May 12, 2008

New Course on Web-Application Security

Capstone Courseware is proud to announce the release of a new course on secure development practices for Java web applications. Course 121, "Securing Java Web Applications," offers an eye-opening tour of the most common web-application vulnerabilities, and shows how to avoid them.

Areas of web-application vulnerability

This information-packed course discusses all of these security concerns, and more:

  • HTTP BASIC, DIGEST, and FORM authentication
  • Programmatic authorization
  • Certificate chains and HTTPS
  • Cross-site scripting (XSS)
  • Predictable resource locations and forceful browsing
  • Injection attacks
  • Cross-site request forgery (CSRF)
  • Java Cryptography Architecture (JCA) and Extensions (JCE)
  • Error handling, logging, and auditing

As usual with Capstone courses, there is a wealth of practical examples and hands-on exercises in key techniques. The lab software includes our own "HTTPSneak" application, which allows us to simulate sniffing, man-in-the-middle attacks, and request forgery, and we use it to observe the actual traffic on the wire between browser and server.

"Securing Java Web Applications" also meshes nicely with the rest of our security curriculum: consider Course 107, "Java Development for Secure Systems," and Course 562, "Securing Java Web Services," as possible combinations.