TECHNOLOGY, INNOVATION UNIT

Certified Secure
Web Application
Engineer
CSWAE
Erdenetsetseg (TIU)
Uranbileg (TIU)
TOPICS
1 Introduction
2 Secure SDLC
3 Threat modeling and risk management
4 Authentication and authorization policies
5 Session management attacks
6 Codes for security testing
7 Perform web application penetration testing
8 Cryptography

Introduction
The Certified Secure Web Application Engineer (CSWAE) preparatory course is a comprehensive course covering all of the exam topics of the CSWAE certification offered by Mile2.
Developing secure web applications
Developing secure web applications involves more than writing secure code:

SECURE SCANNING AND ASSESSMENT PROCEDURES
Proactively finding vulnerabilities in your web application can only be achieved by developing a consistent process of scanning and security assessment.

RISK MANAGEMENT AND POLICIES AND MITIGATING CONTROLS
Once security vulnerabilities have been found, they must be analyzed, prioritized, and tracked.

APPLICATION SECURITY ARCHITECTURE
Developing a secure web application requires that it is designed with security in mind.

Secure SDLC
Integrating security tasks into the software development lifecycle is the best way to ensure that security has been thought about during each phase of the development process.

Step 1: Define web application security
Step 2: Understand challenges associated with web application
Step 3: Understand the most common web application security threats
Step 4: Review common defense mechanisms used in web application
Threat modeling and risk management

Risk management
Risk management is the process of identifying and analyzing risk to ensure that adequate controls are in place to control risk.

Risk mitigation
Risk mitigation is the implementation of controls needed to reduce or remove the risk to protected assets.

Risk assessment
Risk assessment is the process of identifying assets, vulnerabilities, and summaries of possible defensive measures and their costs.
Risk Analysis
1 Identify assets and their values
2 Identify vulnerabilities and threats
3 Determine the probability of the threats
4 Calculate the difference between impact and cost to mitigate

Tangible Assets
- Database records
- Pass files
- Source code

Intangible Assets
- Reputation
- Retention
- Competitive
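The four risk-analysis steps above, carried through as a small worked example (added here, not part of the CSWAE slides): each threat is tied to one of the slide's assets, given an estimated probability and exposure, and the annualised impact is compared with the cost of the control that would mitigate it. Asset values, probabilities and control costs are constructed for illustration.

```python
# Added example, not from the CSWAE slides: minimal quantitative risk analysis
# following the slide's four steps. All figures below are constructed.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset: str              # which asset (from ASSETS) the threat targets
    probability: float      # estimated annual likelihood it is realised (0..1)
    exposure: float         # fraction of the asset value lost per incident (0..1)
    mitigation_cost: float  # annual cost of the control that removes the threat


# Step 1: identify assets and their values (intangible assets get a value too).
ASSETS = {
    "Database records": 500_000.0,
    "Pass files": 200_000.0,
    "Source code": 300_000.0,
    "Reputation": 1_000_000.0,
}

# Steps 2 and 3: identify threats and estimate their probability.
THREATS = [
    Threat("SQL injection in search form", "Database records", 0.30, 0.6, 40_000),
    Threat("Leaked password file", "Pass files", 0.10, 1.0, 15_000),
    Threat("Public breach disclosure", "Reputation", 0.05, 0.5, 120_000),
]


def expected_loss(t: Threat, assets=ASSETS) -> float:
    """Annualised impact: asset value x exposure x probability."""
    return assets[t.asset] * t.exposure * t.probability


def mitigation_benefit(t: Threat, assets=ASSETS) -> float:
    """Step 4: impact minus cost to mitigate. Positive means the control
    pays for itself; negative means the risk is cheaper to accept or transfer."""
    return expected_loss(t, assets) - t.mitigation_cost


def prioritise(threats=THREATS, assets=ASSETS):
    """Rank threats by expected loss; flag whether mitigation is justified."""
    ranked = sorted(threats, key=lambda t: expected_loss(t, assets), reverse=True)
    return [(t.name, round(expected_loss(t, assets)), mitigation_benefit(t, assets) > 0)
            for t in ranked]


if __name__ == "__main__":
    for name, loss, worth_it in prioritise():
        print(f"{name:32} expected loss {loss:>7}  mitigate: {worth_it}")
```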
Internal and external threats to web application

INTERNAL THREATS
- Human threats
- Software threats
- Network security threats
- Social, economic

EXTERNAL THREATS
- External suppliers
- Cyber attack
- Poor defense
Web application penetration security testing
Penetration testing is the process of testing a web application to expose security vulnerabilities.

PURPOSE 1: Expose vulnerabilities in access control schemas
PURPOSE 2: Expose vulnerabilities in user input handling
PURPOSE 3: Expose vulnerabilities in authentication and authorization processes
PURPOSE 4: Expose vulnerabilities in session management
PURPOSE 5: Expose vulnerabilities in data transmission and storage
Authentication and authorization policies

Authentication policies
Authentication is the core security implemented to protect an application.

Authorization policies
Authorization policies are used when you want to protect a resource based on criteria other than authentication, and you want Access Manager to enforce access restrictions. Authorization policies are enforced when a user requests data from a resource.
Session management
Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Session management involves the sharing of secrets with authenticated users, and as such, secure cryptographic network communications are essential to maintaining session management security.
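The "shared secret" the paragraph above describes, as an added example that is not part of the CSWAE slides: a minimal server-side session store in which the random token is the only secret the client holds, sessions expire on inactivity and on an absolute lifetime, and the token is rotated after authentication or a privilege change. The timeouts and the injectable clock are assumptions for illustration.

```python
# Added example, not from the CSWAE slides: server-side session store.
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._sessions = {}   # keyed by SHA-256 of the token, never the token itself

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest so a dumped store does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        """Issue a fresh 256-bit random token for an already authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user id for a live session, else None; expired sessions are deleted."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["created"] > ABSOLUTE_TIMEOUT or now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, token: str):
        """Replace the token (after login or a privilege change) so a pre-set id is never kept."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)

    def revoke(self, token: str) -> None:
        """Logout: drop the server-side state so the token is useless even if replayed."""
        self._sessions.pop(self._key(token), None)
```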
Input Validation and Data Sanitization
One of the key factors in developing secure software is to validate (i.e. check and verify) the input.
Identify vulnerabilities

01 Know the vulnerabilities
In order to find security vulnerabilities, you have to know what a vulnerability is.
- Attend training
- Read, read
- Practice

02 Know the business risks
Know what assets are being accessed by the code and the level of protection that is required.
- Review use cases

03 Know when to conduct the code review
The perception of time constraints is usually why code reviews are not done. Remember, fixing security issues after deployment can be costly and more time consuming.

04 Know who should be involved
- Developers who are familiar with the architecture
- Strong developers
- Developers with knowledge of security

05 Know what to look for
- Configuration
- Authentication
- Logging
- Error and exception handling
- Data validation

06 Remediate the issues
- Document and rank issues
- Are issues related to lack of training?

Automated tools can be used to assist with the process of vulnerability identification.
Testing Methodologies
- Map application
- Analyze the application
- Access handling
- Input handling
- Application logic
- Information leakage
Thank you for your attention!