Duration: 4 Days
During this four-day course, you will be led through a series of advanced
topics, where most topics consist of lecture, group discussion, comprehensive
hands-on lab exercises, and lab review.
The initial portion of the course lays down the foundation of basic
terminology and concepts that are built upon in subsequent lessons. The second
portion of the course steps through a series of vulnerabilities illustrating, in
very real terms, the right way to implement secure web applications. The last
portion of the course examines several design patterns that can be used to
facilitate better application architecture, design, implementation, and
deployment.
This course focuses on code, rather than theory and concepts, with about 50%
hands-on labs and 50% lecture. Many examples are threaded into the course,
designed to reinforce fundamental skills and concepts covered, all in the J2EE
environment. Because these lessons, labs, and projects are presented in a
building-block fashion, you will gain a solid understanding of not only the core
concepts, but also how all the pieces fit together in a complete application.
At the end of each lesson, developers will be tested with a set of review
questions to ensure that they fully understand that topic.
What You Will Learn
You will leave this course armed with the skills required to recognize actual
and potential software vulnerabilities, implement defenses for those
vulnerabilities, and test those defenses for sufficiency. This course quickly
introduces developers to the most common security vulnerabilities faced by web
applications today. Each vulnerability is examined from a Java/J2EE perspective
through a process of describing the threat and attack mechanisms, recognizing
associated vulnerabilities, and, finally, designing, implementing, and testing
effective defenses. In many cases, there are labs that reinforce these concepts
with real vulnerabilities and attacks. Then, you will be challenged to design
and implement the layered defenses you will need to defend your own
applications.
You'll learn to:
- Understand potential sources for untrusted data
- Understand the consequences for not properly handling untrusted data, such
as denial of service, cross-site scripting, and injections
- Test web applications with various attack techniques to determine the
existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with
untrusted data
- Understand the vulnerabilities associated with authentication and
authorization
- Detect, attack, and implement defenses for authentication and
authorization functionality and services
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS)
and Injection attacks
- Detect, attack, and implement defenses against XSS and Injection attacks
- Understand the concepts and terminology behind defensive, secure coding
- Understand the use of Threat Risk Modeling as a tool in identifying
software vulnerabilities based on realistic threats against meaningful
assets
- Perform both static code reviews and dynamic application testing to
uncover vulnerabilities in Java-based web applications
- Design and develop strong, robust authentication and authorization
implementations within the context of J2EE
- Understand the basics of Java Cryptography (JCA) and Encryption (JCE) and
where they fit in the overall security picture
- Understand the fundamentals of XML Digital Signature and XML Encryption as
well as how they are used within the web services arena
- Detect, attack, and implement defenses for XML-based services and
functionality
- Understand techniques and measures that can be used to harden web and
application servers as well as other components in your infrastructure
- Understand and implement the processes and measures associated with the
security development lifecycle (SDL)
- Acquire the skills, tools, and best practices for design and code reviews
as well as testing initiatives
- Understand the basics of security testing and planning
- Work through a comprehensive testing plan for recognized vulnerabilities
and weaknesses
Audience
This is an intermediate-to-advanced-level J2EE course designed for developers
who wish to get up and running on developing well-defended web applications.
Prerequisites
- Familiarity with Java and J2EE is required
- Real-world programming experience is highly recommended
- Approximately 6 months to a year of Java and J2EE working knowledge is
ideal
Course Outline
1. Foundation
- Terminology and Players
- Assets, Threats, and Attacks
- OWASP
- Basic Principles
- Reality
- Survey of recent, relevant incidents
- Lab to find the security defects in an existing web application
2. Top Security Vulnerabilities
- #1: Unvalidated Input
  - Description with working example
  - Defenses
    - Identifying trust boundaries
    - Qualifying untrusted data
    - Implementing a layered defense that effectively protects quality of service as well as data integrity
    - Designing an appropriate response to a recognized attack
    - Testing defenses and responses for weaknesses
- #2: Broken Access Control
  - Description with working example
  - Defenses
    - J2EE authorization security overview
    - ServletFilter turning off cache
    - Defending special privileges such as administrative functions
    - Application authorization best practices
- #3: Broken Authentication and Session Management
  - Description with working example
  - Defenses
    - Multi-layered defenses of authentication services
    - Password management strategies
    - Password handling with hashing
    - Mitigating password caching
    - Testing defenses and responses for weaknesses
    - Alternative authentication mechanisms
    - Best practices for session management
    - Defending session hijacking attacks
    - Best practices for Single Sign-On (SSO)
- #4: Cross Site Scripting (XSS) Flaws
  - Description with working example
  - Defenses
    - Character encoding complications
    - Blacklisting
    - Whitelisting
    - HTML/XML entity encoding
    - Understanding the implications of trust boundary definition
    - Implementing a layered defense that effectively protects quality of service as well as XSS vulnerabilities
    - Designing an appropriate response to a recognized attack
- #5: Buffer Overflows
  - Description with working example
  - Defenses
    - Java's strong typing
    - Java's memory model
- #6: Injection Flaws
  - Description with working example
  - Defenses
    - Qualifying untrusted data
    - JDBC with PreparedStatements
    - Hibernate best practices
    - XML best practices
    - Third-party APIs
    - Implementing a layered defense that effectively protects quality of service as well as injection vulnerabilities
    - Designing an appropriate response to a recognized attack
- #7: Improper Error Handling, Auditing, and Logging
  - Description with working example
  - Defenses
    - J2EE web application exception handling framework
    - Error response best practices
    - Error, auditing, and logging content management
    - Error, auditing, and logging service management
    - Best practices for supporting web attack forensics
- #8: Insecure Storage
  - Description with working example
  - Defenses
    - Data leakage
    - Risk minimization
    - Cryptography Overview
    - JCA/JCE
    - Data encryption
    - Partial/Complete
    - Property/Deployment/Configuration files
- #9: Insecure Management of Configuration
  - Description with working example
  - Defenses
    - System hardening
    - J2EE application server configuration "Gotchas!"
    - Hardening software installation
- #10: Dynamic Loading
  - Description with working example
  - Defenses
    - Java Byte Code Verifier
    - Reference ahead to Java best practices
    - XML/DTD/Schema/XSLT best practices
- #11: Spoofing
  - Description with working example
  - Defenses
    - Protecting your clients
    - Defending against Cross Site Request Forgeries
    - Phishing Defenses
3. Best Practices and Design Patterns
- Defensive Coding Principles
  - Attack surface management
  - Application states
  - Defense in depth
  - Not trusting the untrusted
  - No security through obscurity
  - Security defect mitigation
  - Leverage experience
- Java Best Practices
  - Code obfuscation
  - JAAS usage
  - Java 2 security and policy files
  - Signing JAR files
- Defending XML Processing and Web Services
  - Understanding common attacks and how to defend
  - Operating in safe mode
  - Appropriate protocol layer for WS Security
  - Using standards-based security
  - XML-aware security infrastructure
  - WSDL protection
  - Message validation, compliance, and inspection
- J2EE Web Application Security Design Patterns
  - Authentication Enforcer
  - Authorization Enforcer
  - Intercepting Validator
  - Secure Base Action
  - Secure Logger
  - Secure Pipe
  - Secure Service Proxy
  - Intercepting Web Agent
4. Security Development Lifecycle (SDL)
- SDL Process Overview
- Technical practices
- Applying processes and practices
- Risk Analysis
- Threat Patterns
5. SDL Practices and Policies
- Best Practices
- Asset analysis
- Boundary analysis
- Vulnerability identification
- Vulnerability response
- Design reviews
- Code reviews
- Security Policies
- Tools: TRM to Vulnerability Analysis
- Testing as Lifecycle Process
- Testing Planning and Documentation
- Testing Tools
6. Security Testing
- Information Leakage
- Business Logic
- Authentication
- Session Management
- Input Data Validation
- Denial of Service
- Web Services Testing
Course Labs