Securing Web Applications, Services, and Servers Training

Modeling web security

• Achieving Confidentiality, Integrity and Availability (CIA)
• Performing authentication and authorization

Encrypting and hashing

• Distinguishing public– and private–key cryptography
• Verifying message integrity

Configuring security for HTTP services

• Managing software updates
• Restricting HTTP methods

Securing communication with SSL/TLS

• Obtaining and installing server certificates
• Enabling HTTPS on the web server

Detecting unauthorized modification of content

• Configuring permissions correctly
• Scanning for file–system changes

Employing OWASP resources

• The Open Web Application Security Project (OWASP) top ten
• Remediating identified vulnerabilities

Securing database and application interaction

• Uncovering and preventing SQL injection
• Defending against an insecure direct object reference

Managing session authentication

• Protecting against session ID hijacking
• Blocking cross-site request forgery

Controlling information leakage

• Displaying sanitized error messages to the user
• Handling requests and page faults

Performing input validation

• Establishing trust boundaries
• Removing the threat of Cross-Site Scripting (XSS)
• Exposing the dangers of client-side validation
• Implementing robust server-side input validation with regular expressions

Ajax features

• Identifying core Ajax components
• Exchanging information asynchronously

Assessing risks and evaluating threats

• Managing unpredictable interactions
• Exposing Ajax vulnerabilities

Diagnosing XML vulnerabilities

• Identifying nonterminated tags and field overflows
• Uncovering web service weaknesses

Protecting the SOAP message exchange

• Validating input with an XML schema
• Encrypting exchanges with HTTPS
• Implementing WS–Security with a framework

Operating and configuring scanners

• Matching patterns to identify faults
• "Fuzzing" to discover new or unknown vulnerabilities

Detecting application flaws

• Scanning applications remotely
• Finding vulnerabilities in web applications with OWASP and third-party penetration testing tools

Adopting standards

• Reducing risk by implementing proven architectures
• Handling personal and financial data

Managing network security

• Modeling threats to reduce risk
• Integrating applications with your network architecture