Certified Application Security Engineer (CASE).Java: Building a Path to Success as a Security Engineer
Are you aspiring to become a proficient security engineer, safeguarding digital realms against threats and vulnerabilities? The Certified Application Security Engineer (CASE).Java course is your stepping stone to achieving this goal.
Unleash Your Potential
As a security engineer, your role is pivotal in fortifying applications and systems against cyber threats. The CASE.Java course equips you with the knowledge and skills necessary to excel in this role. With a strong focus on hands-on training, you’ll learn to understand application security, identify common vulnerabilities, and implement robust security measures. This course delves into crucial topics like secure coding, cryptography, session management, error handling, and dynamic testing.
Boost Your Career
The cybersecurity landscape is ever-evolving, and organizations are in constant need of skilled security engineers. By enrolling in the CASE.Java course, you not only enhance your professional skills but also gain a valuable certification that can open doors to rewarding career opportunities. As businesses increasingly rely on digital technologies, your expertise as a security engineer will be in high demand, making this course a smart investment in your future.
Embrace a Secure Tomorrow
The CASE.Java course is your passport to a secure and prosperous career in cybersecurity. Take the first step towards becoming a sought-after security engineer and help protect the digital world from evolving threats. Secure your future today with the CASE.Java certification.
Enroll now and become a certified security engineer!
Course Details
Course Code: CASE.JAVA; Instructor-led
Audience
The CAPM® certification offers recognition to Practitioners, SMEs or Team Members who wish to demonstrate their project management knowledge and skills.
This certification denotes that the individual possesses the knowledge in the principles and terminology of A Guide to the Project Management Body of Knowledge (PMBOK® Guide7th Edition), the standard of project management’s generally recognized good practices.
Individuals who contribute specialized skills to a project team can benefit from this certification by allowing them to align their work with that of project managers. The knowledge a practitioner gains from earning the CAPM® certification can be applied to on-the-job experiences which help develop growing levels of competence in the practice of project management.Â
Prerequisites
- Oracle Database 12c: Introduction to SQL
Methodology
This program will be conducted with interactive lectures, PowerPoint presentation, discussion and practical exercise.
Course Objectives
Upon completion of this course, the student should be able to:
- Describe Oracle Database architecture
- Describe Oracle Database Cloud Service (DBCS) architecture and features
- Create and manage DBCS database deployments
- Configure the database to support your applications
- Manage database security and implement auditing
- Implement basic backup and recovery procedures
- Move data between databases and files
- Employ basic monitoring procedures and manage performance
Outlines
Module 1: Understanding Application Security, Threats, and Attacks
- What is a Secure Application?
- Need for Application Security
- Most Common Application Level Attacks
- SQL Injection Attacks
- Cross-site Scripting (XSS) Attacks
- Parameter Tampering
- Directory Traversal
- Cross-site Request Forgery (CSRF) Attack
- Denial-of-Service (DoS) Attack
- Denial-of-Service (DoS): Examples
- Session Attacks
- Cookie Poisoning Attacks
- Session Fixation
- Why Applications become Vulnerable to Attacks
- Common Reasons for Existence of Application Vulnerabilities
- Common Flaws Existed due to Insecure Coding Techniques
- Improper Input Validation
- Insufficient Transport Layer Protection
- Improper Error Handling
- Insecure Cryptographic Storage
- Broken Authentication and Session Management
- Unvalidated Redirects and Forwards
- Insecure Direct Object References
- Failure to Restrict URL Access
- What Constitutes a Comprehensive Application Security?
- Application Security Frame
- 3W’s in Application Security
- Insecure Application: A Software Development Problem
- Solution: Integrating Security in Software Development Life Cycle (SDLC)
- Functional vs Security Activities in SDLC
- Advantages of Integrating Security in SDLC
- Microsoft Security Development Lifecycle (SDL)
- Software Security Standards, Models, and Frameworks
- The Open Web Application Security Project (OWASP)
- OWASP TOP 10 Attacks-2017
- The Web Application Security Consortium (WASC)
- WASC Threat Classification
- Software Security Framework
- Software Assurance Maturity Model (SAMM)
- Building Security in Maturity Model (BSIMM)
- BSIMM vs OpenSAMM
Module 2: Security Requirements Gathering
- Importance of Gathering Security Requirements
- Security Requirements
- Gathering Security Requirements
- Why We Need Different Approach for Security Requirements Gathering
- Key Benefits of Addressing Security at Requirement Phase
- Stakeholders Involvement in Security Requirements Gathering
- Characteristics of Good Security Requirement: SMART
- Types of Security Requirements
- Functional Security Requirements
- Security Drivers
- Security Requirement Engineering (SRE)
- SRE Phases
- Security Requirement Elicitation
- Security Requirement Analysis
- Security Requirement Specification
- Security Requirement Management
- Common Mistakes Made in Each Phase of SRE
- SRE Phases
- Different Security Requirement Engineering Approaches/Model
- Abuse Case and Security Use Case Modeling
- Abuse Cases
- Threatens Relationship
- Abuse Case Modeling Steps
- Abuse Cases: Advantages and Disadvantages
- Abuse Case Template
- Security Use Cases
- Security Use Cases are Abuse Case Driven
- Modeling Steps for Security Use Cases
- Mitigates Relationship
- Abuse Case vs Security Use Case
- Security Use Case: Advantages and Disadvantages
- Security Use Case Template
- Security Use Case Guidelines
- Example 1: Use Case for Online Bidding System
- Example 1: Abuse Case for Online Bidding System
- Example 1: Security Use Case for Online Bidding System
- Example 2: Use Case for ATM System
- Example 2: Abuse Case for ATM System
- Example 2: Security Use Case for ATM System
- Example 3: Use Case for E-commerce System
- Example 3: Abuse Case for E-commerce System
- Example 3: Security Use Case for E-commerce System
- Effectiveness of Abuse and Security Case
- Abuser and Security Stories
- Textual Description Template: Abuser Stories and Security Stories
- Examples: Abuser Stories and Security Stories
- Effectiveness of Abuser and Security Stories
- Abuser Stories: Advantages and Disadvantages
- Security Quality Requirements Engineering (SQUARE)
- SQUARE Effectiveness
- SQUARE Process
- SQUARE: Advantages and Disadvantages
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE
- OCTAVE Effectiveness
- OCTAVE Steps
- OCTAVE: Advantages and Disadvantages
Module 3: Secure Application Design and Architecture
- Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
- Secure Application Design and Architecture
- Goal of Secure Design Process
- Secure Design Actions
- Security Requirement Specifications
- Secure Design Principles
- Threat Modeling
- Secure Application Architecture
- Secure Design Principles
- Define Secure Design principles
- Secure Design Principles
- Security through obscurity
- Secure the Weakest Link
- Use Least Privilege Principle
- Secure by Default
- Fail Securely
- Apply Defense in Depth
- Do Not Trust User Input
- Reduce Attack Surface
- Enable Auditing and Logging
- Keep Security Simple
- Separation of Duties
- Fix Security Issues Correctly
- Apply Security in Design Phase
- Protect Sensitive Data
- Exception Handling
- Secure Memory Management
- Protect Memory or Storage Secrets
- Fundamentals of Control Granularity
- Fault Tolerance
- Fault Detection
- Fault Removal
- Fault Avoidance
- Loose Coupling
- High Cohesion
- Change Management and Version Control
- Threat Modeling
- Threat Modeling Phases
- Attack Surface Evaluation
- Threat Identification
- Impact Analysis
- Control Recommendations
- Threat Modeling Process
- Identify Security Objective
- Application Overview
- Decompose Application
- Identify Threats
- Identify Vulnerabilities
- Identify Security Objective
- How to Identify Security Objectives
- Create an Application Overview
- Draw the End-to-End Deployment Architecture
- Identify Various User Roles
- Identify Use Cases Scenarios
- Identify Technologies
- Identify Application Security Mechanisms
- Threat Modeling Phases
- Decompose Application
- Prepare and Document Threat Model Information
- Example: Threat Model Information
- Identify the External Dependencies
- External Dependencies: Example
- Identify the Entry Points
- Entry Points: Example
- Identify the Assets
- Assets: Example
- Identify the Trust Levels
- Trust Levels: Example
- Define Trust Levels to Entry points
- Define Trust Levels to Assets
- Perform Application Modelling using Data Flow Diagrams (DFDs)
- Determine the Threats: Identify the Goal of an Attacker and Create Threat Profile
- Example: Attacker’s Goal/Threat Profile and Vulnerabilities Associated
- Determine the Threats: Create a Security Profile
- Identify the Threats
- The STRIDE Model
- Example: Threat Categorized and Identified using STRIDE
- Determine Countermeasures and Mitigation Security Controls
- Document the Threats
- Rating the Threats
- Rating the Threats: DREAD Model
- Secure Application Architecture
- Design Secure Application Architecture
- Prepare and Document Threat Model Information
Module 4: Secure Coding Practices for Input Validation
- Input Validation
- Why Input Validation?
- Input Validation Specification
- Input Validation Approaches
- Validation and Security Issues
- Impact of Invalid Data Input
- Data Validation Techniques
- Input Validation using Frameworks and APIs
- Open Source Validation Framework for Java
- Servlet Filters
- Validation Filters for Servlet
- Data Validation using OWASP ESAPI
- Data Validation: Struts Framework
- Struts Validator
- Struts Validation and Security
- Data Validation using Struts Validator
- Avoid Duplication of Validation Forms
- Secure and Insecure Struts Validation Code
- Struts Validator Class
- Secure and Insecure Code for Struts Validator Class
- Enable the Struts Validator
- Secure and Insecure Struts Validator Code
- Struts 2 Framework Validator
- Struts 2 Framework: Built-in Data Validators
- Struts 2 Framework Annotation Based Validators
- Struts 2 Custom Validation: Workflow Interceptor
- Struts 2 Ajax Validation: jsonValidation Interceptor
- Data Validation: Spring Framework
- Spring Validator
- Data Validation: Spring MVC Framework
- Implementing Validator
- JSR 380 Bean Validator API
- Configuring JSR 380
- Custom Validator Implementation in Spring
- Spring Validation and Security
- Input Validation Errors
- Improper Sanitization of Untrusted Data
- Improper Validation of Strings
- Improper Logging of User Inputs
- Improper Incorporation of Malicious Inputs into Format Strings
- Inappropriate Use of Split Characters in Data Structures
- Improper Validation of Non-Character Code Points
- Improper Use of String Modification
- Improper Comparison of Locale-dependent Data
- Best Practices for Input Validation
- Common Secure Coding Practices
- SQL Injection
- Prepared Statement
- Stored Procedures
- Vulnerable and Secure Code for Stored Procedures
- Stored Procedure for Securing Input Validation
- Cross-site Scripting (XSS)
- Whitelisting vs Blacklisting
- Vulnerable and Secure Code for Blacklisting & Whitelisting
- Regular Expressions
- Vulnerable and Secure Code for Regular Expressions
- Character Encoding
- Vulnerable and Secure Code for Character Encoding
- Checklist for Character Encoding
- Cross-site Scripting (XSS) Countermeasures
- HTML Encoding
- Vulnerable and Secure Code for HTML Encoding
- HTML Encoding using ESAPI Encoder
- Cross-site Request Forgery (CSRF)
- Cross-site Request Forgery (CSRF) Countermeasures
- Directory Traversal
- Directory Traversal Countermeasures
- HTTP Response Splitting
- HTTP Response Splitting Countermeasures
- Parameter Manipulation and Countermeasures
- Protecting Application from Log Injection Attack
- XML Injection
- Command Injection
- LDAP Injection
- XML External Entity Attack
- Unrestricted File Upload Attack
- Prevent Unrestricted File Upload: Validate File Extension
- Injection Attacks Countermeasures
- CAPTCHA
- Sample Code for Creating CAPTCHA
- Sample Code for CAPTCHA Verification
- Sample Code for Displaying CAPTCHA
- Best Practices for Input Validation
Module 5: Secure Coding Practices for Authentication and Authorization
- Introduction to Authentication
- Java Container Authentication
- Authorization Mechanism Implementation
- Types of Authentication
- Declarative vs Programmatic Authentication
- Declarative Security Implementation
- Programmatic Security Implementation
- Java EE Authentication Implementation Example
- Basic Authentication
- How to Implement Basic Authentication?
- Form-based Authentication
- Form-based Authentication Implementation
- Implementing Kerberos-Based Authentication
- Secured Kerberos Implementation
- Client Certificate Authentication
- Certificate Generation with Keytool
- Implementing Encryption and Certificates in Client Application
- Authentication Weaknesses and Prevention
- Brute Force Attack
- Web-based Enumeration Attack
- Weak Password Attacks Â
- Introduction to Authorization
- JEE Based Authorization
- Declarative
- Programmatic
- JEE Based Authorization
- Access Control Model
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Introduction to Authentication
- Java Container Authentication
- Authorization Mechanism Implementation
- Types of Authentication
- Declarative vs Programmatic Authentication
- Declarative Security Implementation
- Programmatic Security Implementation
- Java EE Authentication Implementation Example
- Basic Authentication
- How to Implement Basic Authentication?
- Form-based Authentication
- Form-based Authentication Implementation
- Implementing Kerberos-Based Authentication
- Secured Kerberos Implementation
- Client Certificate Authentication
- Certificate Generation with Keytool
- Implementing Encryption and Certificates in Client Application
- Authentication Weaknesses and Prevention
- Brute Force Attack
- Web-based Enumeration Attack
- Weak Password Attacks Â
- Introduction to Authorization
- JEE Based Authorization
- Declarative
- Programmatic
- JEE Based Authorization
- Access Control Model
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Securing Authentication Provider
- Implementing HTTP Basic Authentication
- Form-based Authentication
- Implementing Digest Authentication
- Security Expressions
- URL-based Authorization
- JSP Page Content Authorization
- JSP Page Content Authorization with Domain Object’s ACL
- Method Authorization
- Configuring Anonymous Login
- Logout Feature Configuration
- Remember-Me Authentication
- Integrating Spring Security with JAAS
- Spring JAAS Implementation
- Defensive Coding Practices against Broken Authentication and Authorization
- Do Not Store Password in Java String Object
- Avoid Cookie based Remember-Me Use Persistent Remember-Me
- Implement Appropriate Session Timeout
- Prevent Session Stealing by Securing SessionID Cookie
- Secure Development Checklists: Broken Authentication and Session Management
- Â
Module 6: Secure Coding Practices for Cryptography
- Java Cryptography
- Need for Java Cryptography
- Java Security with Cryptography
- Java Cryptography Architecture (JCA)
- Java Cryptography Extension (JCE)
- Encryption and Secret Keys
- Attack Scenario: Inadequate/Weak Encryption
- Encryption: Symmetric and Asymmetric Key
- Encryption/Decryption Implementation Methods
- SecretKeys and KeyGenerator
- Implementation Methods of KeyGenerator Class
- Creating SecretKeys with KeyGenerator Class
- Cipher Class
- The Cipher Class
- Implementation Methods of Cipher Class
- Insecure Code for Cipher Class using DES Algorithm
- Secure Code for Cipher Class using AES Algorithm
- Digital Signatures
- Attack Scenario: Man-in-the-Middle Attack
- Digital Signatures
- The Signature Class
- Implementation Methods of Signature Class
- The SignedObjects
- Implementing Methods of SignedObjects
- The SealedObjects
- Implementation Methods of SealedObject
- Insecure and Secure Code for Signed/Sealed Objects
- Java XML Digital Signature
- Secure Socket Layer (SSL)
- Java Secure Socket Extension (JSSE)
- SSL and Security: Example 1
- SSL and Security: Example 2
- JSSE and HTTPS
- Insecure HTTP Server Code
- Secure HTTP Server Code
- Key Management
- Attack Scenario: Poor Key Management
- Keys and Certificates
- Key Management System
- KeyStore
- Implementation Method of KeyStore Class
- KeyStore: Persistent Data Stores
- Key Management Tool: KeyTool
- Digital Certificates
- Certification Authorities
- Signing Jars
- Signing JAR Tool: Jarsigner
- Signed Code Sources
- Insecure Code for Signed Code Sources
- Secure Code for Signed Code Sources
- Hashing
- Hashing Algorithms
- Securing Hashed Password with Salt
- Implementing Hashing with Salt in Spring Security
- Java Card Cryptography
- Spring Security: Crypto Module
- Crypto Module
- Spring Security Crypto Module
- Key Generators
- PasswordEncoder
- Implementing BCryptPasswordEncoder()
- Configuring BCryptPasswordEncoder() in Spring Security
- JavaScript Object Signing and Encryption (JOSE)
- Attacks against JWT, JWS and JWE
- Implementing JWS using Jose4J
- Implementing JWE using Jose4J
- Implementing JWK using Jose4J
- Dos and Don’ts in Java Cryptography
- Dos and Don’ts
- Avoid using Insecure Cryptographic Algorithms
- Avoid using Statistical PRNG, Inadequate Padding and Insufficient Key Size
- Implement Strong Entropy
- Implement Strong Algorithms
- Best Practices for Java Cryptography
- Â
Module 7: Secure Coding Practices for Session Management
- Session Management
- Session Tracking
- Session Tracking Methods
- HttpSession
- Cookies – Setting a Limited Time Period for Session Expiration – Preventing Session Cookies from Client-Side Scripts Attacks
- URL Rewriting – Example Code for URL Rewriting
- Hidden Fields Session Objects
- Session Management in Spring Security
- Spring Session Management
- Session Tracking Methods
- Session Management using Spring Security
- Restricting Concurrent Sessions per User using Spring Security
- Controlling Session Timeout
- Prevent using URL Parameters for Session Tracking Â
- Prevent Session Fixation with Spring Security
- Use SSL for Secure Connection
- Session Vulnerabilities and their Mitigation Techniques
- Session Vulnerabilities
- Types of Session Hijacking Attacks
- Countermeasures for Session Hijacking
- Countermeasures for Session ID Protection
- Best Practices and Guidelines for Secured Sessions Management
- Best Coding Practices for Session Management
- Checklist to Secure Credentials and Session IDs
- Guidelines for Secured Session Management
Module 8: Secure Coding Practices for Error Handling
- Introduction to Exceptions
- Exception and Error Handling o Checked Exceptions o Unchecked Exceptions
- Example of an Exception
- Handling Exceptions in Java
- Exception Classes Hierarchy
- Exceptions and Threats
- Erroneous Exceptional Behaviors
- Suppressing or Ignoring Checked Exceptions
- Disclosing Sensitive Information
- Logging Sensitive Data
- Restoring Objects to Prior State, if a Method Fails
- Avoid using Statements that Suppress Exceptions
- Prevent Access to Untrusted Code that Terminates JVM
- Never Catch java.lang.NullPointerException
- Never Allow methods to Throw RuntimeException, Exception, or Throwable
- Never Throw Undeclared Checked Exceptions
- Never Let Checked Exceptions Escape from Finally Block
- Dos and Don’ts in Error Handling
- Dos and Don’ts in Exception Handling
- Avoid using Log Error and Throw exception at Same Time
- Spring MVC Error Handling
- Handling Controller Exceptions with @ExceptionHandler Annotation
- Handling Controller Exceptions with HandlerExceptionResolver
- Spring MVC: Global Exception Handling
- Global Exception Handling: HandlerExceptionResolver
- Mapping Custom Exceptions to Statuscode with @ResponseStatus
- Configure Custom Error Page in Spring MVC
- Exception Handling in Struts 2
- Exception Handling: Struts 2
- Best Practices for Error Handling
- Best Practices for Handling Exceptions in Java
- Introduction to Logging
- Logging in Java
- Example for Logging Exceptions
- Logging Levels
- Logging using Log4j
- Log4j and Java Logging API
- Java Logging using Log4j
- Secure Coding in Logging
- Vulnerabilities in Logging
- Logging: Vulnerable Code and Secure Code
- Secured Practices in Logging
- Â
Module 9: Static and Dynamic Application Security Testing (SAST & DAST)
- Static Application Security Testing
- Static Application Security Testing (SAST)
- Objectives of SAST
- Why SAST
- Skills required for SAST
- What to look for in SAST
- Common Vulnerabilities Identified Through SAST
- Types of SAST
- Automated Source Code Analysis
- Manual Source Code Review
- Where does Secure Code Review Fit in SDLC?
- SAST Steps
- SAST Activities-flow Chart
- Recommendation for Effective SAST
- SAST Deliverable
- Automated Source Code Analysis
- Static Code Analysis Using Checkmarx Static Code Analysis
- Static Code Analysis Using Visual Code Grepper (VCG)
- Static Code Analysis Using HP Fortify
- Static Code Analysis Using Rational AppScan Source Edition
- Selecting Static Analysis Tool
- Manual Secure Code Review
- Where does Secure Code Review Fit in SDLC?
- SAST Steps
- SAST Activities-flow Chart
- Recommendation for Effective SAST
- SAST Deliverable
- Automated Source Code Analysis
- Static Code Analysis Using Checkmarx Static Code Analysis
- Static Code Analysis Using Visual Code Grepper (VCG)
- Static Code Analysis Using HP Fortify
- Static Code Analysis Using Rational AppScan Source Edition
- Selecting Static Analysis Tool
- Manual Secure Code Review
- Manual Secure Code Review for Most Common Vulnerabilities
- Code Review for PCI DSS Compliance
- Code Review for Blacklisting Validation Approach
- Code Review for Client-Side Validation Approach
- Code Review for Non-parametrized SQL Query
- Review Code for Non-parameterized Stored Procedure
- Code Review for XSS Vulnerability
- Review Code for Unvalidated Redirects and Forwards
- Code Review for Weak Password Authentication
- Code Review for Hard-Coded Passwords
- Code Review for Clear-text credentials in for Authentication
- Code Review for Unencrypted Form Authentication Tickets
- Code Review for Clear-text Connection strings
- Code Review for Weak Password Length
- Code Review for Inappropriate Authorization
- Code Review for use of Weak Hashing Algorithm
- Code Review for use of Weak Encryption Algorithm
- Code Review for Use of SSL
- Code Review for use of URL for Storing Session Tokens
- Code Review for Cookies Persistence
- Code Review for Allowing Number of Failed Login attempts
- Code Review for providing Relative path to Redirect Method
- Code Review for Use of Server. Transfer() Method
- Code Review for Keeping both Public and Restricted pages in Same folder
- Code Review for use of Weak Encryption Algorithm
- Code Review for use of ECB Cipher Mode
- Code Review for use of Zero Padding
- Code Review for use of Small Key Size
- Code Review for use of Small Block Size
- Code Review for Cryptographic Keys Generation Mechanism
- Code Review for Sensitive Information Leakage
- Code Review for Generic Exception Throwing and Catching
- Code Review for use of Unencrypted Cookies
- Code Review for Overly Long Sessions
- Code Review for Cookieless Sessions
- Code Review for regeneration of Expired Sessions
- Code Review for weak Session Key Generation Mechanism
- Code Review for Cookies Vulnerable to Client-side Scripts attacks
- Code Review for Cookies Vulnerable to CSRF Attacks
- Code Review for View State Security
- Code Review for allow Override Attribute
- Code Review for Enabling Trace feature
- Code Review for Enabling Debug feature
- Code Review: Check List Approach
- Sample Checklist
- Impute Validation
- Authentication
- Authorization
- Session Management
- Cryptography o Exception Handling
- Logging
- Sample Checklist
- SAST Finding
- SAST Report
- SAST Reporting
- Dynamic Application Security Testing
- Types of DAST
- Automated Application Vulnerability Scanning
- Manual Application Penetration Testing
- SAST vs DAST
- Types of DAST
- Automated Application Vulnerability Scanning Tools
- Web Application Security Scanners
- Web Inspect
- IBM Security App Scan
- Web Application Security Scanners
- Proxy-
- Burp Suite
- OWASP Zed Attack Proxy (ZAP)
- Additional Proxy-based Security Testing Tools
- Choosing Between SAST and DAST
Module 10: Secure Deployment and Maintenance
- Secure Deployment
- Prior Deployment Activity
- Check the Integrity of Application Package Before Deployment
- Review the Deployment Guide Provided by the Software Vendor
- Deployment Activities: Ensuring Security at Various Levels
- Host Level Deployment Security
- IIS level Deployment SecurityÂ
- Ensuring Security at Host Level
- Check and Configure the Security of Machine Hosting Web Server, Application Server, Database Server and Network Devices
- Physical Security
- Host Level Security
- Ensuring Security at Network Level
- Network level Security
- Router
- Firewall
- Switch
- Network level Security
- Ensuring Security At Application Level
- Web Application Firewall (WAF)
- Benefits of WAF
- WAF Limitations
- WAF Vendors
- Web Application Firewall (WAF)
- Ensuring Security at Web Container Level
- Install and Configure Tomcat Securely
- Remove Server Banner
- Start Tomcat with Security Manager
- Configure Default Servlet Not to Serve Index Pages
- Replace Default Error Page
- Replace Default server.xml
- Protect Shutdown Port
- Restrict Access to Tomcat Manager Applications
- Protecting Resources with Realms
- Store Passwords as Digest
- Do Not Run Tomcat as Root
- Configure Restricted Datasets
- Session Handling using App Mode in Tomcat
- Role Based Security
- Securing Tomcat at Network level
- Java Runtime Security Configurations
- Tomcat General Security Setting
- Verify Trace Element Setting in sever.xml
- Verify Custom Error Settings in web.xml
- Verify max Post Size Setting
- Tomcat Security Checklist
- Checklist for Security Configuration in server.xml File in Apache Tomcat
- Tomcat High Availability
- Best Practices for Securing Tomcat
- Ensuring Security in Oracle
- Oracle Database General Security Overview
- Methods of Authentication in Oracle
- Authentication by Oracle Database
- Oracle Security Features
- Default Database Installation and Configuration Security
- Managing User Accounts Securely for the Site
- Securing User Accounts
- Password Management
- Lock all Expired Accounts
- Assign Users to Password Profile
- Disable Remote Operating System Authentication
- Securing Data
- Restrict Access to Operating System Directories
- Securing Database Installation and Configuration
- Securing Network
- How to Configure Encryption on the Client and the Server
- Control Access Data
- Virtual Private Database
- Oracle Label Security
- Database Vault o Management and Reports
- Disabling the Recycle Bin
- Audit Vault
- Built-in Audit Tools
- Standard Database Auditing – Standard Auditing Enable Network Auditing
- Value Based Auditing
- Fine Grained Auditing (FGA)
- Recommended Audit Settings
- Security Maintenance and Monitoring
- Post Deployment Activities: Security Maintenance and Monitoring
- Security Maintenance Activities at OS Level
- Security Maintenance Activities at Web Container Level
