Web Application Security Course

You will learn about the main security risks that exist today. In addition, you will learn techniques for the detection, validation, and mitigation of potential risks of applications, which will allow you to develop secure Web applications with GeneXus.
Classroom Training
Live online
Objective
The objective of this course is to create awareness among those involved in the development of software solutions with GeneXus about the importance of security and techniques for the detection, validation, and mitigation of potential risks in applications.

It is mainly focused on GeneXus users, from analysts, developers, and testers to project managers, who want to learn more about the main security risks existing today. 
The latest publication of the OWASP Top 10 ranking is used as a reference and guide for the course. This publication includes the most common risks facing applications today.

Oriented at
The course is oriented mainly at individuals who work with GeneXus, such as analysts, developers and testers, and also project managers who wish to be informed of the main security risks of today. 

Recommended background
A minimum of 6 months of development experience with GeneXus Web is recommended.

Modes
This level is available in the following modes:

Classroom
Classes are taught by a GeneXus instructor and students must attend all of them in person. The total duration of the course is 24 hours, and it is divided into six four-hour instances.

  • Requirements: Participants must attend the course with their own computers, which must support a wired or wireless connection to the testing environment that will be deployed. Access is through remote desktop.
  • Exam: The in-person exam takes place on a PC and includes multiple-choice and true/false questions intended to verify whether the student has actually comprehended the basic concepts dealt with during the course. The minimum passing grade is 70%. The corresponding certificate is awarded to all students who pass the exam.

Online
The total duration of the course is 24 hours, and it is divided into six four-hour instances.

  • Requirements: Participants will use their own equipment (laptops or PCs) with an Internet connection. To follow the course, attendees will be provided with access to a cloud-based work environment through a remote desktop. No GeneXus or other software licenses are required.
  • Exam: An exam will be administered on the last day of the course. This exam will consist of multiple-choice and true/false questions in order to assess whether the student has effectively learned the concepts explained during the course. The minimum passing grade is 70%. Candidates who pass the exam will receive the corresponding certificate (issued by the product manufacturer).


Methodology
The course has a theoretical part detailing the basic concepts necessary for dealing with security issues, as well as a practical part, which is the most extensive in terms of duration.
The following aspects are covered for each item in the OWASP Top 10:
  • Demo, on a sample application, for understanding the vulnerability.
  • Theoretical explanation of the risk involved.
  • What GeneXus does automatically to avoid or mitigate it.
  • What the developer should do to avoid it, and possible solutions.
  • How to detect whether any action is required.
  • Practice exercise in GeneXus to detect, exploit, solve and verify the problem.
Practice exercises are done by the attendees by accessing a virtual machine managed by the instructor through a LAN configured for the course.

Instructor
The course instructor will be one of the following professionals:
Gerardo Canedo, Engineer
IT Security and GeneXus Software Architecture Specialist.
Member of OWASP Uruguay chapter.
https://www.linkedin.com/in/gcanedo
Martín Marsicano, Engineer
GeneXus Software Architecture Consultant.
https://www.linkedin.com/in/martinmarsicano
Michell Mamrut
GeneXus Software Architecture Consultant.
https://www.linkedin.com/in/michellmamrut

Scope
As a reference and course guide, the latest publication of the OWASP Top 10 ranking is used, which features the most common risks facing applications today.
The main topics of the course are presented below:

Introduction 
Presentation of the instructor, topics to be addressed in the course, and work methodology.

GeneXus & OWASP TOP 10 2017
The topics to be addressed in the OWASP Top 10 are as follows:

1. A1- Injection
a. SQL
b. XML
c. JSON
d. OS (Operating system)
e. Source Code
2. A2- Broken Authentication
a. Authentication
b. Session Management
3. A3- Sensitive Data Exposure
a. Storage
b. Caches
c. Deployment
4. A4- XML External Entities (XXE)
5. A5- Broken Access Control
a. Insecure Direct Object References
b. Absence of Access Control to Functions
6. A6- Security Misconfiguration
a. KB Properties
b. Transmission
7. A7- Cross-Site Scripting (XSS)
8. A8- Insecure Deserialization
9. A9- Components with Known Vulnerabilities
10. A10- Insufficient Logging & Monitoring

Secure development cycle
Introduction to the tasks required for achieving an efficient and effective approach to security.

Materials
The course materials are delivered in digital format to all attendees by e-mail.
The work environment for practice is installed in a virtual machine accessed through remote desktop, which contains the following elements:
  • Examples of vulnerabilities in applications (WebGoat),
  • GeneXus and a working KB,
  • The application generated from the KB,
  • Support tools (ZAP, Firebug, others).
The testing environment is not delivered to course attendees because it is used exclusively for teaching the course.