Fall 2023 Auditing Web Applications: The OWASP Top Ten with Tanya Baccam

When: Nov 16, 2023 from 09:00 to 17:00 (ET)
Associated with New York Metropolitan Chapter

Registration closes on November 13th, 2023 at 08:00 PM. No exceptions are made.

Note: Due to COVID-19, this event will be online only.
Please register for this class using a private email address (Gmail, Yahoo, AOL, Hotmail) and not your organization's email address.
Many organizations block emails with attachments and block WebEx.

Dates and Times: All times are New York time (Eastern Standard Time).

November 16th, 2023, 9:00 AM - 5:00 PM EST

Prerequisite: Anyone who is interested in this topic

Benefits of this class:
Overview: This course identifies key issues that an auditor should look at in order to identify whether a web application API has been properly secured. Topics such as the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors, as they relate to APIs, will be investigated. The tools and techniques for assessing and securing application APIs will be reviewed, including hands-on exercises that reinforce the concepts introduced in the class (authentication, authorization, SQL injection, cross-site scripting, logging requirements, and more!). Authentication solutions and mechanisms that will be investigated include more advanced methods such as multi-factor authentication, CAPTCHA, and others.

Class Syllabus:

• Background on APIs

- Why they are used

- Users of APIs

- Business case for APIs

- Open API specification

• API Paradigms

- Request-Response APIs

- Event-Driven APIs

• Network Design Considerations

• Common Attack Vectors

- Parameters

- Identity/Authentication

- Man in the Middle

• API Security

- OWASP Top Ten, as they impact APIs

- Authentication and Access Control

- API Gateway and Authentication

- Exposing information in the URLs

- API throttling, rate limiting and DDoS prevention

- OAuth

- Encryption

- Replay attack protection

- Input parameter validation

- API Keys

- Managing errors

- Logging

Instructor: Ms. Tanya Baccam, CPA, CISSP, GCIH, GPPA, GSEC, CISA, CISM, CITP, OCP DBA
Tanya is an experienced information security consultant and senior SANS instructor. She has consulted with a variety of clients about their security architecture in areas such as perimeter security, network infrastructure design, system audits, web server security, web application assessments, risk assessments, penetration testing, and database security. She has played an integral role in developing multiple business applications in roles ranging from director of assurance services for a security services consulting firm, to manager of infrastructure security for a healthcare organization, to manager at Deloitte. She currently holds CPA, GIAC GCIH, CISSP, CISM, CITP, CISA, CCNA, and OCP DBA certifications.

Laptop Required
Students are required to bring a laptop in order to ensure the hands-on exercises can be completed. The laptop should meet the following specifications for the student to get the most from the exercises:
     • USB Port
     • 8 GB RAM or higher
     • 25 GB available hard drive space
     • Windows 10 Professional or later (Home or similar editions will not have some of the features needed.)
     • Administrator privileges including the capability to install and run tools, as well as disable anti-virus
     • VMware Player should be installed and functioning prior to class in order to avoid delays with the exercises.

Who should attend (target audience):
• Internal Auditors, IT Specialist Auditors, IT Auditors, IT Audit Managers, Information System Auditors, Information System Managers, Information Technology Auditors, Information Security Officers, Consultants

Course Material: This will be sent out prior to the class via email.


Important: Anyone who fails to make a payment online will not be considered an attendee. 

CPE Credits: 7. Capacity: webinar, 25 people.

Live broadcast webinar location: Anywhere in the world
Refund Policy: 100% refund before October 16th, 2023. A refund must be requested in writing and will not be accepted after that date. Please modify your registration with your confirmation number. Once class material has been sent out there will be NO REFUND.

Very Important: 

  • CPE credits can be applied toward each ISACA designation that is held. Full CPE credits will be awarded only if all sections of the preparation classes have been attended.
  • Webinar sessions are not recorded; it is a live broadcast.
  • You cannot switch between onsite and online sessions once you have chosen, where both are offered.
  • Webinar access instructions are provided prior to the first day of class.
  • Webinar attendees: for the best results, please use a PC or laptop.