Course Description
Operating an Internet web site is a necessity in today’s eBusiness environment; however, web applications bring many important CyberSecurity risks with them. Increasingly demanding regulatory requirements, litigation, and intensified, damaging attacks on Web-based applications, along with traditional information asset protection, have significantly raised the stakes for secure application design, testing, certification/accreditation, and audit. Additionally, CyberSpace (IT) applications have become more complex and are frequently rushed to market by poorly trained commercial CyberSpace (IT) product developers and internal developers alike, increasing the business risks and the challenges of applying and verifying reliable CyberSecurity safeguards.
In this information-packed workshop, we will cover key building blocks and significant risks, and systematically sort through the available CyberSecurity safeguards in today’s complex Web-enabled, multi-tiered applications.
NOTE: Several demonstrations in the course will optionally afford the opportunity for students to try the associated procedures on the Internet with their own computers. Students are invited to bring their own computers to replicate some of the procedures and/or research useful resource sites on the Internet.
Learning Objectives
- Identify and assess CyberSecurity control points and software building blocks in a multi-tiered web application
- Understand the risks and causes associated with different types of CyberAttacks on web applications
- Evaluate different methods of CyberSecurity testing and CyberAuditing of web applications throughout the System Development Life Cycle (SDLC) and after they go into production
- Gain familiarity with industry best practices for secure web application design and operation
Course Outline
Web Application Audit Planning
- CyberSecurity risks to business applications
- Planning CyberSecurity audits for web applications
Auditing the Legacy/“Monolith” Web Application Environment
- Distributed computing models
- Web applications and control points
- Web applications and associated security architecture
- Client/Server—Middleware
- Virtualization
- Cloud computing
- Single sign-on for web applications
Auditing the Modern Cloud-Native Web Environment
- Service Oriented Architecture (SOA)
- Microservices
- Application programming interfaces (APIs)
- Container virtualization
- Serverless computing
- Documenting and analyzing distributed web applications
Securing and Auditing Your Web Storefront – HTTP Servers
- Hypertext transfer protocol (HTTP) and state management
- Web server host enumeration
- Auditing web (HTTP) server configuration/policies
- Auditing web server session encryption (SSL/TLS)
Auditing Secure Design and Testing of Web Applications
- CyberSecurity in software design and testing
- Common web application risks, attacks, and countermeasures
- CyberSecurity in software design and testing throughout the SDLC
Summary Wrap-up
- Summary audit points
- Sources of information, checklists, and tools
Additional Information
Who Should Attend
- IT Auditors
- Information Security Managers, Analysts, and Architects
- IT Architects
- Web Site System Administrators
- Application Developers and Analysts
- Consultants
Learning Level
Intermediate
Delivery
Group Live
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
Auditing IT Application Systems (AA02) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 3 days
CPE Credits: 24