Knowledge United

Leverage the Power of Learning
Services - Knowledge United Promo.
 
 
Free Webinar on Demand: Preserve Training on Reduced Budgets
 
Virtual Training Spotlight
 
SmartPoints from Knowledge United
 
Onsite Training from Knowledge United
 
Save Time and Money With The Universal Learning Pack
 
Contact Knowledge United
Toll Free: 888-448-5669
International: 951-436-9140
contact@knowledgeunited.com
 
 

Mastering SOA Security

Enroll Now

Dates: February 3-4, 2009
Times: 10am-5pm EST
Course Length: 2 days
List Tuition (US): $1,200
Special Rate (US): $995

Course Overview

Geared for analysts, architects, and developers that are working in Service-Oriented Architectures (SOA) and the infrastructures supporting them, Mastering SOA Security provides students with essential best practices skills for designing, implementing, and deploying services within a secure infrastructure. This course is targeted for those that need to understand the issues and concepts associated with secure services and service infrastructures. This course is not a coding course, although implemented services, service infrastructures, and code are used extensively as examples and training aids.

A key component to our Best Defense Security Training Series, this works hop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is language-agnostic, it may also be presented using Java, .Net or other programming languages or environments.

What You'll Learn

Students who attend Mastering SOA Security will leave the course armed with an understanding of security basics, what concerns are particular to supporting services, and how best to address those concerns within various service architectures.

This course introduces the most common security vulnerabilities faced by applications today, as well as the challenges that face service providers and users. The course also explores the services needed within a service provider's infrastructure and how those services can be implemented in conjunction with the Enterprise Service Bus (ESB).

Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. The last portion of the course examines service lifecycles, measures for protecting web services and XML functionality, and basic design and security patterns.

Working in a dynamic learning environment attendees will learn to:

  • Understand the concepts and terminology behind supporting, designing, and deploying secure services
  • Appreciate the magnitude of the problems associated with service security and the potential risks associated with those problems
  • Understand what are the currently accepted best practices for supporting the many security needs of services.

Who Should Attend

This is course designed for web application project stakeholders who wish to get up and running on developing well defended service infrastructures. Familiarity with web applications and infrastructures is helpful, and a working knowledge with web services is highly recommended. This course may be customized to suit your team's unique objectives

Ideally students should have a basic understanding of SOA and the associated technologies.

Course Outline

Session: Foundation

  • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • Basic Principles
  • Top Security Vulnerabilities
  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) Flaws
  • Injection Flaws
  • Improper Error Handling, Auditing, and Logging
  • Insecure Storage
  • Insecure Configuration Management
  • Direct Object Access
  • Spoofing

Session: SOA Security Overview

  • Challenges
    • Identity and Propagation
    • Real-time Transactions
    • Diverse Environments
    • Information Protection
    • Standards compliance
  • Services and Security
    • SOA Components
    • Service Lifecycle
    • Security Policies
  • Security Services
    • Identity
    • Authentication
    • Authorization
    • Confidentiality/Integrity
    • Auditing
    • Non-repudiation

Session: Applying Security to Services

  • Direct Service Exposure
  • Indirect Service Exposure
  • Enterprise Service Bus (ESB)
    • Mediating Security Services
    • Transport-Level Security
    • Message-Level Security
    • Policy Enforcement
    • Policy Management
    • Protecting the ESB
  • Composed Services
    • Single-Sign On
    • Trust Relationships
    • Trust Relationships and Web Services

Session: WS Security

  • Defending XML Processing and Web Services
  • WS-Security
    • WS-Security Stack
    • J2EE and WS-Security
    • Best Practices
  • XML Digital Signature
    • Architecture
    • Working with XML Digital Signature
    • Integrating XML Digital Signature into Web Services
    • Best Practices

Session: Best Practices and Design Patterns

  • Defensive Coding Principles
    • Attack Surface Management
    • Application States
    • Defense in Depth
    • Not Trusting the Untrusted
    • No Security Through Obscurity
    • Security Defect Mitigation
    • Leverage Experience
  • J2EE Web Application Security Design Patterns
    • Authentication Enforcer
    • Authorization Enforcer
    • Intercepting Validator
    • Secure Base Action
    • Secure Logger
    • Secure Pipe
    • Secure Service Proxy
    • Intercepting Web Agent

Session: Secure Design and Analysis

  • Design and Analysis Processes
    • Motivation
    • Security Development Lifecycle (SDL)
    • CLASP applied
  • Application of Design and Analysis Processes
    • Security Risk Modeling
    • Testing and Review Best Practices
 

©2003-2008 Knowledge United, Inc. • All Rights Reserved  • Legal InfoPrivacy PolicySite Map