
Web Application Security Boot Camp™
The Challenge of Securing Web Applications and Web Services in an Evolving Web World

These days, a hacker with a computer can commit far more fraud, far faster, than a conventional criminal swiping credit cards ever could in the old days.

Your web applications WILL experience deliberate internal and external attacks.  It's not a question of "if"; it's a question of which attacks, and how well your infrastructure and web applications will resist them.

How many security attacks would cripple your critical web applications for hours, or even days?

What if your applications seem to work fine, but hackers have corrupted them so that they hemorrhage your sensitive information -- and you don't even know it?

Can your web applications survive these, and other, common threats?

  • Denial of Service Attack

  • Elevation of Privilege

  • Identity Spoofing

  • NetBIOS Attacks

  • Trojan Horse Attacks

  • SYN Attacks

  • Bombing and Spamming

Because "www" really stands for "wild, wild web", web applications are inherently NOT secure.  You must explicitly build in all of the required security in both the infrastructure and the application.

The Web Application Security Boot Camp™ provides you with the practical information and techniques that you need to design, build, implement and manage secure web applications in a secure infrastructure.  This intensive 4-day course looks hard at common external threats and the infrastructure and application conditions that create internal holes that hackers exploit, and then teaches you how to build a comprehensive web application security strategy.

The Web Application Security Boot Camp™ addresses both infrastructure and application defenses in a unique "problem/solution" threat scenario format designed to solve frequently occurring security challenges.  Participants will work with knowledgeable consultants/instructors to learn how to identify many of the common critical threat scenarios that jeopardize your web applications.  Learners then practice how to use an effective analysis and planning framework to systematically evaluate each threat scenario and develop the specific mitigation and elimination strategies that will succeed for each threat.

The Web Application Security Boot Camp™ comes in two versions: One for .NET and the other for J2EE.  Both versions contain dual two-day components, woven together by the threat scenarios.  The first component addresses infrastructure security risks and resolutions common to all web application environments.  The second component tackles web application development security challenges and solutions, including threats and conditions specific to either .NET or J2EE and coding examples customized for either .NET or J2EE.

What You Will Learn

  • Why does the web present such an application security challenge?

    • Web application Scope: Internal, Controlled External, Uncontrolled External

    • Distributed servers and application components

    • Web Services

  • How much web application security is enough?

    • What options do you have?

    • Where should you invest your scarce resources?

  • How can you plan your infrastructure & web application security strategies?

    • How to use a structured framework for threat identification & analysis.

    • How to evaluate risks using a threat analysis approach.

    • How to determine factors that influence vulnerability.

    • How to identify & analyze consequences.

    • How to identify and build mitigation/elimination strategies.

    • How to develop recovery strategies.

  • What are the pieces of the web application security infrastructure puzzle?

    • Physical security: Access, Detection/Recovery and Encryption

    • Logical security: Identity, Authentication and Authorization

    • Implementation: Provisioning, Single Sign-On and Management/Administration

    • Data Integrity: Encryption, Hashing and Signing

    • Communications Privacy: Cryptography, Digital Certificates, SSL

  • What current and proposed standards address which security issues?

    • SSL

    • HTTP, S-HTTP, HTTPS

    • WS-Security

    • SAML

    • The Liberty Alliance

    • W3C Encryption

  • How can you plan your security infrastructure?

    • Framework: Security strategies, decisions, choices & options

    • Approach: Decision-making under conditions of uncertainty

    • Legal Issues

    • Price vs. Performance

  • How can you develop secure software?

    • How to incorporate security into product requirements.

    • How to apply the Principle of Least Privilege.

    • How to find the security vulnerabilities of your software.

    • How to design secure software.

    • How to develop secure software with Microsoft .NET and J2EE.

Course Outline

Part 1: Security Infrastructure and Functions for Web Applications

Chapter 1: The Challenge

  • The changing corporate enterprise architecture

    • The fundamental changes in the infrastructure

    • Centralized or decentralized

    • The high availability architecture

  • The evolution of the Internet

    • The changing demographics

    • The changing business environment

    • E-business evolution

    • IPv6 - new opportunities

  • Security Challenges

    • The threat

      • Hacker attacks

      • Your employees

      • Remote system management

    • Examples of hacker attacks

Chapter 2: Identity

  • Must we trade off ease of use for security?

  • Single sign-on issues

  • The challenge of global authentication

Chapter 3: Authentication

  • An in-depth look at certificates

    • Secure sockets layer (SSL)

    • Kerberos

  • Digital signatures

  • Digital payments

  • Authentication

  • What do you do?

  • Where to get help?

Chapter 4: Access

  • Encryption

    • Magic Decoder Ring

    • Public Key

    • Private Key

    • Encryption using software or hardware

  • Security Technology

    • Monitoring tools

    • Firewalls - What is changing and why?

    • Infrastructure analysis tool

    • RADIUS security

  • VPN

  • Cookies

    • The mobile user issues and solutions

      • The technology choices and the threat

      • Flaws in wireless security

      • Defensive strategies

Part 2: Infrastructure Standards & Solutions for Today & Tomorrow

Chapter 1: Sorting out the smorgasbord of security opportunities

  • Standards organizations

    • The OASIS consortium

    • World Wide Web Consortium (W3C)

  • Accommodating Security in Legacy Standards & Architectures

    • DCOM and CORBA

    • HTML – An evolving work in progress

    • HTTP, S-HTTP, HTTPS

    • SGML

  • Security in Emerging Standards

    • XML: Key management, encryption, signatures, XACML

    • ebXML

    • SAML, XACML

    • WSDL, UDDI and SOAP

  • Security features

    • The Java environment

    • Microsoft .NET

Chapter 2: Attempts at Formal Security Standards

  • WS-Security: A model to incorporate existing and future technologies

  • Web Services

    • WS-I

    • Liberty Alliance

  • Microsoft Security Initiatives

  • Microsoft WS-SDK toolkit

Chapter 3: Provisioning: Implementing identity & authentication across the enterprise

  • Security Assertion Markup Language (SAML) -- a single sign-on

  • Other options for single sign-on

Chapter 4: Vendor products & Strategies Reality Check

  • Open standards adoption in real products (or not)

  • Administration approaches

    • Initial set up

    • Day-to-day

    • TCO

Chapter 5: Planning & Managing Security: Strategies, Decisions, Choices & Options

  • Evaluating security choices

    • Reducing to basics

  • Choices to secure Web services

  • Legal issues

  • An architectural guide to securing web services in the new distributed architecture

  • Security and costs

  • When will this all come together?

  • What is a realistic architecture today?

    • What are its capabilities?

    • How do you build?

    • How do you manage?

    • How do you secure?

  • Appendix: Sources for more information

  • Security organizations and links

Part 3: Developing Secure Web Applications

Chapter 1: Determining the Security Vulnerabilities of Your Application

  • Classic Software Security Problems

    • Buffer Overflows

    • Race Conditions

    • Storing Passwords

    • Whom do you trust?

    • Validating input

    • Misusing Cryptography

    • Web Applications and Databases

    • Canonicalization Errors

    • Storing Secrets in Code

  • The Principle of Least Privilege

  • Analyzing the Security Vulnerabilities of Your Application

Chapter 2: Remediating the Security Vulnerabilities of Your Application

  • Open vs. Closed Source Technologies

  • Access Control

  • Auditing

  • Privacy

  • Nonrepudiation

  • Code Reviews

Chapter 3: Minimizing the Information You Disclose

  • Determining Who Really Needs to Know

  • Permissions and Privileges

  • Code Obfuscation

  • Designing Proper Error Messages

  • HTTPS and SSL

Part 4: .NET Technologies for Implementing Secure Web Applications

Chapter 1: Verifiable vs. Managed Code

  • Managed Code and the Common Language Runtime

  • Type Safe Code and Verification

  • .NET Languages and Type Safe Code

  • .NET Code Obfuscators

Chapter 2: Code Access Security

  • Vulnerabilities of Applications Built from Components

  • Assemblies and Strong Names

  • Assemblies and Evidence

  • Code Permissions

  • Security Policy

Chapter 3: Web Applications with ASP.NET

  • Authenticating Web Applications

    • User Based Authentication

    • Role Based Authentication

  • Authorizing Web Applications

  • Storing Passwords

  • Validating Input

  • Diagnostics

Chapter 4: Microsoft .NET Web Services

  • WS-Security

  • Authenticating Web Service Applications

  • Authorizing Web Services Applications

  • Signing SOAP Messages

  • Encrypting SOAP Messages

Chapter 5: .NET Cryptographic Classes

Part 5: J2EE Technologies for Implementing Secure Web Applications

Chapter 1: J2EE Web Services and Security

  • Threats

  • Solutions

  • Technology

  • Levels

  • Public-Key Encryption

  • Digital Signature

  • Securing XML Content

  • Securing J2EE Components

Chapter 2: J2EE Security

  • J2SE Security

  • HTTP Authentication

  • Securing Web Applications

  • Security Constraints on URL Patterns

  • Authorizing Web Components

  • EJB Security

  • Roles

  • Authorization Policies

  • CORBA Security

  • HTTPS

Chapter 3: Interoperable Security

  • A Contradiction in Terms?

  • The Point of Interoperability

  • Securing XML Content

  • XML Encryption

  • XML Signature

  • Canonicalization

  • Single Sign-On

  • SAML

  • Portable Policies

  • XML Key Base

  • XACML