DEV541: Secure Coding in Java/JEE: Developing Defensible Applications

Provided by SANS
Qualification level: GSSP-JAVA Certification
Study type: Distance learning

About the course

This secure coding course will teach students how to build secure Java applications and gain the knowledge and skills to keep a website from getting hacked, counter a wide range of application attacks, prevent critical security vulnerabilities that can lead to data loss, and understand the mindset of attackers.

The course teaches you the art of modern web defense for Java applications by focusing on foundational defensive techniques, cutting-edge protection, and Java EE security features you can use in your applications as soon as you return to work. This includes learning how to:

  • Identify security defects in your code
  • Fix security bugs using secure coding techniques
  • Utilize secure HTTP headers to prevent attacks
  • Secure your sensitive representational state transfer (REST) services
  • Incorporate security into your development process
  • Use freely available security tools to test your applications


Great developers have traditionally distinguished themselves by the elegance, effectiveness and reliability of their code. That is still true, but the security of the code now needs to be added to those other qualities. This unique SANS course allows you to hone the skills and knowledge required to prevent your applications from getting hacked.



Course Syllabus

DEV541.1: Data Validation


Improper data validation is the root cause of the most prevalent web application vulnerabilities today. On this first course day students will learn about some of the most prevalent web application vulnerabilities, including cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, HTTP response splitting and parameter manipulation. You will see how to find these issues and re-create them in a running application. Then you will use a variety of methods to actually fix the vulnerabilities in your Java code.

The course is full of hands-on exercises in which you apply practical data validation techniques to prevent common attacks, with defenses ranging from input validation and output encoding to newer techniques such as Content Security Policy.

CPE/CMU Credits: 6


  • Web Application Attacks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • HTTP Response Splitting
  • Parameter Manipulation
  • Directory Traversal
  • Web Application Proxies
  • Validation Concerns
  • Character Encoding
  • Input Validation
  • Output Encoding
  • Blacklisting and Whitelisting
  • Validation Techniques
  • Regular Expressions
  • Servlet Filters
  • Output Encoding
  • Content Security Policy
  • Prepared Statements
  • CSRF Defense


DEV541.2: Authentication and Session Management


Broken authentication and session management are common issues that can compromise the integrity of your system. Weak authentication protection can allow an attacker to expose your most sensitive secrets: your data! In this session students will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start. You will learn how to use Java Enterprise Edition (EE) container-based authentication and set up basic, form-based and client certificate authentication.

You will also learn how to protect data in transit using SSL, and how to securely store passwords at rest. Various authorization attacks will be discussed, as well as unvalidated forwards and redirects. Session management attacks and defenses will also be covered along with Clickjacking and associated defenses.

CPE/CMU Credits: 6


  • Authentication Factors
  • Authentication Attacks
  • Java EE authentication
  • Basic Authentication
  • Form-based Authentication
  • Client Certificates
  • Using SSL
  • Secure Password Storage
  • Authorization
  • Web and Enterprise JavaBean Access Control
  • Authorization Attacks
  • Access Control Bypass
  • Unvalidated Forwards and Redirects
  • State Management Attacks
  • Session Hijacking
  • Session Fixation
  • Clickjacking
  • Using X-Frame-Options


DEV541.3: Java Platform and API Security


Java is the language of choice for the development of many mission-critical applications. As such, it is vital to understand the security features and implications of using the Java language itself and the Java runtime environment (JRE). Through numerous hands-on exercises you will learn about the Java Security Manager, how code privileges are managed, and how to sign jar files. You will also learn about exception handling and the importance of logging. In hands-on exercises you will write code to encrypt data both in transit and at rest using the Java Secure Socket Extension and the Java Cryptography Architecture. You will also learn about integer and double overflows, and about numerous Java language features that you should consider while writing secure code.

Organizations continue to expose critical representational state transfer (REST)-based web services that can be consumed by Ajax and mobile applications. You will learn how vulnerabilities like Cross-Site Request Forgery (CSRF) can be used by attackers to hack your JSON services. You will also learn how to develop applications that are resistant to such attacks and about the OAuth protocol for authentication and authorization.

CPE/CMU Credits: 6


  • Java Security Manager
  • Permissions
  • Policy File
  • Jar Signing
  • Class Security
  • Error Handling
  • Exceptions
  • Using Try/Catch/Finally
  • Logging
  • Logging Frameworks
  • ESAPI Logging
  • Encryption
  • Java Secure Sockets Extension (JSSE)
  • Java Cryptography Architecture (JCA)
  • Integer and Double Overflows
  • Thread Safety
  • Race Conditions
  • Web Service (JAX-RS) Security
  • REST Security
  • OAuth


DEV541.4: Secure Development Lifecycle


Using what you have learned about web application vulnerabilities, in this session you will conduct a security review of a real-world open-source application. You will see first-hand how to integrate security into your software development life cycle (SDLC), starting with a code review of a large, widely used open-source application. Once you have identified various vulnerabilities in the code itself, you will perform security testing and actually exploit these weaknesses. Once they have been exploited, you will fix the weaknesses using the secure coding techniques learned in class.

The Secure Development Challenge introduces you to what is needed in a secure SDLC and shows you how to do it first-hand.


CPE/CMU Credits: 6


  • Security and the SDLC
  • Conducting a Secure Code Review
  • Manual Code Review
  • Using a Static Analysis Tool
  • Using FindBugs
  • Integrating Code Review into the SDLC
  • Security Testing
  • Exploiting XSS, CSRF, and SQL Injection
  • Secure Coding
  • Fixing Weaknesses in a Running Application


Who Should Attend

  • Developers who want to build more secure applications
  • Java Enterprise Edition (JEE) programmers
  • Software engineers
  • Software architects
  • Developers who need to be trained in secure coding techniques to meet PCI compliance


While the course is focused specifically on software development, it is accessible enough for anyone comfortable working with code who has an interest in understanding the developer's perspective, including:

  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options


What You Will Receive

Ubuntu Linux VMware virtual machine containing:

  • Pre-installed developer tools, including Eclipse, Tomcat, MySQL, Paros, FindBugs, BeEF and sqlmap
  • Java projects and code for all hands-on exercises

Course books covering the following topics:

  • Section 1: Data Validation
  • Section 2: Authentication and Session Management
  • Section 3: Java Platform and API Security
  • Section 4: Secure Development Lifecycle

MP3 audio files of the complete course lecture


You Will Be Able To

Use a web application proxy to view and manipulate HTTP requests and responses

Review and perform basic exploits of common web application vulnerabilities, such as those found among the SANS/CWE Top 25 Most Dangerous Software Errors and the OWASP Top 10:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Parameter manipulation
  • Open redirect
  • Session hijacking
  • Clickjacking
  • Authentication and access control bypass


Mitigate common web application vulnerabilities using secure coding practices and Java libraries, including:

  • Input validation
  • Blacklist and whitelist validation
  • Regular expressions
  • Output encoding
  • Content Security Policy
  • Client-side security headers


Build applications using:

  • Java Enterprise Edition authentication
  • Basic and form-based authentication
  • Client certificates
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)
  • Java Secure Sockets Extension
  • Secure password storage techniques
  • Java Cryptography Architecture
  • Security Manager


Implement a secure software development lifecycle, including code review, static analysis and dynamic analysis techniques.


Hands-on Training

  • Exploiting and Fixing SQL Injection
  • Cross-Site Request Forgery (CSRF) Protection
  • Access Control Bypass
  • Securing Password Storage
  • Clickjacking Defense
  • JavaScript Object Notation (JSON) and CSRF
  • Code Review Challenge


