ensuring Security at SQL Server Level
• Security Maintenance and Monitoring
FOLLOW ON COURSES:
Not available. Please contact us.