Software Security Institute

Audit 428 ::

Java Quality Assurance, Security Testing and Auditing

Overview

This course is designed to fully equip the auditor, risk manager, or security professional tasked with auditing Java/J2EE Web-based applications for security vulnerabilities. This is not a developer course, but some basic familiarity with programming will be a great help.

This course is also an opportunity for a non-programmer to receive a comprehensive introduction to the Java programming language from a secure-coding perspective. Topics include:

  • Security considerations of Java polymorphism
  • Fundamental secure Java coding theory
  • Auditing the Java application deployment environment
  • Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
  • Java Virtual Machine security policy
  • Auditing the application architecture and project documentation
  • Auditing the J2EE network server infrastructure
  • OWASP secure code checklist review
  • Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF, and other Web attacks
  • Auditing Java applications for security vulnerabilities created at design
  • Auditing the application operations (deployment, change control)
  • Auditing application administration operations
  • Automated code review tools for Java auditors and for developers
  • How to conduct a security-based manual code review
  • A complete review of the syntax of the Java language
  • A complete review of security considerations regarding the object-oriented aspects of Java
  • A review of the core Java packages and most-used APIs

We will investigate and demonstrate automated audit tools, including the Fortify Audit Workbench, the FindBugs project, and Lint4j. These tools can be integrated directly into development environments so that programmers can scan code for security vulnerabilities and enforce code quality as they work. We will also review Java audit management tools, such as Enerjy.

The bulk of this course is focused on the manual audit of Java code. Manual code review is the core process of any Java audit. We will review the core aspects of the Java programming language and highlight security concerns from management, developer, and operational perspectives.

We will conclude the course by discussing how a security professional can approach software development teams and encourage changes in the software development life cycle, so that development teams prevent vulnerabilities from the earliest stages of development.

This course is targeted at technical managers and auditors.

Sampling of Topics

  • Security considerations of Java polymorphism during a Java audit
  • Fundamental secure Java coding theory
  • Auditing the Java application deployment environment
  • Java Virtual Machine functionality breakdown with security considerations at each JVM subsystem
  • Java Virtual Machine security policy
  • Auditing the application architecture and project documentation
  • Auditing the J2EE network server infrastructure
  • OWASP secure code checklist review
  • Auditing Java applications for protection from SQL/LDAP injection, XSS, XST, XSRF, and other Web attacks
  • Auditing Java applications for security vulnerabilities created at design
  • Auditing the application operations (deployment, change control)
  • Auditing application administration operations
  • Automated code review tools for Java audits and for developers
  • How to conduct a security-based manual code review
  • A complete review of the syntax of the Java language
  • A complete review of security considerations regarding the object-oriented aspects of Java
  • A review of the core Java packages and most-used APIs

Laptop