Writing Secure Java Web Applications
Duration: 3 days
The increasing use of the Internet for commercial purposes has led to a need for web applications to operate correctly and securely. There are many people seeking to take advantage of poorly designed and badly configured applications, and today's developers need to know how to write secure applications, and how to guard against attacks. This course will show how security can (and must) be designed into a project from the start, and will then examine a number of the common attacks experienced by web applications.
Delegates should have practical experience of writing Java web applications, including a working knowledge of servlets, JSPs and how they operate within a container.
Course Content
Introduction
- Why web applications are insecure
- Review of HTTP and web technologies
- Security throughout the lifecycle
- Threat Modelling
- Coding Best Practices
- Setting up a build process
- Source code analysis and testing
- Input validation
- Authentication
- Session hijacking
- Cross-site scripting
- Cross-site request forgery
- HTTP response splitting
- Cryptography and protecting sensitive data
- Buffer overruns
- Injection attacks
- Privilege escalation
- Race conditions
- Insecure error handling
- Insecure configuration management
- Denial of Service attacks
- Authentication using sessions and cookies
- FORM authentication
- EJB authorization
- Programmatic security
- Protecting code and resources in containers
- java.security.acl
- JAAS
- Securing Apache and Tomcat
- The HDIV web application security framework
- The Stanford LAPSE web application scanner
- Using a security proxy
- Fault injection and fuzzing
- Stress testing
- Load testing
- Effective auditing and logging
