SANSFIRE 2013

Washington, DC | Fri Jun 14 - Sat Jun 22, 2013

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications

The Difference between Good and Great Programmers

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge through reliable third-party testing or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

Such buyer and management demands prompt an immediate question from programmers: "Where can I learn what is meant by secure coding?" This unique SANS course allows you to bone up on the skills and knowledge required to prevent your applications from getting hacked.

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.

Rather than teaching students to use a set of tools, we teach the concepts of secure programming. This involves looking at a specific piece of code, identifying the security flaw in it, and implementing a fix for the kinds of flaws found on the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates in a Secure Development Challenge where you perform a security review of a real-world open source application. You will conduct a code review, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that you have learned in class, implement fixes for these issues.

Common Web Application Vulnerabilities

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • HTTP response splitting
  • Parameter manipulation

Data Validation

  • Input validation
  • Whitelisting vs blacklisting
  • Output encoding and escaping
  • Parameterized queries
  • Using frameworks and APIs

Authentication

  • How to use encryption and certificates
  • Protecting session ids
  • JEE based authentication
  • Basic and Forms Based Authentication
  • Client certificate authentication

Session Management

  • Session hijacking
  • Session fixation

Access Control

  • JEE based authorization
  • Declarative and programmatic access control
  • Using annotations
  • Spring Security
  • Java Security Manager

Encryption

  • JSSE
  • JCA
  • Client certificates
  • SSL

Java Programming and Language

  • Race conditions
  • Logging & error handling
  • Class security

Course Syllabus

DEV541.1: Data Validation
Instructor: Srinidhi Mallur
Schedule: Mon Jun 17th, 2013, 9:00 AM - 5:00 PM
Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.

Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.

The course is full of hands-on exercises in which you apply practical data validation techniques that prevent common attacks.

CPE/CMU Credits: 6

Topics

  • Web Application Attacks
  • Cross Site Scripting
  • Cross Site Request Forgery (CSRF)
  • SQL Injection
  • HTTP Response Splitting
  • Parameter Manipulation
  • Directory Traversal
  • Web Application Proxy
  • Using Paros
  • Validation Concerns
  • Character Encoding
  • Input Validation
  • Output Encoding
  • Blacklisting & Whitelisting
  • Validation Techniques
  • Regular Expressions
  • Servlet Filters
  • HTML Encoding
  • Struts Validation
  • CAPTCHA
  • Prepared Statements
  • Stored Procedures
  • Aspect Oriented Programming (AOP)
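
The three controls at the heart of this day, whitelist input validation, context-specific output encoding, and parameterized queries, applied to a single untrusted request parameter. This is an added example written for this page, not code from the course materials; the username character set, the `users` table and its column names are assumptions, and the JDBC methods compile against `java.sql` but need a real `Connection` to run.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Added example, not part of the course material: the Day 1 controls
 * (whitelist input validation, output encoding, parameterized queries)
 * applied to one untrusted request parameter. The username character set,
 * the table name "users" and the column names are assumptions.
 */
public class DataValidationExample {

    // Whitelist: the only characters a username may contain, plus a length cap.
    // Everything else is rejected instead of trying to enumerate "bad" characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    /** Input validation: accept only values that match the whitelist. */
    public static boolean isValidUsername(String candidate) {
        return candidate != null && USERNAME.matcher(candidate).matches();
    }

    /**
     * Output encoding for an HTML text context. The characters that can change
     * HTML structure are replaced by entities, so a stored value such as
     * <script>alert(1)</script> renders as text instead of executing.
     * Attribute, JavaScript and URL contexts each need their own encoder.
     */
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** VULNERABLE: concatenating the parameter lets it change the query's structure. */
    public static boolean userExistsUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + username + "'";
        // username = x' OR '1'='1 turns this into a query that matches every row
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /** FIXED: a prepared statement binds the value as data; it can never become SQL. */
    public static boolean userExistsSafe(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT 1 FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate value, one SQL injection probe, one XSS probe.
        String[] inputs = { "alice_01", "x' OR '1'='1", "<script>alert(1)</script>" };
        for (String in : inputs) {
            System.out.printf("%-28s valid=%-5b encoded=%s%n", in, isValidUsername(in), encodeForHtml(in));
        }
    }
}
```

Validation and encoding are not alternatives: the whitelist rejects both probes at the boundary, the encoder protects the page when a value reaches the browser anyway (for example from a database populated by another application), and the prepared statement protects the database regardless of what the other two layers did.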
 
DEV541.2: Authentication, Session Management, and Access Control
Instructor: Srinidhi Mallur
Schedule: Tue Jun 18th, 2013, 9:00 AM - 5:00 PM
Overview

Broken authentication and session management are common issues that can compromise the integrity of your system. Weak authentication protections can allow an attacker to expose your most sensitive secrets: your data. You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start. You will learn how to use JEE container-based authentication and how to set up both Basic and Form-based authentication. You will also learn about Spring Security, the popular security framework for Spring applications.

CPE/CMU Credits: 6

Topics

  • Authentication Attacks
  • Brute force attacks
  • Weak password storage
  • Password reset
  • Secret questions
  • Weak session management
  • Authentication
  • JEE Container Based Authentication
  • Basic Authentication
  • Form Based Authentication
  • Client certificates
  • Account lockout
  • Password policy
  • Spring Security
  • Java Authentication and Authorization Service (JAAS)

  • Protecting Sessions
  • Using SSL
  • Session hijacking
  • Session fixation
  • Authorization
  • JEE Container Based Authorization
  • Declarative access control
  • Programmatic access control
  • Access control bypass
  • JSR 250 annotations
  • Spring Security annotations
  • Unvalidated redirects and forwards
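
The "weak password storage" topic above in working code: an unsalted single-round hash beside a salted, iterated PBKDF2 derivation from the JCA with a constant-time comparison. This is an added example written for this page, not code from the course; the iteration count, salt size and key length are assumptions to be tuned for your own hardware, and it runs on a plain JDK with no extra libraries.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not part of the course material: weak password storage
 * beside a salted, iterated PBKDF2 scheme from the JCA, with constant-time
 * verification. Iteration count, salt size and key length are assumptions.
 */
public class PasswordStorageExample {

    private static final int ITERATIONS = 100000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** What is persisted per user: salt, iteration count and derived key. Never the password. */
    public static final class StoredPassword {
        final byte[] salt;
        final int iterations;
        final byte[] hash;

        StoredPassword(byte[] salt, int iterations, byte[] hash) {
            this.salt = salt;
            this.iterations = iterations;
            this.hash = hash;
        }
    }

    /** WEAK: unsalted, single-round MD5. Equal passwords give equal hashes and precomputed tables apply. */
    public static byte[] weakHash(String password) throws GeneralSecurityException {
        return MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** FIXED: per-user random salt plus an iterated key derivation function. */
    public static StoredPassword hashPassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new StoredPassword(salt, ITERATIONS, pbkdf2(password, salt, ITERATIONS));
    }

    /** Recompute with the stored salt and compare in constant time to avoid a timing side channel. */
    public static boolean verifyPassword(char[] password, StoredPassword stored) throws GeneralSecurityException {
        byte[] candidate = pbkdf2(password, stored.salt, stored.iterations);
        return MessageDigest.isEqual(candidate, stored.hash);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        // PBKDF2WithHmacSHA1 ships with every Java SE 6+ runtime; from Java 8 on prefer PBKDF2WithHmacSHA256.
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // the spec holds its own copy of the password; wipe it
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample: two users who chose the same password.
        System.out.println("weak   user1: " + hex(weakHash("correct horse")));
        System.out.println("weak   user2: " + hex(weakHash("correct horse"))); // identical: no salt

        char[] pw = "correct horse".toCharArray();
        StoredPassword user1 = hashPassword(pw);
        StoredPassword user2 = hashPassword(pw);
        System.out.println("pbkdf2 user1: " + hex(user1.hash));
        System.out.println("pbkdf2 user2: " + hex(user2.hash)); // differ: each has its own salt

        System.out.println("verify correct: " + verifyPassword(pw, user1));
        System.out.println("verify wrong:   " + verifyPassword("Correct horse".toCharArray(), user1));
        Arrays.fill(pw, '\0'); // a char[] can be wiped; an immutable String would linger on the heap
    }
}
```

The password is passed around as a `char[]` rather than a `String` for the reason Day 3 covers under immutability: a `String` cannot be zeroed after use. The iteration count is the tunable cost; raise it until a single verification takes as long as your login path can afford.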
 
DEV541.3: Java Language and Security APIs
Instructor: Srinidhi Mallur
Schedule: Wed Jun 19th, 2013, 9:00 AM - 5:00 PM
Overview

Java is the language of choice for many mission-critical applications, so it is vital to understand the security features and implications of the Java language itself and the Java Runtime Environment (JRE). Through numerous hands-on exercises you will learn about the Security Manager, how code privileges are managed, and how to sign jar files. You will also learn about exception handling with try/catch/finally blocks and about the importance of logging. In further hands-on exercises you will write code to encrypt data in transit and data at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA), and you will examine String immutability, integer and double overflows, and numerous other Java language features that you should consider while writing secure code.

CPE/CMU Credits: 6

Topics

  • Java Security Manager
  • Permissions
  • Policy file
  • Jar signing
  • Error Handling
  • Exceptions
  • Using try/catch/finally
  • Logging
  • Logging frameworks
  • ESAPI logging
  • Encryption
  • Java Secure Sockets Extension (JSSE)
  • Java Cryptography Architecture (JCA)
  • Class Security
  • Accessibility modifiers
  • Inner classes
  • Strings
  • Immutability
  • String handling
  • Integer and Double Overflows
  • Race Conditions
  • Synchronization
  • Collections
  • Singletons
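
Two of the language pitfalls listed above, silent integer overflow and a check-then-act race condition, each in its vulnerable form beside the fix. This is an added example written for this page, not code from the course; the price, quantity and starting balance are constructed values, and it runs on a plain JDK.

```java
/**
 * Added example, not part of the course material: silent integer overflow and
 * a check-then-act race condition, each shown vulnerable beside its fix.
 * Prices, quantities and the starting balance are constructed values.
 */
public class LanguagePitfallsExample {

    /** VULNERABLE: int multiplication wraps silently; a large quantity can make the total small or negative. */
    public static int orderTotalUnsafe(int unitPriceCents, int quantity) {
        return unitPriceCents * quantity;
    }

    /** FIXED: reject negative inputs, compute in a wider type and range-check before narrowing. */
    public static int orderTotalSafe(int unitPriceCents, int quantity) {
        if (unitPriceCents < 0 || quantity < 0) {
            throw new IllegalArgumentException("price and quantity must be non-negative");
        }
        long total = (long) unitPriceCents * quantity;
        if (total > Integer.MAX_VALUE) {
            throw new ArithmeticException("order total does not fit in an int");
        }
        return (int) total; // on Java 8+ Math.multiplyExact(int, int) performs the same check
    }

    /** A shared balance that several request threads debit concurrently. */
    public static final class Account {
        private int balance;

        public Account(int initial) { balance = initial; }

        /** VULNERABLE: the check and the update are not atomic; two threads can both pass the check. */
        public boolean withdrawUnsafe(int amount) {
            if (balance >= amount) {
                Thread.yield(); // widens the window between check and act so the race shows up reliably
                balance -= amount;
                return true;
            }
            return false;
        }

        /** FIXED: the monitor makes check-then-act a single atomic step. */
        public synchronized boolean withdrawSafe(int amount) {
            if (balance >= amount) {
                balance -= amount;
                return true;
            }
            return false;
        }

        public synchronized int balance() { return balance; }
    }

    /** Runs 50 threads that each try to withdraw 10 from a balance of 100 and returns the final balance. */
    public static int runRace(final boolean safe) throws InterruptedException {
        final Account account = new Account(100);
        Thread[] workers = new Thread[50];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(new Runnable() {
                public void run() {
                    if (safe) account.withdrawSafe(10); else account.withdrawUnsafe(10);
                }
            });
        }
        for (Thread t : workers) t.start();
        for (Thread t : workers) t.join();
        return account.balance(); // safe: never below 0; unsafe: often negative
    }

    public static void main(String[] args) throws InterruptedException {
        int price = 2000000, quantity = 2000; // 20,000.00 x 2,000 exceeds Integer.MAX_VALUE
        System.out.println("unsafe total: " + orderTotalUnsafe(price, quantity)); // wrapped, wrong value
        try {
            System.out.println("safe total:   " + orderTotalSafe(price, quantity));
        } catch (ArithmeticException e) {
            System.out.println("safe total:   rejected (" + e.getMessage() + ")");
        }
        System.out.println("balance after unsafe race: " + runRace(false));
        System.out.println("balance after safe race:   " + runRace(true));
    }
}
```

The unsafe race is nondeterministic by nature: how far the balance goes below zero depends on the scheduler, which is exactly why such bugs pass unit tests and surface in production. The safe version is correct regardless of scheduling because the check and the debit happen under one lock.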
 
DEV541.4: Secure Development Challenge
Instructor: Srinidhi Mallur
Schedule: Thu Jun 20th, 2013, 9:00 AM - 5:00 PM
Overview

Using what you have learned about Web application vulnerabilities, you will conduct a security review of a real-world open source application. You will see first-hand how to integrate security into your software development life cycle (SDLC) by first conducting a code review of a large, widely used open source application. Once you have identified vulnerabilities in the code itself, you will perform security testing and actually exploit these weaknesses. Once they have been exploited, you will fix them using the secure coding techniques you have learned in class.

The Secure Development Challenge introduces you to what is needed in a Secure SDLC and shows you how to do it first hand!

CPE/CMU Credits: 6

Topics

  • Security and the SDLC
  • Conducting a secure code review
  • Manual code review
  • Using a static analysis tool
  • Using FindBugs
  • Integrating code review into the SDLC
  • Security Testing
  • Exploiting XSS, CSRF, and SQL Injection
  • Secure Coding
  • Fixing weaknesses in a running application
 
Additional Information
 
  Laptop Required
  • Laptop with administrative level access
  • 7 GB available hard drive space
  • 2 GB RAM or higher
  • DVD drive (minimum 16x recommended)
  • x86-compatible 2 GHz CPU minimum or higher

VMWare

You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system prior to coming to class:

  • VMware Player 4.0 or later
  • VMware Workstation 8.0 or later
  • VMware Fusion 4.0 or later for Mac OS X

VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at http://www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.

Java Documentation

It is recommended that students download the Java SE 7 and Java EE 6 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution). The documentation can be found at oracle.com.

You will receive a DVD containing a Linux VMware image that contains all the course exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend

This course is ideal for:

  • Developers who want to build more secure applications
  • Java EE programmers
  • Software engineers
  • Software architects

This class is focused specifically on software development but is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective including:

  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options
 
  Prerequisites

Students should have at least one year's experience working with the JEE platform and should have thorough knowledge of Java language and Web technology.

 

Author Statement

After having taught application security to hundreds of developers, I've learned what works in teaching this important subject. Developers need to be intellectually challenged with exercises; they need a variety of solutions they can apply to a single problem in different scenarios. By giving our students concrete examples of applications they can take back with them, class attendees will be armed with strong techniques that can be applied to both current and future projects. By knowing how various Web application attacks work, how common programming errors are made, and how to prevent them, developers will have the tools necessary to prevent a large number of application attacks. Take part in this groundbreaking class and arm yourself with the knowledge to protect your Java applications.

Frank Kim