Description

Module 1: IT security and secure coding

Lessons:

• Nature of security
• What is risk?
• IT security vs. secure coding
• From vulnerabilities to botnets and cybercrime
• Nature of security flaws
• From an infected computer to targeted attacks
• The Seven Pernicious Kingdoms
• OWASP Top Ten 2017

Module 2: Web application security

Lessons:

• Injection
• Injection principles
• SQL injection
• Exercise – SQL injection
• Typical SQL Injection attack methods
• Blind and time-based SQL injection
• SQL injection protection methods
• Effect of data storage frameworks on SQL injection
• Other injection flaws
• Command injection
• Case study – ImageMagick
• Broken authentication
• Session handling threats
• Session handling best practices
• Session handling in Java
• Setting cookie attributes – best practices
• Cross site request forgery (CSRF)
• CSRF prevention
• CSRF prevention in Java frameworks
• XML external entity (XXE)
• XML Entity introduction
• XML external entity attack (XXE) – resource inclusion
• XML external entity attack – URL invocation
• XML external entity attack – parameter entities
• Exercise – XXE attack
• Preventing entity-related attacks
• Case study – XXE in Google Toolbar
• Broken access control
• Typical access control weaknesses
• Insecure direct object reference (IDOR)
• Exercise – Insecure direct object reference
• Protection against IDOR
• Case study – Facebook Notes
• Cross-Site Scripting (XSS)
• Persistent XSS
• Reflected XSS
• DOM-based XSS
• Exercise – Cross Site Scripting
• XSS prevention
• XSS prevention tools in Java and JSP
• Insecure deserialization
• Serialization and deserialization basics
• Security challenges of deserialization
• Deserialization in Java
• Denial-of-service via Java deserialization
• From deserialization to code execution
• POP payload targeting InvokerTransformer (Java)
• Real-world Java deserialization vulnerabilities
• Issues with deserialization – JSON
• Best practices against deserialization vulnerabilities

Module 3: Client-side security

Lessons:

• Example
• JavaScript security
• Same Origin Policy
• Simple requests
• Preflight requests
• Exercise – Client-side authentication
• Client-side authentication and password management
• Protecting JavaScript code
• Exercise – IFrame, Where is My Car?
• Protection against Clickjacking
• Anti frame-busting – dismissing protection scripts
• Protection against busting frame busting
• AJAX security
• XSS in AJAX
• Script injection attack in AJAX
• Exercise – XSS in AJAX
• XSS protection in AJAX
• Exercise CSRF in AJAX – JavaScript hijacking
• CSRF protection in AJAX
• HTML5 security
• New XSS possibilities in HTML5
• HTML5 clickjacking attack – text field injection
• HTML5 clickjacking – content extraction
• Form tampering
• Exercise – Form tampering
• Cross-origin requests
• HTML proxy with cross-origin request
• Exercise – Client side include

Module 4: Practical cryptography

Lessons:

• Rule #1 of implementing cryptography
• Cryptosystems
• Elements of a cryptosystem
• Java Cryptography Architecture / Extension (JCA/JCE)
• Using Cryptographic Service Providers
• Symmetric-key cryptography
• Providing confidentiality with symmetric cryptography
• Symmetric encryption algorithms
• Modes of operation
• Private (symmetric) key cryptography in Java
• Other cryptographic algorithms
• Hash or message digest
• Hash algorithms
• SHAttered
• Hashing in Java: MessageDigest class
• MAC and password-based encryption in Java: Mac class
• Message Authentication Code (MAC)
• Providing integrity and authenticity with a symmetric key
• Random number generation
• Random numbers and cryptography
• Cryptographically-strong PRNGs
• Weak and strong PRNGs in Java
• Hardware-based TRNGs
• Exercise RandomTest
• Using random numbers in Java – spot the bug!
• Asymmetric (public-key) cryptography
• Providing confidentiality with public-key encryption
• Rule of thumb – possession of private key
• The RSA algorithm
• Introduction to RSA algorithm
• Encrypting with RSA
• Combining symmetric and asymmetric algorithms
• Digital signing with RSA
• Exercise Sign
• Public Key Infrastructure (PKI)
• Man-in-the-Middle (MitM) attack
• Digital certificates against MitM attack
• Certificate Authorities in Public Key Infrastructure
• X.509 digital certificate
• The Java Keystore (JKS)
• Java Certification Path (CertPath)

Module 5: Secure communication in Java

Lessons:

• SSL and TLS
• Usage options
• Security services of TLS
• SSL/TLS handshake

Module 6: Java security services

Lessons:

• Java security services – architecture

Module 7: Common coding errors and vulnerabilities

Lessons:

• Input validation
• Input validation concepts
• Integer problems
• Representation of negative integers
• Integer overflow
• Exercise IntOverflow
• What is the value of Math.abs(Integer.MIN_VALUE)?
• Integer problem – best practices
• Path traversal vulnerability
• Path traversal – weak protections
• Path traversal – best practices
• Unvalidated redirects and forwards
• Log forging
• Some other typical problems with log files
• Improper use of security features
• Typical problems related to the use of security features
• Password management
• Exercise – Weakness of hashed passwords
• Password management and storage
• Special purpose hash algorithms for password storage
• Argon2 and PBKDF2 implementations in Java
• bcrypt and scrypt implementations in Java
• Case study – the Ashley Madison data breach
• Typical mistakes in password management
• Exercise – Hard coded passwords
• Accessibility modifiers
• Accessing private fields with reflection in Java
• Exercise Reflection – Accessing private fields with reflection
• Exercise ScademyPay – Integrity protection weakness
• Improper error and exception handling
• Typical problems with error and exception handling
• Empty catch block
• Overly broad throws
• Overly broad catch
• Using multi-catch
• Returning from finally block – spot the bug!
• Catching NullPointerException
• Exception handling – spot the bug!
• Exercise ScademyPay – Error handling
• Code quality problems
• Dangers arising from poor code quality
• Poor code quality – spot the bug!
• Unreleased resources
• Private arrays – spot the bug!
• Private arrays – typed field returned from a public method
• Exercise Object Hijack
• Public method without final – object hijacking
• Serialization – spot the bug!
• Exercise Serializable Sensitive
• Immutable String – spot the bug!
• Exercise Immutable Strings
• Immutability and security

Module 8: Principles of security and secure coding

Lessons:

• Matt Bishop’s principles of robust programming
• The security principles of Saltzer and Schroeder

Module 9: Knowledge sources

Lessons:

• Secure coding sources – a starter kit
• Vulnerability databases
• Java secure coding sources
• Recommended books – Java

Audience Profile

Web developers using Java

Prerequisites

General Java development skills are required.