Course Overview

Developing Secure Java Web Applications is a hands-on, lab-intensive Java security, code-level training course that teaches students the best practices for designing, implementing, and deploying secure programs in Java. Students will take an application from requirements through to implementation, analyzing and testing for software vulnerabilities. This course goes well beyond basic programming skills, teaching developers sound processes and practices to apply to the entire software development lifecycle. Just as significantly, students learn about current, real-world examples that illustrate the potential consequences of not following these best practices. The course is short on theory and long on application, providing students with in-depth, code-level labs.

The final portion of this course builds on the previously learned mechanics for building defenses by exploring how Analysis and Design can be used to build stronger applications from the beginning of the software lifecycle.

Key Learning Areas

  • Understand the concepts and terminology behind defensive coding.
  • Understand and use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets.
  • Learn the entire spectrum of threats and attacks that take place against software applications in today’s world.
  • Use Threat Modeling to identify potential vulnerabilities in a real-life case study.
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java applications.
  • Understand the vulnerabilities of the Java programming language and the JVM as well as how to harden both.
  • Understand and work with Java 2 platform security to gain an appreciation for what is protected and how.
  • Understand the role that Java Authentication and Authorization Service (JAAS) has in Java applications.
  • Use JAAS in conjunction with a Java application for both authentication and authorization.
  • Understand the basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture.
  • Understand the fundamentals of XML Digital Signature and XML Encryption.
  • Understand and implement the processes and measures associated with the Secure Software Development (SSD).
  • Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives.
  • Understand the basics of security testing and planning.
  • Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses.

Course Outline

Introduction

  • Misconceptions

Foundation

  • Security Concepts
  • Principles of Information Security

Vulnerabilities

  • Understanding What’s Important

Java Security

  • Java Security Fundamentals
  • Cryptography Overview
  • Code Location-based Security
  • User-based J2SE Security
  • Code Level Security Best Practices

Defending XML and Services

  • Defending XML
  • Defending Web Services

Secure Development Lifecycle (SDL)

  • SDL Process Overview
  • Applying Processes and Practices
  • Risk Analysis

Security Testing

  • Testing Tools and Processes
  • Testing Practices

Who Benefits

Students who attend this course will leave armed with the required skills to recognize software vulnerabilities (actual and potential) and implement defenses for those vulnerabilities. The course quickly introduces developers to the various types of threats against their software.

The course begins with the concept and process of Threat Modeling, introduced as a key enabler for implementing effective and appropriate security for software and information assets, and then includes coverage of the many security-related technologies that exist in the Java world.

The initial portion of the course lays down the foundation of basic terminology and concepts that is then built upon in subsequent lessons. The second portion of the course steps through a series of vulnerabilities, illustrating in very real terms the right way to implement secure web applications. The final portion of the course examines several design patterns that can be used to facilitate better application architecture, design, implementation, and deployment.

PCI Compliant Developer Training

This training course addresses common coding vulnerabilities in software development processes, and is used by one of the principal participants in the PCI DSS. Having passed multiple PCI audits, this course has been shown to meet PCI requirements. The specification of those training requirements is detailed in 6.5.1 through 6.5.10 on pages 55 through 59 of the PCI DSS Requirements 3.0 document dated November 2013. This is not "checklist mentality" training, as it integrates demonstrations, code flashes, and hands-on labs for vulnerabilities, defenses, and best practices in the secure development lifecycle (SDL).

Prerequisites

This is an intermediate-level Java programming course designed for application project stakeholders who wish to get up and running on developing well-defended Java applications. Familiarity with the Java programming language is required, and real-world programming experience is highly recommended.

TT8320-J