Overview
This is an immersive, practical training course that focuses on training web developers to build secure web applications, incorporate essential security elements into the applications – from the development stage to the deployment stage and beyond. The course also highlights the right practices and processes for the entire software development lifecycle. During the course, participants initiate attacks, provide defenses, learn the best practices and processes for coding secure web applications, including XML processing. The course equips participants with the skills and knowledge for identifying potential as well as real security vulnerabilities, and deploying the right defense measures for overcoming them, while also testing the adequacy of the defenses. The courses discusses the common vulnerabilities encountered in web applications and examines each of these vulnerabilities from a Java/JEE perspective.
What You'll Learn
- Overview of services
- How to defend XML
- Understanding the access control issues
- Exploring vulnerabilities encountered in web applications
- Understanding the security policies
- How to establish layers of defense
- Overview of cryptography
- How to defend rich interfaces and REST
- Exploring the SDL (Secure Development Lifecycle)
- Tools and techniques for testing defenses
- Understanding the OWASP web app penetration testing
Curriculum
- Who is safe?
- The assumptions we make
- Security: The complete picture
- Anthem, Sony, Target, Heartland and TJX debriefs
- Verizon’s 2017 data breach report
- Attack patterns and recommendations
- Tutorial: Working with Eclipse (JEE version) and Tomcat
- Tutorial: Working with the HSQL database
- Exercise: Case study set up and review
- Security concepts
- Motivations: Costs and standards
- Open Web Application Security Project (OWASP)
- Web application security consortium
- CERT secure coding standards
- Microsoft SDL
- Assets and trust boundaries
- Threat modeling
- Exercise: Case study asset analysis
- Principles of information security
- Security is a lifecycle issue
- Minimize attack surface area
- Layers of defense: Tenacious D
- Compartmentalize
- Consider all application states
- Do not trust the untrusted
- Service challenges
- Services overview
- Identity and propagation
- Real-time transactions
- Diverse environments
- Information protection
- Standards compliance
- Services and security
- Security policies
- Applicable OASIS standards
- SAML
- SAML usage scenarios
- Oauth 2.0 and OpenID
- Exercise: Working with OAuth
- Defending XML
- XML signature
- XML encryption
- XML attacks: Structure
- XML attacks: Injection
- Safe XML processing
- Exercise: Safe XML processing
- Exercise: Dynamic loading using XSLT
- Defending web services
- Web service security exposure
- When transport-level alone is not enough
- Message-level security
- WS-security roadmap
- XWSS provides many functions
- Web service attacks
- Web service appliance/gateways
- Exercise: Web service attacks
- Defending rich interfaces and REST
- How attackers see rich interfaces
- Attack surface changes when moving to rich interfaces
- Bridging and its potential problems
- Three basic tenets for safe rich interfaces
- OWASP REST security recommendations
- Unvalidated input
- Buffer overflows
- Integer arithmetic vulnerabilities
- Unvalidated input from the web
- Defending trust boundaries
- Whitelisting vs. blacklisting
- Exercise: Defending trust boundaries
- Exercise: defending trust boundaries with regular expressions
- Broken access control
- Access control issues
- Excessive privileges
- Insufficient flow control
- Unprotected URL/resource access
- Examples of Shabby Access Control
- Sessions and session management
- Broken authentication
- Broken quality/DoS
- Authentication data
- Username/password protection
- Exploits magnify importance
- Handling passwords on the server side
- Single sign-on (SSO)
- Exercise: Defending authentication
- Cross site scripting (XSS)
- XSS patterns
- Persistent XSS
- Reflective XSS
- Best practices for untrusted data
- Injection
- Injection flaws
- SQL injection attacks evolve
- Drill down on stored procedures
- Other forms of injection
- Minimizing injection flaws
- Exercise: Defending against SQL injection
- Error handling and information leakage
- Fingerprinting a website
- Error-handling issues
- Logging in support of forensics
- Solving DLP challenges
- Insecure data handling
- Protecting data can mitigate impact
- In-memory data handling
- Secure pipes
- Failure in TLS/SSL framework
- Exercise: Defending sensitive data
- Insecure configuration management
- System hardening: IA mitigation
- Application whitelisting
- Least privileges
- Anti-exploitation
- Secure baseline
- Direct object access
- Remote file inclusion
- Redirects and forwards
- Direct object references
- Spoofing, CSRF and redirects
- Name resolution vulnerabilities
- Fake certs and mobile apps
- Targeted spoofing attacks
- Cross Site Request Forgeries (CSRF)
- CSRF defenses
- Cryptography overview
- Strong encryption
- Message digests
- Encryption/decryption
- Keys and key management
- NIST recommendations
- Understanding what’s important
- Common vulnerabilities and exposures
- OWASP 2017 top 10
- CWE/SANS top 25 most dangerous SW errors
- Monster mitigations
- Strength training: Project teams/developers
- Strength training: IT organizations
- SDL process overview
- Types of security controls
- Phases of typical data-oriented attack
- Phases: Offensive actions and defective controls
- Security lifecycle activities
- SDL process overview
- Types of security controls
- Phases of typical data-oriented attack
- Phases: Offensive actions and defective controls
- Security lifecycle activities
Who should attend
The course is highly recommended for –
- Java developers
- Full stack developers
- Web developers
- Software developers
- Software engineers
Prerequisites
Participants need to have experience working with Java/JEE.
