Course Description
This course is a hands-on, lab-intensive, code-level Java security training course that teaches you the best practices for designing, implementing, and deploying secure programs in Java. You will take an application from requirements through to implementation, analyzing and testing it for software vulnerabilities. This course goes well beyond basic programming skills, teaching developers sound processes and practices to apply across the entire software development lifecycle. Perhaps just as significantly, you learn from current, real examples that illustrate the potential consequences of not following these best practices. This course is short on theory and long on application, providing you with in-depth, code-level labs.
Security experts agree that the least effective approach to security is "penetrate and patch." It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle. This workshop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is Java-specific, it may also be presented using .Net (TT8205-N) or other programming languages.
What You'll Learn
- Concepts and terminology behind defensive coding
- Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- The entire spectrum of threats and attacks that take place against software applications in today's world
- Threat Modeling to identify potential vulnerabilities in a real life case study
- Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java applications
- Vulnerabilities of the Java programming language and the JVM as well as how to harden both
- Work with Java 2 platform security to gain an appreciation for what is protected and how
- The role that Java Authentication and Authorization Service (JAAS) has in Java applications
- Use JAAS in conjunction with a Java application for both authentication and authorization
- The basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
- Fundamentals of XML Digital Signature and XML Encryption
- Implement the processes and measures associated with Secure Software Development (SSD)
- Skills, tools, and best practices for design and code reviews as well as testing initiatives
- Basics of security testing and planning
- Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses
Who Needs to Attend
This is an intermediate-level Java programming course designed for application project stakeholders who wish to develop secure Java applications.
Prerequisites
Familiarity with the Java programming language is required, and real world programming experience is highly recommended.
You should have an understanding and a working knowledge in the following topics, or attend at least one of the following courses as a prerequisite:
- Java 7 SE Programming for OO Experienced Developers
- Introduction to Java Programming for Non-OO Developers
- Java Web Essentials for OO Developers
Course Outline
1. Introduction: Misconceptions
- Security: The Complete Picture
- TJX: Anatomy of a Disaster?
- Causes of Data Breaches
- Heartland - Slipping Past PCI Compliance
- Target's Painful Christmas
- Meaning of Being Compliant
- Verizon's 2013 Data Breach Report
2. Foundation
- Security Concepts
- Motivations: Costs and Standards
- Open Web Application Security Project
- Web Application Security Consortium
- CERT Secure Coding Standards
- Assets are the Targets
- Security Activities Cost Resources
- Threat Modeling
- System/Trust Boundaries
- Principles of Information Security
- Security Is a Lifecycle Issue
- Minimize Attack Surface Area
- Layers of Defense: Tenacious D
- Compartmentalize
- Consider All Application States
- Do Not Trust the Untrusted
- Vulnerabilities
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting (XSS) Flaws
- Injection Flaws
- Error Handling and Information Leakage
- Insecure Storage
- Insecure Management of Configuration
- Direct Object Access
- Spoofing and Redirects
- Understanding What's Important
- Common Vulnerabilities and Exposures
- OWASP Top Ten for 2013
- CWE/SANS Top 25 Most Dangerous SW Errors
- Monster Mitigations
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
3. Java Security
- Java Security Fundamentals
- Perimeter Defenses
- Java Security Architecture
- JVM Defenses
- Extending the Defenses
- Cryptography Overview
- Strong Encryption
- Ciphers and Algorithms
- Message Digests
- Keys and Key Management
- Code Location-Based Security
- Work with Java 2 Security
- Byte Code Verifier
- Signing Code
- Trusted Code
- Java Permission Management
- Extending Java Permissions
- User-based J2SE Security
- JAAS Authentication
- Extending JAAS Authentication
- JAAS Authorization
- Java Network Security
- SSL Support
- HTTPS
- GSS
- SASL Protocols
- Code Level Security Best Practices
- What Java Security Provides
- Preventing Remote Hacking
- Preventing Accessing of Restricted Resources
- Retaining Credibility with Java Code
- Defending XML and Services
- Defending XML
- XML Signature
- XML Encryption
- XML Attacks: Structure
- XML Attacks: Injection
- Safe XML Processing
- Defending Web Services
- Web Service Security Exposures
- When Transport-Level Alone is NOT Enough
- Message-Level Security
- WS-Security Roadmap
- XWSS Provides Many Functions
- Web Service Attacks
- Web Service Appliance/Gateways
4. Secure Development Lifecycle (SDL)
- SDL Process Overview
- Software Security Axioms
- Security Lifecycle - Phases
- Applying Processes and Practices
- Awareness
- Application Assessments
- Security Requirements
- Secure Development Practices
- Security Architecture/Design Review
- Security Code Review
- Configuration Management and Deployment
- Vulnerability Remediation Procedures
- Risk Analysis
- Threat Modeling Process
1. Identify Security Objectives
2. Describe the System
3. List Assets
4. Define System/Trust Boundaries
5. List and Rank Threats
6. List Defenses and Countermeasures
5. Security Testing
- Testing Tools and Processes
- Security Testing Principles
- Black Box Analyzers
- Static Code Analyzers
- Criteria for Selecting Static Analyzers
- Testing Practices
- OWASP Web App Penetration Testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Ajax Testing
Labs
Hands-On Learning: As a programming class, this course provides multiple challenging labs for students to work through during the class. This workshop is about 50% hands-on lab and 50% lecture. Throughout the course, students will be led through a series of progressively advanced topics, where each topic consists of lecture, group discussion, comprehensive hands-on lab exercises, and lab review. Multiple detailed lab exercises are laced throughout the course, designed to reinforce the fundamental skills and concepts learned in the lessons. At the end of each lesson, developers will be tested with a set of review questions to ensure that they have fully understood that topic.