March 10-11, 2008 (New York City)

If your company or client is looking to employ new services or upgrade existing services to address new business requirements, a SOA (Services Oriented Architecture) can better support the integration of disparate applications and the sharing of data. Yet, building a SOA solution requires different security measures that address the new risks introduced by web services integration. For instance, traditional security protocols, such as SSL, do not provide sufficient security for SOA/Web Services.

Course objective

This two-day course will prepare students to identify, define, diagnose, and implement a comprehensive security strategy. Attendees will be exposed to a broad range of SOA security subjects, providing a solid foundational understanding of sound approaches to designing and implementing SOA security. This includes an understanding of:

• The real risks in SOA, Web Services, and XML
• SOA standards and how to use them
• How to architect security services in Web Services and SOA
• How an attacker looks at Web Services
• Best practices

Target audience

• Developers, architects, security engineers, CIOs, CISOs
• IT professionals of all levels whose organization is looking to implement a SOA or whose clients may be interested in securing their web services�based applications

Prerequisites

Basic understanding of SOA/Web Services

Topics covered

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics such as:

• Web Services attack patterns
• Common XML attack patterns
• Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
• Identity services and federation with SAML and Liberty
• Hardening Web Services servers
• Input validation for Web Services
• Integrating Web Services securely with backend resources and applications using WS-Trust
• Secure Exception handling in Web Services
• Understand the impact of Web 2.0 technologies like Ajax, and REST on distributed systems security

View complete course syllabus

Printed guides and Power Point presentation will be made available for both days of the course

About the instructor

Gunnar Peterson (blog) is a Managing Principal at Arctec Group. He focuses on distributed systems security for large, mission-critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start-ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences.