
FOCUS OF THE MONTH: Developing secure Web Applications with Spring Security

[SS49] [24 h - 3days]

Course programme

  • Security as a process and not as a tool/keyword collection
  • Top Ten security risks for 2010
  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards
  • Why is security difficult?

Best practice (Quick introduction to OWASP)

  • How to take security into account in your project
  • Analysis: Identifying Key Business Risks and Stakeholders, Evaluating the Risk/Reward Profile for the Application
  • Defining Application and Environment Components, Necessary Functional Objects and Security Objects
  • Defining Interfaces (GUI, WS, files)
  • Introduction to Threat Modeling
  • Determine countermeasures and mitigation
  • Organizational commitment to security
  • Coding Standards
  • Secure Coding Principles

Tools for Application Security Verification

  • Application Security Verification Levels
  • Level 1 - Automated Verification
  • Level 2 - Manual Verification
  • Level 3 - Design Verification
  • Level 4 - Internal Verification

Spring Security

  • Architecture
  • Configuration
Spring Security for authentication

  • Configuration of <http>, <intercept-url> constraints
  • form-login configuration
  • Anonymous user management
  • Logout
  • The Authentication/Authorization Schema
  • The Filter Chain
  • Authentication Manager and Providers, including JDBC
  • Implementing UserDetailsService
  • Channel Security
  • Session Management

Spring Security for authorization

  • Programmatic Authorization: Servlets
  • Role-Based approach
  • The Spring Security Tag Library
  • XML vs. Annotations
  • ACL-based approach
  • Domain-Object Authorization

Spring Security for Single-Sign On integration

  • Integration: LDAP, CAS, OpenID
  • Certificate management with X.509

Guidelines for protecting from major threats

  • Phishing
  • Web Service attacks
  • AJAX attacks
  • Authentication attacks
  • Authorization attacks
  • Session management
  • Data Validation
  • Error Handling, Auditing and Logging
  • Buffer Overflows
  • Administrative Interface
  • Cryptography
  • Configuration data

ESAPI Security Controls

  • Authentication
  • Access control
  • Input validation
  • Output encoding/escaping
  • Cryptography
  • Error handling and logging
  • Communication security
  • HTTP security
  • Security configuration

Lab: case study with a sample Web application

Open and download the course brochure