How To Take This Class

Course Overview

The Secure JEE Web Application Development Training is an intense JEE security training workshop/seminar essential for web developers who need to produce secure web applications, integrating security measures into the development process from requirements to deployment and maintenance. This course explores well beyond basic programming skills, teaching developers sound processes and practices to apply to the entire software development lifecycle. Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices. This course is short on theory and long on application, providing students with in-depth, code-level demonstrations and walkthroughs.

Course Prerequisites

Students should have an understanding and a working knowledge in basic programming in either .Net or Java.

Course Audience

This is an intermediate -level and beyond JEE course designed for developers who wish to get up and running on developing well defended web applications. Familiarity with Java and JEE is required and real world programming experience is highly recommended. Ideally students should have approximately 6 months to a year of Java and JEE working knowledge.

What You'll Learn

Upon successful completion of this course, students will be able to:
  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the vulnerabilities of associated with authentication and authorization
  • Be able to detect, attack, and implement defenses for authentication and authorization functionality and services
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Be able to detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the concepts and terminology behind defensive, secure, coding
  • Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web applications
  • Design and develop strong, robust authentication and authorization implementations within the context of JEE
  • Understand the fundamentals of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
  • Understand the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Be able to detect, attack, and implement defenses for XML-based services and functionality
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Course Duration

2 Days

Course Outline

  1. Misconceptions
    • Thriving Industry of Identity Theft
    • Dishonor Roll of Data Breaches
    • TJX: Anatomy of a Disaster
    • Heartland: What? Again?
    • Security Concepts
    • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • CWE/SANS Top 25 Programming Errors
    • Categories
    • What they mean to your web applications
  2. Defensive Coding Principles
    • Security Is A Lifecycle Issue
    • Minimize Attack Surface
    • Manage Resources
    • Application States
    • Compartmentalize
    • Defense In Depth - Layered Defense
    • Consider All Application States
    • Not Trusting The Untrusted
    • Security Defect Mitigation
    • Leverage Experience
    • Reality
    • Recent, Relevant Incidents
    • Find Security Defects In Web Application
  3. Unvalidated Input
    • Unvalidated Input: Description
    • Integer Arithmetic Vulnerabilities
    • Unvalidated Input: From the Web
    • Hidden Values in HTTP Communications
    • Unvalidated Input: Symptoms and Detection
    • Detection Through Fuzz Testing
    • Unvalidated Input: Fixes
    • Identifying Trust Boundaries
    • Designing An Appropriate Response
    • Testing Defenses And Responses
    • Overview Of Regular Expressions
    • Regular Expressions
    • Working with Regular Expressions in Java
    • Broken Access Control
    • Access Control Issues
    • Broken Access Control: Description
    • Excessive Privileges
    • Unprotected URL/Resource Access: Description
    • Unprotected URL/Resource Access: Symptoms and Detection
    • Primary Concerns in URL/Resource Access
    • Unprotected URL/Resource Access: Fixes
    • Protecting Sessions
    • Addressing Client-Side Caching of Content
    • Authorization Security Overview
    • Defending Special Privileges Such As Administrative Functions
    • Application Authorization Best Practices
  4. Broken Authentication And Session Management
    • Description With Working Example
    • Defenses
    • Multi-Layered Defenses Of Authentication Services
    • Password Management Strategies
    • Password Handling With Hashing Using JCE/JCA
    • Mitigating Password Caching
    • Testing Defenses And Responses For Weaknesses
    • Alternative Authentication Mechanisms
    • Best Practices For Session Management in JEE
    • Defending Session Hijacking Attacks
    • Best Practices For Single Sign-On (SSO)
  5. Cross Site Scripting (XSS) Flaws
    • Description With Working Example
    • Defenses
    • Character Encoding Complications
    • Blacklisting
    • Whitelisting
    • HTML/XML Entity Encoding
    • Trust Boundary Definition
    • Implementing An Effective Layered Defense
    • Designing An Appropriate Response
  6. Injection Flaws
    • SQL Injection Continues to be Prevalent
    • Injection Flaws: Description
    • Injection Flaws: Symptoms and Detection
    • SQL Injection Examples
    • SQL Injection Attacks Evolve
    • Attackers have a Variety of Tools
    • SQL Injection: Drill Down on Stored Procedures
    • SQL Injection: Drill Down on ORM
    • Minimize SQL Injection Vulnerabilities
    • Minimizing Injection Flaws
    • Command Injection Vulnerabilities
  7. Error Handling And Information Leakage
    • Description With Working Example
    • Defenses
    • JEE Application Exception Handling
    • Error Response Best Practices
    • Error, Auditing, And Logging Content Management
    • Error, Auditing, And Logging Service Management
    • Best Practices For Supporting Web Attack Forensics
  8. Insecure Storage
    • Description With Working Example
    • Defenses
    • Data Leakage
    • Risk Minimization
    • Cryptography Overview
    • JCS/JCE
    • Data Encryption
    • In-Memory Data Handling
    • Handling Passwords on Server Side
  9. Insecure Management Of Configuration
    • Description With Working Example
    • Defenses
    • System Hardening
    • Server Configuration “Gotchas!”
    • Hardening Software Installation
  10. Insecure Management of Configuration
    • Description with working example
    • Defenses
    • System hardening
    • JEE application server configuration “Gotchas!”
    • Hardening software installation
  11. Direct Object Access
    • Description With Working Example
    • Defenses
    • Java Byte Code Verifier
    • XML/DTD/Schema/XSLT Best Practices
    • Race Conditions
    • Direct Object References
  12. Spoofing and Redirects
    • Spoofing: Description
    • Name Resolution Vulnerabilities
    • Attacks are Constant and Changing
    • Spoofing: Fixes
    • Cross Site Request Forgeries (CSRF)
    • How To Get Victim To Select URL?
    • CSRF Defenses are Entirely Server-Side
    • CSRF Defenses are Evolving
    • Redirects and Forwards
    • Safe Redirects and Forwards
  13. Prioritizing Your Efforts
    • Common Vulnerabilities and Exposures
    • OWASP Top Ten for 2010
    • Security Is a Lifecycle Issue
    • Minimize Attack Surface Area
    • Defense in Depth
    • Manage Resources
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do NOT Trust the Untrusted
    • Fix Security Defects Correctly
    • Leverage Experience
  14. Java Best Practices
    • Code Obfuscation
    • JAAS Usage
    • Java 2 Security and Policy Files
    • Signing JAR Files
  15. Defending XML
    • Understanding Common Attacks And How To Defend
    • Operating In Safe Mode
    • Using Standards-Based Security
    • XML-Aware Security Infrastructure
    • JAXP Safe Mode
  16. Defending Web Services
    • Security Exposures
    • Transport-Level Security
    • Message-Level Security
    • WS-Security
    • Attacks And Defenses
  17. Defending Ajax
    • Ajax Security Exposures
    • Attack Surface Changes
    • Injection Threats And Concerns
    • Effective Defenses And Practices
  18. SSD Process Overview
    • CLASP Defined
    • CLASP Applied
    • Asset, Boundary, and Vulnerability Identification
    • Vulnerability Response
    • Design and Code Reviews
    • Applying Processes and Practices
    • Risk Analysis
  19. Security Testing
    • Testing as Lifecycle Process
    • Testing Planning and Documentation
    • Testing Tools And Processes
    • Static and Dynamic Code Analysis
    • Testing Practices
    • Authentication Testing
    • Session Management Testing
    • Data Validation Testing
    • Denial Of Service Testing
    • Web Services Testing
    • Ajax Testing
  20. Design patterns introduction
    • JEE Web Application Security Design Patterns
    • Authentication Enforcer
    • Authorization Enforcer
    • Intercepting Validator
    • Secure Base Action
    • Secure Logger
    • Secure Pipe
    • Secure Service Proxy
    • Intercepting Web Agent