Audit 528 :: Java Security Source Code Review
Overview
Audit 528 is a practical walk through the Java security code review process. In this newly updated course you will learn the concepts behind Java security, how to audit a Java system, and how to perform a large source code review automatically using tools supplied on the course disk. A live Java exploit demonstration will show a current vulnerability, followed by the steps needed to fix it.
Most developers are taught that Java is secure without any extra effort on their behalf. This is simply not the case — a search for Java on Bugtraq will show that many recent vulnerabilities are specific to Java, including the following which will be discussed in class:
- TTF vulnerability
- Same origin bypass vulnerability
- Secure Static Versioning applet execution weakness
In addition, Java applications suffer from the mainstream vulnerabilities that affect most software:
- SQL injections and piggyback attacks
- XSS, CSRF, and session fixation
- Directory traversals, which are common in Java applications and often have devastating results
- Weak encryption and session ID generation
- Buffer overflows in the Java Web Start JNLP system
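As an added illustration of the kind of finding a review like this looks for (example code written for this page, not material from the Audit 528 course disk), here is the directory traversal item above in its vulnerable form beside a hardened one. The base directory and the file names are constructed values, and the servlet context is omitted so the class runs on its own.

```java
import java.io.File;
import java.io.IOException;

// Added example (not course material): the directory-traversal pattern a
// reviewer looks for in Java code, beside a hardened version of the same logic.
public class PathReview {

    // Assumed base directory for served documents; a constructed example value.
    private static final File BASE_DIR = new File("/var/app/docs");

    // VULNERABLE: the user-supplied name is joined to the base directory
    // without checking where the resulting path actually points.
    static File resolveUnsafe(String userPath) {
        return new File(BASE_DIR, userPath);
    }

    // HARDENED: canonicalize both paths (resolves "..", symlinks and
    // redundant separators), then require the result to stay inside BASE_DIR.
    static File resolveSafe(String userPath) throws IOException {
        File base = BASE_DIR.getCanonicalFile();
        File target = new File(base, userPath).getCanonicalFile();
        // Compare against the base path plus a trailing separator so that a
        // sibling such as "/var/app/docs-private" is not accepted as "inside"
        // "/var/app/docs". The base directory itself is also rejected, since
        // it is not a file to serve.
        String basePrefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(basePrefix)) {
            throw new SecurityException("path escapes base directory: " + userPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a legitimate name and a traversal attempt.
        String[] inputs = { "report.txt", "../../../etc/passwd" };
        for (String in : inputs) {
            System.out.println("unsafe -> " + resolveUnsafe(in).getCanonicalPath());
            try {
                System.out.println("safe   -> " + resolveSafe(in).getPath());
            } catch (SecurityException e) {
                System.out.println("safe   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a review, the thing to search for is any `new File(base, untrusted)` or string concatenation into a path that is not followed by canonicalization and a containment check; a `startsWith` on the raw, un-canonicalized string is a common incomplete fix, because `..` segments survive it.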
On top of the above vulnerabilities, the data flows within applications are often so complex that the engineering team makes design mistakes during the software development lifecycle (SDLC).
This course will:
- create a foundation of Java coding knowledge;
- explain how security is implemented in the Java Platform;
- outline the most common bugs found in Java applications;
- run through a Java source code review process in a step-by-step practical.
Reference will be made to free code review tools, such as:
- http://findbugs.sourceforge.net/
- http://checkstyle.sourceforge.net/
- http://www.parasoft.com/jsp/products/home.jsp?product=Jtest
- http://jcodereview.sourceforge.net/
Commercial tools available from the following sites will be covered as well:
- http://www.fortify.com/products/sca/
- http://www.ouncelabs.com/
- http://developer.klocwork.com
Additionally, methodologies such as CLASP and resources like the OWASP Top 10 and Java Top 10 at http://www.javasecurity.net will be discussed.
The above knowledge will be coupled with SDLC and project management guidance to form a methodology which can be used for code review in commercial production.
Open source applications have benefited from projects such as Fortify's at http://opensource.fortifysoftware.com/welcome.html as well as source code searching sites like http://www.krugle.com. However, most closed internal applications have not yet had this privilege, and developer overconfidence in the past has meant that the majority of Java code bases in production systems are not secure. These code bases need to be reviewed and the vulnerabilities fixed, which this course will enable you to do.