SANS SEC522: Application Security: Securing Web Apps, APIs, and Microservices

در دوره SANS SEC522: Application Security: Securing Web Apps, APIs, and Microservices : دفاع از برنامه های کاربردی وب ضروریات امنیتی است برای همه کسانی که وظیفه پیاده سازی ، مدیریت یا محافظت از برنامه های وب را بر عهده دارند. اگر از برنامه های وب سنتی یا خدمات وب مدرن تر برای طیف گسترده ای از برنامه های کاربردی مانند برنامه های تلفن همراه پشتیبانی می کنید، این دوره برای شما مفید خواهد بود.

اهداف دوره SANS SEC522:

• چگونه می توان آسیب پذیری های رایج برنامه وب را به طور جامع برطرف کرد.
• نحوه اعمال برنامه های کاربردی طراحی و برنامه نویسی دفاعی برای جلوگیری از آسیب پذیری های امنیتی.
• پروتکل HTTP و فن آوری های جدید مانند HTTP/2 ، QUIC (HTTP/3) ، و وب سایت هایی که روی پشته پروتکل تأثیر می گذارند.
• چگونه می توان از اصول اولیه امنیت برنامه های کاربردی تحت وب “اعتبار بیشتر” فاصله گرفت و کنترل های امنیتی م effective را در برابر آسیب پذیری هایی که اعتبارسنجی ورودی به سادگی آنها را برطرف نمی کند ، پیاده کرد.
• نحوه سفارشی سازی ، پیاده سازی و حفظ استاندارد امنیت پایه برای چرخه عمر توسعه برنامه های تحت وب (چک لیست SANS SWAT) ، بهبود امنیت و کاهش قرار گرفتن در معرض آسیب پذیری های رایج مانند 10 ریسک برتر OWASP.
• چگونه می توان از حفاظت سطح HTTP برای استفاده از سیستم های دفاعی قوی در سمت سرویس گیرنده با ایجاد یک لایه دفاعی دیگر در بالای برنامه نویسی امن در سمت سرور استفاده کرد.
• نحوه طراحی معماری امنیتی بهتر و قوی تر که شامل جنبه های زیرساختی در فرایند طراحی باشد.
• چگونه می توان از ویژگی های امنیتی مدرن در مرورگر وب استفاده کرد و امنیت کلی برنامه را افزایش داد.

Date: 2022
Price: $8,275 USD
Publisher: SANS
Format: Video + eBooks
By: Jason Lam , Dr. Johannes Ullrich

Web Applications are increasingly distributed. What used to be a complex monolithic application hosted on premise has become a distributed set of services incorporating on-premise legacy applications along with interfaces to cloud-hosted and cloud-native components. Because of this coupled with a lack of security knowledge, web applications are exposing sensitive corporate data. Security professionals are asked to provide validated and scalable solutions to secure this content in line with best industry practices using modern web application frameworks. Attending this class will not only raise awareness about common security flaws in modern web applications, but it will also teach students how to recognize and mitigate these flaws early and efficiently. This course offers 20 Hands-On Labs + Defend the Flag Game in Section 6.

What You Will Learn

Not A Matter of “If” but “When”. Be Prepared For A Web Attack. We’ll Teach You How.

During the course, we demonstrate the risks of web applications and the extent of sensitive data that can be exposed or compromised. From there, we offer real world solutions on how to mitigate these risks and effectively evaluate and communicate residual risks.

After attending the class, students will be able to apply what they learned quickly and bring back techniques to not only better secure their applications, but also do so efficiently by adding security early in the software development life cycle, “shifting left” security decisions and testing, thus saving time, money, and resources for the organization.

“If you want to know everything about web apps and web app security, this is the perfect course!” – Chris Kansas, ThreatX

BUSINESS TAKEAWAYS:

• Comply with PCI DSS 6.5 requirements
• Reduce the overall application security risks, protect company reputation
• Adopt the “shifting left” mindset where security issues addressed early and quickly. This avoids the costly rework.
• Ability to adopt modern apps with API and microservices in a secure manner
• This course prepares students for the GWEB certification

SKILLS LEARNED:

• Defend against the attacks specified in OWASP Top 10
• Infrastructure security and configuration management
• Securely integrating cloud components into a web application
• Learn about Authentication and authorization mechanisms, including single sign-on patterns
• Understand cross-domain web request security
• Leverage protective HTTP headers
• Defending SOAP, REST and GraphQL APIs
• Securely implement Microservice architecture
• Defending against input related flaws such as SQL injection, XSS and CSRF

HANDS-ON TRAINING:

The provided VM lab environment contains realistic application environment to explore the attacks and the effects of the defensive mechanisms. The exercise is structured in a challenge format with hints available along the way. The practical hands-on exercises help students gain experience to hit the ground running back at the office. There are 20 labs in section 1 to section 5 of the class and in the last section, there is a capstone exercise called Defending the Flag where there is 3-4 hours of dedicated competitive exercise time.

• Section 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
• Section 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
• Section 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
• Section 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
• Section 5: Deserialization and DNS rebinding, GraphQL, API gateways and JSON, SRI and Log review
• Section 6: Defending the Flag capstone exercise

SYLLABUS SUMMARY:

• Section 1: Understand web application architecture, vulnerability and configuration management.
• Section 2: Detect, mitigate and defend input related threats.
• Section 3: Authentication, Authorization and Cryptography
• Section 4: Front end security with modern scripting engines
• Section 5: REST & GraphQL API with microservice architecture
• Section 6: Defending the Flag exercise