Home About Courses Schedule Services Webinars Contact Search

Securing J2EE Web Services

SEE SCHEDULE

Duration: 4 Days

Method: Instructor led, Hands-on workshops

Price: $2250.00

Course Code: WS1309


Audience

This is an intermediate to advanced level J2EE/Web Services course, designed for developers who wish to get up and running on developing well defended web services.

Description

This intense coding class is essential for experienced developers who need to produce secure J2EE-based web services. Throughout the course, students learn the best practices for designing, implementing, and deploying secure web services using J2EE. This course is short on theory and long on application.

We will examine best practices for defensively coding J2EE web services including the use of WS-Security where appropriate. Finally, a set of J2EE security patterns are examined with a lab that applies a security pattern in defending against an actual complex web service attack.

Objectives

Upon successful completion of this course, the student will be able to:

  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Be able to test web services with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the much potential vulnerability associated with untrusted data
  • Understand the vulnerabilities of associated with authentication and authorization within the context of web services
  • Be able to detect, attack, and implement defenses for authentication and authorization functionality
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Be able to detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the concepts and terminology behind defensive, secure, coding
  • Understand the use of Threat Risk Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web services
  • Understand the basics of XML Encryption as well as how it can be used as part of the defensive infrastructure for web services
  • Understand the basics of XML Digital Signature as well as how it can be used as part of the defensive infrastructure for web services
  • Understand and defend vulnerabilities that are specific to XML and XML parsers

Prerequisites

Familiarity with Java and J2EE is required and real world programming experience is highly recommended. Ideally students should have approximately 6 months to a year of Java and J2EE working knowledge. In addition, experience and/or working knowledge of web services and XML processing within J2EE are required. This course starts out immediately attacking and defending web services implemented in J2EE. There is no preliminary familiarization of either J2EE or Web Services.

Topics

  • I. Foundation
    • Terminology and Players
      • Assets, Threats, and Attacks
      • OWASP
      • Basic Principles
    • Reality
      • Survey of recent, relevant incidents
      • Lab to find the security defects in an existing web service
    • Defending XML Processing and Web Services
      • Understanding common attacks and how to defend
      • Operating in safe mode
      • Appropriate protocol layer for WS Security
      • Using standards-based security
      • XML-aware security infrastructure
      • WSDL protection
      • Message validation, compliance, and inspection
  • II. Top Ten Security Vulnerabilities
    • #1 Unvalidated Input
      • Description with working web service example
      • Defenses
      • Identifying trust boundaries Qualifying untrusted data
      • Implementing a layered defense that effectively protects quality of service as well as data integrity
      • Designing an appropriate response to a recognized attack
      • Testing defenses and responses for weaknesses
    • #2 Broken Access Control
      • Description with working web service example
      • Defenses
      • Defending special privileges such as
      • inistrative functions
      • Application authorization best practices
    • #3 Broken Authentication and Session Management
      • Description with working web service example
      • Defenses
      • Multi-layered defenses of authentication services
    • #4 Cross Site Scripting (XSS) Flaws
      • Description with working web service example
      • Defenses
      • Character encoding complications
      • Blacklisting
      • Whitelisting
      • HTML/XML entity encoding
      • Understanding the implications of trust boundary definition
      • Implementing a layered defense that effectively protects quality of service as well as XSS vulnerabilities
      • Designing an appropriate response to a recognized attack
    • #5 Buffer Overflows
      • Description with working example
      • Defenses
      • Java’s strong typing
      • Java’s memory model
    • #6 Injection Flaws
      • Description with working web service example
      • Defenses
      • Qualifying untrusted data
      • JDBC with Prepared Statements
      • Hibernate best practices
      • XML best practices
      • Implementing a layered defense that effectively protects quality of service as well as injection vulnerabilities
      • Designing an appropriate response to a recognized attack
    • #7 Improper Error Handling, Auditing, and Logging
      • Description with working web service example
      • Defenses
      • Web service exception handling
      • Error response best practices
      • Error, auditing, and logging content management
      • Error, auditing, and logging service management
      • Best practices for supporting web service attack forensics
    • #8 Insecure Storage
      • Description with working web service example
      • Defenses
      • Data leakage
      • Risk minimization
      • Cryptography Overview
      • Working with XML Encryption
    • #9 Insecure Management of Configuration
      • Description with working example
      • Defenses
    • #10 Dynamic Loading
      • Description with working web service example
      • Defenses
      • XML/DTD/Schema/XSLT best practices
  • III. WS-Security
    • WS-Security
      • WS-Security Stack
      • J2EE and WS-Security
      • Best Practices
    • XML Digital Signature
      • Architecture
      • Working with XML Digital Signature
      • Integrating XML Digital Signature into Web Services
      • Best Practices
  • IV. Best Practices and Design Patterns
    • Defensive Coding Principles
      • Attack Surface Management
      • Application States
      • Defense in Depth
      • Not Trusting the Untrusted
      • No Security through Obscurity
      • Security Defect Mitigation
      • Leverage Experience
    • J2EE Web Application Security Design Patterns
      • Authentication Enforcer
      • Authorization Enforcer
      • Intercepting Validator
      • Secure Base Action
      • Secure Logger
      • Secure Pipe
      • Secure Service Proxy
      • Intercepting Web Agent
  • V. Secure Design and Analysis
    • Design and Analysis Processes
      • Motivation
      • Security Development Lifecycle (SDL)
      • CLASP applied
    • Application of Design and Analysis Processes
      • Threat Risk Modeling
      • Testing and Review Best Practices