What you will learn
1. Security Principles
2. An understanding of OWASP and PCI DSS
3. Writing compliant Java code
4. How to test security
6. How to build privacy into your application
6. How to secure installations
7. How to write secure documentation and error messages
8. How security and security concerns can be integrated into your development lifecycle
9. Practical, hands-on skills
Outline
Session 1: Introduction
Introduction to tutor and course.
Session 2: Secure Development Overview
Security of applications; why applications delivered via the web are different; what web application security is and is not; legal compliance.
Session 3: PCI-DSS
What it is, who must comply, and the cost of non-compliance.
Session 4: OWASP
What OWASP (the Open Web Application Security Project) is, and the OWASP Top Ten: A1: Injection, A2: Cross-Site Scripting (XSS), A3: Broken Authentication and Session Management, A4: Insecure Direct Object References, A5: Cross-Site Request Forgery (CSRF), A6: Security Misconfiguration, A7: Insecure Cryptographic Storage, A8: Failure to Restrict URL Access, A9: Insufficient Transport Layer Protection, A10: Unvalidated Redirects and Forwards. Other threats are considered as and when appropriate.
Session 5: Securing Application Servers
The issue of Security Misconfiguration: why the application server must be secured, and how to harden the application server, the OS and the database.
Session 6: Input Validation
Validating input from HttpServletRequest; Cross-Site Scripting (XSS) and defending against it; Insecure Direct Object References; Cross-Site Request Forgery (CSRF); Output Encoding; Buffer Overflows; Malicious File Execution.
Session 7: SQL Injection
How SQL Injection works and how to defend against it.
Session 8: Further Injection Flaws
XML/XPath Injection, LDAP Injection, Command and Resource Injection. Unvalidated Redirects and Forwards.
Session 9: Securing Web Apps
Broken Authentication and Session Management: authentication and authorization, web application security, Spring Security, X.509 certificates, session handling, session fixation, JAAS, Single Sign-On, CAPTCHA.
Session 10: Java EE Security
Java EE Authorization, Spring Authorization.
Session 11: Secure Web Services
JAX-WS based web services; why their security is an issue; using WS-Security to secure them above and beyond basic authentication/authorisation and SSL.
Session 12: Additional Security Issues
Privilege Escalation, Denial of Service, People, Race Conditions, Brute Forcing.
Session 13: Leaking information
Exception handling, Logging, Failure to Restrict URL Access.
Session 14: Cryptography and data protection
Insecure Cryptographic Storage, Insufficient Transport Layer Protection. Password hashing and using a salt. JCA/JCE for cryptography, JSSE for SSL/TLS.
Session 15: Secure Development Lifecycle
The Secure Development Lifecycle (SDLC) as part of the software lifecycle.