SI Secure
SI Secure
IndustriesServicesProductsCompanyLibrary
SI Services


Creating Secure Code - Java

  View our "Creating Secure Code"  Webcast

COURSE OVERVIEW

This two day course presents the security features and pitfalls of the Java programming environment. Beginning with an investigation of the Java Virtual Machine and its security capabilities, we discuss bytecode, class loading and permissions. We'll then examine known Java vulnerabilities and how to properly handle cryptography and conclude with Java coding best practices.
The course content is mixed with hands-on examples, complementing the theoretical scope presentations.   Each section will have an in depth hands on lab

COURSE OUTLINE

I. Introduction
  • What is Software Security?
  • Security and the Software Development Lifecycle
II. Java Virtual Machine
  • Java Virtual Machine Overview
  • Bytecode
  • Class Files
  • Class Loaders
  • Lab 1 – Class Loading
III. Java Security
  • Evolution of Java Security
  • Language Security
    - Bytecode Verifier
  • Cryptography
    - Java Cryptography Architecture (JCA)
    - Java Cryptography Extension (JCE)
    - Java Secure Socket Extension (JSSE)
    - Certificates
    - Code Signing
  • Lab 2:  Java & SSL
    - Authentication and Authorization
          Java Authentication and Authorization Service (JAAS)
    - Access Control
         Security Manager
         Access Controller
         Context
         Java 2 Runtime Security Check Algorithm
         Using All Available Permissions
         Protecting Instances
    - Permissions
         Classes
         Subclasses
         Objects
    - Policy
         Security Policy
         Policy Class
         Security Policy File
         Assigning Permissions
  • Lab 3:  Policy and Permission
    - Protection Domains
         ProtectionDomain Class
         CodeSource Class
  • Loading Classes
    - Secure Class Loader
    - Loading Classes and Protection Domains
IV.   Threat Modeling
  • Overview
    - What is threat modeling
    - Why is threat modeling so important
  • Threat Modeling Process
    - Collecting Information
         Overview
         Use cases
         Implementation assumptions
         External dependencies
         Security Notes
    - Decomposing the Application
         Overview
         Identifying entry points
         Identifying assets
         Identifying roles
         Example: Online store application
    - Building the Activity Matrix
         Overview
         Mapping roles to assets
         Example: Online store application



     
IV. Cryptography
  • Java Security APIs
  • Java Security Libraries
  • Using JSSE
  • Using JAAS
  • Code Signing
V.  Best Practices

For more information, please contact Sales at +1.978.694.1008 x24 or email

back to the top of the page