JEE: Securing JEE Web Services (TT8500)

  • Virtual Classroom
  • Onsite

Duration: 4 Days

Securing JEE Web Services is a lab-intensive, hands-on JEE security training course, essential for experienced enterprise developers who need to produce secure JEE-based web services. In addition to teaching basic programming skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle.

In this course, you will thoroughly examine best practices for defensively coding JEE services, including XML processing. You will repeatedly attack and then defend various assets associated with fully functional web services. This hands-on approach drives home the mechanics of how to secure JEE web services in the most practical of terms.

The second portion of the course steps through a series of vulnerabilities illustrating in very real terms the right way to implement secure web services. The last portion of the course examines several design patterns that can be used to facilitate better application architecture, design, implementation, and deployment. You will leave the course armed with the skills required to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency.

Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web application, you will learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle.

A key component to our Best Defense IT Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is Java-specific, it may also be presented using .Net or other programming languages, and it may be customized to suit your team's unique objectives.

What You Will Learn

  • Consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injections
  • Test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Concepts and terminology behind supporting, designing, and deploying secure services
  • Problems associated with service security and the potential risks associated with those problems
  • Best practices for supporting the many security needs of services
  • Vulnerabilities associated with authentication and authorization within the context of web services
  • Detect, attack, and implement defenses for authentication and authorization functionality
  • Dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack, and implement defenses against XSS and Injection attacks
  • Concepts and terminology behind defensive, secure coding
  • Using Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web services
  • Design and develop strong, robust authentication and authorization implementations within the context of JEE
  • Fundamentals of XML Digital Signature as well as how it can be used as part of the defensive infrastructure for web services
  • Fundamentals of XML Encryption as well as how it can be used as part of the defensive infrastructure for web services
  • Understand and defend vulnerabilities that are specific to XML and XML parsers

Audience

This intermediate-level JEE/web services programming course is designed for developers who wish to get up and running on developing well-defended software applications.

Prerequisites

  • Familiarity with Java and JEE is required, and real-world programming experience is highly recommended; approximately 6 months to a year of Java and JEE working knowledge is ideal
  • TT4300 Core XML Fundamentals and TT5160 Core Servlet/JSP Development or TT5100 Developing JEE Web Applications using Servlets/JSPs, JDBC and More or equivalent knowledge and skills

Course Outline

1. Foundation

  • Misconceptions
    • Thriving Industry of Identity Theft
    • Dishonor Roll of Data Breaches
    • TJX: Anatomy of a Disaster
    • Heartland: What? Again?
  • Security Concepts
    • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • CWE/SANS Top 25 Programming Errors
  • Categories
  • What They Mean to Your Services
  • Defensive Coding Principles
    • Security Is a Lifecycle Issue
    • Minimize Attack Surface
    • Manage Resources
    • Application States
    • Compartmentalize
    • Defense in Depth - Layered Defense
    • Consider All Application States
    • Not Trusting the Untrusted
    • Security Defect Mitigation
    • Leverage Experience
  • Reality
    • Recent, Relevant Incidents
    • Find Security Defects in Web Application

2. Applying Security to SOA

  • SOA Overview
    • SOA Defined
    • Cross-Cutting Concerns
  • Challenges
    • Identity and Propagation
    • Real-Time Transactions
    • Diverse Environments
    • Information Protection
    • Standards compliance
  • Services and Security
    • SOA Components
    • Service Lifecycle
    • Security Policies
    • Appliances and Gateways
  • Authentication and Authorization
    • Requirements
    • Applicable OASIS Standards
    • SAML
    • SAML Assertions
    • Authentication, Attributes, and Authorization Statements
    • SAML Usage Scenarios

3. Defending XML Processing

  • Defending XML
    • Understanding Common Attacks and How to Defend
    • Operating in Safe Mode
    • Using Standards-Based Security
    • XML-Aware Security Infrastructure
  • Defending Web Services
  • Security Exposures
  • Transport-Level Security
  • Message-Level Security
  • WS-Security
  • Attacks and Defenses

4. WS-Security

  • WS-Security
    • WS-Security Stack
    • JEE and WS-Security
    • Best Practices
  • XML Digital Signature
    • Architecture
    • Working with XML Digital Signature
    • Integrating XML Digital Signature into Web Services
    • Best Practices
  • XML Encryption
    • Architecture
    • Working with XML Encryption
    • Integrating XML Encryption into Web Services
    • Best Practices

5. Top Security Vulnerabilities

  • Unvalidated Input
    • Sources of Untrusted Input
    • Trust Boundaries
    • Designing and Implementing Defenses
  • Overview of Regular Expressions
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS/CSRF) Flaws
    • What and How
    • Designing and Implementing Defenses
  • Injection Flaws
    • What and How
    • SQL, XML, and Others
    • Designing and Implementing Defenses
  • Error Handling and Information Leakage
    • What and How
    • Four Dimensions of Error Response
    • Proper Error Handling Design
  • Insecure Storage
    • What and How
    • Designing and Implementing Defenses
  • Insecure Management of Configuration
  • Direct Object Access
  • Spoofing

6. Secure Software Development (SSD)

  • SSD Process Overview
    • CLASP Defined
    • CLASP Applied
  • Asset, Boundary, and Vulnerability Identification
  • Vulnerability Response
  • Design and Code Reviews
  • Applying Processes and Practices
  • Risk Analysis

7. Security Testing

  • Testing as Lifecycle Process
  • Testing Planning and Documentation
  • Testing Tools And Processes
    • Principles
    • Reviews
    • Testing
    • Tools
  • Static and Dynamic Code Analysis
  • Testing Practices
    • Authentication Testing
    • Session Management Testing
    • Data Validation Testing
    • Denial Of Service Testing
    • Web Services Testing

Course Labs