Secure Web Applications and Web Services Architectures

Secure Web Applications and Web Services Architectures


Most applications are not designed with security in mind ... Get the concepts, architectures and vision at this seminar in cooperation with Ascure NV.

2 March 2005 (14-21)
Location: Sofitel Diegem (Diegem near Brussels (Belgium))
Presented in English
Price: 480 EUR (excl. 21% VAT)
AGENDA » SPEAKERS »


This event is history, please check out the List of Upcoming Seminars

Check out our related in-house workshops:


Full Programme:
13.30h-14.00h
Registration and Coffee/Tea
14.00h-14.50h
An Intro into the Most Common Threats for Web Applications
(Jan De Meyer, Ascure)

Web applications are omni-present, but few people seem to understand to what a degree those applications can expose their environment. In this introductory session we will try to give you an insight why almost 80% of the hacks today involve Web application hacking. We will take you conceptually through a number of scenarios which might expose your data and/or your organisation.

  • Specific web-attacks: hidden field manipulation, cookie poisoning, backdoor & debug options, application buffer overflow, stealth commanding, 3rd party misconfigurations, known vulnerabilities, parameter tampering, cross site scripting, forceful browsing, SQL injection, ...
14.50h-15.40h
Building Blocks of Secure e-Architectures
(Erik R. van Zuuren, Ascure)

Once your risks and required controls are known, things need to be put in place. And as security is determined by the weakest link, this session will look at all architectural and procedural elements you should have in place if you want to have a trust-worthy environment. We will give you a good insight into what concepts like multi-layer defence and time-based security really means and why you need to have those in mind.

  • Risk management aspects: applying frameworks, baselines and risk management techniques to Web application and Web services environments
  • Layered Security Aspects: Network-layer controls, System-Layer Controls, Application-Layer Controls, etc. Understanding the (in)abilities of firewalls, application-level firewalls, intrusion detection, anti-virus, ...
  • Policies-elements and Crucial Processes: Personnel Security, Physical & Environmental Security, Communications and Operations Management, Access Control, Systems Development and Maintenance, Compliance, ISO17799, ...
15.40h-16.10h
Coffee/Tea
16.10h-17.00h
Web Applications: Secure Development Guidelines and Principles
(Sebastien Deleersnyder, Ascure)

As becomes clear over and over again: the development department needs to work under severe time constraints, constantly changing requirements, ever-evolving technical evolutions, ... and worst of all without any clear principles or guidelines on how to deliver secure applications. In this session, we therefore want to give you some insight on what your development department should know and how things could be put under control methodologically.

  • Some rules and techniques (at conceptual level):
    • Validate input and output
    • Fail securely
    • Make it simple
    • Use and reuse trusted components
    • Defense in depth
    • Only as secure as the weakest link
    • No security by obscurity
    • Least privilege
    • Compartimentalization
    • Trust no one
    • Input validation
    • Stored procedures
    • Session management
17.00h-17.50h
Web Application Firewalls: Mitigating Risk & Buying Critical Time
(Jan De Meyer, Ascure)

Even with the best of guidelines, even with the best procedures, things sometimes go wrong, or required changes can not be executed due to conflicts with the production environment. What do you do if the alarm goes off but your hands are tied ? This session explains how Web application firewalls can buy you critical time and what their impact is on your environment.

  • An overview of mitigating solutions in the market place.
  • Understand how Web application firewalls work and buy you time
  • Where to put Web application firewalls and the possible consequences
  • Creating rules and tuning Web application firewalls
  • What (and what not) to log
17.50h-19.00h
Dinner
19.00h-19.50h
Important Cornerstone: Identity and Access Control Management
(Erik R. van Zuuren, Ascure)

Even the best of controls can not function properly if you haven't got a clue who is doing what, where and when. Identities, roles and privileges must be uniquely determined and stringently administered. This session will take you through the most important aspects of identity management, role- and privilege-based access. Also, you will get some insights into different federation models and what can or can not work. Finally as identities in the Web services world are no different from identities in the Web application world, we will give you some ideas on how to keep both worlds in sync.

  • The building blocks of IAM in a web-context
  • Identity Management and Provisioning issues
  • Successful Access Management strategies
  • Authentication-, Assertion- and PKI-integration specifics
  • Delegated administration versus Federation
19.50h-20.40h
The (immediate) Future: Web Services and their Security Aspects
(Sebastien Deleersnyder, Ascure)

Web services are not only rapidly becoming a cornerstone in backend connectivity and enterprise application integration (EAI), but they are also about to cause the same evolution boom as Web applications did. Regrettably, few of the Web services already in production have true security on board. Partly, because it is just standardizing. This presentation will give you a look ahead on how to successfully protect your Web services.

  • Web services: already in more places then you would think.
  • Web services security models and features (WSTrust, WSS, SAML, ...)
  • Which features to use when and where ?
  • Integration of IAM and Web services
20.40h-21.00h
Conclusions & Summary / Final Q&A
        SPEAKERS »

Questions about this ? Interested but you can't attend ? Send us an email !