Upcoming Events (June 2010)
- vLive! - DEV530 - Frank Kim
- DEV530 - 201005, US - June 22 - July 1, 2010
Developer 530 ::
Essential Secure Coding in Java/JEE
Overview
Please note that this two-day course is a subset of the material covered in the four-day DEV541. This two-day version is intended to cover the essential Java/JEE topics that are relevant to a large number of web application developers and therefore does not cover all the material that may be present on the GSSP-Java certification exam. DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is recommended for students who wish to pursue the GSSP-Java certification.
The Difference between Good and Great Programmers
Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.
Such buyer and management demands create an immediate response from programmers: "Where can I learn what is meant by secure coding?" This SANS course allows you to bone up on the skills and knowledge that are needed to create secure applications.
What Does the Course Cover?
This course covers the essential Java/JEE topics that are relevant to a large number of web application developers. It's not a high level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of your Java applications.
Rather than teaching students to use a set of tools, we're teaching students the concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw. The course is full of hands-on exercises where you can apply practical techniques that you can use to prevent common attacks.
Prerequisites:
Students should have at least one year's experience working with the JEE framework and should have thorough knowledge of the Java language and web technology.
Laptop
Laptop Requirements
- Laptop with administrative level access
- 5 GB available hard drive space
- 1 GB RAM or higher
- DVD drive (minimum 12x recommended)
- x86 compatible 2 GHz CPU minimum or higher
VMWare
You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system prior to coming to class:
- VMware Player 2.0 or later
- VMware Workstation 6.0 or later
- VMware Fusion for Mac OS X
VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.
Java Documentation
It is recommended that students download the Java SE 6 and Java EE 5 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution). The documentation can be found at java.sun.com.
You will receive a DVD containing a Linux VMware image that contains all the course exercises.
Day Information
Day 1
Essential Secure Coding in Java/JEE
Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.
Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot some of these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.
We then move on to discuss authentication and session management issues that can compromise the integrity of your system. Weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.
Day 2
Essential Secure Coding in Java/JEE
On day two we discuss Web-based access control issues, application faults, exception handling, and logging. Then, with hands-on exercises, you will write code to encrypt both data in transit and data at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA). Then we'll cover integer and double overflows and numerous Java language features that you should consider while writing secure code. You will also learn about race conditions and how they can be prevented using synchronization features in Java.