Secure Web Applications and Web Services Architectures
Most applications are not designed with security in mind ... Learn now how to tackle this vulnerability! In cooperation with Ascure NV.
28 October 2004 (14-21)
Location: Sofitel Diegem
(Diegem near Brussels (Belgium))
Presented in English
Price: 480 EUR
(excl. 21% VAT)
This event is history; please check out the List of Upcoming Seminars, or send us an email.
Why this seminar?
Web Applications have become the point of entry to critical and confidential data, and the interface to internal resources, e-business and e-government platforms. Yet we read time and time again that they remain a major source of compromise.
Web Services are perhaps less visible, but there are more and more of them every day. They are being set up both internally within organisations, to facilitate internal communications and processes, and externally, to facilitate the exchange of business-critical (e.g. financial) data. Most of these Web Services lack any solid security.
Everyone is using these technologies to unlock data and processes, even over
the Internet. The advantages of being able to flexibly reach anyone, anywhere,
anytime are clear. However, it is important to unlock wisely and in a controlled
This seminar will refrain from being highly technical and will instead run you conceptually through the different topics which should be looked at when setting up any Web Application or Web Services Architecture.
First of all we will set the scene using some simple examples of how Web resources can be, and are, easily exploited. Secondly, we will get into the overall controls which should be put in place: we will show you how to assess your real risk and how security should be fitted into the application processes. We will also give a complete overview of the scene and of all procedural and technical building blocks for such environments.
Following those overall controls, we will thirdly get into Web application security specifics: how should Web applications be securely developed, and what extra layer of security can be put in place to mitigate human/programmer failure? Next, we will add an important component, identity and access control management, and show how it best fits into Web environments. Finally, we will look at Web services, their specific security issues and how the lessons we have already learned can be re-applied to them.
Questions answered in this seminar
- How can Web resources be exploited (= abused)?
- How do I assess risks?
- What are the generic (not application-specific) building blocks to secure my environment?
- What are the development guidelines and principles for secure Web applications, and how to mitigate human/programmer's
- How does Identity and Access Control fit in Web environments?
- What are the security aspects of Web services and service-oriented architectures?
Who should attend this seminar?
- "Business-side" people (responsible for e-Business, e-Government, e-Services and/or internal business processes/data) who want to understand how their valuable data is being unlocked and exposed, what the associated risks might be, and what security controls and assurances they can and should demand.
- "IT-side" people who want to get a clear view of those risks and the measures they should take to guarantee the security of their IT services/architectures.
- Security people (of course) who have to guide and guard the process and help both worlds take the right decisions together.
Registration and Coffee/Tea
An Intro into the Most Common Threats for Web Applications
(Sebastien Deleersnyder, Ascure)
Web applications are omnipresent, but few people seem to understand to what degree those applications can expose their environment. In this introductory session we will give you an insight into why almost 80% of the hacks today involve web-application hacking. We will take you conceptually through a number of scenarios which might expose your data and/or your organisation.
- Network- and System-level attacks: your infrastructure and entry points
through the eyes of an attacker.
- Specific web-attacks: hidden field manipulation, cookie poisoning, backdoor
& debug options, application buffer overflow, stealth commanding, 3rd
party misconfigurations, known vulnerabilities, parameter tampering, cross
site scripting, forceful browsing, SQL injection, ...
A Risk Management Perspective on Application Security
(Erik van Zuuren, Ascure)
Closing everything down is an impossible and extremely expensive exercise. And frankly, for most organisations it is neither effective nor efficient. The real question is: which measures do we have to take to protect our organisation and its information at a sufficiently acceptable level? This session will teach you how to analyse those risks and how to define the correct controls to achieve
- An overall security framework (people, process, technology, financials)
- Getting a grip on the business processes
- Reckoning with the legal and international context
- Getting a clear overview of the risks (high-level approach)
- Drilling down to specific risks (levels of vulnerability)
- Identifying effective risk-mitigation measures
The Architectural Building Blocks of Secure e-Architectures
(Jan De Meyer, Ascure)
Once your risks and required controls are known, things need to be put in place. And as security is determined by the weakest link, this session will look at all architectural and procedural elements you should have in place if you want a trustworthy environment. We will give you a good insight into what concepts like multi-layer defence and time-based security really mean and why you need to keep them in mind.
- Layered Security Aspects: Network-layer controls, System-Layer Controls,
Application-Layer Controls, etc. Understanding the (in)abilities of firewalls,
application-level firewalls, intrusion detection, anti-virus, ...
- Important ISO17799-topics and Crucial Processes: Personnel Security, Physical
& Environmental Security, Communications and Operations Management, Access
Control, Systems Development and Maintenance, Compliance.
Web Applications: Secure Development Guidelines and Principles
(Sebastien Deleersnyder, Ascure)
As becomes clear over and over again, the development department has to work under severe time constraints, constantly changing requirements, ever-evolving technology, ... and, worst of all, without any clear principles or guidelines on how to deliver secure applications. In this session we therefore want to give you some insight into what your development department should know and how things could be put under methodological control.
- Some rules and techniques (at conceptual level):
- Validate input and output
- Fail securely
- Make it simple
- Use and reuse trusted components
- Defense in depth
- Only as secure as the weakest link
- No security by obscurity
- Least privilege
- Trust no one
- Input validation
- Stored procedures
- Session management
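The principles listed above (validate input, fail securely, least privilege, and keeping SQL text fixed rather than built from user input) are easy to state and easy to get wrong in code. The following is an added example written for this page, not material from the seminar or from Ascure: it places the classic string-concatenated lookup next to a hardened version that applies an allow-list to the input and binds it as a query parameter. The table, its rows and the `USERNAME_RE` allow-list are constructed for the example; SQLite has no stored procedures, so the parameterized statement stands in for the "stored procedures" bullet, which has the same goal of separating SQL code from data.

```python
# Added example (not from the seminar): input validation and parameterized
# queries as a defence against SQL injection. Runs offline on an in-memory DB.
import re
import sqlite3

# Allow-list for account names: 3-32 characters, letters, digits or underscore.
# Anything else is rejected before it gets anywhere near the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def build_db():
    """Constructed sample data so the example runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def validate_username(name):
    """Input validation: accept only values that match the allow-list."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def lookup_unsafe(conn, name):
    """'Before': user input pasted into the SQL text.

    The database cannot tell where the query ends and the data begins, so a
    value containing quote characters changes the meaning of the statement.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """'After': validate first, then bind the value as a parameter.

    Invalid input is refused outright (fail securely: an empty result, not an
    exception that leaks schema details). Valid input is passed as a bound
    parameter, so the SQL text never changes whatever the value contains.
    """
    if not validate_username(name):
        return []
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed tautology input
    print("unsafe, normal input :", lookup_unsafe(db, "alice"))
    print("unsafe, tautology    :", lookup_unsafe(db, probe))
    print("safe, normal input   :", lookup_safe(db, "alice"))
    print("safe, tautology      :", lookup_safe(db, probe))
```

Running the script shows the point of the "validate input" and "stored procedures" bullets in one place: the concatenated version returns every row for the tautology input, while the hardened version returns nothing because the value fails the allow-list and, even if it passed, would only ever be compared as a literal string.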
Web Application Firewalls: Mitigating Risk & Buying
(Jan De Meyer, Ascure)
Even with the best of guidelines and the best procedures, things sometimes go wrong, or required changes cannot be executed because they conflict with the production environment. What do you do if the alarm goes off but your hands are tied? This session explains how Web application firewalls can buy you critical time and what their impact is on your environment.
- An overview of mitigating solutions in the market place.
- Understand how Web application firewalls work and buy you time
- Where to put Web application firewalls and the possible consequences
- Creating rules and tuning Web application firewalls
- What (and what not) to log
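To make the last three bullets concrete, here is an added example written for this page (not seminar material and not any vendor's product): a miniature request inspector with a hypothetical rule set covering three of the attack classes named in the intro session, a per-path exemption to show what "tuning" means in practice, and a log formatter that records the verdict without ever writing passwords, tokens or request bodies in clear text. The rule patterns, the `EXEMPTIONS` table, the `SENSITIVE_FIELDS` set and all sample requests are constructed for the example.

```python
# Added example (not from the seminar): a minimal Web application firewall
# rule engine plus a logging policy for "what (and what not) to log".
import re
from urllib.parse import parse_qs, urlencode

# Hypothetical rule set. Each rule is named after an attack class from the
# seminar agenda and holds the pattern it looks for in a parameter value.
RULES = [
    ("sql_injection", re.compile(
        r"(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)", re.I)),
    ("cross_site_scripting", re.compile(
        r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.I)),
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]

# Tuning: a parameter that legitimately carries HTML (constructed example:
# a CMS editor field) is exempted from the XSS rule instead of producing a
# constant stream of false positives that would get the whole rule disabled.
EXEMPTIONS = {
    ("/cms/save", "body_html"): {"cross_site_scripting"},
}

# Parameter names whose values must never be written to a log.
SENSITIVE_FIELDS = {"password", "passwd", "token", "session", "cookie"}


def inspect_request(path, query, body):
    """Return ("block", rule, param) on the first matching rule, else ("allow", None, None).

    Both the query string and a form-encoded body are inspected, parameter by
    parameter, so the rule can be tuned per (path, parameter) pair.
    """
    params = []
    for source in (query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            for value in values:
                params.append((key, value))
    for key, value in params:
        skipped = EXEMPTIONS.get((path, key), set())
        for name, pattern in RULES:
            if name in skipped:
                continue
            if pattern.search(value):
                return ("block", name, key)
    return ("allow", None, None)


def mask_query(query):
    """Re-encode the query string with sensitive values replaced."""
    masked = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            masked.append((key, "REDACTED" if key.lower() in SENSITIVE_FIELDS else value))
    return urlencode(masked)


def log_entry(client_ip, path, query, body, verdict):
    """Build one log line: who, what, which rule fired, but no secrets.

    Query values are kept (masked where sensitive) because they are needed to
    tune rules; for the body only the field names are recorded, never values.
    """
    action, rule, param = verdict
    body_fields = ",".join(sorted(parse_qs(body, keep_blank_values=True))) or "-"
    return (f"{client_ip} {path} verdict={action} rule={rule or '-'} "
            f"param={param or '-'} query={mask_query(query) or '-'} "
            f"body_fields={body_fields}")


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        ("10.0.0.5", "/login", "user=alice", "password=s3cret&remember=1"),
        ("10.0.0.6", "/search", "q=x'+or+'1'='1", ""),
        ("10.0.0.7", "/download", "file=../../config.ini", ""),
        ("10.0.0.8", "/cms/save", "", "body_html=<script>1</script>"),
    ]
    for ip, path, query, body in samples:
        print(log_entry(ip, path, query, body, inspect_request(path, query, body)))
```

The exemption entry is the part worth studying: it is how a rule stays switched on for the whole site while one known-good endpoint is carved out, which is what "tuning" amounts to in day-to-day operation. The log line deliberately contains enough to reconstruct which rule fired on which parameter and nothing that would turn the firewall log itself into a credential store.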
Important cornerstone: Identity and Access Control Management
(Erik van Zuuren, Ascure)
Even the best of controls cannot function properly if you haven't got a clue who is doing what, where and when. Identities, roles and privileges must be uniquely determined and stringently administered. This session will take you through the most important aspects of identity management and of role- and privilege-based access. You will also get some insight into the different federation models and what can or cannot work. Finally, as identities in the Web services world are no different from identities in the Web application world, we will give you some ideas on how to keep both worlds in sync.
- The building blocks of IAM in a web-context
- Identity Management and Provisioning issues
- Successful Access Management strategies
- Authentication-, Assertion- and PKI-integration specifics
- Delegated administration versus Federation
The (immediate) future: Web Services and their Security
(Sebastien Deleersnyder, Ascure)
Web services are not only rapidly becoming a cornerstone of backend connectivity and enterprise application integration (EAI), they are also about to cause the same evolution boom as Web applications did. Regrettably, few of the Web services already in production have true security on board, partly because the relevant standards are still settling. This presentation will give you a look ahead at how to successfully protect your Web services.
- Web services: already in more places than you would think.
- Web services security models and features (WS-Trust, WSS, SAML, ...)
- Which features to use when and where?
- Integration of IAM and Web services
Conclusions & Summary / Final Q&A
ir. Erik R. van Zuuren MBA is Business Unit Manager InfoSec Architectures and Principal InfoSec / RM Consultant. He has extensive experience in Information Security Governance and Risk Management related disciplines, both at strategic and tactical level, as well as extensive experience at C-level in the private sector and at management/cabinet level in the public sector.
ir. Erik R. van Zuuren MBA has been active as a consultant for over 10 years and has since participated in and led a broad range of strategic and tactical projects, mostly in Belgium and The Netherlands. Some examples of his experience are:
- extensive experience in governments (Belgian Federal and Flemish) and related agencies and wide experience in a diverse spectrum of private industry (financial/insurance/industry/energy/...).
- one of the fathers/authors of the blueprint for the Belgian Personal Identity Card Project (BelPIC) and e.g. program manager for the Flemish government’s identity and access management platform.
- assistant to several CIO/CTO/CISOs and coach in several Information and ICT Security projects (incl. strategic level, tactical level, architectural angle, organisational/procedural angle, ...)
- creator of security strategies, policies, frameworks and architectures for medium/large organisations, multinationals and government agencies
- creator of e-business- and e-government enabling Identity and Access Control Management as well as Public Key Infrastructure blueprints, concepts and architectures
- co-organiser/chairman/speaker/moderator at several security- and ICT-related events (CSI US, LSEC, esec2001-esec2004, ITworks, ...)
Jan De Meyer is a Senior-level Information Security Consultant at Ascure with extensive experience in designing web architectures and securing Windows environments.
- He worked several years as a system engineer for multinationals and a Belgian public utility company.
- In 1998 he started specialising in security with a primary focus on Microsoft-based solutions.
- Over the last 4 years he extended his specialisation to securing web-based applications for a wide range of industries (banks, hospitals, pharma, ...). As he is convinced that solid advice is not possible without knowing the details perfectly, he actually implements those complex architectures (portals, load balancers, reverse proxies, ...) too.
- Besides technical certifications (MCSE, RSA, Sanctum, ...) he obtained both the CISSP and CISM certifications.
Sebastien Deleersnyder (Ascure)
Sebastien Deleersnyder is a Senior-level consultant with extensive experience in Information Security related disciplines, both at strategic and tactical level. Some examples of his experience are:
- he started his career in 1995 as a software engineer for several industries, including the space industry, the ferro industry, the pharmaceutical industry and the banking sector
- he developed on different platforms ranging from mainframe to Windows, on a variety of applications, languages and databases; based on this knowledge, Sebastien specialised in information security 4 years ago
- he implemented more general security products, such as firewalls, IDS and content technology
- he revised and advised upon security architectures for the banking and insurance sector
- he performed security audits and performed the role of Security Officer for projects of the European Commission
- he specializes in (web) application security combining both his extensive development and information security experience
- he holds a Master in Informatics, and is a CISSP, CISM, and PRINCE2 certified project manager
Questions about this? Interested but you can't attend? Send us an email!