This 3-day course identifies the key issues that an auditor should look at to identify whether a web application has been properly secured. The course covers essential secure coding requirements, including the OWASP Top 10 for Web Application Security Risks, APIs and Large Language Model (LLM) Applications. The tools and techniques for assessing and securing applications will be reviewed, including hands-on exercises which reinforce the concepts introduced in the class. Penetration testing techniques are used throughout the exercises to better understand the vulnerabilities. Web application topics discussed include authentication, authorization, SQL injection, cross-site scripting, cross-site request forgery, logging requirements, data storage requirements, how to respond to incidents and more! AI-related risks such as AI bias, misinformation, prompt injection, excessive agency, data and model poisoning and adversarial threats will be investigated. Authentication options will be explored, as well as the steps required to adequately audit authentication.

CPE:

21

Program Level:

Intermediate

Delivery Method:

Live

Cost:

$990 for this live 3-day course

Course Contents/Objectives

I. Foundational Skills & Application Basics
     • Importance of Web Application Security
     • Architectural considerations
     • API and Non-API Architecture Platforms
     • HTTP communication
     • Common vulnerabilities
     • OWASP Top Ten for Web Applications
     • OWASP Top Ten for APIs
     • OWASP Top Ten for Large Language Models (LLMs)
II. Environment Identification & Application Exploration
     • Server-Side APIs
     • Scanning
     • Proxy based tools
     • Artificial Intelligence
     • AI bias
     • Encryption
     • Client-side considerations
     • Inter-Process Communication
     • Data Storage Protections
III. Access Control
     • Access control
     • Principle of least privilege
     • CORS vulnerabilities
     • Excessive Agency with AI
IV. Cryptographic Considerations
     • Encryption weaknesses
     • Certificates
     • TLS/SSL
     • HSTS
     • Managing keys
     • Crypto prevention controls
V. Identification and Authentication
     • Password considerations
     • Storage and transportation of passwords
     • Hard-coded credential risks
     • Authentication methods
     • Security questions
     • Managing secrets
     • Certificates
     • CAPTCHA
     • Timeouts
VI. Session Analysis
     • Session management
     • Session attacks
     • Session fixation
     • Cookies and security considerations
VII. Insecure Design
     • Security Development Lifecycle, including incident handling
     • Business logic vulnerabilities
     • AI adversarial threats
     • Concurrency controls
     • Security misconfigurations
     • Security headers
     • Handling errors and exceptions
     • Vulnerable and Outdated components
     • Creating a BOM
     • AI misinformation
     • Code review
     • Security testing
VIII. Element Manipulation Concepts
     • Injection vulnerabilities
     • Prompt injection
     • Data and model poisoning
     • File uploads
     • Input validation challenges
     • Allowlists vs Blocklists
     • Centralized validation
IX. Security logging and monitoring
     • Activity to log – authentication, privileges, administrative actions, sensitive data
     • Log storage
     • Honeytokens
X. Server-Side Request Forgery
     • Cross-site scripting
     • Client-side request forgery
     • Fuzzing
XI. Conclusion

Laptop Required

Students are required to have a laptop in order to complete the hands-on exercises. The laptop should meet the following specifications for the student to get the most from the exercises:
     • 16 GB RAM or higher
     • 25 GB available hard drive space
     • Windows 10 Professional or later
     • Administrator privileges, including the capability to install and run tools, as well as disable anti-virus
     • VMware Player should be installed

Target Audience

• Internal Auditors
• IT Specialist Auditors
• IT Auditors
• IT Audit Managers
• Information System Auditors
• Information Technology Auditors
• Information Security Officers
• Developers

Prerequisites

Participants should be familiar with Internet technologies and commonly used Internet security controls. No other advance preparation is required.