Securing Web Applications in Java
Application Security Training Datasheet
Security Compass 2011.


COURSE OVERVIEW

Students will gain valuable insight into developing secure Java applications.

The course helps students understand web application attacks and how they arise from insecure coding practices. Students then see how Java secure coding techniques defend against these defects. Students learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge the effectiveness of secure coding practices. Students completing this class will find their secure coding abilities materially sharpened and will be able to integrate these techniques into their organization.

COURSE DETAILS

Audience

Java web application developers, Architects

Instructor Led Delivery

3 Day on-site or remote instructor led training

Computer Based Training (CBT)

Approximately 2 hours of narration; self-paced, with TrueLabs.

All computer based training courses are SCORM-compliant consisting of Flash, HTML, JavaScript, and audio files.

LEARNING OBJECTIVES

• Explain the vulnerabilities and exploits facing modern web applications, including common weaknesses when programming in Java

• Learn and implement defensive coding methods in Java, and the frameworks and tools that support secure coding

• Gain hands-on experience writing secure code and adding security controls to vulnerable source code examples

At a glance
• Intermediate level
• Instructor led
• CBT available
• 3-day training
• Java developers


Outline, at a glance

Introduction
• What is information security?
• Software security trends

1. Authentication
• Factors of authentication
• Mechanisms of authentication
  o JAAS authentication
  o Container authentication
• Authentication weaknesses

2. Authorization and Access Control
• Authorization basics
• Horizontal and vertical privilege escalation
• Access control: container-based and programmatic

3. Session Management
• Hijacking sessions
  o Session basics
  o Setting the Secure flag
• Session weaknesses
  o Session fixation
  o ESAPI defense
• Cross-site request forgery (CSRF)
  o ESAPI CSRF defenses

4. Data Validation
• Types of validation
  o Java regex
  o Servlet filters
• Cross-site scripting (XSS) and defense
  o XSS in Java frameworks
  o ESAPI output encoding
• SQL injection and defense
• Parameter manipulation and defense
• Other validation
  o Setting the HttpOnly flag
  o Java ORM mappers
  o LDAP injection
  o JCA HMAC

5. Cryptography
• Basics of cryptography
• Symmetric and asymmetric key encryption
• Hashing, message digests and salts
• SSL and weak encryption
  o Setting up SSL in Tomcat

6. XML
• XML basics and attacks on parsers
  o Xerces and Xalan
• Attacks on XML validation
• XML injection attacks
  o ESAPI encoding defense
• XSLT-based attacks

7. Miscellaneous Topics in Security
• Information leakage and error handling
  o Java error dos and don'ts
• Log injection
  o ESAPI logging
• Third-party code
• File references
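The following Java example is added here to illustrate several of the outline items above in working code (allow-list validation with Java regex, a servlet filter, the Secure and HttpOnly flags on the session cookie, and a JCA HMAC as a defense against parameter manipulation). It is not code from the Security Compass course or this datasheet. It assumes a Servlet 3.0+ container and Java 8+; the URL pattern, the parameter names accountId and accountIdSig, and the key placeholder are illustrative assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not datasheet code. Assumes Servlet 3.0+ and Java 8+;
// URL pattern, parameter names and the key below are illustrative placeholders.

/** Sets the Secure and HttpOnly flags on the container's session cookie (JSESSIONID). */
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must run before the context finishes starting. The web.xml equivalent is
        // <session-config><cookie-config><http-only>true</http-only>
        //   <secure>true</secure></cookie-config></session-config>
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // not readable by script, so an XSS bug cannot exfiltrate it
        cfg.setSecure(true);   // only sent over TLS, never on a plaintext hop
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/**
 * Regex allow-list validation of a hidden "accountId" form field, plus an HMAC tag
 * (accountIdSig) issued when the form was rendered, so a client that edits the
 * field is detected before the value reaches application code.
 */
@WebFilter("/account/*")
public class ParamIntegrityFilter implements Filter {
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[0-9]{1,12}$");
    private static final String HMAC_ALG = "HmacSHA256";
    // Placeholder key (assumption): real code loads 32 random bytes from a secret store.
    private static final byte[] KEY =
        "replace-me-with-32-random-bytes-from-a-secret-store".getBytes(StandardCharsets.UTF_8);

    private static byte[] hmac(String user, String value) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG); // Mac is not thread-safe: one instance per call
        mac.init(new SecretKeySpec(KEY, HMAC_ALG));
        mac.update(user.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator, so "ab"+"c" and "a"+"bc" give different tags
        mac.update(value.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();
    }

    /** Tag to embed next to the hidden field; binds the value to the logged-in user. */
    public static String sign(String user, String value) throws GeneralSecurityException {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(user, value));
    }

    public static boolean verify(String user, String value, String tag)
            throws GeneralSecurityException {
        if (user == null || value == null || tag == null) return false;
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(tag);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        return MessageDigest.isEqual(hmac(user, value), presented); // constant-time compare
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String accountId = request.getParameter("accountId");

        // 1. Syntactic allow-list check before the value is used anywhere.
        if (accountId == null || !ACCOUNT_ID.matcher(accountId).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 2. Integrity check: the tag must have come from sign() for this user.
        String user = request.getRemoteUser() == null ? "" : request.getRemoteUser();
        try {
            if (!verify(user, accountId, request.getParameter("accountIdSig"))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (GeneralSecurityException e) {
            throw new ServletException(e);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The page that renders the form calls sign(user, accountId) and emits the result in the accountIdSig hidden field. Two caveats a practitioner would want: the HMAC proves only that the server issued the value for this user, so the authorization decision (does this user own the account?) still belongs in the access control layer from outline item 2; and because the tag depends on the key, rotating the key invalidates any forms already served.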


What can we do for you?

We understand application security. We breathe it. We strive to provide the best training experience for your staff.

Our experience helping clients research and manage real-world security risks lets us drive our training material with the latest threats and vulnerabilities seen in everyday engagements.

What does that mean? It means your staff is ready to respond with forward-thinking concepts for securing your business' most sensitive applications.

Here to help.

Reach out to Security Compass’ advisors who can help.

Oliver Ng, Director of Training
[email protected]
1-888-777-2211 ext. 125

Sahba Kazerooni, Director of Professional Services
[email protected]
1-888-777-2211 ext. 103