
Application Security Training Suite

Aligned with Industry recommended Standards & Practices


Customized Delivery as per Business Role & Scope
“There is only one way to keep your product plans safe and that is by having a trained, aware, and conscientious workforce”
- Kevin Mitnick, ‘The Art of Deception’

Online LAB
Case Studies
Checklist
Cert Attempts

Awareness | Web Security Testing | Secure Programming


Secure SDLC | Application Security Testing

www.hack2secure.com | training@hack2secure.com
Application Security Training Suite
Customized Delivery as per Business Role & Scope
Hands-On | 90+ Hours, 15 Days | 5 Sections | 4 Certs | Online LAB Access

Hack2Secure’s “Application Security Training Suite” is a vendor-independent, industry-aligned, end-to-end Application Security training program that is fully customizable to business needs. The AppSec Training Suite (ASTS) provides a flexible framework for a complete team or organization, enabling the workforce to learn, explore and implement Application Security practices and controls according to their roles and business responsibilities.
Broken into 5 Sections, this 15-day flexible Application Security training program lets professionals adopt and attend the modules that match their needs and interests. All Sections are logically scoped around organizational roles and are equipped with real-world case studies, resources and a dedicated Online Lab to ensure a core-level understanding of the required security concepts, controls and practices.
ASTS also covers the curriculum of 4 H2S Certification Programs, delivered and proctored globally through PearsonVUE, across Application Security domains, for proper assessment of an individual’s knowledge and assurance of their professional skills.

Duration and suggested audience per Section. The role columns are Developers, Architects, Testers / Consultants (QE / QA) and Management (Sr. Engg. / Executives); each role is marked per Section as Recommended, Good to Learn or Optional.

Section                          Duration
App. Security Awareness          3 Days
Web Security Testing             4 Days
Secure Coding Practices          3 Days
Secure SDLC                      2 Days
App. Security Testing            3 Days

Legend: Recommended | Good to Learn | Optional

For more details, www.hack2secure.com | training@hack2secure.com


What does each Participant receive?
 Instructor-Led Classroom Session
 Soft Deliverables
o Program Slides, Reference Documents
 Online Lab Access
o On Training Day
 Access to Self-Paced Online Session
 Hack2Secure’s Cert Attempt Voucher
o Exam Voucher for any Hack2Secure Cert of Choice
 1 Attempt, 6 months Validity
 Globally Proctored and Delivered Exam by Pearson VUE

Key Take Away

AppSec Awareness
 InfoSec Concepts & Definitions
o Core Security Concepts
o Security Design Principles
 Protocols:
o HTTP, HTTPS
o SSL/TLS
 OWASP Top 10 Web Security Risks
 Secure SDLC
o Process, Requirements and Use Cases
o Standards & Frameworks
 Common Vulnerability Scoring System (CVSS)

Web Security Testing
 Web Reconnaissance
o Active & Passive Methods
o Google Hacking
 Scanning, Fingerprinting, Spidering
 Attacks on A.A.A.
 Session Management Flaws
 Injection Attacks
 Cross Site Scripting
 Cross Site Request Forgery
 Web Application Filters & Firewalls
 Tools
o BurpSuite, ZAP, Nikto, Recon-Ng
o NMap, Netcat, SqlMap, TheHarvester

Secure App. Coding
 CWE/SANS Top 25 Most Dangerous Errors
 Secure Coding Practices to ensure
o C.I.A. Triad, A.A.A.
o Data at Rest
 REST & AJAX Security Best Practices
 Enterprise Security API (ESAPI)
 Code Review & Analysis Guidelines

Secure SDLC
 Defining Security Quality Gates
 Building Security Requirement Checklist
 Building Final Security Review Plan
 Security Patch Management
 Application Disposal Policy

App. Security Testing
 Securing Web Services
 Session Management in Web Services
 Security Attacks on APIs
 Application Threat Modeling
 IPSec & VPN
 Buffer Overflow Attacks

Detailed Curriculum
Section#1: Application Security Awareness
Duration: 3 Days | Online LAB Access | Case Studies

Information Security Concepts
 Core Security Concepts: C.I.A. Triad
o Ensuring Confidentiality
 About, How to Ensure
 Encryption, PKI, SSL/TLS
o Ensuring Integrity
 About, How to Ensure
 Hashing, Digital Signatures
o Ensuring Availability
 About, How to Ensure
 DoS/DDoS Attack
 Core Security Concepts: A.A.A.
o About Authentication
 Types, Deployment methods
 Password Security Best Practices
o About Authorization
 About, How to Ensure
 Access Control: Types
o About Accountability
 About, How to Ensure
 Secure Design Principles
o About, Best Practices, Case Studies
 Security Definitions & Terminology
o Risk, Threats & Vulnerabilities
o Policies, Procedures & Practices
o Standards & Compliances
o Security Testing: Black, Grey & White Box
o Vulnerability Assessment & Penetration Testing

Web Security: Building the Base [Concepts, Processes & Methodologies]
 Understanding the Web
 Web Application Security
o Importance, Current Approach
 Proxy Servers
o Burp Suite, Zed Attack Proxy
 HTTP Protocol
o History, Versions, Status Codes
o Request & Response Analysis
 HTTPS Protocol
o Introduction, SSL/TLS handshake
o Testing Methods
 About OWASP
o Top 10 Web Application Security Risks
o WAST Guide: Walkthrough
o Security Testing Framework

Secure SDLC: Introduction
 About Secure SDLC
o Process, Requirements & Methodologies
o Secure SDLC in Agile
 Software Security Standards, Regulations and Compliances
 Secure SDLC Standards & Frameworks
o NIST SP 800-64, BSIMM7 Framework
 Security Assurance Methodologies
o STRIDE, DREAD, Common Vulnerability Scoring System (CVSS)

Section#2: Web Security Testing
Duration: 4 Days | Online LAB Access | Hands-On Scenarios

Casual Leakage Points [Reconnaissance]
 Why Information Gathering
 DNS Protocol
o Overview, Zone Transfers
o Analysis & Scan
 Open Source Intelligence
 Exploring Google Search
o Keywords & Filters, GHDB
 Website Mirroring with Httrack
 Internet Connected Devices, Shodan
 TheHarvester & Recon-Ng

Looking for Entry Point [Scanning, Fingerprinting & Spidering]
 Scanning: Identify Ports & Services
o Nmap, Nikto
 Fingerprinting Web Server
 Spidering/Crawling
 Fuzzing: About, What to Look for
 Directory Browsing

Analyzing A.A.A. Concerns
 Authentication
o Cracking Weak Passwords
 Browser Cache Weakness
 Authorization
o Privilege Escalation Attack
o Insecure Direct Object References
o Directory Traversal Attacks
 Accountability
o About, Secure Logging Practices

Session Management
 Attacks on Sessions
o Fixation, Hijacking, Tampering
 Securing Cookies & Headers
 Cross Site Request Forgery
o About & How it happens
o Myths & Defensive Measures
o Attack Scenarios

Injection Attacks
 SQL Query: Primer
 SQL Injection (SQLi)
o About, Root Cause, Types & Analysis
 Command Injection
o About, Root Cause, Attack Scenarios
 [Local/Remote] File Inclusion Vulnerability

Cross Site Scripting (XSS)
 JavaScript (Primer)
 Same Origin Policy, Document Object Model
 XSS
o Overview, How it Works
o Types & Analysis, Testing Methods
 HTML Injection

Web Application Filters and Firewall (WAF)
 Web Application Defenses: Filtering & Firewall
 Filtering
o .NET & ESAPI Filtering Options
 Web Firewall
o Types, Detection & Attack methods

Section#3: Secure Application Coding
Duration: 3 Days | Online LAB Access | Checklist

Introduction
 CWE/SANS Top 25 Most Dangerous Errors
o Insecure Interaction between Components
o Risky Resource Management
o Porous Defenses

Secure Coding Practices: C.I.A. Triad
 Cryptographic Practices
 Communication Security
 Input Validation
 Canonicalization, Code Access Security
 Output Encoding
 Anti-Tampering

Secure Coding Practices: A.A.A.
 Authentication & Password Management
 Session Management
 Access Control
 Error Handling & Logging
 Exception Management

Secure Coding Practices: Data at Rest
 System Configuration
 Database Security
 File Management
 Memory Management

Securing Web Services
 About Web Services
 SOAP/XML, REST/JSON
o Features, Usage and Security Concerns
 AJAX Technologies
o About, Features and Security Concerns
 REST & AJAX Security Best Practices

Enterprise Security API (ESAPI)
 ESAPI Project
o About, Use Cases
o Recommended Practices & Templates

Secure SDLC - Implementation
 Implementation Level Controls
o Versioning: Best practices
o Code Review & Analysis
o Static Code Analysis

Section#4: Secure SDLC
Duration: 2 Days | Case Studies | Checklist

Building Security Requirements
 Defining Security Quality Gates
 Building Security Requirement Checklist
 Core Security Requirements
o Ensure C.I.A. and A.A.A.
 General Security Requirements
o Ensure Secure Session, Error and Configuration Management
 Operational Security Requirements
o Related to Secure Deployment Environment, Archiving & Anti-Piracy
 Other
o Related to International Laws, Procurement and Time Sequencing concerns

Security Review & Response
 Building Final Security Review Plan
 Handling Auditing and VA-PT Process
 Incident Handling Process
 Threats to Supply Chain Software
 Software Deployment and Procurement Risk

Securing Maintenance Cycle
 Security Patch Management
 Handling 3rd Party Library Upgrades
 Application Disposal Policy

Section#5: Application Security Testing
Duration: 3 Days | Online LAB Access | Case Studies | Checklist

Securing Web Services
 About Web Services & Testing Requirements
 SOAP/XML, REST/JSON
o Features, Usage and Security Concerns
o Attack Scenarios
 AJAX Technologies
o About, Features and Security Concerns
o Attack Scenarios
 Security Best Practices

Session Management in Web Services
 “Sessions” & Tracking Methods
o Header Analysis
o Attack Scenarios

Security Attacks on APIs
 SQLi, XSS & XSRF Scenarios in
o Mobile Applications
o Rich Interface Application [HTML5]

Application Threat Modeling
 About S.T.R.I.D.E.
 Attack Surface Analysis
 Threat Modeling
o Process & Workflow
o Threat Considerations in an Application
 Web & Mobile Clients
 API Communication
o Threat Modeling: Workshop

IPSec & VPN
 IPSec: About, Usage
 SSL & IPSec VPN

Buffer Overflow Attacks
 Heap & Stack Overflow
 Format String Vulnerabilities

Online Lab Layout

Cloud Based | Independent Setup for Each Participant | Accessible for 30 Days

[Lab diagram] Machines: Vulnerable Web Server (Target Machine); Linux Machine; Candidate Machine (Client/Attacker). Access paths: SSH (In & Out) and RDP (In & Out).

Hack2Secure Certification Program
Evaluate your Knowledge & Skills in the Application Security Domain
Globally Delivered & Proctored by PearsonVUE

 Sections: App Sec Awareness + Web Security Testing. For more details: www.hack2secure.com/wasd
 Sections: App Sec Awareness + Secure Coding. For more details: www.hack2secure.com/secap
 Sections: App Sec Awareness + Secure SDLC. For more details: www.hack2secure.com/swadlp
 Sections: App Sec Awareness + App Sec Testing. For more details: www.hack2secure.com/aste

To schedule Hack2Secure’s Cert Exams: www.pearsonvue.com/hack2secure

www.hack2secure.com | certificate@hack2secure.com
About Hack2Secure
Hack2Secure specialises in the Information Security domain and offers customised IT security programs, including Training, Services and Solutions. Our programs are designed by industry experts and tailored to specific needs. We help students, professionals and companies with the knowledge, tools and guidance required to stay at the forefront of a vital and rapidly changing IT industry.

InfoSec Training
Vendor Independent, Customizable, Across Domains
Hack2Secure delivers intensive, immersive security training sessions designed to teach the practical steps necessary to defend systems against serious security threats. Our wide range of fully customizable training courses allows individuals to master different aspects of Information Security according to their industry requirements and convenience.
 Training delivered to more than 15,000 professionals globally
 Customizable Security Training Programs, aligned with Business Requirements

InfoSec Certification
 Globally delivered and proctored Security Certification programs with PearsonVUE
 Vendor-independent programs based on industry security standards and practices

InfoSec Services
Hack2Secure offers IT security professional services that help organizations stay ahead of security threats through adaptive and proactive methods such as:
 Secure Software Development Lifecycle
 Secure Application Design & Threat Modeling
 Application Security Testing
 Risk Assessment, Consulting

Hack2Secure featured as:
 25 Fastest Growing Cyber Security Companies in India (Source: The CEO Magazine, India)
 10 Best Security Companies in India: 2017 (Source: Silicon Review Magazine, India)
 Excellence in Security Training Programmes (Source: GDS Review Magazine)

Phone: +91 (80) 49 58 32 99 | +91 (80) 49 58 33 99
www.hack2secure.com | info@hack2secure.com