Securing Java Web Applications

Public Training Price : $1950 per student
Private Training Price : Request a quote
Print this outline
Enroll in this Public Class

 

 

 

Securing Java Web Applications Training Class Summary

This advanced course shows experienced developers of Java web applications how to secure those applications and to apply best practices with regard to secure enterprise coding. Authentication, authorization, and input validation are major themes, and students get good exposure to basic Java cryptography for specific development scenarios, as well as thorough discussions of HTTPS configuration and certificate management, error handling, logging, and auditing.

Audience: Experienced Java web developers.

Prerequisites: Java programming experience developing web applications is required. Servlet knowledge is required, JSP knowledge is helpful.

Class Length: 3 days

Securing Java Web Applications Training Class Objectives
  • Develop secure Java web applications, or to secure existing applications by refactoring as necessary.
  • Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies.
  • Validate user input aggressively, for general application health and specifically to foil injection and XSS attacks.
  • Configure a server and/or application to use one-way or two-way HTTPS.
  • Apply application-level cryptography where necessary.
  • Secure log files and establish audit trails for especially sensitive information or actions.
Securing Java Web Applications Training Class Detailed Outline
  1. Secure Web Applications
    • Threats
    • Attack Vectors
    • Server Vulnerabilities
    • Network Vulnerabilities
    • Browser Vulnerabilities
    • Tools and Environment
    • MySQL
    • Tomcat
    • Goals
    • Principles
    • Tools and Techniques
    • POSTing not GETting
    • Container Services
    • HTML Forms
    • Non-Addressable Resources
    • HTTP and HTTPs
    • Other Cryptographic Practices
    • SOA and Web Services
    • OWASP
    • The OWASP Top 10
  2. Authentication and Authorization
    • Authentication for Web Applications
    • Authorization
    • HTTP Authentication Schemes
    • HTTP BASIC
    • The HTTPSneak Application
    • HTTP DIGEST
    • Abstract Roles, Concrete Realms
    • Declaring Security Constraints
    • Authorization Over URL Patterns
    • Custom Error Pages
    • User Accounts
    • The Healthcare Case Study
    • Replay Attacks
    • Frustrations with BASIC and DIGEST
    • Doing It Yourself
    • FORM Authentication
    • FORM Interactions
    • Login Form Design
    • Role-Based Authorization in EJB
    • Declaring Method Permissions in XML
    • Declaring Method Permissions in Java
    • Programmatic Security
    • When to Use Servlet Security APIs
    • Programmatic Security in JSF
  3. Secure Application Design
    • Single Points of Decision
    • Defense in Depth
    • Attacks and Countermeasures
    • Cross-Site Scripting
    • Reflected XSS
    • Defeating XSS
    • Framework Support
    • Forceful Browsing
    • Cross-Site Request Forgery
    • Partial Countermeasures
    • Request Tokens
    • JSF and CSRF
    • SQL Injection
    • JDBC and PreparedStatement
    • The Java Persistence API
    • Session Timeouts
    • Taking Care of Cookies
    • Validating User Input
    • Validation Practices
    • Regular Expressions
    • JSF Validation
  4. HTTPS and Certificates
    • Digital Cryptography
    • Network-Layer Cryptography
    • Application-Layer Cryptography
    • Private-Key Encryption
    • Public-Key Encryption
    • SSL and Secure Key Exchange
    • Hashing
    • Digital Signatures
    • Keystores
    • keytool
    • Why Keys Aren't Enough
    • X.509 Certificates
    • X.500 and Distinguished Names
    • Certificate Chains
    • Certificate Authorities
    • Obtaining a Signed Certificate
    • Configuring HTTPS
    • Combining HTTPS and User Login
    • Two-Way SSL
    • Configuring Two-Way SSL
    • PKCS #12
    • CLIENT-CERT Authentication
  5. Application-Level Cryptography
    • Practical Applications
    • The Java Cryptography Architecture
    • The Power of Random Numbers
    • The SecureRandom Class
    • The KeyStore Class
    • The KeyStore API
    • The Signature Class
    • The Signed Object Class
    • The Message Digest Class
    • The Java Cryptography Extensions
    • The SecretKey and KeyGenerator Types
    • The Cipher Class
    • Choosing Algorithms
    • Choosing Key Sizes
    • Dangerous Practices
  6. Secure Development Practices
    • Secure Development Cycle
    • Error Handling and Information Leakage
    • Secure Failure Modes
    • Logging
    • Appropriate Content for Logs
    • Auditing
    • Auditing Strategies
    • Penetration Testing
    • Back Doors