This is an intermediate to advanced level J2EE/Web Services course, designed for developers who wish to get up and running on developing well-defended web services.
This intense coding class is essential for experienced developers who need to produce secure J2EE-based web services. Throughout the course, students learn the best practices for designing, implementing, and deploying secure web services using J2EE. This course is short on theory and long on application.
We will examine best practices for defensively coding J2EE web services, including the use of WS-Security where appropriate. Finally, a set of J2EE security patterns is examined, with a lab that applies a security pattern in defending against an actual complex web service attack.
Upon successful completion of this course, the student will be able to:
- Understand potential sources for untrusted data
- Understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injections
- Be able to test web services with various attack techniques to determine the existence and effectiveness of layered defenses
- Prevent and defend against the many potential vulnerabilities associated with untrusted data
- Understand the vulnerabilities associated with authentication and authorization within the context of web services
- Be able to detect, attack, and implement defenses for authentication and authorization functionality
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Be able to detect, attack, and implement defenses against XSS and Injection attacks
- Understand the concepts and terminology behind defensive, secure coding
- Understand the use of Threat Risk Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web services
- Understand the basics of XML Encryption as well as how it can be used as part of the defensive infrastructure for web services
- Understand the basics of XML Digital Signature as well as how it can be used as part of the defensive infrastructure for web services
- Understand and defend against vulnerabilities that are specific to XML and XML parsers
Familiarity with Java and J2EE is required, and real-world programming experience is highly recommended. Ideally, students should have approximately 6 months to a year of Java and J2EE working knowledge. In addition, experience and/or working knowledge of web services and XML processing within J2EE is required. This course starts out immediately attacking and defending web services implemented in J2EE. There is no preliminary familiarization with either J2EE or web services.