HARRISBURG CHAPTER

Securing and Auditing Your Web-Enabled Applications
Designing and Ensuring End-to-End Security and Compliance in Today's E-Business Applications

Focus and Features

The recent avalanche of government regulatory initiatives, litigation, and intensified attacks on Web-based applications, on top of traditional information asset protection duties, has significantly raised the stakes for secure application design, testing, certification/accreditation, and audit. In addition, IT applications have become more complex and are frequently rushed to market, by commercial IT product vendors and internal development teams alike, which increases business risk and makes it harder to apply and verify reliable security safeguards.

In this information-packed three-day seminar you will cover the key building blocks and significant risks of today's complex Web-enabled, multi-tiered applications and systematically sort through the available safeguards. Special emphasis is placed on a control-point definition and transactional analysis approach to application design, security, and auditing, within the context of robust but practical enterprise architecture and governance models. Case studies, demonstrations, and checklists reinforce the complex design and safeguard concepts and best practices covered.

Learning Level: Advanced

Prerequisite: Auditing Application Systems Development (ITG212) or Intermediate IT Audit School (ITG241)

Bonus: You will receive the Standard Edition of the MIS Swiss Army Knife Reference listing hundreds of valuable resources for you and your organization.

Who Should Attend
Information Security Managers and Analysts; IT Managers, Auditors, and Architects; Security Architects; Application Certification Specialists, Consultants, Architects and Developers

Agenda

1. Web Application Architectures

  • client/server and middleware security for multi-tiered applications

  • contemporary application building blocks

  • web application control points

  • middleware and security application program interfaces (APIs)

  • hypertext transfer protocol (HTTP) and uniform resource locator (URL) essentials

  • HTTP state management: cookies, hidden fields, view state, query strings

  • LDAP directory services

  • locating control points and mapping associated sources of security services in complex, multi-tiered applications
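The HTTP state management and control-point items above cover client-side state (hidden fields, cookies, query strings) that the browser can alter before it is sent back to the server. The following is an added example, not part of the seminar materials, showing one control an auditor would look for at that point: an HMAC tag computed server-side over the state so that any alteration is detected on submission. The secret key, field names, and order values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumed server-side secret for this example only; a real deployment loads it from a key store.
SECRET_KEY = b"example-only-secret-do-not-reuse"


def sign_state(fields: dict) -> str:
    """Serialize client-side state (hidden fields or a cookie value) and append an HMAC-SHA256 tag."""
    body = urlencode(sorted(fields.items()))
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={tag}"


def verify_state(blob: str) -> Optional[dict]:
    """Return the fields if the tag verifies; None if any field was altered or the tag is missing."""
    pairs = dict(parse_qsl(blob, keep_blank_values=True))
    tag = pairs.pop("sig", None)
    if tag is None:
        return None
    body = urlencode(sorted(pairs.items()))
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return pairs


# Constructed checkout state, as the server would emit it in hidden form fields.
ORIGINAL = sign_state({"item": "SKU-1001", "qty": "1", "price_cents": "4999"})
# The same form after a client edited the hidden price field before submitting.
TAMPERED = ORIGINAL.replace("price_cents=4999", "price_cents=1")
# A submission with the tag stripped entirely.
UNSIGNED = "item=SKU-1001&price_cents=4999&qty=1"

if __name__ == "__main__":
    print("original verifies:", verify_state(ORIGINAL) is not None)
    print("tampered verifies:", verify_state(TAMPERED) is not None)
    print("unsigned verifies:", verify_state(UNSIGNED) is not None)
```

The tag proves integrity, not secrecy, and does not by itself prevent replay of an old but validly signed blob. Values the business depends on, such as a price, are better looked up server-side from the item identifier; signing is for state the server genuinely must round-trip through the client.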

2. Web (HTTP) Server Security and Audit

  • web server configuration: operational and security features

      • web server configuration best practices

      • user authentication and web-based single sign-on

      • access control and server lockdown procedures

      • session encryption: Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS)

      • web server security audit logs and intrusion detection systems

  • comparing and contrasting security features for prominent web servers: Apache, Microsoft IIS, Sun Java System Web Server (iPlanet/Netscape)

  • perils and protections for remote Web application development: FrontPage, WebDAV, Expression Web, SharePoint

  • application firewalls and intrusion prevention systems

  • tools, techniques, and checklists for securing and auditing Web servers

3. Security in Web Application Software Design

  • sorting out the Web application environment building blocks and tools

  • common vulnerabilities and attacks on Web applications: brute force attacks, privilege escalation, cross-site scripting, SQL injection, buffer overflow

  • server-side web page scripting security: SSI, CGI, ASP, ASP.NET, PHP, JSP

  • mobile code security: Java, ActiveX, VBScript, JavaScript, AJAX

  • best practices for input validation and error handling

  • software testing and assurance tools and techniques

  • tools, techniques, and checklists for secure application design
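The vulnerability and input-validation items above name SQL injection, input validation, and error handling as topics without showing them. The added example below (mine, not the seminar's) contrasts a query assembled by string concatenation with a parameterized one, then adds allow-list validation and a generic error path in front of the safe query. It uses an in-memory SQLite table with constructed rows so it runs offline.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds SQL by concatenation: the user's input becomes part of the query text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Sends the value separately from the statement: input cannot change the SQL structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames (hypothetical policy: lowercase letter, then 2 to 31 of [a-z0-9_]).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(value: str) -> str:
    """Allow-list validation: rejects anything that is not a plausible username."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def safe_lookup(conn: sqlite3.Connection, username: str) -> dict:
    """Validate first, then query with parameters; never echo database errors to the client."""
    try:
        rows = lookup_parameterized(conn, validate_username(username))
        return {"ok": True, "rows": rows}
    except ValueError:
        return {"ok": False, "error": "invalid input"}
    except sqlite3.Error:
        # A real service logs the exception server-side; the client gets only a generic message.
        return {"ok": False, "error": "request failed"}


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic tautology injection
    print("vulnerable:", lookup_vulnerable(db, payload))      # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no such user
    print("safe_lookup:", safe_lookup(db, payload))            # rejected before the query runs
```

The parameterized query alone stops the injection; validation on top of it narrows what reaches the database at all and gives the audit log a clean rejection record, while the generic error message keeps table and driver details out of responses.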

4. Web Application Servers

  • roles, architecture, and security control points for XML-oriented development environments and associated Web application servers

  • assessing available security services and associated design best practices for the two prevailing Web application server environments:

      • Microsoft .NET Framework and associated ASP.NET components

      • Java 2 Enterprise Edition (J2EE): Sun GlassFish, Red Hat JBoss, IBM WebSphere, Oracle Application Server (OAS), BEA WebLogic

  • demystifying web services and Service Oriented Architectures (SOAs)

  • tools and techniques for securing and auditing Web application servers and web services

5. Relational Database Management System (RDBMS) Security and Audit

  • RDBMS and Structured Query Language (SQL) terminology, architecture, and features

  • security risks associated with RDBMS systems

  • comparing security and audit features for major RDBMS products: IBM DB2, Oracle, Microsoft SQL Server, Sybase

      • connection and authentication for RDBMS systems

      • user accounts and password management

      • permissions and roles

      • database object protection methods: access control, encryption

      • database audit logging options

      • transaction logs and other database availability controls

      • built-in audit tools: tables, stored procedures

  • tools, techniques, and checklists for securing and auditing RDBMS systems

This page last updated 12/2/2008