Global Knowledge

Foundstone Writing Secure Code: Java (J2EE)

Software insecurity has become one of the biggest security concerns facing organizations today. As hackers turn their attention to the software and applications that make up an organization's IT infrastructure, people are realizing that the best way to protect that infrastructure is to build secure software and write secure code from the outset.

During this course, students will understand the key security features of the Java Platform, Enterprise Edition (Java EE), identify and avoid common web security pitfalls, and learn how to build secure and reliable web applications using Java. Students will be guided through hands-on code examples that highlight security issues and demonstrate prescriptive solutions for the prevention of application vulnerabilities.

What You'll Learn

  • The process and techniques of writing secure code
  • The most common web application vulnerabilities and how to avoid them
  • Effective authentication and authorization techniques
  • Cryptography
  • Secure user management systems
  • Data validation strategies
  • Effective error handling and exception management
  • Software security review techniques

Who Needs to Attend

This course is for professional software developers or software security auditors who have been working with the J2EE framework for at least one year.

Prerequisites

A comprehensive knowledge of the major J2EE specifications, the Java language, and web technology is required.

Follow-On Courses

  • Foundstone Ultimate Hacking
  • Foundstone Ultimate Hacking: Expert

Course Outline

1. Introduction

  • Overview of course content and format
  • Secure Design Principles
  • Introduction to Hacme Books

2. Java Platform Security

  • Java Security
  • Java Runtime and Compile Time Security
  • Java Security Manager
  • Java Authentication and Authorization Service (JAAS)
  • Servlet, JSP, and EJB Security

3. Cryptography

  • Overview of Cryptography
  • Common Mistakes
  • Random Numbers
  • Java Cryptography Extension (JCE)
  • Key Storage and Generation
  • Java Secure Sockets Extension (JSSE)
  • XML Encryption and Digital Signatures

4. Authentication

  • Authentication Protocols
  • Common Mistakes
  • Servlet Container Authentication
  • Single Sign-On
  • Code Signing

5. Authorization

  • Access Control Models
  • Common Mistakes
  • Least Privilege
  • Discretionary Access Control
  • Role-Based Access Control (RBAC)
  • Cross-Site Request Forgery (CSRF)
  • Servlet Container Authorization
  • Session Management
  • EJB Authorization Controls
  • Custom Authorization Implementations

6. Error Handling and Exception Management

  • Java Exception Fundamentals
  • Exception Handling Patterns and Anti-patterns
  • Best Practices for Handling User Errors
  • Servlet, JSP, EJB, and Struts Exception Frameworks

7. Data Validation

  • Common Mistakes
  • Trust Boundaries
  • Data Validation Design
  • Validation Strategies and Tactics
  • Web Application Firewalls
  • Character Encoding and Security
  • Regular Expressions
  • Common Data Validation Attacks
  • Validating Non-textual Data

8. Client-Side Security

  • Common Mistakes
  • Reverse Engineering
  • Code Obfuscation
  • Anti-Tampering Measures

9. User Management

  • Common Mistakes
  • Secure Password Storage
  • Password Reset Schemes
  • Password Lockout Schemes
  • Password Length and Complexity

10. Logging and Auditing

  • Common Mistakes
  • What to Log?
  • Auditing
  • What To Do With Log Files
  • Logging Frameworks in Java

11. Secure Code Review

  • Secure Code Review Methodology
  • Threat Modeling
  • Automated Source Code Analysis
  • Identifying Common Mistakes

12. Advanced Java Security

  • Access Protection
  • Thread Safety
  • Defensive Coding
  • Serialization
  • Java Native Interface

On-Site

Course Code: 9824

Contact us for pricing

Partner-Delivered Course

4 Day Course



Copyright ©2013 Global Knowledge Training LLC. All rights reserved.