Web Security Testing - Security and Testing of Web Applications using OWASP Training Course

Android is an open platform for mobile devices such as handsets and tablets. It offers a wide range of security features designed to simplify the development of secure software; however, it also lacks certain security aspects found in other handheld platforms. This course provides a comprehensive overview of these features and highlights the most critical shortcomings to be aware of, particularly those related to the underlying Linux system, the file system, and the broader environment, as well as the use of permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are examined for both native code and Java applications, accompanied by recommendations and best practices to prevent and mitigate them. In many cases, the issues discussed are illustrated with real-world examples and case studies. Finally, the course offers a brief overview of how to use security testing tools to uncover programming bugs with security implications.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about the security solutions available on Android
• Gain proficiency in using various security features of the Android platform
• Acquire information on recent vulnerabilities affecting Java on Android
• Learn to identify typical coding mistakes and how to avoid them
• Develop an understanding of native code vulnerabilities on Android
• Recognise the serious consequences of insecure buffer handling in native code
• Understand architectural protection techniques and their inherent weaknesses
• Access sources and further reading materials on secure coding practices

Audience

Professionals

Building a secure networked application can be challenging, even for developers who have previously worked with various cryptographic components such as encryption and digital signatures. To help participants grasp the role and application of these cryptographic primitives, the course first establishes a solid foundation covering the core requirements of secure communication—secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also explores typical issues that can compromise these requirements, along with real-world solutions.

As cryptography is a critical pillar of network security, the course examines key algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than delving into complex mathematical theory, these topics are presented from a developer's perspective, featuring practical use cases and considerations such as the implementation of public key infrastructures. The course introduces security protocols across various domains of secure communication, with in-depth coverage of widely used protocol families like IPSEC and SSL/TLS.

Common cryptographic vulnerabilities are examined, including those affecting specific algorithms and protocols such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding Oracle, Lucky Thirteen, POODLE, and the RSA timing attack. For each vulnerability, practical implications and potential consequences are outlined, again avoiding deep mathematical detail.

Finally, as XML plays a central role in data exchange for networked applications, the course addresses XML security. This includes the use of XML in web services and SOAP messages, along with protective measures such as XML signature and XML encryption. It also highlights weaknesses in these protections and XML-specific security threats, including XML injection, XML External Entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Understand the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Have a practical understanding of cryptography
• Understand essential security protocols
• Understand some recent attacks against cryptosystems
• Get information about some recent related vulnerabilities
• Understand security concepts of Web services
• Get sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course covers the fundamentals of securing C/C++ code against malicious users who may exploit numerous vulnerabilities, particularly those related to memory management and input handling. The course explores the principles of writing secure code.

Even seasoned Java developers do not fully master the diverse security services offered by Java, nor are they always aware of the various vulnerabilities pertinent to Java-based web applications.

Beyond introducing the security components of the Standard Java Edition, this course addresses security challenges in Java Enterprise Edition (JEE) and web services. Discussions of specific services are preceded by foundational concepts in cryptography and secure communication. A range of practical exercises explores both declarative and programmatic security techniques within JEE, while also covering transport-layer and end-to-end security for web services. All components are demonstrated through hands-on exercises, allowing participants to experiment with the discussed APIs and tools first-hand.

The course also examines and explains the most common and severe programming flaws inherent to the Java language and platform, as well as web-related vulnerabilities. In addition to typical errors made by Java developers, the security issues covered include both language-specific concerns and those arising from the runtime environment. All vulnerabilities and associated attacks are illustrated through clear, easy-to-follow exercises, followed by recommended coding guidelines and potential mitigation strategies.

Participants attending this course will

• Understand the fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Grasp the security concepts underlying web services
• Gain proficiency in using various security features within the Java development environment
• Develop a practical understanding of cryptography
• Understand the security solutions provided by Java EE
• Identify common coding mistakes and learn how to avoid them
• Access information on recent vulnerabilities in the Java framework
• Acquire hands-on experience with security testing tools
• Obtain resources and further reading materials on secure coding practices

Audience

Developers

Description

The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities seen in other languages, such as C/C++. However, software developers and architects should not only understand how to leverage the various security features of the Java environment (positive security) but also remain aware of the numerous vulnerabilities that still affect Java development (negative security).

The introduction to security services is preceded by a concise overview of the foundations of cryptography, establishing a common baseline for understanding the purpose and operation of relevant components. These components are explored through a series of practical exercises, allowing participants to experiment with the discussed APIs firsthand.

The course also examines and explains the most frequent and serious programming flaws in the Java language and platform, covering both typical mistakes made by Java developers and issues specific to the language and its environment. All vulnerabilities and associated attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn to utilise various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to prevent them
• Receive information on recent vulnerabilities in the Java framework
• Access resources and further reading on secure coding practices

Audience

Developers

Today, numerous programming languages are available to compile code for the .NET and ASP.NET frameworks. While this environment offers powerful capabilities for security development, developers must understand how to apply architecture- and code-level programming techniques to implement the desired security functionality, avoid vulnerabilities, and limit their exploitation.

This course aims to equip developers through extensive hands-on exercises with the skills to prevent untrusted code from performing privileged actions, protect resources through robust authentication and authorisation, manage remote procedure calls, handle sessions, implement various solutions for specific functionality, and much more.

The introduction to different vulnerabilities begins by examining typical programming issues encountered when using .NET, while the discussion of ASP.NET vulnerabilities also covers various environment configurations and their impacts. Finally, the topic of ASP.NET-specific vulnerabilities addresses not only general web application security challenges but also specialised issues and attack methods, such as attacking ViewState or string termination attacks.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Learn to utilise various security features within the .NET development environment
• Gain practical knowledge in using security testing tools
• Learn about common coding mistakes and how to prevent them
• Receive information on recent vulnerabilities in .NET and ASP.NET
• Access resources and further readings on secure coding practices

Audience

Developers

This course introduces key security concepts, provides an overview of the nature of vulnerabilities irrespective of programming languages or platforms, and explains how to manage software security risks across the various phases of the software development lifecycle. While not delving deeply into technical specifics, it highlights some of the most compelling and pressing vulnerabilities across diverse software development technologies, outlines the challenges of security testing, and presents practical techniques and tools for identifying existing issues in code.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Gain insight into web vulnerabilities on both server and client sides
• Recognise the serious consequences of insecure buffer handling
• Be informed about recent vulnerabilities affecting development environments and frameworks
• Learn about common coding mistakes and how to avoid them
• Understand security testing approaches and methodologies

Audience

Managers

This course equips PHP developers with essential skills to build applications resilient against modern internet-based attacks. Web vulnerabilities are explored through PHP-focused examples that extend beyond the OWASP Top Ten, covering a range of injection attacks, script injections, session handling exploits in PHP, insecure direct object references, file upload issues, and more. PHP-specific vulnerabilities are introduced and categorised under standard vulnerability types such as missing or improper input validation, incorrect error and exception handling, misuse of security features, and time- and state-related issues. For the latter, we examine attacks like open_basedir circumvention, denial-of-service via magic floats, and hash table collision attacks. In each scenario, participants will become familiar with the most critical techniques and functions needed to mitigate these risks.

Special attention is given to client-side security, addressing security concerns related to JavaScript, Ajax, and HTML5. A variety of PHP security-related extensions are introduced, including hash, mcrypt, and OpenSSL for cryptography, as well as Ctype, ext/filter, and HTML Purifier for input validation. Best practices for hardening are presented in the context of PHP configuration (setting php.ini), Apache, and server-level settings. Finally, an overview is provided of various security testing tools and techniques available to developers and testers, including security scanners, penetration testing frameworks, exploit packs, sniffers, proxy servers, fuzzing tools, and static source code analyzers.

Both the introduction of vulnerabilities and the configuration practices are reinforced through numerous hands-on exercises. These demonstrate the real-world impact of successful attacks, illustrate how to apply mitigation techniques, and introduce the use of various extensions and tools.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Learn how to utilise various PHP security features
• Identify typical coding mistakes and learn how to avoid them
• Stay informed about recent vulnerabilities in the PHP framework
• Gain hands-on experience with security testing tools
• Access resources and further reading materials on secure coding practices

Audience

Developers

The Combined SDL core training offers insight into secure software design, development and testing through the Microsoft Secure Development Lifecycle (SDL). It provides a Level 100 overview of the fundamental building blocks of SDL, followed by design techniques to detect and rectify flaws in the early stages of the development process.

Focusing on the development phase, the course gives an overview of typical security-relevant programming bugs in both managed and native code. Attack methods are presented for the discussed vulnerabilities, along with associated mitigation techniques, all explained through a series of hands-on exercises that provide live hacking experiences for participants. An introduction to different security testing methods is followed by demonstrations of the effectiveness of various testing tools. Participants can understand how these tools operate through practical exercises, applying them to the vulnerable code previously discussed.

Participants attending this course will

Understand basic concepts of security, IT security and secure coding

Become familiar with the essential steps of the Microsoft Secure Development Lifecycle

Learn secure design and development practices

Learn about secure implementation principles

Understand security testing methodology

• Gain access to sources and further reading on secure coding practices

Audience

Developers, Managers

Having become familiar with vulnerabilities and attack methods, participants will explore the general approach and methodology for security testing, along with techniques designed to uncover specific vulnerabilities. Security testing begins with gathering information about the system (the Target of Evaluation, or ToC), followed by a comprehensive threat modelling exercise to identify and prioritise all potential threats, ultimately leading to a risk analysis-driven test plan that is both appropriate and effective.

Security evaluations can be conducted at various stages of the Software Development Life Cycle (SDLC). Accordingly, this course covers design reviews, code reviews, reconnaissance and information gathering, testing of implementations, and the testing and hardening of environments for secure deployment. A range of security testing techniques are explored in detail, including taint analysis, heuristic-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing. Participants will also be introduced to a variety of tools that can automate the security evaluation of software products. These tools are reinforced through hands-on exercises where participants apply them to analyse previously discussed vulnerable code. Numerous real-world case studies further enhance understanding of different types of vulnerabilities.

This course equips testers and QA staff with the practical skills needed to plan and execute security tests effectively, select and apply the most suitable tools and techniques to uncover even the most elusive security flaws, and immediately apply these skills in their day-to-day work.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Understand security testing approaches and methodologies
• Acquire practical expertise in using security testing techniques and tools
• Access resources and further reading materials on secure coding practices

Audience

Developers, Testers

Safeguarding web-accessible applications demands security professionals who are thoroughly prepared and constantly attuned to the latest attack methods and emerging trends. A wide array of technologies and environments now enables comfortable development of web applications. It is essential not only to understand the security issues specific to these platforms but also to recognise the general vulnerabilities that apply regardless of the development tools used.

This course provides an overview of applicable security solutions for web applications, with particular emphasis on understanding the most critical cryptographic measures to implement. Web application vulnerabilities are examined on both the server side (aligned with the OWASP Top Ten) and the client side, illustrated through relevant attack scenarios, followed by recommended coding practices and mitigation strategies to prevent associated risks. The topic of secure coding is concluded by exploring common security-related programming errors in areas such as input validation, improper use of security features, and code quality.

Testing plays a vital role in ensuring the security and resilience of web applications. Various approaches—from high-level auditing and penetration testing to ethical hacking—can be employed to uncover different types of vulnerabilities. However, if you aim to go beyond the easily discoverable low-hanging fruit, security testing must be meticulously planned and competently executed. Remember: security testers ideally need to identify all bugs to protect a system, whereas adversaries only require finding one exploitable vulnerability to breach it.

Practical exercises will deepen your understanding of web application vulnerabilities, programming mistakes, and, most importantly, mitigation techniques. Through hands-on trials with a range of testing tools—from security scanners and sniffers to proxy servers, fuzzing utilities, and static source code analyzers—this course delivers essential practical skills that can be applied immediately in the workplace.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Understand security testing approaches and methodologies
• Acquire practical knowledge of using security testing techniques and tools
• Be informed about recent vulnerabilities across various platforms, frameworks, and libraries
• Access resources and further readings on secure coding practices

Audience

Developers, Testers

In this instructor-led, live course in New Zealand, participants will learn how to formulate the appropriate security strategy to address the DevOps security challenge.

The EC-Council Certified DevSecOps Engineer (ECDE) is a practical course designed to equip professionals with the skills needed to embed security throughout the DevOps lifecycle, enabling secure software development from initial planning through to deployment.

This instructor-led, live training (available online or on-site) is tailored for intermediate-level software and DevOps professionals who aim to integrate security practices into CI/CD pipelines, ensuring secure and compliant code delivery.

By the conclusion of this training, participants will be able to:

• Grasp the core principles and practices of DevSecOps.
• Secure each stage of the CI/CD pipeline using automated tools.
• Implement secure coding standards and conduct vulnerability scanning.
• Prepare for the ECDE certification through hands-on labs and review sessions.

Course Format

• Interactive lectures and group discussions.
• Practical application of DevSecOps tools within simulated pipelines.
• Guided exercises focused on secure development and deployment.

Course Customisation Options

• To request a customised training session for this course based on your team's workflows or toolchain, please contact us to make arrangements.

This course in New Zealand aims to support the following: 

1. Help developers master secure coding techniques
2. Assist software testers in evaluating application security before deployment to the production environment
3. Enable software architects to understand the risks associated with applications
4. Support team leaders in establishing security baselines for developers
5. Aid web administrators in configuring servers to prevent misconfigurations

This course covers secure coding concepts and principles in Java through the Open Web Application Security Project (OWASP) methodology of testing. The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.