Fall 2023 Auditing Web Applications: The OWASP Top Ten with Tanya Baccam

When:  Nov 16, 2023 from 09:00 to 17:00 (ET)
Associated with  New York Metropolitan Chapter

The final class registration day will be closed on November 13th 2023 at 08:00 pm. No exceptions are made.

Note:  Due to COVID-19 This event will be online only
" Please register for this class using the private email address (Gmail, yahoo, AOL, Hotmail address) and not your organizations' email address.
Many organizations block emails with attachments and block webex

Dates and Times: All times are New York time (Eastern Standard Time). Please click here to check the time and date in your location. 

November 16th,  2023    9:00 AM - 5:00 PM EST

Prerequisite: Anyone who is interested in this topic

Benefits of this class:
Overview:  This course identifies the key issues that an auditor should look at in order to identify whether a web application has been properly secured. Each of the OWASP Top 10 as well as other programming errors will be addressed. The tools and techniques for assessing and securing applications will be explored. Topics discussed include authentication, authorization, SQL injection, cross site scripting, server side request forgery, logging requirements, data storage requirements, and more! In addition to exploring the vulnerabilities, students will also learn methods to mitigate the risks identified. 

I. Background on Web Application Security

a. Key targeted vulnerabilities

b. Who are the victims?

II. OWASP Top Ten vulnerabilities

a. Broken Access Control

i. Access control risks

ii. Permissions

iii. Race conditions

iv. Clickjacking

v. CORS vulnerabilities

b. Cryptographic Failures

i. Key cryptographic attacks

ii. SSL/TLS vulnerabilities

iii. Managing encryption keys

c. Injection

i. SQL injection

ii. Command injection

iii. Log injection

iv. XXE vulnerabilities

d. Insecure Design

i. Business logic issues

ii. Concurrency concerns

e. Security Misconfiguration

i. Configuration considerations

ii. HTTP security headers

f. Vulnerable and Outdated Components

g. Identification and Authentication Failures

i. Attacks targeting authentication

ii. Attacks targeting the session

h. Software and Data Integrity Failures

i. Security Logging and Monitoring Failures

j. Server Side Request Forgery (SSRF)

i. XSS and CSRF 

Instructor:  Ms. Tanya Baccam, CPA, CISSP, GCIH, GPPA, GSEC, CISA, CISM, CITP, OCP DBA
Tanya is an experienced information security consultant and senior SANS  instructor. She has consulted with a variety of clients about their security architecture in areas such as perimeter security, network infrastructure design, system audits, Web server security, Web application assessments, risk assessments, penetration testing, and database security. She has played an integral role in developing multiple business applications in roles ranging from the director of assurance services for a security services consulting firm, the manager of infrastructure security for a healthcare organization, and as a  manager at Deloitte. She currently holds CPA, GIAC GCIH, CISSP, CISM,  CITP, CISA, CCNA, and OCP DBA certifications. 

Laptop Required
Students are required to bring a laptop in order to ensure the hands-on exercises can be completed. The laptop should meet the following specifications for the  student to get the most from the exercises:
     • USB Port
     • 8 GB RAM or higher
     • 25 GB available hard drive space
     • Windows 10 Professional or later (Home or similar editions will not have some of the features needed.)
     • Administrator privileges including the capability to install and run tools, as well as disable anti-virus
     • VMWare Player should be installed and functioning prior to class in order to avoid delays with the exercises.”

Who should attend as this course's Target Audience
• Internal Auditors, IT Specialist Auditors, IT Auditors, IT Audit Managers, Information System Auditors, Information System
Managers, Information Technology Auditors, Information Security Officers, Consultants

Course Material: This Will be sent out prior to the class via email.


Important: Anyone who fails to make a payment online will not be considered an attendee. 

CPE Credits: 7   Capacity:  webinar - 25 people.

Live broadcast webinar location: Anywhere in the world
Refund Policy:  100%  Refund before October 16th, 2023.  A refund must be requested in writing and will not be accepted after the said date. Please modify your registration with your confirmation number.  Once class material has been sent out there will be NO REFUND.

Very Important: 

Anyone who fails to make a payment online will not be considered an attendee. 

  • CPE  credits can be applied toward each ISACA designation that is held. Full  CPE credits will be awarded only if all sections of Preparation classes have been attended.
  • Webinar sessions are not being recorded - it's a live broadcast.
  • You cannot switch between onsite and online sessions once decided if is offered the choices.
  • Webinar access instructions are provided prior to the first day of class.
  • For webinar attendees, For the best result please use the PC, or labtop.