
CyberSecurity Audits of Modern Web Applications - Legacy & Beyond

Date(s): Nov 07, 2022 - Nov 08, 2022
Time: 8:00AM - 4:30PM
Registration Fee: $349.00
Cancellation Date: Nov 22, 2022
Location: JOHN M. KEEL LEARNING CENTER
Parking Info:

Parking for SAO Professional Development courses is in Garage B (1511 San Jacinto Blvd.). The garage signage may read 1511 San Jacinto or Garage B. The elevator in Garage B is not reliable. If you are unable to use the stairs, please contact professionaldevelopment@sao.texas.gov for alternate parking arrangements. Handicapped parking is free at the meters around the downtown area.

A course coordinator will email you a parking permit prior to the course start date. A permit must be displayed or you will be ticketed.


Course Description

Operating an Internet web site is a necessity in today’s eBusiness environment; however, web applications bring with them many important CyberSecurity risks. Increasingly demanding regulatory requirements, litigation, and intensified attacks on Web-based applications, along with traditional information asset protection, have significantly raised the stakes for secure application design, testing, certification/accreditation, and audit. Additionally, IT applications have become more complex and are frequently rushed to market by poorly trained commercial product developers and internal developers, increasing the business risks and the challenges of applying and verifying reliable CyberSecurity safeguards. In this information-packed workshop, we will cover key building blocks and significant risks, and systematically sort through the available CyberSecurity safeguards in today's complex Web-enabled, multi-tiered applications. NOTE: Several demonstrations in the course will optionally afford students the opportunity to try the associated procedures on the Internet with their own computers. Students are invited to bring their own computers to replicate some of the procedures and/or research useful resource sites on the Internet.


Potential CPE Credits: 16.0
Govt Hours: This class meets 16.0 hours of the 24-hour requirement for governmental CPE under Government Auditing Standards (yellow book), in most cases.
Technical Hours: This class meets 16.0 CPE credits of technical training in compliance with Texas Admin. Code Rule 523.102.

Instruction Type: Live
Experience Level:
Category: Auditing

Course Objectives

• Identify and assess CyberSecurity control points and software building blocks in a multi-tiered web application

• Understand the risks and causes associated with different types of CyberAttacks on web applications

• Evaluate different methods of testing and auditing web applications throughout the System Development Life Cycle (SDLC) and after they go into production

• Gain familiarity with industry best practices for secure web application design and operation

Outline

Web Application Audit Planning

• CyberSecurity risks to business applications

• Planning CyberSecurity audits for web applications

Auditing the Legacy/“Monolith” Web Application Environment

• Distributed computing models

• Web applications and control points

• Web applications and associated security architecture

• Client/Server—Middleware

• Virtualization

• Cloud computing

• Single sign-on for web applications

Auditing the Modern Cloud-Native Web Environment

• Microservices

• Application programming interfaces (APIs)

• Container virtualization

• Serverless computing

• Documenting and analyzing distributed web applications

Securing and Auditing Your Web Storefront - HTTP Servers

• Hypertext transfer protocol (HTTP) and state management

• Web server host enumeration

• Auditing web (HTTP) server security configuration/policies - Apache, Microsoft IIS, nginx

• Auditing web server session encryption (SSL/TLS)
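As an added example (not part of the course materials or this listing), the script below shows the kind of response-header audit the three outline items above describe: banner headers that aid host enumeration, the hardening headers an HTTP server should send, and the Secure/HttpOnly/SameSite attributes on session cookies (HTTP state management). The two responses are constructed samples, not captures from any real server; the TLS settings themselves are not checked here because that requires a live connection.

```python
"""Audit an HTTP response for enumeration leaks, missing hardening
headers, and weak session-cookie attributes. Standard library only."""
import re

# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

# A dotted number in a banner header (e.g. "Apache/2.4.29") is a version leak.
VERSION_RE = re.compile(r"\d+\.\d+")
BANNER_HEADERS = ("server", "x-powered-by")
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_headers(raw):
    """Split a raw response into (status line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    _status, headers = parse_headers(raw)
    findings = []
    values = {}
    for name, value in headers:
        values.setdefault(name, value)

    # 1. Host enumeration: banners that disclose product versions.
    for name, value in headers:
        if name in BANNER_HEADERS and VERSION_RE.search(value):
            findings.append(f"{name} discloses version: {value}")

    # 2. Hardening headers expected from a production HTTPS server.
    if "strict-transport-security" not in values:
        findings.append("missing Strict-Transport-Security")
    if values.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-security-policy" not in values:
        findings.append("missing Content-Security-Policy")

    # 3. State management: every Set-Cookie should carry the three flags.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first ';', lower-cased, value stripped.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_response(raw) or ["no findings"]:
            print("  -", finding)
```

To run it against a real host, replace the constructed strings with the raw response from a tool such as curl -si and keep the same parser; the findings map directly to the configuration items an auditor would raise with the Apache, IIS, or nginx administrator.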

Auditing Secure Design and Testing of Web Applications

• Web software development lifecycles (SDLCs), including off-the-shelf software

• Common web application risks, attacks, and countermeasures

• CyberSecurity in software design and testing throughout the SDLC

Summary Wrap-up

• Summary audit points

• Sources of information, checklists, and tools


Prerequisites

No prerequisites required.

YB, 4.23(k)


Instructors

Ken Cutler

Ken Cutler is a Senior Teaching Fellow with CPEi, specializing in Technical Audits of IT Security and related IT controls. He is the President and Principal Consultant for Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering a wide array of Information Security and IT Audit management and technical professional services. He is also the Director – Q/ISP (Qualified Information Security Professional) programs for Security University. An internationally recognized consultant and trainer in the Information Security and IT audit fields, he is certified and has conducted courses for: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation with Security University, he recently was featured in two full length training videos on CISSP and Security+.

Ken was formerly Vice-President of Information Security for MIS Training Institute (MISTI), Chief Information Officer of Moore McCormack Resources, a Fortune 500 company. He also directed company-wide IS programs for American Express Travel Related Services, Martin Marietta Data Systems, and Midlantic Banks, Inc. Ken has been a long-time active participant in international government and industry security standards initiatives.

He is a prolific author on information security topics and has been frequently quoted in popular trade publications, including Computerworld, Information Security Magazine, Infoworld, Information Week, CIO Bulletin, and Healthcare Information Security Newsletter, and has been interviewed in radio programs My Technology Lawyer and Talk America.

Ken received a Bachelor of Science degree in Business Administration and Computer Science from SUNY Empire State College. He also received a Bachelor of Science in Economics from the University of Massachusetts and a Master of Public Administration (MPA) with a major in Finance from Suffolk University. Ken is a Certified Governmental Financial Manager, Certified Information Systems Auditor, Certified Information Security Manager, Certified Fraud Examiner, Certified Quality Assurance specialist, and Certified in the Governance of Enterprise IT.


Additional Information

TAC Rule 523.142(g) requires the CPE Sponsor to monitor individual attendance and assign the correct number of CPE credits. Participants will be asked to document their time of arrival and departure in compliance with this Rule. Additionally, attendance will be monitored throughout the day and CPE certificates will reflect actual attendance of each participant.

If you are making travel plans to come to Austin, we recommend making "refundable" air and hotel reservations or waiting until 14 days before the class to actually book your reservations. Courses are occasionally canceled or rescheduled due to low enrollment. We determine whether a course has enough participants 16 days prior to the course date. If we cancel or reschedule, we will email the participant and his or her billing contact no later than 14 days before the original class date.

Vending machines with Coca-Cola products and various snack items are available. There is also a refrigerator and microwave in our coffee bar area. Feel free to bring in your own drinks and food if you prefer.

You might want to bring a light sweater or jacket, as room temperatures vary.

To see answers to our Frequently Asked Questions, visit http://www.sao.texas.gov/training/faq.html.