Additional Information

Additional Information

Account Navigation

Account Navigation

Currency - All prices are in AUD

Currency - All prices are in AUD
 Loading... Please wait...

CSWAE - Secure Web Application Engineer


CSWAE - Secure Web Application Engineer


Product Description


The Certified Secure Web Application Engineer 4 day course is designed to equip students with the knowledge and tools needed to identify and defend against security vulnerabilities in software applications. Students will put theory to practice by completing real world labs that include testing applications for software vulnerabilities, identifying weaknesses in design through architecture risks analysis and threat modeling, conducting secure code reviews and more.
On the final day of training, students will complete a real world hacking exercise on a live web application.
These secure coding skills are in desperate need today because the internet is one of the most dangerous places to do business; there are countless cases of valuable information being stolen from businesses because there was a vulnerability in their web applications. When programmers don't understand the principles of secure coding, doors are open to those who do.


Students will:

• Perform web application penetration testing to expose vulnerabilities.
• Design & implement controls to defend against application vulnerabilities.
• Integrate security best practices into the software development lifecycle
• Be ready to sit for the C)SWAE certification exam.


• Proficiency in web app programming in a language of your choice


• Software Engineer
• Web Application Developer
• Mobile App Developer
• Security Consultant


Module 1 : Web Application Security

  • Web Application Security
  • Web Application Technologies and Architecture
  • Secure Design Architecture
  • Application Flaws and Defense Mechanisms
  • Defense In-Depth
  • Secure Coding Principles
  • Lab: Environment Setup – Lab

Module 2: OWASP TOP 10

  • The Open Web Application Security Project (OWASP)
  • OWASP TOP 10 2013
  • Lab: Environment Setup – Lab

Module 3: Threat Modeling & Risk Management

  • Threat Modeling Tools & Resources
  • Identify Threats
  • Identify Countermeasures
  • Choosing a Methodology
  • Post Threat Modeling
  • Analyzing and Managing Risk 
  • Incremental Threat Modeling
  • Identify Security Requirements
  • Understand the System
  • Root Cause Analysis
  • Lab: Threat Modeling and Architecture Risk Analysis
  • Lab: Quick Threat Modeling (the Doctor use case)

Module 4: Application Mapping

  • Application Mapping
  • Web Spiders
  • Web Vulnerability Assessment 
  • Discovering other content
  • Application Analysis
  • Application Security Toolbox
  • Setting up a Testing Environment
  • Lab: Web Application Mapping using Ethical Hacking Tools

Module 5: Authentication and Authorization attacks

  • Authentication
  • Different Types of Authentication (HTTP, Form)
  • Client Side Attacks
  • Authentication Attacks
  • Authorization
  • Modeling Authorization
  • Least Privilege
  • Access Control
  • Authorization Attacks
  • Access Control Attacks
  • User Management
  • Password Storage 
  • User Names
  • Account Lockout 
  • Passwords
  • Password Reset
  • Client-Side Security
  • Anti-Tampering Measures 
  • Code Obfuscation
  • Anti-Debugging
  • Lab: Client Side, Authentication and Authorization Attacks

Module 6: Session Management Attacks

  • Session Management Attacks
  • Session Hijacking
  • Session Fixation
  • Environment Configuration Attacks
  • Lab: Session Management, Access Controls and Configuration Attacks

Module 7: Application Logic Attacks

  • Application Logic Attacks
  • Information Disclosure Exploits
  • Data Transmission Attacks
  • Lab: Application Logic, Information Disclosure and Data Transmission Attacks

Module 8: Data Validation

  • Input and Output Validation 
  • Trust Boundaries 
  • Common Data Validation Attacks 
  • Data Validation Design 
  • Validating Non-Textual Data 
  • Validation Strategies & Tactics
  • Errors & Exception Handling 
  • Structured Exception Handling 
  • Designing for Failure
  • Designing Error Messages 
  • Failing Securely 
  • Lab: Cert Java Oracle Secure Coding IDS

Module 9: AJAX Attacks

  • AJAX Attacks
  • Web Services Attacks
  • Application Server Attacks
  • Lab: AJAX, Web Services and Server Attacks

Module 10: Code Review and Security Testing

  • Insecure Code Discovery and Mitigation
  • Testing Methodology
  • Client Side Testing
  • Session Management Testing
  • Developing Security Testing Scripts
  • Pentesting a Web Application
  • Lab: Performing Code review and Building Security Test Scripts

Module 11: Web Application Penetration Testing

  • Insecure Code Discovery and Mitigation
  • Benefits of a Penetration Test
  • Current Problems in WAPT
  • Learning Attack Methods
  • Methods of Obtaining Information
  • Passive vs. Active Reconnaissance
  • Footprinting Defined
  • Introduction to Port Scanning
  • OS Fingerprinting
  • Web Application Penetration Methodologies
  • The Anatomy of a Web Application Attack
  • Fuzzers
  • Lab: Performing Web Application PenTesting steps

Module 12: Secure SDLC

  • Secure-Software Development Lifecycle (SDLC) 
  • Methodology 
  • Web Hacking Methodology
  • Lab: Case Study and Web Penetration Testing Assignment

Module 13: Cryptography

  • Overview of Cryptography
  • Key Management 
  • Cryptography Application 
  • True Random Generators (TRNG)
  • Symmetric/Asymmetric Cryptography 
  • Digital Signatures and Certificates 
  • Hashing Algorithms
  • XML Encryption and Digital Signatures 
  • Authorization Attacks
  • Lab: Encryption in Secure Coding (Example for Java, PHP and .NET)

Appendix: Labs

  • Lab 1: Spoofing Authentication Cookies
  • Lab 2: How to Perform Cross Site Scripting (XSS)
  • Lab 3: Injection Flaws
    • Exercise 1: SQL Injection
    • Exercise 2: String SQL Injection 
    • Exercise 3: String SQL Injection
  • Lab 4: Improper Error Handling
    • Exercise 1 - Fail Open Authentication
  • Lab 5: Parameter Tampering
  • Lab 6: Denial of Service
  • Lab 7: Writing Java Secure Code
    • Input Validation and Data Sanitization (IDS)
    • IDS00-J. Sanitize untrusted data passed across a trust boundary
    • Input Validation and Data Sanitization (IDS)
    • IDS02-J. Canonicalize path names before validating them
    • Input Validation and Data Sanitization (IDS)
    • IDS03-J. Do not log unsanitized user input
    • Input Validation and Data Sanitization (IDS)
    • IDS04-J. Safely extract files from ZipInputStream
    • Input Validation and Data Sanitization (IDS)
    • IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method

Product Reviews

Find Similar Products by Category