Course Outline
The increasing use of the Internet for commercial purposes has led to a need for web applications to operate correctly and securely. There are many people seeking to take advantage of poorly designed and badly configured applications, and today's developers need to know how to write secure applications, and how to guard against attacks. This course will show how security can (and must) be designed into a project from the start, and will then examine a number of the common attacks experienced by web applications.
Course Content
Our hands-on Java EE Security training course has been developed for real-world, commercial scenarios by our expert instructors. See below for the detailed syllabus, or if you have a technical question, please email sales@jbinternational.co.uk
What you will learn
1. Security Principles
2. An understanding of OWASP
3. Writing compliant Java code
4. How to test security
5. How to build privacy into your application
6. How to secure installations
7. How to write secure documentation and error messages
Secure Development Overview
Case Studies
The Need for Secure Systems
Trustworthy Computing
Proactive Security Development
Security Principles
Threat Modelling
Writing Code
Coding best practices
Setting up a build process (TDD, unit tests, mock objects)
Source code analysis: static tools, build process, etc.
OWASP
What is OWASP?
Current OWASP Top Ten
Cross-site scripting (XSS)
Understanding XSS
Validate Requests in Java EE
Validating all parameters before use
Injection flaws
Understanding SQL injection.
Understanding LDAP and XPath injection flaws as well as other injection flaws.
JDBC and SQL Injection
Validating input to verify user data cannot modify meaning of commands and queries
Malicious file execution
Validating input to verify application does not accept filenames or files from users.
Using the File upload control
Flash, Java and ActiveX
Insecure direct object references
Avoiding exposing internal object references to users.
Using Code Access Security in Java EE
Understanding Trust levels
Cross-site request forgery
Understanding Cross-site request forgery (CSRF)
Dealing with authorization credentials and tokens automatically submitted by browsers
Cross-site service security policies for Silverlight and Flash
Information leakage and improper error handling
Avoiding leaking information via error messages or other means.
Java EE exception handling
Exception handling patterns
Broken authentication and session management
Authenticating users and protecting account credentials and session tokens.
Understanding & configuring Java Session state
Insecure cryptographic storage
Preventing cryptographic flaws.
Exploiting Weak Cryptography
Using cryptography in Java EE
Insecure communications
Properly encrypting all authenticated and sensitive communications.
Understanding secure communications in Java EE and XML Web Services
Failure to restrict URL access
Consistently enforcing access control in presentation layer and business logic for all URLs.
Java EE security
Testing Web Applications
Using a security proxy
Fault injection and fuzzing
Stress test
Load test
Effective auditing and logging