
Years of experience downloaded into your brain in 6 days.
-Chris Koutras, Titan Corp

DEVELOPER 541

Secure Coding in Java/JEE: Developing Defensible Applications

6 CPE Credits Per Day

The Difference between Good and Great Programmers

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

The Only Course Covering the Key Elements of Secure Application Development in Java

Such buyer and management demands create an immediate response from programmers: "Where can I learn what is meant by secure coding?" This unique SANS course allows you to bone up on the skills and knowledge being measured in the third-party assessments as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications.

Rather than teaching students to use a set of tools, we're teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.

Here's a sampling of topics:

Input handling to ensure that input arriving through an application's interfaces is properly processed and validated.

  • Ensuring input from multiple sources can be trusted: HTTP requests, configuration files, backend datastores, command line arguments, environment variables.
  • Validating common data types such as string data as well as uncommon input structures, using Regular Expressions, doValidate() and other tools of Java and J2EE.
  • White-list and black-list approaches and their tradeoffs.

Understanding authentication and session management and mastering authentication principals

  • Authentication for end-users, 3rd party services, backend systems, etc.
  • How to use encryption and certificates to protect a variety of authentication processes, including an understanding of strength-of-function, credential expiration, credential recovery/reset, and re-authentication.
  • Protection of session tokens
  • Gaining familiarity with the more common authentication techniques and APIs available within Java and J2EE.
  • What services and protections are and are not provided.

Active enforcement of access control to guarantee the confidentiality of user data.

  • Restricting access to resources and functions, declarative access control, control checks in custom code, and how the Java Authentication and Authorization Service can be used in implementing access control.

Security implications of built-in data types and Java-specific memory management

  • Complete mastery of the String class's immutability and how to compare String objects correctly.
  • Limitations of Java's numerical data types and the resulting security implications.
  • Security implications of the Java garbage collector, and how it works.
  • ArrayList and Vector: differences and security considerations.
  • Accessibility modifiers, the final modifier, class comparisons, serialization, clone-ability, and inner classes.
  • Managing the privileges of code and different protection domains, including the Security Manager and its policy file.

Properly handling application faults.

  • Java's try/catch/finally construct, Java's logging facilities, and configuration to return default error pages for 404 and other errors.

Structuring multi-threaded programs securely

  • Avoiding race conditions
  • Implementing the Singleton pattern and protecting other resources accessed by multiple threads.
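The check-then-act race in a lazily initialised Singleton, beside the initialization-on-demand holder idiom that avoids it, as an added illustration that is not course material; ConfigCache and its settings map are hypothetical:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not course material. Hypothetical ConfigCache that must be
// created exactly once and shared by many request threads.
public final class ConfigCache {

    // UNSAFE lazy initialisation: two threads can both observe null, both
    // construct an instance, and callers end up holding different objects
    // (a check-then-act race). Visibility across threads is also not guaranteed.
    private static ConfigCache unsafeInstance;
    static ConfigCache getInstanceUnsafe() {
        if (unsafeInstance == null) {           // check
            unsafeInstance = new ConfigCache();  // act, possibly twice
        }
        return unsafeInstance;
    }

    // SAFE: initialization-on-demand holder idiom. The JVM initialises a class
    // exactly once, under its own lock, on first use, so Holder.INSTANCE is
    // created once and published safely without synchronising every call.
    private static final class Holder {
        static final ConfigCache INSTANCE = new ConfigCache();
    }
    public static ConfigCache getInstance() {
        return Holder.INSTANCE;
    }

    private final Map<String, String> settings = new ConcurrentHashMap<>();
    private ConfigCache() { }

    // Shared mutable state: use one atomic compound operation rather than a
    // separate containsKey() + put() pair, which would be another race.
    public String putIfAbsent(String key, String value) {
        return settings.putIfAbsent(key, value);
    }

    public String get(String key) {
        return settings.get(key);
    }
}
```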

Making connections with other applications securely

  • Security risks introduced by using dynamic queries
  • How to defend against SQL injection with safe use of the PreparedStatement to interact with databases based on user-supplied input
  • How to use output encoding to display data to user interfaces as a defense against cross-site scripting.
  • Implementing fail-safe connection patterns.
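A dynamic query built by string concatenation beside the same lookup done with a PreparedStatement, as an added illustration that is not course material; the USERS table, its columns and the open JDBC Connection are assumed:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration, not course material. Assumes a table USERS(USERNAME, EMAIL)
// and an already-open JDBC Connection supplied by the caller.
public class UserLookup {

    // UNSAFE: the user-supplied value is spliced into the SQL text. A value that
    // contains a quote character ends the string literal early, and whatever
    // follows is interpreted as SQL (SQL injection).
    static String lookupEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT EMAIL FROM USERS WHERE USERNAME = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("EMAIL") : null;
        }
    }

    // SAFE: the SQL text is fixed at compile time; the driver sends the value as
    // a bound parameter, so it is always treated as data, never as statement text.
    // try-with-resources closes the statement and result set on every path,
    // including exceptions, which is the fail-safe connection pattern in practice.
    static String lookupEmailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT EMAIL FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("EMAIL") : null;
            }
        }
    }
}
```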

Using JAR Sealing and J2EE Filters effectively

  • How JAR sealing is used
  • Where they can be used to implement each secure coding technique
  • What to avoid in using them

Who Should Attend?

This course is ideal for:

  • Developers who want to build more secure applications
  • Java EE programmers
  • Software engineers
  • Software architects
  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Pre-requisites:

Students should have at least one year's experience working with the JEE framework and should have thorough knowledge of the Java language and web technology.

The vendor-neutral instructional approach goes a long way in providing a broad base of information without bias.
-Keith Rice, Bank of America

Author Statement

After having taught application security to hundreds of developers, I've learned what works in teaching this important subject. Developers need to be intellectually challenged with exercises; they need a variety of solutions they can apply to a single problem in different scenarios. By giving our students concrete examples of applications they can take back with them, class attendees will be armed with strong techniques that can be applied to both current and future projects. By knowing how various Web application attacks work, how common programming errors are made, and how to prevent them, developers will have the tools necessary to prevent a large number of application attacks. Take part in this groundbreaking class and arm yourself with the knowledge to protect your Java applications.
Frank Kim

Training Events By Course

DEVELOPER 541 :: Secure Coding in Java/JEE: Developing Defensible Applications
SANSFIRE 2010 Baltimore, MD June 06, 2010 - June 14, 2010
Mentor Session - SEC 541 Ottawa, ON July 06, 2010 - September 07, 2010
SANS OnDemand Online Training & Assessments Anytime