How To Take This Class

Course Overview

Securing JEE Web Applications is a lab-intensive, hands-on JEE security training course, essential for experienced enterprise developers who need to produce secure JEE-based web applications. In addition to teaching basic programming skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle. In this course, students thoroughly examine best practices for defensively coding JEE web applications, including XML processing and web services. Students will repeatedly attack and then defend various assets associated with a fully-functional web application. This hands-on approach drives home the mechanics of how to secure JEE web applications in the most practical of terms.

Course Prerequisites

Familiarity with Java and JEE is required and real world programming experience is highly recommended. Ideally students should have approximately 6 months to a year of Java and JEE working knowledge.

Course Audience

This is an intermediate -level JEE programming course, designed for developers who wish to get up and running on developing well defended software applications. This course may be customized to suit your team’s unique objectives.

What You'll Learn

Upon successful completion of this course, students will be able to:
  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the vulnerabilities of associated with authentication and authorization
  • Be able to detect, attack, and implement defenses for authentication and authorization functionality and services
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Be able to detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the concepts and terminology behind defensive, secure, coding
  • Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java-based web applications
  • Design and develop strong, robust authentication and authorization implementations within the context of JEE
  • Understand the fundamentals of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture
  • Understand the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Be able to detect, attack, and implement defenses for XML-based services and functionality
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Course Duration

3 Days

Course Outline

  1. Misconceptions
    • Thriving Industry of Identity Theft
    • Dishonor Roll of Data Breaches
    • TJX: Anatomy of a Disaster
    • Heartland: What? Again?
  2. Security Concepts
    • Terminology and Players
    • Assets, Threats, and Attacks
    • OWASP
    • CWE/SANS Top 25 Programming Errors
    • Categories
    • What they mean to your web applications
  3. Defensive Coding Principles
    • Security Is a Lifecycle Issue
    • Bolted on Versus Baked
    • Minimize Attack Surface Area
    • Examples of Minimization
    • Defense in Depth
    • Manage Resources
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do NOT Trust the Untrusted
    • Fix Security Defects Correctly
    • Learning From Vulnerabilities
  4. Reality
    • Recent, Relevant Incidents
    • Finding Security Defects In Web Applications
  5. Unvalidated Input
    • Unvalidated Input: Description
    • Integer Arithmetic Vulnerabilities
    • Unvalidated Input: From the Web
    • Hidden Values in HTTP Communications
    • Unvalidated Input: Symptoms and Detection
    • Detection Through Fuzz Testing
    • Unvalidated Input: Fixes
    • Identifying Trust Boundaries
    • Designing An Appropriate Response
    • Testing Defenses And Responses
  6. Overview Of Regular Expressions
    • Regular Expressions
    • Working with Regular Expressions in Java
  7. Broken Access Control
    • Access Control Issues
    • Broken Access Control: Description
    • Excessive Privileges
    • Unprotected URL/Resource Access: Description
    • Unprotected URL/Resource Access: Symptoms and Detection
    • Primary Concerns in URL/Resource Access
    • Unprotected URL/Resource Access: Fixes
    • Protecting Sessions
    • Addressing Client-Side Caching of Content
    • Authorization Security Overview
    • Defending Special Privileges Such As Administrative Functions
    • Application Authorization Best Practices
  8. Broken Authentication And Session Management
    • Description With Working Example
    • Defenses
    • Multi-Layered Defenses Of Authentication Services
    • Password Management Strategies
    • Password Handling With Hashing Using JCE/JCA
    • Mitigating Password Caching
    • Testing Defenses And Responses For Weaknesses
    • Alternative Authentication Mechanisms
    • Best Practices For Session Management in J2EE
    • Defending Session Hijacking Attacks
    • Best Practices For Single Sign-On (SSO)
  9. Cross Site Scripting (XSS) Flaws
    • Description With Working Example
    • Defenses
    • Character Encoding Complications
    • Blacklisting
    • Whitelisting
    • HTML/XML Entity Encoding
    • Trust Boundary Definition
    • Implementing An Effective Layered Defense
    • Designing An Appropriate Response
  10. Injection Flaws
    • SQL Injection Continues to be Prevalent
    • Injection Flaws: Description
    • Injection Flaws: Symptoms and Detection
    • SQL Injection Examples
    • SQL Injection Attacks Evolve
    • Attackers have a Variety of Tools
    • SQL Injection: Drill Down on Stored Procedures
    • SQL Injection: Drill Down on ORM
    • Minimize SQL Injection Vulnerabilities
    • Minimizing Injection Flaws
    • Command Injection Vulnerabilities
  11. Error Handling And Information Leakage
    • Description With Working Example
    • Defenses
    • J2EE Application Exception Handling
    • Error Response Best Practices
    • Error, Auditing, And Logging Content Management
    • Error, Auditing, And Logging Service Management
    • Best Practices For Supporting Web Attack Forensics
  12. Insecure Storage
    • Description With Working Example
    • Defenses
    • Data Leakage
    • Risk Minimization
    • Cryptography Overview
    • JCS/JCE
    • Data Encryption
    • In-Memory Data Handling
    • Handling Passwords on Server Side
  13. Insecure Management of Configuration
    • Description with working example
    • Defenses
    • System hardening
    • J2EE application server configuration “Gotchas!”
    • Hardening software installation
  14. Direct Object Access
    • Description With Working Example
    • Defenses
    • Java Byte Code Verifier
    • XML/DTD/Schema/XSLT Best Practices
    • Race Conditions
    • Direct Object References
  15. Spoofing and Redirects
    • Spoofing: Description
    • Name Resolution Vulnerabilities
    • Attacks are Constant and Changing
    • Spoofing: Fixes
    • Cross Site Request Forgeries (CSRF)
    • How To Get Victim To Select URL?
    • CSRF Defenses are Entirely Server-Side
    • CSRF Defenses are Evolving
    • Redirects and Forwards
    • Safe Redirects and Forwards
  16. Prioritizing Your Efforts
    • Common Vulnerabilities and Exposures
    • OWASP Top Ten for 2010
    • Security Is a Lifecycle Issue
    • Minimize Attack Surface Area
    • Defense in Depth
    • Manage Resources
    • Layers of Defense: Tenacious D
    • Compartmentalize
    • Consider All Application States
    • Do NOT Trust the Untrusted
    • Fix Security Defects Correctly
    • Leverage Experience
  17. Java Best Practices
    • Code Obfuscation
    • JAAS Usage
    • Java 2 Security and Policy Files
    • Signing JAR Files
  18. Defending XML
    • Understanding Common Attacks And How To Defend
    • Operating In Safe Mode
    • Using Standards-Based Security
    • XML-Aware Security Infrastructure
    • JAXP Safe Mode
  19. Defending Web Services
    • Security Exposures
    • Transport-Level Security
    • Message-Level Security
    • WS-Security
    • Attacks And Defenses
  20. Defending Ajax
    • Ajax Security Exposures
    • Attack Surface Changes
    • Injection Threats And Concerns
    • Effective Defenses And Practices