
Web Application Security

The intent of the Web Application Security Knowledge Unit is to provide students with an understanding of technology, tools, and practices associated with web applications.

Topics

  1. Web Application Technologies
     a. HTTP Protocol
     b. Encoding Schemes
     c. Web Application architectures
     d. AJAX
     e. XML and JSON
  2. Authentication
  3. Access Controls
  4. Application Server Vulnerabilities

Outcomes

  1. Examine concepts of web application technologies and security issues associated with them.
  2. Describe approaches used in the development and deployment of secure web applications.
  3. Explain how web applications are operated in a secure manner.

KSA-T

Below are the Knowledge, Skills, Abilities and Tasks (KSA-Ts) identified as being required to perform this work role.
Learn more about the KSA-Ts.

Knowledge

ID DESCRIPTION
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
K0176 Knowledge of Extensible Markup Language (XML) schemas.
K0398 Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).
K0143 Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
K0349 Knowledge of website types, administration, functions, and content management system (CMS).
K0105 Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language).
K0089 Knowledge of systems diagnostic tools and fault identification techniques.
K0161 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
K0007 Knowledge of authentication, authorization, and access control methods.
K0033 Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists).
K0065 Knowledge of policy-based and risk adaptive access controls.
K0009 Knowledge of application vulnerabilities.
Skills

ID DESCRIPTION
S0174 Skill in using code analysis tools.
S0031 Skill in developing and applying security system access controls.
S0095 Skill in identifying common encoding techniques (e.g., Exclusive Disjunction [XOR], American Standard Code for Information Interchange [ASCII], Unicode, Base64, Uuencode, Uniform Resource Locator [URL] encode).
Abilities

ID DESCRIPTION
(no entries listed for this Knowledge Unit)

Tasks

ID DESCRIPTION
(no entries listed for this Knowledge Unit)