JVA-122. Secure Java Web Development

Similar documents
elearning for Secure Application Development

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

The increasing popularity of mobile devices is rapidly changing how and where we

The end. Carl Nettelblad

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Magento Security and Vulnerabilities. Roman Stepanov

Enterprise Application Security Workshop Series

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

(WAPT) Web Application Penetration Testing

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Ruby on Rails Secure Coding Recommendations

What is Web Security? Motivation

Multi Factor Authentication API

Where every interaction matters.

Using Foundstone CookieDigger to Analyze Web Session Management

MS-55096: Securing Data on Microsoft SQL Server 2012

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

Hack Proof Your Webapps

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Web Application Guidelines

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Adobe Systems Incorporated

Angel Dichev RIG, SAP Labs

Securing Data on Microsoft SQL Server 2012

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

Secure development and the SDLC. Presented By Jerry

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Criteria for web application security check. Version

Testing the OWASP Top 10 Security Issues

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Sichere Software- Entwicklung für Java Entwickler

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

PARTNER INTEGRATION GUIDE. Edition 1.0

Workday Mobile Security FAQ

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

APPLICATION SECURITY AND ITS IMPORTANCE

SAML Security Option White Paper

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Web Application Report

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Web Application Security

Application Security

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

WEB APPLICATION SECURITY

Python Cryptography & Security. José Manuel

Gateway Apps - Security Summary SECURITY SUMMARY

Check list for web developers

JVA-561. Developing SOAP Web Services in Java

Securely Managing and Exposing Web Services & Applications

USING FEDERATED AUTHENTICATION WITH M-FILES

Sitefinity Security and Best Practices

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Application Security. Petr Křemen.

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE

Introduction to SAML

Cloud Security:Threats & Mitgations

Secure the Web: OpenSSO

Passing PCI Compliance How to Address the Application Security Mandates

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

SAML-Based SSO Solution

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Apigee Gateway Specifications

Lecture 11 Web Application Security (part 1)

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Perceptive Experience Single Sign-On Solutions

Chapter 1 Web Application (In)security 1

Copyright: WhosOnLocation Limited

Web Based Single Sign-On and Access Control

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Building Web Applications, Servlets, JSP and JDBC

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

enterprise^ IBM WebSphere Application Server v7.0 Security "publishing Secure your WebSphere applications with Java EE and JAAS security standards

Using etoken for SSL Web Authentication. SSL V3.0 Overview

AccountView. Single Sign-On Guide

REDCap Technical Overview

TrustedX - PKI Authentication. Whitepaper

Application Code Development Standards

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

M.Sc. Thesis within Computer Engineering AV 30 ECTS. Federated identity management AD FS for single sign-on and federated identity management

Application Security Testing

Using SAML for Single Sign-On in the SOA Software Platform

APIs The Next Hacker Target Or a Business and Security Opportunity?

Web Application Security

Transcription:

JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard to secure enterprise coding. Authentication, authorization, and input validation are major themes, and students get good exposure to basic Java cryptography for specific development scenarios, as well as thorough discussions of HTTPS configuration and certificate management, error handling, logging, and auditing. Perhaps the most eye-opening parts of the course concern common web "hacks," or attack vectors. Students see how easy it is to leave an application unguarded against cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, and other attack types -- and learn that it's also easy to fix such vulnerabilities and the importance of a secure development process. In the last part of the course we move beyond the scope of traditional, interactive web applications to consider RESTful web services, single sign-on systems, and third- party authorization. Students learn to perform HMAC cryptography as a means of HTTP messagelevel authentication, and get introductions and hands-on exercise with SAML SSO and OAuth. Course Length: 5 days Prerequisites Java programming experience is essential -- Course 103 is excellent preparation. Servlets programming experience is required -- Course 111. JSP page-authoring experience is recommended but not required -- again, Course 111. Understanding of RESTful web services as implemented in JAX-RS will be highly beneficial, but is not strictly required. Consider Course 563. Learning Objectives Generally, be prepared to develop secure Java web applications and services, or to secure existing applications and services by refactoring as necessary. Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies. Guard against common web attacks including XSS, CSRF, and SQL injection. Validate user input aggressively, for general application health and specifically to foil injection and XSS attacks. Configure a server and/or application to use one-way or two-way HTTPS. Apply application-level cryptography where necessary. Store sensitive information securely, hash user passwords, and understand the importance of salting and of using slow hashing algorithms and processes, to maximize the safety of stored credentials. Use HMAC security as appropriate in RESTful web services. Participate in SAML SSO systems, and be aware of the security concerns involved in single sign-on. Implement server and client sides of the OAuth-2.0 initial flow in order to provide third-party authorization to resources in a secure manner. Server Support: Tomcat 1

IDE Support: Eclipse Luna In addition to the primary lab files, an optional overlay is available that adds support for Eclipse Luna. Students can code, build, deploy, and test all exercises from within the IDE. See also our orientation to Using Capstone's Eclipse Overlays. Course Outline Chapter 1. Concerns for Web Applications Threats and Attack Vectors Server, Network, and Browser Vulnerabilities Secure Design Principles GET vs. POST Container Authentication and Authorization HTML Forms Privacy Under /WEB-INF HTTP and HTTPS Other Cryptographic Practices SOA and Web Services The OWASP Top 10 Chapter 2. Authentication and Authorization HTTP BASIC and DIGEST Authentication Schemes Declaring Security Constraints User Accounts Safeguarding Credentials in Transit Replay Attacks Authorization Over URL Patterns Roles FORM Authentication Login Form Design Session Fixation Protections Programmatic Security Programmatic Security in JSF Chapter 3. Common Web Attacks Forceful Browsing Predictable Resource Locations Using Random Numbers Cross-Site Scripting Output Escaping Cross-Site Request Forgery Synchronizer Tokens 2

Injection Attacks Protections in JDBC and JPA Session Management Taking Care of Cookies Chapter 4. Input Validation Validating User Input Validation Practices Regular Expressions Bean Validation (a/k/a JSR-303) Constraint Annotations Cross-Field Validation Built-In Support in Java EE Using a Validator Producing Error Responses JSF Validation Chapter 5. HTTPS and Certificates Digital Cryptography Encryptio SSL and Secure Key Exchange Hashing Signature Keystores keytool Why Keys Aren't Enough X.509 Certificates Certificate Authorities Obtaining a Signed Certificate Configuring HTTPS Client-Side Certificates and Two-Way SSL PKCS #12 and Trust Stores CLIENT-CERT Authentication Chapter 6. Application-Level Cryptography The Java Cryptography Architecture Secure Random Number Generation The KeyStore API Digital Signature Hashing Password Hashing Why Hashing Isn't Enough Salts Key Lengthening and Key Strengthening 3

Slow Algorithms The Java Cryptography Extensions The SecretKey and KeyGenerator Types Symmetric Encryption Choosing Algorithms and Key Sizes Dangerous Practices Storing and Managing Keys Chapter 7. REST Security Basics Security Concerns for REST Services HTTPS HTTP BASIC and DIGEST Authorization by URL Pattern Cross-Site Scripting Injection Attacks Cross-Site Request Forgery Common Countermeasures Chapter 8. HMAC Security Use Case: Message Authentication Digital Signature Hashing as Signature: the HMAC Keyed Hashing The Hmac Utility Appropriate Salts Canonicalization Amazon S3 Timestamps Signing and Verifying Messages XML Cryptography and Canonicalization Canonicalizing JSON Chapter 9. SAML SSO The Challenge of Single Sign-O Federated Identity SAML 2.0 The Web Browser SSO Profile Identity Providers and Service Providers SAML Assertions SAML Protocol SAML Bindings Speaking "Through" the Browser The HTTP Redirect Binding Artifact and SOAP Bindings 4

SAML Attributes Security Concerns in SSO Systems Chapter 10. OAuth Use Case: Third-Party Authorization OAuth Initial Flow Grant Types Access Tokens The Google OAuth API Implementing Authorization and Resource Servers Implementing Clients Security Concerns with OAuth Appendix A. Learning Resources 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information