Overview
The course is focused training web developers in Java/JEE security to enable them to build secure web applications, incorporating essential security elements into the applications, from the development to deployment stage and beyond. Participants will dive deep into various topics including right practices and processes to be able to code secure web applications, including XML processing, rich interfaces, as well as RESTful and SOAP-based web services. Additionally, they will learn to initiate attacks and provide defenses.
What You'll Learn
- How to recognize the potential and real security vulnerabilities, overcome them and test the adequacy of defenses
- Understand the most common security vulnerabilities in web applications and examine each vulnerability from a Java/JEE perspective
- Describe the threat and attack mechanisms, associated vulnerabilities, and design, implement, and test effective defenses.
Curriculum
- Assumptions we make
- Security: The complete picture
- Anthem, Sony, target, heartland, and TJX debriefs
- Verizon’s 2017 data breach report
- Attack patterns and recommendations
- Tutorial: Working with eclipse (JEE Version) and tomcat
- Tutorial: Working with the HSQL database
- Exercise: Case study setup and review
- Motivations: Costs and standards
- Open web application security project
- Web application security consortium
- CERT secure coding standards
- Microsoft SDL
- Assets and trust boundaries
- Threat modeling
- Exercise: Case study asset analysis
- Security is a lifecycle issue
- Minimize attack surface area
- Layers of defense: Tenacious D
- Compartmentalize
- Consider all application states
- Do not trust the untrusted
- Buffer overflows
- Integer arithmetic vulnerabilities
- Unvalidated input: From the web
- Defending trust boundaries
- Whitelisting vs blacklisting
- Exercise: Defending trust boundaries
- Exercise: Defending trust boundaries with regular expressions
- Access control issues
- Excessive privileges
- Insufficient flow control
- Unprotected URL/resource access
- Examples of shabby access control
- Sessions and session management
- Broken quality/DoS
- Authentication data
- Username/password protection
- Exploits magnify importance
- Handling passwords on server side
- Single sign-on (SSO)
- Exercise: Defending authentication
- XSS patterns
- Persistent XSS
- Reflective XSS
- Best practices for untrusted data
- Exercise: Defending against XSS
- Injection flaws
- SQL injection attacks evolve
- Drill down on stored procedures
- Other forms of injection
- Minimizing injection flaws
- Exercise: Defending against SQL injection
- Fingerprinting a web site
- Error-handling issues
- Logging in support of forensics
- Solving DLP challenges
- Exercise: Error handling
- Protecting data can mitigate impact
- In-memory data handling
- Secure pipes
- Failures in TLS/SSL framework
- Exercise: Defending sensitive data
- System hardening: IA mitigation
- Application whitelisting
- Least privileges
- Anti-exploitation
- Secure baseline
- Remote file inclusion
- Redirects and forwards
- Direct object references
- Exercise: Unsafe direct object references
- Name resolution vulnerabilities
- Fake certs and mobile apps
- Targeted spoofing attacks
- Cross-site request forgeries (CSRF)
- CSRF defenses
- Exercise: Cross-site request forgeries
- Strong encryption
- Message digests
- Encryption/decryption
- Keys and key management
- NIST recommendations
- Common vulnerabilities and exposures
- OWASP 2017 top ten
- CWE/SANS top 25 most dangerous SW errors
- Monster mitigations
- Strength training: Project teams/developers
- Strength training: IT organizations
- Exercise: Recent incidents
- XML signature
- XML encryption
- XML attacks: Structure
- XML attacks: Injection
- Safe XML processing
- Exercise: Safe XML processing
- Exercise: Dynamic loading using XSLT
- Web service security exposures
- When transport-level alone is not enough
- Message-level security
- WS-security roadmap
- Java’s XWSS API
- Web service attacks
- Web service appliance/gateways
- Exercise: Web service attacks
- How attackers see rich interfaces
- Attack surface changes when moving to rich interfaces and REST
- Bridging and its potential problems
- Three basic tenets for safe rich interfaces
- OWASP REST security recommendations
- OAuth 2.x and OpenID
- Exercise: Working with OAuth
Who should attend
Anyone interested in the paradigm shifts necessary to enable organizational agility in today’s innovative business climate will find the Business Agility Foundations course compelling. The course is highly recommended for –
- Current and aspiring business agility leaders
- Business change agents
- Business leaders
- Business managers
- Value managers
- Product owners
- Product managers
- Anyone wanting a certification in ICAgile Business Agility Foundation (ICP-BAF)
- Anyone wanting to be an ICAgile Certified Expert in Business Agility
Prerequisites
Participants must have working knowledge of Java and JEE.
