The talk covers the most insidious security vulnerabilities in Java Web and EE applications through practical demonstration of how to exploit these vulnerabilities and recommendations on how to prevent them. The threat posed by each vulnerability is explained and strategies for mitigating the flaw are introduced. The talk concludes with a discussion about integrating security at every step of the development life cycle.
Stephen de Vries is a Principal Consultant in Corsaire's Security Assessment team. He has worked in IT Security since 1998, and has been programming since 1997. He has spent the last four years focused on Ethical Hacking, Security Assessment and Audit at Corsaire, KPMG and Internet Security Systems. He was a contributing author and trainer on the ISS Ethical Hacking course and Technical Leader for the Automated Perimeter Scanning project, coordinating a team of six developers in three countries. Stephen's past roles have included that of a Security Consultant at a leading City of London financial institution and also Security Engineer at SMC Electronic Commerce. At both positions he was involved in corporate security at many levels and was responsible for consulting on written security policies and procedures, conducting vulnerability assessments, and designing, deploying and managing the security infrastructure of the organisation.
Using Spring Security 2— This session presents not only the new features of Spring Security 2, but also shows some best practices and examples to get the most out of it. Covered architectures will include web (2.0) applications, web services and client/server applications.
Liberty Alliance ID-WSF 2.0— This session gives an overview of ID-WSF 2.0's layered architecture, focusing in particular on the People Service, new in version 2.0, and how it allows consumers and organizations to manage social and enterprise applications such as bookmarks, blogging, calendars, e-mail, photo sharing and instant messaging in a federated social network. Learn how ID-WSF's SOAP-based invocation framework builds on SAML's foundation to provide identity with privacy for web services.
OpenSSO— This session looks at the progress of OpenSSO over the past two years and gives an overview of its features and functionality, with an emphasis on how you can leverage it and get involved. The OpenSSO project (http://opensso.dev.java.net/) was launched by Sun Microsystems in July 2005 to bring its access control, single sign-on and federation technology to the open source community. Since then, the entire code base of Sun's Access Manager product has been released as open source and work is proceeding on Sun Java System Federated Access Manager 8.0 in the OpenSSO community. Come find out how OpenSSO can work in your identity project.
XML Security and JSR 105-106— Java programmers now have a standard solution for creating and validating XML signatures. And with the progression of JSR 106 (Java XML Encryption API) through the Java Community Process, a standard solution for XML encryption will soon be available.
SAML v2— Discover the basics of single sign-on and how SAML assertions are finding their way into projects like OpenSSO, NetBeans and Glassfish to secure web services. SAML V2.0, approved by OASIS in March 2005, is an XML-based framework for communicating user authentication, entitlement, and attribute information. Beyond defining the industry-standard protocol for cross-domain web single sign-on (SSO), SAML is a keystone of higher-level specifications such as the Web Services Interoperability Basic Security Profile (WS-I BSP), the Liberty Alliance's Identity Web Services Framework (ID-WSF) and even Microsoft's CardSpace.