Mastering SOA Security Training

How To Take This Class

Live Instructor-Led Online Class

Cost: $1,000.00

  • Open enrollment class for individuals
  • Live class with an instructor
  • Free class retakes forever!
  • Six months of instructor email support
  • Hands-on exercises and student labs
  • Classes never cancelled due to low enrollment
  • Money-back guarantee


Onsite or Offsite Group Training

Cost: Based on number of students

  • For groups as small as 3 people
  • Class held at our location or yours
  • Hands-on exercises and student labs
  • Customization at no extra charge
  • Six months of instructor email support
  • All-inclusive pricing
  • Money-back guarantee

Course Duration

2 Days

Course Description

The Mastering SOA Security training is geared toward analysts, architects, and developers who work in Service-Oriented Architectures (SOA) and the infrastructures that support them. The course provides students with the essential best-practice skills for designing, implementing, and deploying services within a secure infrastructure. It is targeted at those who need to understand the issues and concepts associated with secure services and service infrastructures. This is not a coding course, although implemented services, service infrastructures, and code are used extensively as examples and training aids.

Course Objectives

Upon successful completion of this course, students will be able to:
  • Understand the concepts and terminology behind supporting, designing, and deploying secure services
  • Appreciate the magnitude of the problems associated with service security and the potential risks associated with those problems
  • Understand the currently accepted best practices for meeting the many security needs of services

Course Audience

This course is designed for web application project stakeholders who want to get up to speed on developing well-defended service infrastructures. Familiarity with web applications and their infrastructures is helpful, and a working knowledge of web services is highly recommended.

Course Prerequisites

Ideally, students should have a basic understanding of SOA and its associated technologies. Attendees should have at least two years of working experience in the IT industry. A basic understanding of software development and web-based applications is necessary; hands-on development experience is helpful but not required.

Course Syllabus

  1. Foundation
    • Misconceptions
    • Security Concepts
    • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • CWE/SANS Top 25 Programming Errors
    • What they mean to your services and architecture
    • Defensive Coding Principles
    • Security Is A Lifecycle Issue
    • Minimize Attack Surface
    • Manage Resources
    • Application States
    • Compartmentalize
    • Defense In Depth - Layered Defense
    • Consider All Application States
    • Not Trusting The Untrusted
    • Security Defect Mitigation
    • Leverage Experience
    • Recent, Relevant Incidents
    • Find Security Defects In Web Application
    • Top Security Vulnerabilities
    • Unvalidated Input
    • Broken Access Control
    • Broken Authentication and Session Management
    • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Flaws
    • Injection Flaws
    • Improper Error Handling, Auditing, and Logging
    • Insecure Storage
    • Insecure Configuration Management
    • Insecure Direct Object References
    • Spoofing
  2. Challenges
    • Identity and Propagation
    • Real-time Transactions
    • Diverse Environments
    • Information Protection
    • Standards compliance
  3. Services and Security
    • SOA Components
    • Service Lifecycle
    • Security Policies
  4. Security Services
    • Identity
    • Authentication
    • Authorization
    • Confidentiality/Integrity
    • Auditing
    • Non-repudiation
  5. Applying Security to Services
    • Authentication
    • Authorization
    • Security Assertion Markup Language (SAML)
    • SAML Assertions
    • SAML Authorities
    • SAML Usage Scenarios
    • Threats Against SAML Infrastructures
    • SAML Flow
    • SAML Scenario: Server
    • SAML Scenario: Client
    • Using Handlers
    • Using Devices
  6. WS-Security
    • Defending XML Processing and Web Services
    • WS-Security Stack
    • J2EE, .Net, and WS-Security
    • Best Practices
  7. XML Digital Signature
    • Architecture
    • Working with XML Digital Signature
    • Integrating XML Digital Signature into Web Services
    • Best Practices
  8. Devices and Firewalls
    • Application Firewalls
    • XML and Web Service Firewalls
  9. Defensive Coding Principles
    • Security Is A Lifecycle Issue
    • Minimize Attack Surface
    • Manage Resources
    • Application States
    • Defense In Depth - Layered Defense
    • Consider All Application States
    • Not Trusting The Untrusted
    • Security Defect Mitigation
    • Leverage Experience
  10. J2EE Web Application Security Design Patterns
    • Authentication Enforcer
    • Authorization Enforcer
    • Intercepting Validator
    • Secure Base Action
    • Secure Logger
    • Secure Pipe
    • Secure Service Proxy
    • Intercepting Web Agent
  11. Design and Analysis Processes
    • Motivation
    • Secure Software Development (SSD)
    • CLASP applied
  12. Application of Design and Analysis Processes
    • Security Risk Modeling
    • Testing and Review Best Practices