Developer 541 ::
Secure Coding in Java/JEE: Developing Defensible Applications
Overview
The Difference between Good and Great Programmers
Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.
The Only Course Covering the Key Elements of Secure Application Development in Java
Such buyer and management demands create an immediate response from programmers: "Where can I learn what is meant by secure coding?" This unique SANS course allows you to bone up on the skills and knowledge measured in those third-party assessments, as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)
What Does the Course Cover?
This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.
Rather than teaching students to use a set of tools, we're teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.
Here's a sampling of topics:
Input handling, to ensure input from every interface is properly processed and validated
- Ensuring input from multiple sources can be trusted: HTTP Requests, configuration files, backend datastores, command line arguments, environment variables.
- Validate common data types such as string data as well as uncommon input structures, using Regular Expressions, doValidate() and other tools of Java and J2EE
- White-list and black-list approaches; tradeoffs.
Understanding authentication and session management and mastering authentication principles
- Authentication for end-users, 3rd party services, backend systems, etc.
- How to use encryption and certificates to protect a variety of authentication processes, including an understanding of strength of function, credential expiration, credential recovery/reset, and re-authentication.
- Protection of session tokens
- Gaining familiarity with the more common authentication techniques and APIs available within Java and J2EE.
- What services and protections are and are not provided.
Active enforcement of access control to guarantee the confidentiality of user data
- Restricting access to resources and functions, declarative access control, control checks in custom code, and how the Java Authentication and Authorization Service can be used in implementing access control.
Security implications of built-in data types and Java-specific memory management
- Complete mastery of the String class' immutability and how to compare String objects.
- Limitations of Java's numerical data types and the resulting security implications
- Security implications of Java Garbage Collector, and how it works
- ArrayList and the Vector: differences and security considerations
- Accessibility modifiers, the final modifier, class comparisons, serialization, clone-ability, and inner classes
- Managing the privileges of code and different protection domains, including Security Manager and its policy file.
Properly handling application faults.
- Java's try/catch/finally construct, Java's logging facilities, and configuring default error pages for 404 and other errors so that stack traces and internal details never reach the user.
Structuring multi-threaded programs securely
- Avoiding race conditions
- Implementing the Singleton pattern and protecting other resources accessed by multiple threads.
Making connections with other applications securely
- Security risks introduced by using dynamic queries
- How to defend against SQL injection with safe use of the PreparedStatement to interact with databases based on user-supplied input
- How to use output encoding to display data to user interfaces as a defense against cross-site scripting.
- Implementing fail-safe connection patterns.
Using JAR Sealing and J2EE Filters effectively
- How JAR sealing is used
- Where they can be used to implement each secure coding technique
- What to avoid in using them
Who Should Attend
- Developers who want to build more secure applications
- Java EE programmers
- Software engineers
- Software architects
- Application security auditors
- Technical project managers
- Senior software QA specialists
- Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options
Laptop
Laptop Requirements
- Laptop with administrative level access
- 5 GB available hard drive space
- 1 GB RAM or higher
- DVD drive (minimum 12x recommended)
- x86-compatible CPU, 2 GHz or faster
You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system prior to coming to class:
- VMware Player 2.0 or later
- VMware Workstation 6.0 or later
- VMware Fusion for Mac OS X
VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.
Java Documentation
It is recommended that students download the Java SE 6 and Java EE 5 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution). The documentation can be found at java.sun.com.
You will receive a DVD containing a Linux VMware image that contains all the course exercises.
Day Information
Day 1
Data Validation
Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications, to the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to it.
Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.
The course is full of hands on exercises where you can apply practical data validation techniques that you can use to prevent common attacks.
- Topics Covered
- Web Application Attacks
- Cross Site Scripting
- Cross Site Request Forgery (CSRF)
- SQL Injection
- HTTP Response Splitting
- Parameter Manipulation
- Web Application Proxy
- Using Paros
- Validation Concerns
- Character Encoding
- Input Validation
- Output Encoding
- Blacklisting & Whitelisting
- Validation Techniques
- Regular Expressions
- Servlet Filters
- HTML Encoding
- Struts Validation
- CAPTCHA
- Prepared Statements
- Stored Procedures
- Aspect Oriented Programming (AOP)
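The Day 1 material above, and the "Making connections with other applications securely" topics in the overview, come down to three habits: reject input that does not match a whitelist, encode output for the context it lands in, and never build SQL by string concatenation. The following is an added example written for this page, not course exercise code. It assumes Java 8 or later; the safe lookup assumes a caller-supplied JDBC Connection to a hypothetical table users(username, email), and the attack strings are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example (not course material): whitelist validation, HTML output
// encoding, and a dynamic query next to its PreparedStatement replacement.
public class Day1Validation {

    // Whitelist: a username is 3-32 characters from a fixed alphabet.
    // Anything else is rejected outright rather than "cleaned up".
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    // Output encoding for HTML text and quoted-attribute contexts: every
    // character with meaning to the HTML parser becomes a character reference.
    // A URL or JavaScript context needs a different encoder; do not reuse this one.
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // VULNERABLE: dynamic query. The input is pasted into the SQL text, so a
    // value such as   ' OR '1'='1   rewrites the WHERE clause.
    public static String vulnerableLookupSql(String username) {
        return "SELECT email FROM users WHERE username = '" + username + "'";
    }

    // SAFE: the SQL text is fixed and the value is bound as a parameter, so the
    // driver never parses it as SQL. Assumes a caller-supplied JDBC Connection
    // to a hypothetical table users(username, email).
    public static String safeLookupEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attack inputs for the demonstration.
        String attack = "' OR '1'='1";
        System.out.println("whitelist accepts injection payload: " + isValidUsername(attack));
        System.out.println("dynamic query: " + vulnerableLookupSql(attack));
        String xss = "<script>alert(document.cookie)</script>";
        System.out.println("encoded for HTML: " + htmlEncode(xss));
    }
}
```

Validation and encoding are not interchangeable: the whitelist stops the injection payload at the boundary, but a legitimately stored value like O'Brien still has to go through the prepared statement on the way in and through htmlEncode on the way out.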
Day 2
Authentication & Session Management
Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.
You will learn how to use JEE Container Based Authentication and set up both Basic and Form Based Authentication. You will also learn about Acegi, the popular security framework for Spring. This course is full of hands-on exercises and culminates in a lab where you put everything you learned together into an application that is protected by proper authentication controls.
- Topics Covered
- Authentication Attacks
- Brute Force Attacks
- Weak Password Storage
- Password Reset
- Secret Questions
- Weak Session Management
- Protecting Sessions
- Using SSL
- Session Hijacking
- Session Fixation
- Authentication
- JEE Container Based Authentication
- Basic Authentication
- Form Based Authentication
- Client Certificates
- Account Lockout
- Password Policy
- Acegi Security System for Spring
- Using Acegi
- Encryption
- Jasypt
Day 3
Access Control & Java Security APIs
Improper access control can lead to unauthorized users gaining access to sensitive information or functionality. In this module you will learn about authorization, access control lists, and the Java Authentication & Authorization Service (JAAS). From there you will learn about a number of other security topics including how to do proper error handling using Java Exceptions and try/catch/finally blocks as well as the importance of logging. With hands on exercises you will also write code to encrypt both data in transit and data at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA). You will also learn about race conditions and how they can be prevented using synchronization features in Java.
- Topics Covered
- Access Control/Authorization
- ACLs
- JAAS
- Error Handling
- Exceptions
- Using try/catch/finally
- Logging
- java.util.logging
- Race Conditions
- Using synchronization
- Encryption
- Encryption of data in transit with JSSE
- Encryption of data at rest with JCA
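The race-condition item in this day's list, and "Structuring multi-threaded programs securely" in the overview, are both about the check-then-act window: a balance or quota check and the update that follows it are two operations, and a second thread can slip between them. The following added example was written for this page, not taken from the course. It assumes Java 8 or later (lambdas) and uses constructed thread counts and balances; the unsynchronized result varies from run to run, which is the point.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BooleanSupplier;

// Added example (not course material): a check-then-act race, its
// synchronized fix, and a thread-safe lazily initialised singleton.
public class RaceDemo {

    // BROKEN: the check and the update are not atomic. Two threads can both
    // see balance >= amount and both subtract, driving the balance negative.
    static class UnsafeAccount {
        private int balance;
        UnsafeAccount(int initial) { balance = initial; }
        boolean withdraw(int amount) {
            if (balance >= amount) {       // check
                Thread.yield();            // widens the window so the demo shows it
                balance -= amount;         // act
                return true;
            }
            return false;
        }
        int balance() { return balance; }
    }

    // FIXED: check and act happen under one monitor, and the read is
    // synchronized too so it sees the latest write.
    static class SafeAccount {
        private int balance;
        SafeAccount(int initial) { balance = initial; }
        synchronized boolean withdraw(int amount) {
            if (balance >= amount) {
                balance -= amount;
                return true;
            }
            return false;
        }
        synchronized int balance() { return balance; }
    }

    // Singleton via the initialization-on-demand holder: the JVM serialises
    // class initialisation, so no explicit locking or double-checked volatile
    // field is needed and construction is still lazy.
    static final class AuditLog {
        private static final class Holder { static final AuditLog INSTANCE = new AuditLog(); }
        private AuditLog() {}
        static AuditLog get() { return Holder.INSTANCE; }
    }

    // Releases `threads` threads simultaneously, each attempting one withdrawal,
    // and returns how many succeeded. For a single-withdrawal balance the correct
    // answer is exactly 1.
    static int concurrentWithdrawals(int threads, BooleanSupplier withdraw) throws InterruptedException {
        CountDownLatch gate = new CountDownLatch(1);
        AtomicInteger succeeded = new AtomicInteger();
        Thread[] ts = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            ts[i] = new Thread(() -> {
                try { gate.await(); } catch (InterruptedException e) { return; }
                if (withdraw.getAsBoolean()) succeeded.incrementAndGet();
            });
            ts[i].start();
        }
        gate.countDown();
        for (Thread t : ts) t.join();
        return succeeded.get();
    }

    public static void main(String[] args) throws InterruptedException {
        final int threads = 200, balance = 100, amount = 100;   // constructed for the demo

        final UnsafeAccount unsafe = new UnsafeAccount(balance);
        int n1 = concurrentWithdrawals(threads, () -> unsafe.withdraw(amount));
        System.out.println("unsafe: " + n1 + " withdrawals succeeded, balance now " + unsafe.balance());

        final SafeAccount safe = new SafeAccount(balance);
        int n2 = concurrentWithdrawals(threads, () -> safe.withdraw(amount));
        System.out.println("safe:   " + n2 + " withdrawal succeeded, balance now " + safe.balance());

        System.out.println("singleton is one instance: " + (AuditLog.get() == AuditLog.get()));
    }
}
```

The same pattern applies to file operations (exists-then-create), quota checks and session-token rotation: identify the check and the act, and make sure nothing else can observe the state in between.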
Day 4
Java Language & JRE Security Topics
Java is the language of choice for the development of many mission critical applications. As such, it is vital to understand the security features and implications of using the Java language itself and the Java Runtime Environment (JRE). Through the numerous hands on exercises you will learn about the SecurityManager and how code privileges are managed and how to seal and sign jar files. Through hands on examples you will also learn about String immutability, integer and double overflows, and about numerous Java language features that you should consider while writing secure code.
- Topics Covered
- java.lang.String Immutability
- Integer and Double Overflows
- ArrayList/Vector security considerations
- Access modifiers
- Inner classes
- Garbage Collector
- SecurityManager and code privileges
- Jar Sealing
- Jar Signing
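The String and overflow items above, and the matching "built-in data types" topics in the overview, are language pitfalls that produce no exception and no compiler warning. The following added example was written for this page and is not course exercise code. It assumes Java 8 or later (Math.multiplyExact, Double.isFinite); the sample values are constructed to trigger each pitfall.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example (not course material): String comparison and immutability,
// and silent integer / floating-point overflow.
public class LanguagePitfalls {

    // == compares references. Two literals are interned to the same object,
    // so this "works" in tests and fails as soon as the value comes from a
    // request, a file or a database.
    public static boolean sameByReference(String a, String b) { return a == b; }

    public static boolean sameByValue(String a, String b) { return a.equals(b); }

    // For secrets (API keys, tokens): equals() returns at the first mismatch,
    // leaking how many leading bytes were right. MessageDigest.isEqual is
    // constant-time.
    public static boolean secretEquals(String expected, String provided) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     provided.getBytes(StandardCharsets.UTF_8));
    }

    // Immutability: every "modifying" method returns a new String and leaves
    // the original, and any copies made along the way, in the heap until the
    // garbage collector gets to them. Secrets belong in char[] so they can be wiped.
    public static String tryToMutate(String s) {
        s.concat("-changed");       // result discarded; s is unchanged
        return s;
    }

    public static char[] wipe(char[] secret) {
        Arrays.fill(secret, '\0');
        return secret;
    }

    // Silent wrap: int arithmetic overflows to a negative number with no error,
    // so a total that "must be positive" passes the check with a bogus value.
    public static int totalWrapping(int unitPrice, int quantity) {
        return unitPrice * quantity;
    }

    // Java 8+: throws ArithmeticException instead of wrapping.
    public static int totalChecked(int unitPrice, int quantity) {
        return Math.multiplyExact(unitPrice, quantity);
    }

    // Alternative for older code: widen to long, then range-check before narrowing.
    public static boolean fitsInInt(long v) {
        return v >= Integer.MIN_VALUE && v <= Integer.MAX_VALUE;
    }

    // double does not wrap; it overflows to Infinity, and Infinity - Infinity is
    // NaN, which compares false against everything, including itself. Any
    // numeric check on untrusted doubles has to start with isFinite.
    public static boolean isUsableAmount(double d) {
        return Double.isFinite(d) && d >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        String literal = "admin";
        String fromInput = new String("admin");      // simulates a value read at runtime
        System.out.println("== on runtime value: " + sameByReference(literal, fromInput));
        System.out.println("equals():            " + sameByValue(literal, fromInput));
        System.out.println("constant-time:       " + secretEquals("s3cr3t-token", "s3cr3t-token"));
        System.out.println("after 'mutation':    " + tryToMutate("original"));

        int wrapped = totalWrapping(1_000_000, 3_000);   // 3e9 does not fit in 32 bits
        System.out.println("int total: " + wrapped + " (positive? " + (wrapped > 0) + ")");
        System.out.println("widened check fits:  " + fitsInInt(1_000_000L * 3_000));
        try {
            totalChecked(1_000_000, 3_000);
        } catch (ArithmeticException e) {
            System.out.println("multiplyExact: " + e.getMessage());
        }

        double huge = Double.MAX_VALUE * 2;              // Infinity
        double nan = huge - huge;                        // NaN
        System.out.println("NaN == NaN: " + (nan == nan) + ", usable: " + isUsableAmount(nan));
    }
}
```

The same wrap applies to Integer.MAX_VALUE + 1, which becomes Integer.MIN_VALUE, and to array-index or buffer-length arithmetic on attacker-controlled sizes; the checked arithmetic or the long-then-range-check idiom belongs wherever a size or amount is computed from input.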