Secure Java EE Development

Bascom Bridge’s Java EE 7 Security Training: Secure Java EE Development course shows experienced developers of Java EE applications and services how to write new code and upgrade existing code for maximum safety.

JAVA EE 7 SECURITY TRAINING OBJECTIVES

All students will:

• Develop secure Java web applications and services, or secure existing applications and services by refactoring as necessary.
• Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies.
• Guard against common web attacks including XSS, CSRF, and SQL injection.
• Validate user input aggressively for general application health and specifically to foil injection and XSS attacks.
• Configure a server and/or application to use one-way or two-way HTTPS.
• Apply application-level cryptography where necessary.
• Secure log files and establish audit trails for especially sensitive information or actions.
• Use HMAC security as appropriate in RESTful web services.
• Participate in SAML SSO systems and be aware of the security concerns involved in single sign-on.
• Implement the server and client sides of the OAuth-2.0 initial flow in order to provide third-party authorization to resources in a secure manner.

JAVA EE 7 SECURITY TRAINING PREREQUISITES

• Java programming experience is essential – Bascom Bridge’s  Beginning Java Application Development is excellent preparation should students need to get up to speed on Java.
• Servlets programming experience is required – Students should have taken Bascom Bridge’s  Beginning JSP and Servlets or have equivalent experience.
• JSP page-authoring experience is recommended but not required. Again, consider Beginning JSP and Servlets.
• Understanding of RESTful web services as implemented in JAX-RS will be highly beneficial, but is not strictly required. Consider Bascom Bridge’s  RESTful Web Services with JAX-RS course for your team.

JAVA EE 7 SECURITY TRAINING MATERIALS

All attendees receive comprehensive courseware covering all topics in the course outline.

SOFTWARE NEEDED FOR EACH PC:

• Core 2 Duo or faster processor with at least 3 GB RAM
• Any operating system that supports JDK 7 or later
• JDK 7 or later
• Eclipse Luna for Java EE Developers or later version
• Related lab files that Accelebrate would provide
• For classes delivered online, all participants need either dual monitors or a separate device logged into the online session so that they can do their work on one screen and watch the instructor on the other. A separate computer connected to a projector or large screen TV would be another way for students to see the instructor’s screen simultaneously with working on their own.

JAVA EE 7 SECURITY TRAINING OUTLINE

• Introduction
• Secure Web Applications
  • Threats and Attack Vectors
  • Server, Network, and Browser Vulnerabilities
  • Secure Design Principles
  • GET vs. POST
  • Container Authentication and Authorization
  • HTML Forms
  • Privacy Under /WEB-INF
  • HTTP and HTTPS
  • Other Cryptographic Practices
  • SOA and Web Services
  • The OWASP Top 10
• Authentication and Authorization
  • HTTP BASIC and DIGEST Authentication Schemes
  • Declaring Security Constraints
  • User Accounts
  • Safeguarding Credentials in Transit
  • Replay Attacks
  • Authorization Over URL Patterns
  • Roles
  • FORM Authentication
  • Login Form Design
  • EJB Authorization
  • Programmatic Security
  • Programmatic Security in JSF
• Common Web Attacks
  • Single Points of Decision
  • Cross-Site Scripting
  • Validation vs. Output Escaping
  • Forceful Browsing
  • Cross-Site Request Forgery
  • Request Tokens
  • Injection Attacks
  • Protections in JDBC and JPA
  • Session Management
  • Taking Care of Cookies
• Input Validation
  • Validating User Input
  • Validation Practices
  • Regular Expressions
  • JSF Validation
  • Bean Validation (a/k/a JSR-303)
  • Constraint Annotations
  • Cross-Field Validation
  • Built-In Support in Java EE
  • Using a Validator
  • Producing Error Responses
• HTTPS and Certificates
  • Digital Cryptography
  • Encryption
  • SSL and Secure Key Exchange
  • Hashing
  • Signature
  • Keystores
  • keytool
  • Why Keys Aren’t Enough
  • X.509 Certificates
  • Certificate Authorities
  • Obtaining a Signed Certificate
  • Configuring HTTPS
  • Client-Side Certificates and Two-Way SSL
  • PKCS #12 and Trust Stores
  • CLIENT-CERT Authentication
• Application-Level Cryptography
  • The Java Cryptography Architecture
  • Secure Random Number Generation
  • The KeyStore API
  • Digital Signature
  • Hashing
  • Password Hashing
  • Why Hashing Isn’t Enough
  • Salts
  • Slow Algorithms
  • Key Lengthening and Key Strengthening
  • The Java Cryptography Extensions
  • The SecretKey and KeyGenerator Types
  • Symmetric Encryption
  • Choosing Algorithms and Key Sizes
  • Dangerous Practices
• Secure Development Practices
  • Secure Development Cycle
  • Error Handling and Information Leakage
  • Failing to a Secure Mode
  • Logging Practices
  • Appropriate Content for Logs
  • Auditing
  • Strategies: Filters, Interceptors, and Command Chains
  • Penetration Testing
  • Back Doors
  • Secure Code Review
• REST Security Basics
  • Security Concerns for REST Services
  • HTTPS
  • HTTP BASIC and DIGEST
  • Authorization by URL Pattern
  • Cross-Site Scripting
  • Injection Attacks
  • Cross-Site Request Forgery
  • Common Countermeasures
• HMAC Security
  • Use Case: Message Authentication
  • Digital Signature
  • Hashing as Signature: the HMAC
  • Appropriate Salts
  • Canonicalization
  • Amazon S3
  • Timestamps
  • Signing and Verifying Messages
  • XML Cryptography and Canonicalization
  • Canonicalizing JSON
• SAML SSO
  • Use Case: Single Sign-On
  • SAML Orientation
  • SAML Assertions
  • SAML Protocol
  • HTTP Bindings
  • Speaking “Through” the Browser
  • Artifact and SOAP Bindings
  • SAML Attributes
  • SAML SSO
  • Federated Identity
  • Identity Providers and Service Providers
  • Metadata
  • OpenID
  • Universal Identity
  • Security Concerns in SSO Systems
• OAuth
  • Use Case: Third-Party Authorization
  • OAuth
  • Initial Flow
  • Grant Types
  • Access Tokens
  • The Google OAuth API
  • Implementing Authorization and Resource Servers
  • Implementing Clients
  • Security Concerns with OAuth
• Conclusion