WEB APPLICATION SECURITY TESTING

Academic year: 2021

Introduction

Nowadays every organization faces the threat of attacks on web applications. Research shows that more than half of all data breaches are initiated through web applications. The goal of these attacks is information theft or abuse of resources. The reasons these attacks succeed can be broken down into technical and human causes. In this one-day course, your employees are made aware of the problems and dangers related to the security of web applications and are shown the basic steps for testing for them.

Intended audience

This course is intended for everyone in an organization involved in, or just curious about, testing the security of web applications, its potential impacts, and possible solutions. While all developers need to know the basics of web application security testing, application security testers need to know all the advanced techniques for finding and diagnosing security problems in web applications. Although the same techniques as used for functional testing can be applied, testing web application security requires special skills and insights from testers and developers. Participants of this course will learn how to scope a security test and prioritize the work, understand the benefits and drawbacks of both manual and automated tools, know which techniques are available and when to apply them, and learn how to determine the real risk value. To achieve these goals, students will assess the OWASP Top Ten security areas within a real-world application. This interactive course is taught by an experienced web application security tester.

Prerequisites

Although no prior experience with or knowledge about web application security is necessary, a basic understanding of the mechanisms of web applications and a basic awareness of web-related security is assumed.

On completion participants will

The aim of this course is to create awareness in the field of web application security testing. During the course, interaction and discussion are encouraged. After this training, your employees are better able to:

• Understand the specific problems in web applications
• Understand and describe the OWASP Top 10 vulnerabilities
• Understand the basics of testing for vulnerabilities in web applications
• Scope a security test and prioritize the work
• Understand the benefits and drawbacks of both manual and automated tools
• Understand the techniques available and when to apply them


Course outline (1 day) includes the following modules:

Understanding web applications

This module explains why security should be considered when developing or deploying web applications. It identifies where security problems in web applications currently occur. During the introduction a definition of web application security is given, and the trends influencing the current state of web application insecurity are explained. This module provides a high-level overview of how web applications work:

• Web applications explained
  o HTTP communication essentials
  o Client-side logic
    - HTML, CSS, JavaScript
    - Rich Internet Applications
  o Browsers and Safe Surfing
  o Sniffing and the problems of wireless networks
• Authentication, Authorization and Session management
  o Authentication mechanisms
    - Basic / Digest authentication
    - Form-based authentication
    - Other forms of authentication
  o Session management
• Misunderstandings about the security of web applications
  o Firewalls and network security
  o Authentication and access control
  o Encrypted connections and data encryption

Web application vulnerabilities explained

In order to successfully test the security of a system, an understanding of the potential weak points is essential. The OWASP Top 10 represents the areas where security mistakes are most frequently made. These areas can be used as a framework when evaluating the security of a web application and allow you to focus on the key design and implementation choices that most affect your application's security. This module explains, at a high level, how to test for the most common problems in web applications:

• Man-in-the-middle attacks
• Tools for testing
  o Browsers, proxies
  o Automated vulnerability scanners and specialized tools
• OWASP Top 10
  o Input validation errors
    - A1 – Cross-site scripting (XSS)
    - A2 – SQL injection
    - A10 – Unvalidated redirects and forwards
  o Broken identity management
    - A6 – Security misconfiguration
    - A7 – Insecure cryptographic storage
    - A9 – Insufficient transport layer protection

During this module, demonstrations are given by attacking a deliberately insecure application, and exercises are done on real-world applications.

Testing web applications

Although the same techniques as used for functional testing are applicable, additional skills are needed in web application security testing. Knowing the vulnerabilities, how to detect them and which tools to use, combined with a risk-based approach, is essential for a successful test execution. This module presents a high-level overview of the various testing techniques that can be employed when building a testing program.

• Differences with functional testing
• Black-box vs. white-box
• Test methodology and approach
  o Structured testing
  o Risk-based testing
  o Exploratory testing
• Integration into the software development lifecycle: when to test?
  o Waterfall-based environments
  o Agile-based environments
• Sources of information

How to continue your training

Web application security testing takes time to learn and needs constant practice. Not many people have access to web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised and to train in using them. All of this needs to happen in a safe and, more importantly, legal environment. Even if your intentions are good, you should never attempt to find vulnerabilities without permission. This module will provide options for setting up a safe testing environment and provide sources for further

Price information & course details

• Course hours: 9:00 to 17:30, with a lunch break from 12:30 to 13:30;
• ps_testware provides laptops and USB sticks for each participant;
• Course fee: EUR 595,- (includes handouts, refreshments and lunch);
• Group discount: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%);
• Flemish participants can obtain a 50% reduction via the “KMO-portefeuille” by using our accreditation number DV.O104235.

REGISTRATION FORM

Name of course: ________________________________________________________
Course location: ____________________________  Course Date(s): ________________
Course Fee: € __________ x __ = € _______
Exam Fee: € ___N/A____ x __ = € ________
TOTAL: = € _________

Registrant(s):

Full name                      Email                          Phone                  Exam
______________________________ ______________________________ ______________________ N/A
______________________________ ______________________________ ______________________ N/A
______________________________ ______________________________ ______________________ N/A

Organisation: __________________________________________________________
Contact person (if not registrant): ___________________  Phone No: ______________
Contact Email Address: ___________________________________________________
Invoice address: ________________________________________________________
______________________________________________________________________
Our reference number: ___________________________________________________
VAT number: ___________________________________________________________

I have read, understood and agreed to the ps_testware Terms and Conditions related to courses, as outlined in the accompanying document. Payment will be made based on the invoice received for this registration.

Signature: _________________________________  Date: ______________________

Please fax this completed form to either:

Fax: +32-16-35.93.88 for courses being held in Belgium
Fax: +33-3-59.30.42.02 for courses being held in France

Terms & Conditions ps_testware courses

A signed registration form, returned to one of the ps_testware offices, indicates that you have read and agreed to the terms and conditions set out below:

1. A place on any course is reserved only upon receipt of a signed course registration form accompanied by a purchase order (if applicable) for an amount equal to the quoted course fee.
2. Full payment for all course activities will be made according to the payment conditions indicated on the invoice.
3. ps_testware reserves the right to cancel or re-schedule courses. In the event of such a cancellation, all paid fees will be credited towards the next available course.
4. In the event of customer cancellation, 25% of the course fee will be invoiced if the registration is cancelled within 1 month before the course, and 100% of the course fee will be invoiced if the registration is cancelled within two weeks before the course. Course participants can be replaced at no cost. No refund of the exam fee is possible in case of (exam) cancellation.
5. Specific course details (introduction, intended audience, results, course outline, time table) can be found on our website (www.pstestware.com – services – training) or in the applicable course flyer;
6. Our courses can also be organized on demand, on site at your premises or online;
7. All courses include lunch and refreshments;
8. Course material and exams are in English. Courses are given in the applicable local language. However, when not all participants speak the same language, the English language is used;
9. All prices are excluding VAT;
10. The following group discount is applicable: 3rd participant (-5%), 4th participant (-10%), 5th and 6th participant (-15%);
11. If, in the case of ISTQB courses, an exam (certification) is chosen to be part of the course, the exam fee(s) must be included in the total quoted course fee. The exam fee for Foundation is €200,00 and for Advanced is €250,00;
