Unit 1: Application Types
- Client/Server Applications
- Components of Client/Server Applications (Logical & Physical Architecture)
- Web Applications
- About Web Applications
- Technologies used to create Web Applications
- Components of Web Application Architecture
- Data Warehouse Applications
- About DW Applications
- Uses
- Physical & Logical Architecture
- Management Information Systems
Unit 2: Web application security
- Introduction to web applications
- Primer
- OWASP Top 10 vulnerabilities
- Mitigation techniques
- Web Application Security Fundamentals
- What Do We Mean By Security?
- The Foundations of Security
- Threats, Vulnerabilities, and Attacks Defined
- How to Build a Secure Web Application
- Secure Your Network, Host, and Application
- Securing Your Network
- Network Component Categories
- Securing Your Host
- Host Configuration Categories
- Securing Your Application
- Application Vulnerability Categories
- Security Principles
Unit 3: Threats and Countermeasures
- Overview: Anatomy of an Attack
- Survey and Assess
- Exploit and Penetrate
- Escalate Privileges
- Maintain Access
- Deny Service
- Understanding Threat Categories
- STRIDE
- STRIDE Threats and Countermeasures
- Network Threats and Countermeasures
- Information Gathering
- Sniffing
- Spoofing
- Session Hijacking
- Denial of Service
- Host Threats and Countermeasures
- Viruses, Trojan Horses, and Worms
- Footprinting
- Password Cracking
- Denial of Service
- Arbitrary Code Execution
- Unauthorized Access
- Application Threats and Countermeasures
- Input Validation
- Buffer Overflows
- Cross-Site Scripting
- SQL Injection
- Canonicalization
- Authentication
- Network Eavesdropping
- Brute Force Attacks
- Dictionary Attacks
- Cookie Replay Attacks
- Credential Theft
- Authorization
- Elevation of Privilege
- Disclosure of Confidential Data
- Data Tampering
- Luring Attacks
- Configuration Management
- Unauthorized Access to Administration Interfaces
- Unauthorized Access to Configuration Stores
- Retrieval of Plaintext Configuration Secrets
- Lack of Individual Accountability
- Over-privileged Application and Service Accounts
- Sensitive Data
- Access to Sensitive Data in Storage
- Network Eavesdropping
- Data Tampering
- Session Management
- Session Hijacking
- Session Replay
- Man in the Middle Attacks
- Cryptography
- Poor Key Generation or Key Management
- Weak or Custom Encryption
- Checksum Spoofing
- Parameter Manipulation
- Query String Manipulation
- Form Field Manipulation
- Cookie Manipulation
- HTTP Header Manipulation
- Exception Management
- Attacker Reveals Implementation Details
- Denial of Service
- Auditing and Logging
- User Denies Performing an Operation
- Attackers Exploit an Application Without Leaving a Trace
- Attackers Cover Their Tracks
Unit 4: Mobile application security
- Mobile Platforms
- Top issues facing mobile devices
- Secure Mobile application development
- Android security
- iOS Security
- Windows, Blackberry & Java Mobile Security
- Symbian OS security
- WebOS security
- WAP and mobile HTML Security
- Bluetooth security
- SMS Security
- Mobile Geolocation
- Enterprise Security on Mobile OS
- Mobile malware
- Mobile security penetration testing
- Encryption and authentication
- Mobile privacy concerns
Unit 5: Threat Modeling
- Overview
- Threat Modeling Principles
- The Process
- The Output
- Step 1. Identify Assets
- Step 2. Create an Architecture Overview
- Identify What the Application Does
- Create an Architecture Diagram
- Identify the Technologies
- Step 3. Decompose the Application
- Identify Trust Boundaries
- Identify Data Flow
- Identify Entry Points
- Identify Privileged Code
- Document the Security Profile
- Step 4. Identify the Threats
- Identify Network Threats
- Identify Host Threats
- Identify Application Threats
- Using Attack Trees and Attack Patterns
- Step 5. Document the Threats
- Step 6. Rate the Threats
- Risk = Probability * Damage Potential
- High, Medium, and Low Ratings
- DREAD
- What Comes After Threat Modeling?
- Generating a Work Item Report
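Steps 5 and 6 and the work item report, carried through in Python as an added example (not part of this outline or of the Microsoft "Threats and Countermeasures" guide whose chapter headings it follows). The threat record fields, the 1 to 3 scale per DREAD category with 5-7 Low, 8-11 Medium and 12-15 High bands, and the 1 to 10 scales for Probability and Damage Potential are assumed here from the Microsoft guide's convention; the `Threat` class, function names and the four threat entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Per-category DREAD ratings (assumed convention): 3 = High, 2 = Medium, 1 = Low.
HIGH, MEDIUM, LOW = 3, 2, 1


@dataclass
class Threat:
    """One documented threat (Step 5): what it targets, how it is rated, how it is mitigated."""
    title: str
    target: str                 # component or asset the threat applies to
    probability: int            # 1..10, simple model: Risk = Probability * Damage Potential
    damage_potential: int       # 1..10, same simple model
    damage: int                 # DREAD: D
    reproducibility: int        # DREAD: R
    exploitability: int         # DREAD: E
    affected_users: int         # DREAD: A
    discoverability: int        # DREAD: D
    countermeasures: List[str] = field(default_factory=list)


def simple_risk(t: Threat) -> int:
    """Step 6, first approach: Risk = Probability * Damage Potential (range 1..100)."""
    assert 1 <= t.probability <= 10 and 1 <= t.damage_potential <= 10
    return t.probability * t.damage_potential


def dread_score(t: Threat) -> int:
    """Step 6, DREAD approach: sum of the five category ratings (range 5..15)."""
    parts = (t.damage, t.reproducibility, t.exploitability,
             t.affected_users, t.discoverability)
    assert all(LOW <= p <= HIGH for p in parts), "each DREAD rating must be 1..3"
    return sum(parts)


def dread_rating(score: int) -> str:
    """Map a DREAD total onto the assumed bands: 12-15 High, 8-11 Medium, 5-7 Low."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def work_item_report(threats: List[Threat]) -> List[Dict[str, object]]:
    """Step 7-style output: one work item per threat, highest-rated first."""
    rows = []
    for t in threats:
        score = dread_score(t)
        rows.append({
            "title": t.title,
            "target": t.target,
            "dread_score": score,
            "rating": dread_rating(score),
            "simple_risk": simple_risk(t),
            "countermeasures": list(t.countermeasures),
        })
    # Sort by DREAD total, then by the simple risk figure, so ties still order sensibly.
    return sorted(rows, key=lambda r: (r["dread_score"], r["simple_risk"]), reverse=True)


# Constructed sample threats for a small web application (illustration only).
SAMPLE_THREATS = [
    Threat("SQL injection in login form", "Login page / user database",
           probability=8, damage_potential=9,
           damage=HIGH, reproducibility=HIGH, exploitability=MEDIUM,
           affected_users=HIGH, discoverability=MEDIUM,
           countermeasures=["Parameterised queries", "Input validation", "Least-privilege DB account"]),
    Threat("Attacker reveals implementation details", "Unhandled exception page",
           probability=7, damage_potential=2,
           damage=LOW, reproducibility=HIGH, exploitability=HIGH,
           affected_users=LOW, discoverability=HIGH,
           countermeasures=["Generic error pages", "Log details server-side only"]),
    Threat("Cookie replay attack", "Session cookie",
           probability=5, damage_potential=6,
           damage=MEDIUM, reproducibility=MEDIUM, exploitability=MEDIUM,
           affected_users=MEDIUM, discoverability=LOW,
           countermeasures=["HTTPS only", "Secure/HttpOnly flags", "Short session lifetime"]),
    Threat("Brute force against admin interface", "Administration login",
           probability=4, damage_potential=9,
           damage=HIGH, reproducibility=HIGH, exploitability=LOW,
           affected_users=LOW, discoverability=MEDIUM,
           countermeasures=["Account lockout", "Strong password policy", "Restrict by network"]),
]


if __name__ == "__main__":
    for row in work_item_report(SAMPLE_THREATS):
        print(f"{row['rating']:<6} DREAD={row['dread_score']:>2} "
              f"P*D={row['simple_risk']:>3}  {row['title']} ({row['target']})")
```

The report is the artefact the next step hands to developers: each row carries the rating that decides priority and the countermeasures that become the work items. Keep both figures in the record; the simple Probability times Damage figure is quick to assign early, and the DREAD total is the one to defend in review because each category can be argued separately.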
Unit 6: Application security standards and checklist
- NIST application security checklist
- OWASP security checklist
- OWASP Application Security Verification Standard