December 17, 2014

Securing Java Web Services and Applications

We celebrate two new releases today, starting with a major update and expansion of our most popular security course. The new Course 121, "Securing Java Web Applications," has been thoroughly reworked, with support for modern tools and standards across the board:

  • Java EE 7, with Tomcat 8 as the hosting web server
  • The latest guidance from OWASP, including correlation to the 2013 edition of the OWASP Top 10
  • Cross-tested on Windows 7 and 8, Mac OS 10.8, with a prepared workspace for Eclipse Luna
  • Cross-tested on recent versions of Internet Explorer, Firefox, Chrome, and Safari
  • Enhanced examples of common web hacks (cross-site scripting, CSRF, injection, and more) that work against all tested browsers
  • Expanded treatment of input validation, including an introduction to Java EE Bean Validation
  • New concerns such as session fixation, secure logging, and appropriate hashing and salting of password databases

The new Course 122, "Secure Java Web Development," also arrives today. This includes most of the material from Course 121, but takes a more general view of security -- for web services as well as traditional web applications -- and so considers:

  • Security for RESTful web services
  • Message-level security with HMACs
  • Single sign-on with SAML 2.0
  • Third-party authorization with OAuth 2.0

Students will find either of these courses to be highly illuminating and full of good ideas on secure web-development practice.