COD 813: Creating Secure Code - J2EE Applications

Live Training English
Duration: 2 days | Course is offered in English

Course Overview

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. This course gives developers an in-depth immersion into secure coding practices with an emphasis on the security features and pitfalls of the Java programming environment. To complement the knowledge and techniques presented, it includes hands-on labs on implementing secure solutions in J2EE and real-world examples of how to find, fix, and prevent vulnerabilities. 

Upon completion of this course, participants will be able to:

  • Leverage Java security architecture and its built-in security features to reduce application security risk
  • Properly handle byte code, class loading, cryptography and permissions
  • Avoid Java vulnerabilities by using Java coding best practices
  • Recognize and remediate common J2EE coding errors that lead to vulnerabilities
  • Write defensive code that protects your application from common threats
  • Understand the do’s and don’ts of managed code
  • Recognize when code is required to be reviewed for security vulnerabilities

Course Modules

Introduction

This module offers a "State of Software Security" address and why it’s still woefully lacking. It introduces the concept of entry points, the primary means that software is exploited.  Additionally, it will provide examples of when good design goes bad and a framework for how to think about software security (and how it's different from network security).

Java Virtual Machine

  • Java virtual machine overview
  • Byte code
  • Class files

Java Security

  • Evolution of Java Security
  • Language security
  • Cryptography
  • Java and SSL
  • Policy and permission
  • Loading classes

Threat Modeling

This module illustrates how threat modeling is leveraged to identify potential threats to your application, uncover and prioritize security vulnerabilities, and guide your secure programming and security testing efforts. It includes a lab that entails conducting a threat model.

Cryptography

  • Java security APIs
  • Java security libraries
  • Using JSSE
  • Using JAAS
  • Code signing

Common Coding and Design Errors

This module describes the top ten most common programming errors that lead to security vulnerabilities. Leveraging real-world examples, the instructor will show you what vulnerabilities look like in code, and how to leverage manual and automated techniques to find them. Most importantly, you’ll learn how to remediate them and countermeasures to mitigate them.

Coding errors covered:

  1. Trusting the identity of a remote host
  2. Poorly implementing cryptography
  3. Not validating user input
  4. Information disclosure
  5. Integer overflows
  6. Relative and default paths
  7. Administrative, software and service back doors
  8. Storing sensitive data in plain text
  9. Creating temporary files
  10. Trusting libraries and OS APIs

Common Web Application Errors

This module describes how web applications are different from other platforms and how they are typically attacked and examines the most common errors in web applications that lead to security vulnerabilities. For each vulnerability, the instructor will include examples of how to find the error, how to fix the error and how to leverage ASP.NET’s built-in security protections can help (where applicable).

Errors covered:

  1. Trusting Client-Side Validation
  2. Cross site scripting
  3. SQL injection
  4. Command injection
  5. Performance issues/Denial of service
  6. Forceful browsing
  7. Session hijacking
  8. Disclosing too much information
  9. Server fingerprinting
  10. Allowing zero and one-click attacks

Defensive Coding Principles

This module focuses on 19 secure design and coding principles and provides in-depth examples of how to apply these principles to managed code. It also includes a lab that covers security testing and how to conduct a security code review.