How To Take This Class

Course Overview

Java Secure Coding is a hands-on, lab-intensive Java security, code-level training course that teaches students the best practices for designing, implementing, and deploying secure programs in Java. Students will take an application from requirements through to implementation, analyzing and testing for software vulnerabilities. This course explores well beyond basic programming skills, teaching developers sound processes and practices to apply to the entire software development lifecycle. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices. This course is short on theory and long on application, providing students with in-depth, code-level labs.

Course Prerequisites

Familiarity with the Java programming language is required, and real world programming experience is highly recommended.

Course Audience

This is an intermediate-level programming course designed for application project stakeholders who wish to get up and running on developing well defended Java applications.

What You'll Learn

Upon successful completion of this course, students will be able to:
  • Understand the concepts and terminology behind defensive coding
  • Understand and use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Learn the entire spectrum of threats and attacks that take place against software applications in today’s world
  • Use Threat Modeling to identify potential vulnerabilities in a real life case study
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java applications
  • Understand the vulnerabilities of the Java programming language and the JVM as well as how to harden both
  • Understand and work with Java 2 platform security to gain an appreciation for what is protected and how
  • Understand the role that Java Authentication and Authorization Service (JAAS) has in Java applications
  • Use JAAS in conjunction with a Java application for both authentication and authorization
  • Understand the basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
  • Understand the fundamentals of XML Digital Signature and XML Encryption

Course Duration

3 Days

Course Outline

  1. Misconceptions
    • Thriving Industry of Identity Theft
    • Dishonor Roll of Data Breaches
    • TJX: Anatomy of a Disaster
    • Heartland: What? Again?
  2. Security Concepts
    • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • CWE/SANS Top 25 Programming Errors
    • Categories
    • What they mean to your applications
  3. Defensive Coding Principles
    • Security Is a Lifecycle Issue
    • Bolted on Versus Baked
    • Minimize Attack Surface Area
    • Examples of Minimization
    • Defense in Depth
    • Manage Resources
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do NOT Trust the Untrusted
    • Fix Security Defects Correctly
    • Learning From Vulnerabilities
  4. Reality
    • Recent, Relevant Incidents
    • Find Security Defects In Web Application
  5. Vulnerabilities
    • Security Attacks
    • Information Attacks
    • System Attacks
    • Data Attacks
  6. Java Security Fundamentals
    • Perimeter Defenses
    • Java Security Architecture
    • JVM Defenses
    • Extending the defenses
  7. Cryptography Overview
    • Cryptography defined
    • Strong Encryption
    • Ciphers and algorithms
    • Message digests
    • Keys and key management
    • Types of keys
    • JCA and JCE
    • Key management in Java
    • Certificate management in Java
    • Encryption/Decryption
  8. Code Location-Based Security
    • Java 2 Security and Applets
    • Work with Java 2 Security
    • Byte Code verifier
    • Class loaders
    • Class loader tunnels
    • Signing code
    • Trusted code
    • Java permission management
    • Extending Java permissions
  9. User-based J2SE Security
    • JAAS Overview
    • JAAS Authentication
    • Extending JAAS authentication
    • JAAS Authorization
  10. Java Network Security
    • SSL Support
    • HTTPS
    • GSS
    • SASL protocols
  11. Code Level Security Best Practices
    • What Java security provides for
    • Preventing remote hacking
    • Preventing accessing of restricted resources
    • Retaining credibility with Java code
  12. Defending XML
    • Understanding common attacks and how to defend
    • Operating in safe mode
    • Using standards-based security
    • XML-aware security infrastructure