IQSOFT - John Brice Oktatóközpont
MS Azure és ITIL nagyvállalati üzemeltetésben

Basic JAVA Security

Tanfolyam célja

The training introduces on one hand the security features of the Java programming language, the Java Security Architecture and the security services of the Java Second Edition (JSE), including the Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA), Java Cryptographic Extension (JCE) and the Java Secure Socket Extension (JSSE). On the other hand the training will systematically analyze the security relevant programming bugs that are frequently committed during Java development projects, the caused weaknesses and the methods how these vulnerabilities can be avoided. Through several practical exercises the participants will learn how to use Java security features, examine source code examples, find and correct typical implementation bugs.
Aim of this curse is to give an introduction about the security solutions of the Java platform and the common security relevant Java implementation bugs.


1. Fighting security flaws and vulnerabilities

  • Basic Security Concepts
    • Threat, damage and risk
    • Confidentiality, integrity and availability
  • Security vulnerabilities at large
    • Dangers of exploitable security vulnerabilities
    • Process of a typical attack
    • Technical, economical and political initiatives
    • Secure software development methods
  • Security vulnerabilities and countermeasure knowledge sources
    • Categorization of security flaws
    • Organizations - sources of vulnerabilities and countermeasures
    • Standards and guidelines
    • Legal background

2. JAVA security overview

  • Introduction to Java security architecture and the security services of Java
    • Overview of JAVA security features
    • JAVA Security Technologies

3. JAVA specific vulnerabilities

  • Java specific vulnerabilities
    • Input validation and representation - missing or faulty handling of incorrect or potentially dangerous inputs.
    • API Abuse - weaknesses originating from improper use of API functions
    • Security Features - improper use of security services
    • Time and State - inconsistency problems in distributed computing
    • Errors - vulnerabilities originating from programming bugs
    • Code Quality - problems caused by poor programming style
    • Encapsulation - using untrusted pieces of information in trusted environment
    • Environment - security issues that are caused by factors outside of the source code

4. Cryptography background for Java services

  • Basics of cryptography
  • Encryption systems
  • Secure communication
  • Security protocols

5. JAVA security solutions and tools - practical exercises

  • Java security solutions
    • Introduction to JAVA security solutions
    • Controlling applets' permissions
    • Defining security policies - the Policy Tool
    • JAVA Security Manager - controlling applications
    • Code Signing - principles and practice
    • Permission classes - file, socket, property, runtime, AWT, net, security, serializable, reflection and all permissions
    • Implementing one's own permission
    • Secure file exchange
  • Practical problems and solutions of WEB technologies
    • SQL and command injection attack examples
    • XSS - Cross site scripting, the attack and the applicable solutions
    • Dangers of C/C++ vulnerabilities through JNI interfaces

6. Secure JAVA programming advices

  • Secure programming mechanisms
    • I/O filtering and validation using Java tools and classes
    • Secure error recovery mechanisms (fail safe)
    • Avoiding loss of control in running program due to data driven hacker interventions (steering into dead lock, crash conditions etc.)
    • Strategies against reverse engineering of Java applications(e.g. to better protect obfuscation mechanisms)
    • Handling of secrets (‘secure' storage, cookies, session token, passwords)
    • (Structured) exception handling
    • Secure multi-threading (e.g. synchronization)
  • Practical secure JAVA programming advices
    • Avoid public fields
    • Avoid public methods
    • Accessibility modifiers in case of applications
    • Avoid using static field variables
    • Mutable objects
    • Final modifier
    • Package scope
    • Inner classes
    • Minimize privileges
    • Archive files
    • Object cloning
    • Serialization
    • Deserialization
    • Class comparison
    • Encoded secrets

Basic knowledge of Java programming

Kapcsolódó tanfolyamok