Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security

Course Description

Operating an Internet web site is a necessity in today’s eBusiness environment; however, there are many important CyberSecurity risks that come with web applications. Increasingly demanding regulatory requirements, litigation, and intensified attacks on Web-based applications, along with traditional information asset protection, have significantly raised the stakes on the importance of secure application design, testing, certification/accreditation, and audit. Additionally, CyberSpace (IT) applications have become more complex and are frequently rushed to market by poorly trained commercial CyberSpace (IT) product developers and internal developers, increasing the business risks and the challenges of applying and verifying reliable CyberSecurity safeguards.

In this information-packed workshop, we will cover key building blocks and significant risks, and systematically sort through the available CyberSecurity safeguards in today’s complex Web-enabled, multi-tiered applications.

Learning Objectives

  • Identify and assess CyberSecurity control points and software building blocks in a multi-tiered web application
  • Understand the risks and causes associated with different types of CyberAttacks on web applications
  • Evaluate different methods of CyberSecurity testing and CyberAuditing of web applications throughout the System Development Life Cycle (SDLC) and after they go into production
  • Gain familiarity with industry best practices for secure web application design and operation

Course Outline

Web Application Architectures and Building Blocks

  • Client/server architectures and middleware concepts
  • Web application building blocks and CyberSecurity control points: old and new
  • CyberSecurity risks affecting web enabled applications
  • HTTP protocol and state management fundamentals
  • Web application markup languages: HTML, XML, and more
  • SSL/TLS session encryption
  • Single sign-on (SSO) and federated authentication for web applications

Building CyberSecurity in the Web Application Software Development Life Cycle

  • Server-side Web page programming security risks and countermeasures
  • Client-side and Rich Internet Application (RIA) software security risks and safeguards*
  • Common web application attack vectors: cross-site scripting, SQL injection, buffer overflow, cross-site request forgery
  • OWASP, PCI DSS and other industry CyberSecurity standards and best practices for secure web application design, configuration, and operation
  • Importance of strong input validation and aggressive application CyberSecurity testing
  • Software change controls and configuration management
  • Software testing tools and techniques
  • Web application CyberSecurity vulnerability tracking resources and testing tools
  • Change control and CyberSecurity risks associated with remote Web application development and real-time site content changes
  • Important CyberSecurity add-ons: web application firewalls, SSL proxies, log management, and intrusion prevention systems
  • Tools and techniques for CyberSecurity assurance in application design

Web (HTTP) Server CyberSecurity and Audit*

  • Web server configuration: operational and CyberSecurity features
  • Comparing and contrasting CyberSecurity features for prominent web HTTP servers: Apache, Microsoft IIS
  • Perils and protections for remote Web application development
  • Tools, techniques, and checklists for securing and auditing Web servers

Web Application (Middleware) Server CyberSecurity and Audit*

  • Roles, architecture, and security control points for XML-oriented development environments and associated Web application servers
  • Declarative and programmatic CyberSecurity API calls
  • Assessing available CyberSecurity services and associated design best practices for the two prevailing Web application server environments: Java and Microsoft .NET
  • Web services and Service Oriented Architectures (SOA): facts and fiction
  • Tools and techniques for auditing CyberSecurity controls for Web application servers and web services

*Included in 3-day lecture/demo and 5-day hands-on class only.

Additional Information

Who Should Attend


Learning Level

Advanced Preparation

Recommended Prerequisites

Auditing IT Application Systems (AA02) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.

Session Duration

Online: N/A

On Site: Lecture: 2 or 3 days; Hands-On: 5 days

CPE Credits: Lecture: 16 or 24; Hands-on: 40