Duration: 3 Days
This lab-intensive Java/JEE security course is geared for experienced enterprise Java developers who need to develop secure, JEE-based web applications. You will thoroughly examine best practices for defensively coding JEE web applications, including XML processing and web services, as well as dive deep into the most common security vulnerabilities faced by web applications today. You will examine each vulnerability from a Java/JEE perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses.
Extensive practical hands-on labs reinforce these concepts with real vulnerabilities and attacks. You will repeatedly attack and then defend various assets associated with a fully functional web application, learning how to design and implement the layered defenses you will need to defend your own applications.
This approach truly drives home the mechanics of how to secure JEE web applications in the most practical terms. You will leave the course armed with the skills required to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency.
What You Will Learn
Working in a lab-intensive, hands-on programming environment, led by our security experts and guided by our expert security team, you will learn about:
- Potential sources for untrusted data
- Consequences for not properly handling untrusted data, such as denial of service, cross-site scripting, and injections
- Testing web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
- Preventing and defending the many potential vulnerabilities associated with untrusted data
- Vulnerabilities associated with authentication and authorization
- Detecting, attacking, and implementing defenses for authentication and authorization functionality and services
- Dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Detecting, attacking, and implementing defenses against XSS and Injection attacks
- Concepts and terminology behind defensive, secure, and coding
- Using Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Performing both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web applications
- Designing and developing strong, robust authentication and authorization implementations within the context of JEE
- Fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
- Detecting, attacking, and implementing defenses for XML-based services and functionality
- Techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
Audience
This is an intermediate-level JEE/web services programming course designed for developers who wish to get up and running on developing well-defended software applications.
Prerequistes
- Familiarity with Java and JEE is required and real-world programming experience is highly recommended.
- Ideally you should have approximately six months to a year of Java and JEE working knowledge.
- Completion of or skills equivalent to:
Course Outline
1. Introduction: Security Misconceptions
- Security: The Complete Picture
- Causes of Data Breaches
- Heartland: Slipping Past PCI Compliance
- Verizon's 2013 Data Breach Report
- Verizon AppSec Recommendations
Foundation
2. Security Concepts
- Open Web Application Security Project
- Web Application Security Consortium
- Assets are the Targets
- Threat Modeling
- System/Trust Boundaries
3. Principles of Information Security
- Security Is a Lifecycle Issue
- Bolted on vs. Baked in
- Layers of Defense: Tenacious D
- Do NOT Trust the Untrusted
Vulnerabilities
4. Unvalidated Input
- Description
- Integer Arithmetic Vulnerabilities
- Fixes
- Defending Trust Boundaries
5. Overview of Regular Expressions
- Regular Expressions
- Working with Regexes in Java
- Applying Regular Expressions
6. Broken Access Control
- Access Control Issues
- Excessive Privileges
- Insufficient Flow Control/Forceful Browsing
- Unprotected URL/Resource Access: Fixes
- Protecting Sessions
7. Broken Authentication
- Broken Quality/DoS: Fixes
- Broken Authentication Data: Fixes
- Protecting SSO Security Domains
- Handling Passwords on Server Side
8. Cross Site Scripting (XSS)
- XSS: Symptoms and Detection
- XSS: Fixes
- Responding to Error State
- Best Practices for Untrusted Data
9. Injection
- Injection Flaws: Symptoms and Detection
- SQL Injection: Drill Down on Stored Procedures
- SQL Injection: Drill Down on ORM
- Minimize Injection Vulnerabilities
- Defending Against SQL Injection
10. Error Handling and Information Leakage
- Fingerprinting a Web Site
- Error-Handling Issues
- How Does Information Leak?
- Solving DLP Challenges
11. Insecure Data Handling
- Protecting Data Can Mitigate Impact
- Insecure Data Handling: Fixes
- Transport-Level Security
- BEAST Injects JavaScript into SSL Session
12. Insecure Configuration Management
- System Hardening
- Insecure Configuration: Fixes
13. Direct Object Access
- Dynamic Loading: Description
- Dynamic Loading: Fixes
- Race Conditions
- Direct Object References
14. Spoofing and Redirects
- Spoofing: Description
- Attacks are Constant and Changing
- Cross Site Request Forgeries (CSRF)
- CSRF Defenses are Entirely Server-Side
- Safe Redirects and Forwards
15. Understanding What's Important
- Common Vulnerabilities and Exposures
- OWASP Top Ten for 2013
- CWE/SANS Top 25 Most Dangerous SW Errors
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
Defending XML Processing
16. Defending XML
- XML Challenges
- XML Signature
- XML Encryption
- Safe XML Processing
17. Defending Web Services
- Web Service Security Exposures
- Web Services Security Roadmap
- XWSS Provides Many Functions
- Web Service Appliance/Gateways
18. Defending AJAX/RESTful Services
- AJAX/REST Security
- How Attackers See AJAX/REST
- AJAX/REST Privacy Concerns
- CSRF Attacks are of Concern
- Bridging and Its Potential Problems
- Three Basic Tenets for Safe AJAX/REST
Course Labs
This course is about 50% hands-on lab and 50% lecture, with extensive programming exercises designed to reinforce fundamental skills and concepts learned in the lessons. Multiple practical labs reinforce these concepts with real vulnerabilities and attacks. You will be challenged to design and implement the layered defenses you will need to defend your own applications.
