IQSOFT - John Brice Oktatóközpont
IT Leadership Development Program - ITLDP

Advanced JAVA and Web Services Security

Course objective

The training gives an insight into the most severe security threats to IP-based networks and Web technologies, including eavesdropping, impersonation, identity theft, virus infections, SPAM, phishing, Cross Site Scripting (XSS), SQL Injection and Denial-of-Service (DoS). The curriculum covers the most important protection techniques, security protocols and standards that the JAVA platform supports to counter these most pressing threats to Internet-based services. The main focus is on the standardized Web Services Security (WSS) solutions, which are presented together with the related security features and services of the Java Enterprise Edition (JEE). Practical exercises demonstrate the typical security vulnerabilities of Web technologies, the common Java implementation bugs, and the methods that can be applied to avoid these problems.
The aim of this course is to prepare experienced Java developers to implement security-critical applications.

Syllabus

1. Fighting security flaws and vulnerabilities

  • Basic Security Concepts
    • Threat, damage and risk
    • Confidentiality, integrity and availability
  • Security vulnerabilities at large
    • Dangers of exploitable security vulnerabilities
    • Process of a typical attack
    • Technical, economic and political initiatives
    • Secure software development methods
  • Security vulnerabilities and countermeasure knowledge sources
    • Categorization of security flaws
    • Organizations - sources of vulnerabilities and countermeasures
    • Standards and guidelines
    • Legal background

2. JAVA security overview

  • Introduction to Java security architecture and the security services of Java
    • Overview of JAVA security features
    • JAVA Security Technologies
    • JAVA Enterprise Edition
  • Overview of WEB Services Security
    • Basic technologies
    • Identity management
    • Web Services security standards

3. JAVA specific vulnerabilities

  • Input validation and representation - missing or faulty handling of incorrect or potentially dangerous inputs.
  • API Abuse - weaknesses originating from improper use of API functions
  • Security Features - improper use of security services
  • Time and State - inconsistency problems in distributed computing
  • Errors - vulnerabilities originating from programming bugs
  • Code Quality - problems caused by poor programming style
  • Encapsulation - using untrusted pieces of information in trusted environment
  • Environment - security issues that are caused by factors outside of the source code

4. Cryptography background for Java services

  • Basics of cryptography
  • Encryption systems
  • Secure communication
  • Security protocols

5. JAVA security solutions and tools, WEB Services - practical exercises

  • Java security solutions
    • Introduction to JAVA security solutions
    • Controlling applets' permissions
    • Defining security policies - the Policy Tool
    • JAVA Security Manager - controlling applications
    • Code Signing - principles and practice
    • Permission classes - file, socket, property, runtime, AWT, net, security, serializable, reflection and all permissions
    • Implementing one's own permission
    • Secure file exchange
  • JAVA Cryptography Architecture exercises
    • Generating and verifying signatures
    • Cryptographic Service Providers (CSP) - engine classes and algorithms
    • JSSE - Java Secure Socket Extension
    • JAAS - Java Authentication and Authorization Service
    • JGSS - Java Generic Security Services API
    • Java Certification Path API
  • Practical problems and solutions of WEB technologies
    • SQL and command injection attack examples
    • XSS - Cross site scripting, the attack and the applicable solutions
    • Dangers of C/C++ vulnerabilities through JNI interfaces

5. Secure JAVA programming advice

  • Secure programming mechanisms
    • I/O filtering and validation using Java tools and classes
    • Secure error recovery mechanisms (fail-safe)
    • Avoiding loss of control in a running program due to data-driven attacker interventions (steering into deadlock, crash conditions etc.)
    • Strategies against reverse engineering of Java applications (e.g. obfuscation mechanisms)
    • Handling of secrets ('secure' storage, cookies, session tokens, passwords)
    • (Structured) exception handling
    • Secure multi-threading (e.g. synchronization)
  • Practical secure JAVA programming advice
    • Avoid public fields
    • Avoid public methods
    • Accessibility modifiers in case of applications
    • Avoid using static field variables
    • Mutable objects
    • Final modifier
    • Package scope
    • Inner classes
    • Minimize privileges
    • Archive files
    • Object cloning
    • Serialization
    • Deserialization
    • Class comparison
    • Encoded secrets

6. Web and Web application security

  • Internet threats and security principles
    • Threats
    • General internet threats
    • OWASP Security principles

7. Web Services Security

  • Web Services Security
    • Basic technologies
    • Identity Management
    • Elements of the security of Web Services
    • Web Services security (WS-Security) standards

Prerequisites

Solid experience in Java programming and basic knowledge of Web Technologies

Related courses