- Training
- Training Live Events
- Training Without Travel
- Security Courses
- Security Curricula
- Certified Instructors
- Training Calendars
- SANS vLive! / SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- Coins
- SANS Onsite
- SANS SelfStudy
- SANS Summit Series
- SANS Partnership Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- List of Resources
- Top 20 List
- Top 25 Programming Errors
- 20 Coolest Jobs
- Application Security Procurement Language
- Top 10 Security Trends
- Top 5 Essential Log Reports
- Reading Room
- Webcasts
- AudioCasts
- WhatWorks
- Newsletters
- RSS Feeds
- Calendar Feeds
- Security Thought Leaders
- Security Policy Project
- Security+ Study Guide
- SANS Buyers Guide
- Security Tool Demos
- 2008 Salary Survey
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
The most trusted source for computer security training, certification and research.
select a course
- Vendor Events
- Hotel & Travel Info
- General Info
- Faculty
- Vendor Expo
- Special Events
- SANS @Night
- Brochure (PDF)
SANS never fails to provide top level training that is worth every penny.
-Tyler Hudak, Yellow Roadway Tech
Security 428
2 Day Course
Upcoming Events
No Events Scheduled At This Time
Please Check Back
Click for Calendar of Events
Work Study opportunities still available for Software Security Series 2007. Please visit Work Study Facilitator Page to submit an application.
No matter your organization's size, budget, or regulatory environments, SANS courses are the best security dollars you can spend.- John Medic, ScriptPro
Java Security Auditing
Please see the specific event details for Faculty Information.6 CPE Credits Per Day
This course is designed to fully equip the risk manager, auditor, developer or security professional tasked to audit Java/J2EE web-based applications for security vulnerabilities. We will review security concerns regarding the deployment of Java applets for enterprise applications. We will discuss every stage of a Java security audit from pre-audit preparation to report delivery.
This course is the perfect opportunity for a novice programmer to receive a comprehensive introduction to the Java programming language using a secure coding approach. Topics include:
- Security considerations of Java polymorphism
- Fundamental secure Java coding theory
- Auditing the Java application deployment environment
- Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
- Java Virtual Machine security policy
- Auditing the Application Architecture and Project Documentation
- Auditing the J2EE network server infrastructure
- OWASP secure code checklist review
- Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF and other web attacks
- Auditing Java Applications for security vulnerabilities created at design
- Auditing the application operations (deployment, change control)
- Auditing application administration operations
- Automated Code Review Tools for Java auditors and for developers
- How to conduct a security-based manual code review
- A complete review of the syntax of the Java language
- A complete review of security considerations regarding the object-oriented aspects of Java
- A review of the core Java Packages and most-used API's
We will investigate and demonstrate automated audit tools including the Fortify Audit Workbench, the FindBugs project and Lint4j. These tools can be built directly into development environments to allow programmers to scan code for security vulnerabilities as well as enforce code quality. We will also review Java audit management tools such as Enerjy.
The bulk of this course is focused on the manual audit of Java code. Manual Code Review is truly the core process of any Java audit. We will review the core aspects of the Java Programming language and highlight security concerns from management, developer and operational perspectives.
We will conclude the course by discussing how a security professional can approach software development teams and encourage changes in the software development life cycle. This will allow development teams to prevent vulnerabilities from the very earliest stages of development.
This course is targeted at technical managers and auditors.
- Who Should Attend
- The security professional who is tasked to audit Java code, but is not necessarily a software engineer
- Hey, are you a netsec geek who wants to learn more about coding and Java source code auditing? This is for you.
- A novice/beginner/intermediate coder who doesn't mind getting a review of the Java language, in addition to being lectured that they really need to design and develop code very differently. Advanced Java coders will get bored, fast
- Advanced coders who don't know Java, but both wish to learn the language and be able to audit Java for security, effectively.
- Risk managers who are tasked to manage a large Java audit process.
- The security professional who is tasked to audit Java code, but is not necessarily a software engineer
- A Sampling of Topics
- Security considerations of Java polymorphism during a Java audit
- Fundamental secure Java coding theory
- Auditing the Java application deployment environment
- Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
- Java Virtual Machine security policy
- Auditing the Application Architecture and Project Documentation
- Auditing the J2EE network server infrastructure
- OWASP secure code checklist review
- Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF and other web attacks
- Auditing Java Applications for security vulnerabilities created at design
- Auditing the application operations (deployment, change control)
- Auditing application administration operations
- Automated Code Review Tools for Java audits and for developers
- How to conduct a security-based manual code review
- A complete review of the syntax of the Java language
- A complete review of security considerations regarding the object-oriented aspects of Java
- A review of the core Java Packages and most-used API's
- © 2000-2009 The SANS™ Institute
- Web Privacy Policy | Web Contact |
- Press Room | Trademark Usage Policy