- Training
- Training Live Events
- Training Without Travel
- Security Courses
- Security Curricula
- Certified Instructors
- Training Calendars
- SANS vLive! / SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- Coins
- SANS Onsite
- SANS SelfStudy
- SANS Summit Series
- SANS Partnership Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- List of Resources
- Top 20 List
- Top 25 Programming Errors
- 20 Coolest Jobs
- Application Security Procurement Language
- Top 10 Security Trends
- Top 5 Essential Log Reports
- Reading Room
- Webcasts
- AudioCasts
- WhatWorks
- Newsletters
- RSS Feeds
- Calendar Feeds
- Security Thought Leaders
- Security Policy Project
- Security+ Study Guide
- SANS Buyers Guide
- Security Tool Demos
- 2008 Salary Survey
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
The most trusted source for computer security training, certification and research.
select a course
San Jose, CA - December 4 - 9, 2006
- Hotel & Travel Info
- Faculty
- Vendor Expo
- General Info
- Vendor Events
- Special Events
- SANS @Night
- Brochure (PDF)
It's very dynamic and I will be able to apply what I learned directly into my area of work.
-Wagner Nascimento, eBay, Inc.
Security 428
2 Day Course
(Portal Account Required)
For OnDemand Bundles
You can bundle SANS OnDemand online training and assessment package for an additional $179.00 US when registering for the full course. Additional information can be found at the OnDemand Bundles page and the OnDemand FAQ.
Java Security Auditing
Monday, December 4, 2006 - Tuesday, December 5, 2006 : 9am - 5pmJames Manico, Consultant
6 CPE Credits Per Day
This course is designed to fully equip the risk manager, auditor, developer or security professional tasked to audit Java/J2EE web-based applications for security vulnerabilities. We will review security concerns regarding the deployment of Java applets for enterprise applications. We will discuss every stage of a Java security audit from pre-audit preparation to report delivery.
This course is the perfect opportunity for a novice programmer to receive a comprehensive introduction to the Java programming language using a secure coding approach. Topics include:
- Security considerations of Java polymorphism
- Fundamental secure Java coding theory
- Auditing the Java application deployment environment
- Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
- Java Virtual Machine security policy
- Auditing the Application Architecture and Project Documentation
- Auditing the J2EE network server infrastructure
- OWASP secure code checklist review
- Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF and other web attacks
- Auditing Java Applications for security vulnerabilities created at design
- Auditing the application operations (deployment, change control)
- Auditing application administration operations
- Automated Code Review Tools for Java auditors and for developers
- How to conduct a security-based manual code review
- A complete review of the syntax of the Java language
- A complete review of security considerations regarding the object-oriented aspects of Java
- A review of the core Java Packages and most-used API's
We will investigate and demonstrate automated audit tools including the Fortify Audit Workbench, the FindBugs project and Lint4j. These tools can be built directly into development environments to allow programmers to scan code for security vulnerabilities as well as enforce code quality. We will also review Java audit management tools such as Enerjy.
The bulk of this course is focused on the manual audit of Java code. Manual Code Review is truly the core process of any Java audit. We will review the core aspects of the Java Programming language and highlight security concerns from management, developer and operational perspectives.
We will conclude the course by discussing how a security professional can approach software development teams and encourage changes in the software development life cycle. This will allow development teams to prevent vulnerabilities from the very earliest stages of development.
This course is targeted at technical managers and auditors.
- Who Should Attend
- The security professional who is tasked to audit Java code, but is not necessarily a software engineer
- Hey, are you a netsec geek who wants to learn more about coding and Java source code auditing? This is for you.
- A novice/beginner/intermediate coder who doesn't mind getting a review of the Java language, in addition to being lectured that they really need to design and develop code very differently. Advanced Java coders will get bored, fast
- Advanced coders who don't know Java, but both wish to learn the language and be able to audit Java for security, effectively.
- Risk managers who are tasked to manage a large Java audit process.
- The security professional who is tasked to audit Java code, but is not necessarily a software engineer
- A Sampling of Topics
- Security considerations of Java polymorphism during a Java audit
- Fundamental secure Java coding theory
- Auditing the Java application deployment environment
- Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
- Java Virtual Machine security policy
- Auditing the Application Architecture and Project Documentation
- Auditing the J2EE network server infrastructure
- OWASP secure code checklist review
- Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF and other web attacks
- Auditing Java Applications for security vulnerabilities created at design
- Auditing the application operations (deployment, change control)
- Auditing application administration operations
- Automated Code Review Tools for Java audits and for developers
- How to conduct a security-based manual code review
- A complete review of the syntax of the Java language
- A complete review of security considerations regarding the object-oriented aspects of Java
- A review of the core Java Packages and most-used API's
- © 2000-2009 The SANS™ Institute
- Web Privacy Policy | Web Contact |
- Press Room | Trademark Usage Policy