Java Web Security

Course:  JWSEC
Duration:  4 Days
Level:  II
Course Summary

This course will illustrate how to ensure your web applications are deployed with the most advanced security measures for coding, communication and configuration. The class begins by discussing threats and mitigation techniques, application of security design principles, conventional and public key cryptography, and the most popular authentication protocols, including SSL and TLS, encryption and hashing, OWASP utilization, SQL injection, cross-site scripting, web service security vulnerabilities, session hijacking, AJAX issues, SOAP message protection, security flaw detection and review of security design patterns.

« Hide The Details
Topics Covered In This Course

IT Security Status

  • Security basics
    • Confidentiality
    • Integrity
    • Authentication/Authorization
    • Non-repudiation
  • Cryptographic roles
    • Key management
    • Trust models
    • Revocation
    • Random generation
  • Application flaws and threat modeling
  • Security realities
  • Security threat layers
    • Hub and Spoke
    • Perimeter
    • Identity
    • Hardware
    • OS
  • Security patterns
  • Services security

Security Patterns

  • Best practices
  • Review patterns catalog
  • Pattern design methodology
  • Tier patterns
    • Services
    • Identity
    • Provisioning
    • Personal

Communication Security

  • SSL architecture
  • SSL alert protocols
  • SSL threats
  • Use of TLS
  • Security certificates
    • Digital certificates
    • CA utilization
    • Distribution
    • Revocation

Application Server Security

  • HTTP restrictions
  • HTTPS utilization
  • Security API
    • Hashing algorithms
    • Cryptographic API
    • JCE API
    • JSSE
    • JAAS
  • Certificate management
  • Encryption techniques
    • Symmetric vs Asymmetric
    • Block cipher
    • Cipher Block
  • Session authentication
    • Hijacking prevention
    • Request forgery
    • Vulnerabilities
    • Session fixation issue
    • Timeout issues
    • Encryption threat mitigation

Web Application Security

  • Role-based granularity
  • Use of OWASP
  • OWASP vulnerabilities
    • Injection flaws
    • Authentication and Sessions
    • Cross-site scripting
    • Direct object references
    • Sensitive data
    • Access granularity
    • Invalidated redirects
  • Application role security
    • Client tier
    • EJB tier
    • Component tier
  • Error handling
    • Standardized error management
    • Request faults
    • Page faults

AJAX Management

  • AJAX components
  • Asynchronous issues
  • Vulnerabilities
    • Javascript
    • SQL injection
    • Bridging
    • XSS
  • Vulnerability testing

Web Services Security

  • Architecture
  • Core issues
    • Threats
    • Vulnerabilities
    • Risks
  • Security requirements
    • Authentication
    • Integrity
    • Traceability
    • Confidentiality
    • Non-repudiation
    • Interoperability
  • XML encryption
  • XML Key management
  • WS-Security

Identity Management

  • Core issues
  • SAML overview
  • SAML Architecture
    • Assertions
    • Domain model
    • Policy enforcement
    • Request-Reply model
    • Attribute assertion
    • XML signatures

Application Scanning

  • Application threat analysis
    • SQL injection
    • XSS
    • Command execution
    • Server configuration
    • Directory traversal
  • Use of tools
    • Commercial
    • Software-as-a-Service
    • Open Source

Security Design Patterns

  • Web-tier
    • Authentication
    • Enforcers
    • Validators
    • Proxy
    • Interceptors
  • Business-tier
    • Container managed
    • Obfuscation
    • Delegator
    • Facade
    • Service management
  • Web Service tier
    • Network layer stack
      • Perimeter defense
      • XML firewall
    • Transport layer stack
      • Infrastructure
      • Identity provider
      • Directory services
    • Message layer stack
      • Interceptor
      • Secure router
      • Gateway
What You Can Expect

Upon conclusion, each participant will have acquired these skills:

  • Illustrate current security challenges and highlight application flaws
  • Depict security architecture and design patterns (web, business, services and identity tiers) to ensure CIA principles
  • Illustrate Public Key Cryptography, Hashing, Signatures and Symmetric Encryption
  • Learn the role of Java Authentication Authorization Services (JAAS)
  • Depict the usage of JAAS Authentication and Authorization
  • Discuss secure communications with SSL and TLS
  • Discuss the functions of the JEE Security Manager
  • Understand the role of OWASP in web application security
  • Discuss threats and mitigation techniques with SQL injection
  • Illustrate digital certificates and their role in message security
  • Demonstrate the techniques for managing security for Web Services
  • Depict input validation, use of trust boundaries and protection against cross-site scripting
  • Managing AJAX security issues
  • HTTP Authentication and Authorization
  • Demonstrate Servlets and role-based security
Who Should Take This Course

This course is designed for Java developers, system designs and project managers that rs that seek to design, create and implement secure applications.

Recommended Prerequisites

You should be familiar with the basics of the web system architecture including processes, class loading, and threads. Some programming experience on the Java platform is preferable.

Training Style

Lecture/Lab

« Hide The Details
Related Courses
Code Course Title Duration Level
WSST
Web Software and Security Testing
3 Days
I
Details
WSSEC
Web Services Security Considerations in Java
1 Day
II
Details
NETSEC
Planning and Managing Network Security
5 Days
II
Details

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Schedule For This Course
There are currently no public sessions scheduled for this course. We can schedule a private class for your organization just a couple of weeks from now. Or we can let you know the next time we do schedule a public session.
Notify me the next time this course is confirmed!
Can't find the course you want?
Call us at 800.533.3893, or
email us at [email protected]