course-deatils-thumbnail

Securing Java Web Services

Course Code: 1317
|

Overview

This is an immersive, practical training course that focuses on training web developers to build secure web applications, incorporate essential security elements into the applications – from the development stage to the deployment stage and beyond. The course also highlights the right practices and processes for the entire software development lifecycle. During the course, participants initiate attacks, provide defenses, learn the best practices and processes for coding secure web applications, including XML processing. The course equips participants with the skills and knowledge for identifying potential as well as real security vulnerabilities, and deploying the right defense measures for overcoming them, while also testing the adequacy of the defenses. The courses discusses the common vulnerabilities encountered in web applications and examines each of these vulnerabilities from a Java/JEE perspective.

Schedule Classes

Looking for more sessions of this class?
Talk to us
Trivera

Course Delivery

This course is available in the following formats:

Live Classroom
Duration: 4 days

Live Virtual Classroom
Duration: 4 days

What You'll learn

  • Overview of services
  • How to defend XML
  • Understanding the access control issues
  • Exploring vulnerabilities encountered in web applications
  • Understanding the security policies
  • How to establish layers of defense
  • Overview of cryptography
  • How to defend rich interfaces and REST
  • Exploring the SDL (Secure Development Lifecycle)
  • Tools and techniques for testing defenses
  • Understanding the OWASP web app penetration testing

Outline

Module 1: Foundation

  • Who is safe?
    • The assumptions we make
    • Security: The complete picture
    • Anthem, Sony, Target, Heartland and TJX debriefs
    • Verizon’s 2017 data breach report
    • Attack patterns and recommendations
    • Tutorial: Working with Eclipse (JEE version) and Tomcat
    • Tutorial: Working with the HSQL database
    • Exercise: Case study set up and review
  • Security concepts
    • Motivations: Costs and standards
    • Open Web Application Security Project (OWASP)
    • Web application security consortium
    • CERT secure coding standards
    • Microsoft SDL
    • Assets and trust boundaries
    • Threat modeling
    • Exercise: Case study asset analysis
  • Principles of information security
    • Security is a lifecycle issue
    • Minimize attack surface area
    • Layers of defense: Tenacious D
    • Compartmentalize
    • Consider all application states
    • Do not trust the untrusted

Module 2: Applying security to services

  • Service challenges
    • Services overview
    • Identity and propagation
    • Real-time transactions
    • Diverse environments
    • Information protection
    • Standards compliance
  • Services and security
    • Security policies
    • Applicable OASIS standards
    • SAML
    • SAML usage scenarios
    • Oauth 2.0 and OpenID
    • Exercise: Working with OAuth

Module 3: Defending XML processing

  • Defending XML
    • XML signature
    • XML encryption
    • XML attacks: Structure
    • XML attacks: Injection
    • Safe XML processing
    • Exercise: Safe XML processing
    • Exercise: Dynamic loading using XSLT
  • Defending web services
    • Web service security exposure
    • When transport-level alone is not enough
    • Message-level security
    • WS-security roadmap
    • XWSS provides many functions
    • Web service attacks
    • Web service appliance/gateways
    • Exercise: Web service attacks
  • Defending rich interfaces and REST
    • How attackers see rich interfaces
    • Attack surface changes when moving to rich interfaces
    • Bridging and its potential problems
    • Three basic tenets for safe rich interfaces
    • OWASP REST security recommendations

Module 4: Vulnerabilities (Part I)

  • Unvalidated input
    • Buffer overflows
    • Integer arithmetic vulnerabilities
    • Unvalidated input from the web
    • Defending trust boundaries
    • Whitelisting vs. blacklisting
    • Exercise: Defending trust boundaries
    • Exercise: defending trust boundaries with regular expressions
  • Broken access control
    • Access control issues
    • Excessive privileges
    • Insufficient flow control
    • Unprotected URL/resource access
    • Examples of Shabby Access Control
    • Sessions and session management
  • Broken authentication
    • Broken quality/DoS
    • Authentication data
    • Username/password protection
    • Exploits magnify importance
    • Handling passwords on the server side
    • Single sign-on (SSO)
    • Exercise: Defending authentication
  • Cross site scripting (XSS)
    • XSS patterns
    • Persistent XSS
    • Reflective XSS
    • Best practices for untrusted data
  • Injection
    • Injection flaws
    • SQL injection attacks evolve
    • Drill down on stored procedures
    • Other forms of injection
    • Minimizing injection flaws
  • Exercise: Defending against SQL injection

Module 5: Vulnerabilities (Part 2)

  • Error handling and information leakage
    • Fingerprinting a website
    • Error-handling issues
    • Logging in support of forensics
    • Solving DLP challenges
  • Insecure data handling
    • Protecting data can mitigate impact
    • In-memory data handling
    • Secure pipes
    • Failure in TLS/SSL framework
    • Exercise: Defending sensitive data
  • Insecure configuration management
    • System hardening: IA mitigation
    • Application whitelisting
    • Least privileges
    • Anti-exploitation
    • Secure baseline
  • Direct object access
    • Remote file inclusion
    • Redirects and forwards
    • Direct object references
  • Spoofing, CSRF and redirects
    • Name resolution vulnerabilities
    • Fake certs and mobile apps
    • Targeted spoofing attacks
    • Cross Site Request Forgeries (CSRF)
    • CSRF defenses

Module 6: Best practices

  • Cryptography overview
    • Strong encryption
    • Message digests
    • Encryption/decryption
    • Keys and key management
    • NIST recommendations
  • Understanding what’s important
    • Common vulnerabilities and exposures
    • OWASP 2017 top 10
    • CWE/SANS top 25 most dangerous SW errors
    • Monster mitigations
    • Strength training: Project teams/developers
    • Strength training: IT organizations

Module 7: Secure Development Lifecycle (SDL)

  • SDL process overview
    • Types of security controls
    • Phases of typical data-oriented attack
    • Phases: Offensive actions and defective controls
    • Security lifecycle activities

Module 8: Security testing

  • SDL process overview
    • Types of security controls
    • Phases of typical data-oriented attack
    • Phases: Offensive actions and defective controls
    • Security lifecycle activities
View More

Prerequisites

Participants need to have experience working with Java/JEE.

Who Should Attend

The course is highly recommended for –

  • Java developers
  • Full stack developers
  • Web developers
  • Software developers
  • Software engineers

Interested in this course? Let’s connect!

Related Courses

Web and mobile testing fundamentals
Web and mobile testing fundamentals
Social media Boot Camp
Social Media Boot Camp
Getting started with react basics
Getting Started with React | React Basics
Mastering javascript and jquery
Mastering JavaScript and jQuery

Popular Courses

ITIL 4 foundation
ITIL® 4 Foundation
ITIL® Foundation (v3, 2011)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Professional (CISSP)
Mastering Python Programming
Mastering Python Programming

Recent Posts

(ISC)2 pilot testing online exam proctoring, what does it mean for you?

January 20, 2021

Why your organization needs a Certified Scrum Master®?

November 6, 2020

What is Docker and Kubernetes?

October 20, 2020

Getting started with learning DevOps

October 16, 2020