1-800-THE-TREE (1-800-843-8733)
 

Securing Web Applications, Services and Servers: Hands-On

 
Course: 940     Type: Hands-On     Duration: 4 Days

Frequently Asked Questions

What is this course about?

Organizations today increasingly rely on the Internet and networked systems to conduct business. At the same time, cyber crime and security violations pose an ever-growing threat to business-critical functions and data. If Web applications are not enabled with the appropriate security countermeasures, third parties are able to eavesdrop and compromise the integrity of information passed to and from your Web applications. For organizations that share proprietary data across the Internet, intranets or other public networks, this is of particular concern.

This course systematically exposes potential security threats, provides proven solutions and shows you the steps you can take today to help ensure the integrity and privacy of your Web applications. Special attention is paid to the Open Web Application Security Project (OWASP) Top Ten security issues.

Who will benefit from this course?

This course is valuable for anyone who wants to protect their Web applications from attack. Specifically, this course is geared for those directly involved in the development, maintenance or auditing of Web applications, including Web application developers, software QA personnel, Web application security testers and auditors, and security administrators.

What background do I need?

Experience developing Web applications and a basic knowledge of Web server administration are assumed. You should have knowledge at the level of Course 470, Developing a Web Site: Hands-On. For example, you should have an understanding of session management, cookies, basic HTML and server-side programming. In addition, the ability to configure a basic Web server is helpful.

What Web servers are covered in this course?

This course provides a choice between the two most commonly deployed Web servers: Microsoft Internet Information Services on Windows or Apache on Windows.

What Web programming languages are covered in this course?

This course covers most Web application security issues in a language-independent format. The information provided is applicable to most environments used today. During the hands-on exercises, you choose between using ASP.NET with C# or Java EE.

Will I learn how to enable HTTPS in this course?

Yes, this course covers configuring a Web server to use HTTPS. This includes obtaining a digital certificate from a certification authority, as well as self-signing. Participants are given a choice of using IIS or Apache for the hands-on exercise.

Does this course cover the OWASP Top Ten?

Yes, this course goes into detail on the Open Web Application Security Project (OWASP) Guide and the Top Ten security issues. These include: SQL injection flaws, cross-site scripting (XSS), session ID hijacking, Cross Site Request Forgery (CSRF), information leakage, improper error handling, insecure cryptographic storage and failure to restrict URL access.

Will I learn how to secure Web services in this course?

Yes. Topics covered include protecting XML message content with WS-Security and ensuring integrity with XML schemas.

Does this course cover securing Web servers?

Yes. While this course does not cover detailed configuration of a Web server, several Web server security topics are covered. These topics include enabling HTTPS on a Web server, configuring file permissions, detecting file-system changes, and restricting Web server acceptance of HTTP methods.

How much time is spent on each topic?

Content                                   Hours
Setting the stage                         2.0
Establishing security fundamentals        2.0
Augmenting Web server security            4.0
Implementing Web application security     7.0
Enhancing Ajax security                   1.5
Securing XML Web services                 3.0
Scanning applications for weaknesses      3.0
Best practices for Web security           1.5
Times, including the workshops, are estimates; exact times may vary according to the needs of each class.

How much of this course is hands-on?

Approximately 50 percent of class time is spent in hands-on exercises. Based on an evolving case study, you gain practical experience securing applications. Exercises include intercepting and modifying a signed SOAP message, detecting unauthorized file system modification, and preventing code injection with input validation.

Does this course cover scanning for vulnerabilities?

Yes. In this course, you learn how to scan Web applications to detect vulnerabilities within the Web application layer. Web application scanners are used to scan deployed Web applications and determine possible vulnerabilities.

For coverage of network and system vulnerability scanning, which are not covered in this course, you should consider Course 589, Hands-On Vulnerability Assessment: Protecting Your Organization.

Will I learn to hack?

No. While this course covers vulnerabilities and exploitation, it does not focus on hacking techniques or tools. For more information on hacking, see Course 589, Hands-On Vulnerability Assessment: Protecting Your Organization, or Course 537, Ethical Hacking and Countermeasures: Hands-On.

Will I learn to develop Web applications in this course?

No. This course assumes previous knowledge of Web application development. The primary focus of this course is on securing against common vulnerabilities.

How does this course relate to other Learning Tree courses?

In addition to the aforementioned Course 470, the following courses may be of interest:

  
Upcoming Dates
Dec 16 - 19, 2008: Ottawa
Jan 6 - 9, 2009: Washington, DC (Reston, VA)
Jan 13 - 16, 2009: Chicago (Schaumburg)
Jan 20 - 23, 2009: Toronto
Jan 20 - 23, 2009: Washington, DC (Rockville, MD)
Feb 3 - 6, 2009: Los Angeles
Feb 24 - 27, 2009: New York
Mar 17 - 20, 2009: Ottawa
May 26 - 29, 2009: Toronto
Jun 9 - 12, 2009: Washington, DC (Alexandria, VA)


Participants securing a Web application against SQL injection.
Your Course Tuition Entitles You to...
  • Class participation
  • Team workshops
  • Use of in-class hands-on equipment
  • Comprehensive course materials
  • Morning and afternoon refreshments
  • Course Completion Certificate awarding Continuing Education Units
  • FREE participation in Professional Certification
  • FREE participation in College Credit programs (including related exams)

Course Tuition
$ 2,790 Standard Tuition
Tuition with a Savings Plan
$ 1,800 10-Day Pass
$ 1,670 Training Passport
$ 1,700 Premium-Pass
$ 2,200 Voucher 10-Pack
$ 2,515 Alumni Gold Discount
$ 2,484 Government Discount
 

 