secure java coding

By attending Secure Java Coding workshop, Participants will learn:

  • Concepts and terminology behind defensive coding
  • Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against assets
  • Entire spectrum of threats and attacks that take place against software applications
  • Threat Modeling to identify potential vulnerabilities in a real life case study
  • Static code reviews and dynamic application testing for uncovering vulnerabilities in Java applications
  • Vulnerabilities of the Java programming language and the JVM, and how to harden both
  • Work with Java 2 platform security to gain an appreciation for what is protected and how
  • Roles that Java Authentication and Authorization Service (JAAS) have in Java applications
  • Use JAAS in conjunction with a Java application for both authentication and authorization
  • Basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
  • Fundamentals of XML Digital Signature and XML Encryption

The Secure Java Coding Training course covers the best practices for designing, implementing, and deploying secure programs in Java. Participants will take an application from requirements through to implementation, analyzing and testing for software vulnerabilities. This course explores well beyond basic programming skills, teaching developers sound processes and practices to apply to the entire software development lifecycle. Perhaps just as significantly, Participants will learn about current, real examples that illustrate the potential consequences of not following these best practices.

  • Familiarity with Java and J2EE is required
  • Programming experience is highly recommended
  • At least six months of Java and J2EE working knowledge recommended

  • Application project stakeholders who wish to develop secure Java application.

COURSE AGENDA

  • Security Concepts
    • Motivations: Costs and Standards
    • Open Web Application Security Project
    • Web Application Security Consortium
    • CERT Secure Coding Standards
    • Assets are the Targets
    • Security Activities Cost Resources
    • Threat Modeling
    • System/Trust Boundaries
  • Principles of Information Security
    • Security Is a Lifecycle Issue
    • Minimize Attack Surface Area
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do Not Trust the Untrusted
  • Vulnerabilities
    • Unvalidated Input
    • Broken Access Control
    • Broken Authentication And Session Management
    • Cross Site Scripting (XSS) Flaws
    • Injection Flaws
    • Error Handling And Information Leakage
    • Insecure Storage
    • Insecure Management of Configuration
    • Direct Object Access
    • Spoofing and Redirects
  • Understanding What’s Important
    • Common Vulnerabilities and Exposures
    • OWASP Top Ten
    • CWE/SANS Top 25 Most Dangerous SW Errors
    • Monster Mitigations
    • Strength Training: Project
    • Teams/Developers
    • Strength Training: IT Organizations
  • Security: The Complete Picture
  • TJX: Anatomy of a Disaster?
  • Causes of Data Breaches
  • Heartland – Slipping Past PCI Compliance
  • Target’s Painful Christmas
  • Meaning of Being Compliant
  • Java Security Fundamentals
    • Perimeter Defenses
    • Java Security Architecture
    • JVM Defenses
    • Extending the defenses
  • Cryptography Overview
    • Strong Encryption
    • Ciphers and algorithms
    • Message digests
    • Keys and key management
  • Code Location-Based Security
    • Work with Java 2 Security
    • Byte Code verifier
    • Signing code
    • Trusted code
    • Java permission management
    • Extending Java permissions
  • User-based J2SE Security
    • JAAS Authentication
    • Extending JAAS authentication
    • JAAS Authorization
  • Java Network Security
    • SSL Support
    • HTTPS
    • GSS
    • SASL protocols
  • Code Level Security Best Practices
    • What Java security provides for
    • Preventing remote hacking
    • Preventing accessing of restricted resources
    • Retaining credibility with Java code
  • Defending XML
    • XML Signature
    • XML Encryption
    • XML Attacks: Structure
    • XML Attacks: Injection
    • Safe XML Processing
  • Defending Web Services
    • Web Service Security Exposures
    • When Transport-Level Alone is NOT Enough
    • Message-Level Security
    • WS-Security Roadmap
    • XWSS Provides Many Functions
    • Web Service Attacks
    • Web Service Appliance/Gateways