SOA/Web Service Security Course Syllabus
Module 1 - Day 1
- The real risk in SOA and Web Services, not just the hype
- SOA
- Web Services
- XML
- Risks
- Security Goals
- Defense in depth
- Service definition
- Service evolution
- SOA Web Services Basics
- SOA Web Services Patterns
- Service Registry
- Identity & Access Management
- Message Level Security
- Enterprise Service Bus
- Service Level Management
- Orchestration
- Web Services Risks
- The OWASP Top Ten in a Web Services world
- Security Metrics
Module 2 - Day 1
- Service Model
- WSDL
- SOAP Request/Response
- Modeling Risks
- Shirey Model
  - Disclosure
  - Deception
  - Usurpation
  - Disruption
- Example attacks
- Security Standards
- WS-Security
- Message level security with WS-Security
- WS-Trust
- Beyond point-to-point
- Web Service metadata
- SAML
- XACML
- XACML Policy
- Input validation with Web Services
- Audit logging in Web Services
Module 3 - Day 2
- Identity under attack
- Laws of Identity in Web Services
- Impersonation
- Delegation
- Identity and Access Management in Web Services
- WS-Trust: composing Kerberos, X.509, SAML
- Detailed SAML examples
- XACML and related concepts
- XML Signature
- XML Encryption
- XML Signature and Encryption examples
- WS-Security
- Detailed WS-Security examples: tags, headers, timestamps
- WS-Security examples supporting various token types
- Message level security risks
  - Encoding threats
  - Entity threats
  - Validation threats
  - Semantic threats
- Security Token Server pattern
- XML Security Gateway patterns
Module 4 - Day 2
- Use case modeling
- Integrating security in the SDLC
- Threat modeling
- Design for failure
- AJAX, REST, Web 2.0 and web services security
- Transactional security
- Web Services Assurance
  - OS
  - HW
  - SW
  - Systems Engineering
  - Deployment
- WS-ReliableMessaging
- WS-SecureConversation
- HIDS and NIDS in Web Services
- Honeypots in Web Services