What You Will Learn

1. Identity and Access Control Management (I&ACM) Architecture
- goals for information security safeguards in applications
- defining an enterprise I&ACM architecture
- access control models and architectures
- security audit log management in multi-tiered applications
- TCP/IP network application services security risk analysis
- enterprise directory services
- client/server and middleware security for multi-tiered applications
- locating control points in complex, multi-tiered applications
2. Web Application Architectures
- inventorying your application software environments
- Web application building blocks and control points
- HTTP protocol and state management: cookies, hidden fields, viewstate, querystrings
- Web application markup languages: HTML, XML
- HTTPS/SSL session encryption
- single/reduced sign-on (SSO) pros and cons
- common Web application threats and vulnerabilities
- Web application security strategies
3. Web (HTTP) Server Security and Audit
- summary of security baselines for server operating systems
- Web server configuration: operational and security requirements
- comparing and contrasting Web server access control security features: Apache, Microsoft IIS
- perils and protections for remote Web application development
- application firewalls and intrusion prevention systems
- tools, techniques, and checklists for discovering and testing Web server security
4. Security in Application Software Design
- server-side Web page programming security: SSI, CGI, ASP, PHP, Java/JSP, ASP.NET (VB.NET, C#)
- mobile code security: Java Applets, ActiveX, VBScript, JavaScript, AJAX, Flash ActionScript
- common security vulnerabilities and attacks on Web application software
- attacks on Web servers: cross-site scripting, SQL injection, buffer overflow
- input validation and editing
- software change controls and configuration management
- Web application vulnerability and testing tools
- tools, techniques, and checklists for auditing security in application design
5. Application (Middleware) Servers
- roles, architecture, and security control points for XML/object-oriented development environments and associated application servers
- defining key sources of application server security: declarative vs. programmatic controls, database and Enterprise Information System (EIS) connectors
- security and audit features in components and servers
- tools and techniques for securing and auditing application servers
6. Securing and Auditing File Sharing and Database Management Systems
- methods for providing data access to users and other applications
- data access control, authorization, and audit
- file sharing technologies: Windows file shares, SAMBA, Network File System (NFS)
- relational database management systems (DBMS)
- Structured Query Language (SQL): more than just query
- security risks associated with DBMS systems
- comparing security and audit features of major DBMS products
- tools, techniques, and checklists for securing and auditing DBMS components
7. Web Services and Service-Oriented Architectures
- Simple Object Access Protocol (SOAP) Web services definition and architecture
- SOAP Web services standards
- Service Oriented Architectures (SOA)
- SOA Enterprise Service Bus (ESB)
- Representational State Transfer (REST) Web services
- Web services security and audit tools and techniques
8. Remote Access and Mobile Application Security and Audit
- key control points in remote access and mobile applications
- how mobile applications differ from internal server-based applications
- tools and techniques for protecting the contents of mobile devices
- gateways for mobile applications: vulnerabilities and safeguards
- checklist of best practices for secure mobile and wireless applications