Secure Java Coding Training

Course #:WA2512

Secure Java Coding Training

This 3 day course is a hands-on, lab-intensive Java security, code-level training course that teaches you the best practices for designing, implementing, and deploying secure programs in Java. You will take an application from requirements through to implementation, analyzing and testing for software vulnerabilities. This course explores well beyond basic programming skills, teaching developers sound processes and practices to apply to the entire software development lifecycle. Perhaps just as significantly, you will learn about current, real examples that illustrate the potential consequences of not following these best practices.

  • Security Misconceptions
  • Security Concepts
  • Vulnerabilities
  • Java Security Fundamentals
  • Cryptography Overview
  • User-based Java SE Security
  • Code Level Security Best Practices
  • Defending XML
  • Defending Web Services

Practical work
  As a programming class, this course provides multiple challenging labs for students to work through during the class. This workshop is about 50% hands-on lab and 50% lecture. Throughout the course students will be led through a series of progressively advanced topics, where each topic consists of lecture, group discussion, comprehensive hands-on lab exercises, and lab review. Multiple detailed lab exercises are laced throughout the course, designed to reinforce fundamental skills and concepts learned in the lessons.

What you will learn
  After completing this course, the student should be able to:
  • Concepts and terminology behind defensive coding
  • Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against assets
  • Entire spectrum of threats and attacks that take place against software applications
  • Threat Modeling to identify potential vulnerabilities in a real life case study
  • Static code reviews and dynamic application testing for uncovering vulnerabilities in Java applications
  • Vulnerabilities of the Java programming language and the JVM, and how to harden both
  • Work with Java 2 platform security to gain an appreciation for what is protected and how
  • Roles that Java Authentication and Authorization Service (JAAS) have in Java applications
  • Use JAAS in conjunction with a Java application for both authentication and authorization
  • Basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
  • Fundamentals of XML Digital Signature and XML Encryption


Application project stakeholders who wish to develop secure Java applications

  • Familiarity with Java and Java EE is required
  • Programming experience is highly recommended
  • At least six months of Java and Java EE working knowledge recommended

  Three days.

Outline of Secure Java Coding Training

1. Introduction: Misconceptions

  • Security: The Complete Picture
  • TJX: Anatomy of a Disaster?
  • Causes of Data Breaches
  • Heartland - Slipping Past PCI Compliance
  • Target's Painful Christmas
  • Meaning of Being Compliant
  • Verizon's 2013 Data Breach Report

2. Foundation

  • Security Concepts
    • Motivations: Costs and Standards
    • Open Web Application Security Project
    • Web Application Security Consortium
    • CERT Secure Coding Standards
    • Assets are the Targets
    • Security Activities Cost Resources
    • Threat Modeling
    • System/Trust Boundaries
  • Principles of Information Security
    • Security Is a Lifecycle Issue
    • Minimize Attack Surface Area
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do Not Trust the Untrusted
  • Vulnerabilities
    • Unvalidated Input
    • Broken Access Control
    • Broken Authentication And Session Management
    • Cross Site Scripting (XSS) Flaws
    • Injection Flaws
    • Error Handling And Information Leakage
    • Insecure Storage
    • Insecure Management of Configuration
    • Direct Object Access
    • Spoofing and Redirects
  • Understanding What's Important
    • Common Vulnerabilities and Exposures
    • OWASP Top Ten for 2013
    • CWE/SANS Top 25 Most Dangerous SW Errors
    • Monster Mitigations
    • Strength Training: Project
    • Teams/Developers
    • Strength Training: IT Organizations

3. Java Security

  • Java Security Fundamentals
    • Perimeter Defenses
    • Java Security Architecture
    • JVM Defenses
    • Extending the defenses
  • Cryptography Overview
    • Strong Encryption
    • Ciphers and algorithms
    • Message digests
    • Keys and key management
  • Code Location-Based Security
    • Work with Java 2 Security
    • Byte Code verifier
    • Signing code
    • Trusted code
    • Java permission management
    • Extending Java permissions
  • User-based J2SE Security
    • JAAS Authentication
    • Extending JAAS authentication
    • JAAS Authorization
  • Java Network Security
    • SSL Support
    • HTTPS
    • GSS
    • SASL protocols
  • Code Level Security Best Practices
    • What Java security provides for
    • Preventing remote hacking
    • Preventing accessing of restricted resources
    • Retaining credibility with Java code

4. Defending XML and Services

  • Defending XML
    • XML Signature
    • XML Encryption
    • XML Attacks: Structure
    • XML Attacks: Injection
    • Safe XML Processing
  • Defending Web Services
    • Web Service Security Exposures
    • When Transport-Level Alone is NOT Enough
    • Message-Level Security
    • WS-Security Roadmap
    • XWSS Provides Many Functions
    • Web Service Attacks
    • Web Service Appliance/Gateways
We regularly offer classes in these and other cities. Atlanta, Austin, Baltimore, Calgary, Chicago, Cleveland, Dallas, Denver, Detroit, Houston, Jacksonville, Miami, Montreal, New York City, Orlando, Ottawa, Philadelphia, Phoenix, Pittsburgh, Seattle, Toronto, Vancouver, Washington DC.