IQSOFT - John Brice Oktatóközpont
IT Leadership Development Program - ITLDP

Combined C/C++, JAVA and Web Services Security

Tanfolyam célja

The training gives an overview of the typical security relevant problems of today's Internet based systems from the C/C++ common security vulnerabilities, like Buffer Overflows (BoF), printf format string bug (PFS), unicode bug, integer problems and covert channel attacks, through the IP networks specific attack methods, like eavesdropping, impersonation, identity theft, SPAM, phishing, Cross Site Scripting (XSS), SQL Injection, Denial-of-Service (DoS), to the Java and Web Services related security weaknesses caused by improper implementation. Participants will learn how to find and correct these problems through several C/C++ and Java source code examples. Practical exercises will also provide a step-by-step introduction of the attacking techniques that exploit these common security vulnerabilities and the specific protection measures that can be applied at the architecture level to prevent the occurrences of these dangerous bugs, detect them before market launch or prevent their exploitation. The curricula will also cover the most important protection techniques, security protocols, Web Services Security standards and related Java services that can be applied to prevent the most aching threats of the Internet based services.
Aim of this curse is to prepare experienced developers to implement secure Internet based applications.

Tematika

1. Fighting security flaws and vulnerabilities

  • Basic Security Concepts
    • Threat, damage and risk
    • Confidentiality, integrity and availability
  • Security vulnerabilities at large
    • Dangers of exploitable security vulnerabilities
    • Process of a typical attack
    • Technical, economical and political initiatives
    • Secure software development methods
  • Security vulnerabilities and countermeasure knowledge sources
    • Categorization of security flaws
    • Organizations - sources of vulnerabilities and countermeasures
    • Standards and guidelines
    • Legal background

2. Security relevant C/C++ programming bugs and flaws

  • Common Security Vulnerabilities
    • Stack overflow (introduction to stack operations, buffer overflow, exploitation techniques)
    • Heap overflow (introduction to dynamic memory management, effects of memory corruption, exploitation techniques)
    • Integer vulnerabilities (widthness integer overflow, arithmetical overflow, signedness bug, impacts)
    • String vulnerabilities (processing printf format string parameters, cause of the flaw, exploitation techniques)
    • Array indexing error / Unicode bug
    • Side channel attacks
    • TOCTTOU - Time-of-checking-to-time-of-usage / Serialization errors / Racing conditions
    • File I/O risks, Directory Traversal Vulnerability (DTV)
    • Unsecure threads, risks using signaling mechanisms
    • Shared libraries / DLLs
    • C++ specific flaws and vulnerabilities
  • Other related vulnerabilities
    • Injection attacks (SQL-, Command-, DLL-, code-injection, XSS cross site scripting)
    • XML vulnerabilities
  • Security protocol vulnerabilities

3. Protection against security flaws

  • Countermeasures and strategies
    • Security design and protection principles
    • Specific protections against most frequent errors
    • Specific protection measures at different layers
    • Specific protection methods
    • Stack overflow
    • Heap overflow
    • Integer vulnerabilities
    • Covert channels
  • Software development principles
    • Saltzer's secure coding principles
    • Bishop's robust programming principles
    • Other handy principles

4. JAVA security overview

  • Introduction to Java security architecture and the security services of Java
    • Overview of JAVA security features
    • JAVA Security Technologies
    • JAVA Enterprise Edition
  • Overview of WEB Services Security
    • Basic technologies
    • Identity management
    • Web Services security standards
  • XML Common Biometric Format (XCBF)

5. JAVA specific vulnerabilities

  • Java specific vulnerabilities
    • Input validation and representation - missing or faulty handling of incorrect or potentially dangerous inputs.
    • API Abuse - weaknesses originating from improper use of API functions
    • Security Features - improper use of security services
    • Time and State - inconsistency problems in distributed computing
    • Errors - vulnerabilities originating from programming bugs
    • Code Quality - problems caused by poor programming style
    • Encapsulation - using untrusted pieces of information in trusted environment
    • Environment - security issues that are caused by factors outside of the source code

6. JAVA security solutions and tools, WEB Services - practical exercises

  • Java security solutions
    • Introduction to JAVA security solutions
    • Controlling applets' permissions
    • Defining security policies - the Policy Tool
    • JAVA Security Manager - controlling applications
    • Code Signing - principles and practice
    • Permission classes - file, socket, property, runtime, AWT, net, security, serializable, reflection and all permissions
    • Implementing one's own permission
    • Secure file exchange
  • JAVA Cryptography Architecture exercises
    • Generating and verifying signatures
    • Cryptographic Service Providers (CSP) - engine classes and algorithms
    • JSSE - Java Secure Sockets Extensions
    • JAAS - Java Authentication and Authorization Services
    • JGSS - Java Generic Security Services API
    • Java Certification Path API
  • Practical problems and solutions of WEB technologies
    • SQL and command injection attack examples
    • XSS - Cross site scripting, the attack and the applicable solutions
    • Dangers of C/C++ vulnerabilities through JNI interfaces

7. Secure JAVA programming advices

  • Secure programming mechanisms
    • I/O filtering and validation using Java tools and classes
    • Secure error recovery mechanisms (fail safe)
    • Avoiding loss of control in running program due to data driven hacker interventions (steering into dead lock, crash conditions etc.)
    • Strategies against reverse engineering of Java applications(e.g. to better protect obfuscation mechanisms)
    • Handling of secrets (‘secure' storage, cookies, session token, passwords)
    • (Structured) exception handling
  • Secure multi-threading (e.g. synchronization)
  • Practical secure JAVA programming advices
    • Avoid public fields
    • Avoid public methods
    • Accessibility modifiers in case of applications
    • Avoid using static field variables
    • Mutable objects
    • Final modifier
    • Package scope
    • Inner classes
    • Minimize privileges
    • Archive files
    • Object cloning
    • Serialization
    • Deserialization
    • Class comparison
    • Encoded secrets

8. Web and Web application securityInternet threats and security principles

  • Threats
  • General internet threats
  • OWASP Security principles
  • Fix security issues correctly

9. Web Services Security

  • Web Services Security
    • Basic technologies
    • Identity Management
    • Elements of the security of Web Services
    • Web Services security (WS-Security) standards
  • WS-Trust
Előfeltételek

Solid experience in C/C++ and/or Java programming, and basic knowledge of Web Technologies

Kapcsolódó tanfolyamok