Consulting Training Blog Careers About Us Contact Us

Secure Coding for Java EE Training

Upcoming Classes

Sorry, nothing scheduled right now. Click the Get Notified button below to be alerted when a class is scheduled.

Get Notified

On Site/Private

Can't find a class that fits right for you? Contact us to inquire about scheduling your own private class

Contact Us

Description

Building a secure web application in Java is an extremely difficult challenge. While Java EE is a fantastic platform for building critical applications, there is little support for preventing flaws like the OWASP Top Ten, including Cross-Site Scripting (XSS), SQL injection, Request Forgery, Broken Authentication and Authorization, and much more. This course, teaches students how to identify, diagnose, and fix all of these very common issues. In this course, students will perform hands-on security testing and code review on web applications to find these kinds of flaws and they will learn and apply efficient and effective approaches for eliminating or avoiding these vulnerabilities in Java applications.
 
This course is intended for anyone writing Java EE applications. You’ll learn by actually finding problems using code review and application penetration testing techniques in a full Java EE application that is riddled with holes. We’ll design and implement fixes to many of these vulnerabilities in an Eclipse-based development environment, and then retest the application with security tools to verify that the problem has been eliminated. The course ends with a fun three-stage challenge designed to drive home the key lessons from the training.
 
This course goes way beyond the finding and exploiting of vulnerabilities. Students will learn about the security controls that developers should use to avoid these issues. Understanding how security is supposed to work is the greatest tool you can possibly have for finding security problems. The instructors are experienced application security professionals who come to class ready to share their real-world experiences and decades of expertise. We make the courses relevant to your organization by discussing how to apply the course’s lessons learned to your current challenges.

Bring This Course To You

For groups of 5 or more, let Intertech bring this course to your location. Customized versions tailored towards your objectives are also available.

Learn More

Learning Objectives

  • Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Understand and be able to apply application security design principles.
  • Be able to identify and explain common web application security threats (e.g., Cross-Site Scripting, SQL Injection, Access Control Attacks, “Man-in-the-middle” attacks, etc.) and implement mitigation techniques.
  • Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts.
  • Be able to implement access control rules for the user interface, business logic, and data layers.
  • Learn how Clickjacking attacks work, and the security headers that can now be used to easily defend against them
  • Be able to implement simple, straightforward Cross-Site Scripting defenses through proper output encoding and how to detect XSS vulnerabilities throughout an application.
  • Learn how Clickjacking attacks work, and the security headers that can now be used to easily defend against them.
  • Learn the strong benefits of proper input validation, and how to architect an effective and easy to use input validation framework.
  • Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.
  • Be able to implement a consistent error (exception) handling and logging approach for an entire web application.
  • Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Be able to select and implement appropriate auditing/logging capabilities.
  • The OWASP Top 10 raised awareness to the world that a very common source of vulnerabilities in web applications is the use of known vulnerable components. The course describes how to avoid this issue with the use of automation.
  • Be able to review their applications for common security vulnerabilities using code review and penetration testing techniques.
  • Be familiar with native Java security mechanisms such as the Crypto APIs, Logging, User Principals, etc., and how they can be employed to produce secure web applications.
  • Understand the factors involved in securing a Web Services capability.

Audience

  • Java EE Software Developers
  • Java EE Software Testers
  • Security Specialists
  • Application Architects

Course Outline

1) Introduction

Section Overview: This section describes and introduces the course, and instructors. It also provides setup instructions for the course exercises.
  • Training Program Introduction
  • Course Objectives, Approach, and Layout
  • Intro to Aspect Security/Instructors
  • Students Introduce Themselves
  • Discussion of Applicable Corporate Initiatives
  • Review of Course Agenda
  • Install and Setup Testing Environment

2) Understanding HTTP and Web Technologies

Section Overview: This section is intended to provide the foundations needed to understand the upcoming application security concepts. It begins by describing the HTTP protocol and how it relates to web applications. It dives into various aspects of the protocol, in detail, to assist in the understanding of the entire communication path from client request, server processing, server response, and browser interpretation. It then discusses how a hacker proxy can be used to modify HTTP requests and where this proxy fits into the big picture. Finally, we begin the first hands-on lesson which is intended to get the students familiar with the hands-on application and comfortable using the testing proxy.
  • HTTP Protocol (Requests, Responses, Headers, Cookies, Parameters, Response Codes)
    • Security of GET vs. POST
    • SSL and Certificates
    • Man-in-the-Middle Threat
    • HTTP Strict Transport Security
  • Introducing Test Application and Security Testing Proxy
    • WebGoat Architecture Walkthrough
    • Eclipse Getting Started
    • Example Lab Description
    • ZAP Overview
  • The need for Standard Security Controls
    • Common vulnerabilities and how standard controls avoid them
    • OWASP’s ESAPI – Example Standard Security Controls
  • Java and Java EE Platform Security
    • Java Language and Platform Features
    • Java Security Manager
  • Exercises and Labs
    • Hands-On Testing Exercise: WebGoat HTTP Basics
    • Hands-On Testing Exercise: WebGoat and Proxy

3) How to Authenticate Users

Section Overview: This section introduces common web authentication methods along with their strengths and weaknesses. It discusses best practices associated with authentication and uses hands-on lessons to demonstrate some common authentication mistakes. Through this we discuss different technology specific authentication uses and configurations.
  • Overview
  • Authentication Mechanisms
  • Common Java EE Authentication Approaches (JNDI, JDBC, SiteMinder)
  • How to Protect Credentials from Disclosure
  • How to Protect Against Brute Force Attacks in Java EE applications
  • How to Provide Password Management Functions in Java EE applications
  • Exercises and Labs
    • Hands-On Testing Exercise: WebGoat – Basic Authentication
    • Hands-On Testing Exercise: WebGoat – Authentication Cookies
    • Spot the Bug(s): Flawed Password Change Page

4) How to Manage User Sessions

Section Overview: This section includes what session management is and how it works within a web application environment. It discusses common mistakes developers make regarding session management and attacks that can take advantage of these errors. The section discusses best practices associated with session management and technology specific implementation approaches.
  • Introduction to Java EE Sessions
  • Explanation of Session Lifecycle in Java EE (login, logout, reauthentication, timeouts)
  • How to Protect Against Java EE Session Hijacking
  • ESAPI Session Defenses
  • Exercises and Labs
    • Hands-On Testing Exercise: WebGoat – Weak Session Identifier
    • Spot the Bug(s): Logout Flaws

5) How to Control Access

Section Overview: This section introduces Access Control in a web environment and the various complexities associated with implementing strong access protections. It walks through the importance of checking all access to sensitive functionality, defining application roles and functions, not relying only on presentation rendering, and implementing access controls at different level, including: declarative (URL), programmatic (API) and instance (data) level. Throughout the section, various technology specific access control uses are discussed and demonstrated. This section also includes common best practices associates with access control.
  • Overview
  • Defining & Architecting Your Access Control Policy
    • Authorization Primitives
    • Defining an Access Control Matrix
  • Java EE Presentation Layer Access Control
    • Single Role vs. Multi-Role Views
  • Environment Enforced Access Control in Java EE
    • Attack Surface
    • Single Role vs. Multi-Role URLs
    • Declarative Java EE Authorization (web.xml)
  • Business Layer Access Control In Java EE
    • Programmatic Java EE Authorization
    • Single Role vs. Multi-Role Business Functions
  • Java EE Data Layer Access Control
    • The Object Reference Problem
    • ESAPI Direct Object Reference Protection
  • Other Common Java EE Access Control Problems
  • ESAPI Access Control Mechanisms
  • Exercises and Labs
    • Hands-On Testing Exercise: WebGoat – Access Control
    • Testing and Coding Lab: WebGoat – Access Control (Stages 1-2)
    • Testing and Coding Lab: WebGoat – Access Control (Stages 3-4)
    • Testing and Coding Lab: WebGoat – Access Control (Stages 5-6)

6) How to Protect Against Cross-Site Request Forgery (CSRF)

Section Overview: The section introduces a very common web application attack most developers aren’t familiar with known as Cross-Site Request Forgery. CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something.
For most sites, such a request will automatically include any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user has authenticated to the site, the site will have no way to distinguish this from a legitimate user request. This section discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
  • Overview of CSRF
    • What is CSRF
    • CSRF Vulnerability Pattern
    • The Same Origin Policy
  • CRSF Vulnerability Types
    • Standard and Stored CSRF
  • Misconceptions: CSRF Defenses that Don’t Work
  • CSRF Recommended Defenses
    • Use of CSRF Tokens
    • ESAPI’s CSRF Mechanism
    • Protecting REST Interfaces Against CSRF
    • OWASP’s CSRF Tester
  • CSRF’s relationship to XSS
  • Exercises and Labs
    • Hands-On Testing Exercise: WebGoat – CSRF

7) How to Protect Against Cross-Site Scripting (XSS)

Section Overview: The section covers in detail a very common web application attack known as Cross-Site Scripting (XSS). It explains how and why this attack works and the consequences of such attacks. It introduces and explains two types of XSS attacks (reflected and stored), demonstrates an attack, walks through various buggy code examples. And finally allow the students to apply what they have learned by executing XSS attacks using hands-on lessons. Throughout the section different technology specific protections, including output encoding and input validation, are explored and discussed.
  • Overview of XSS
    • Types of XSS (Stored and Reflected)
    • Tricking the Browser Sandbox
    • Consequences of XSS
  • How to Solve Java EE XSS Problems
    • Output Encoding
    • ESAPI’s Output Encoding Mechanisms
    • Java EE Filters
    • Input Validation
    • ESAPI’s Input Validation Mechanisms
    • HTTPOnly
    • Response Headers to Help Prevent XSS
  • Exercises and Labs
    • Hands-On Testing Exercises: WebGoat – Stored and Reflected XSS
    • Testing and Coding Lab: XSS - 4 Stages
    • Hands-On Testing Exercises: WebGoat – HTTPOnly

8) How to Prevent Against Clickjacking Vulnerabilities

Section Overview: The section introduces another common web application attack most developers aren’t familiar with. It explains how and why allowing your content to be framed allows this attack to work and the consequences of such attacks. It discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
  • Overview of Clickjacking
    • The Attack Deconstructed
    • Evading CSRF Defenses
    • Consequences of a Clickjacking Attack
  • How to Defend Against Clickjacking
    • Approach 1: Framebusting Code
    • Approach 2: X-Frame-Options Header
    • Approach 3: Content Security Policy (CSP)
  • Exercises and Labs
    • Hands-On Demo: WebGoat – Clickjacking

9) How to Architect Input Validation Solutions

Section Overview: The section provides a basis for understanding the important of proper input validation. It walks through common design and implementation approaches to validate user input and discusses the strengths and weaknesses associated with each approach. It starts off with a focus on threats associated with unvalidated user input. It introduces and explains these threats, demonstrates the attacks, and allows students to apply what they have learned by using hands-on lessons. Throughout the section different technology specific protections are explored and discussed as well as the best practices associated with quality attributes of proper input validation.
  • Introduction
    • Lack of Validation
    • Hidden Fields
    • Use of Positive Validation
    • Regex’s
    • Unchecked Redirects and Forwards
  • How to Validate Outside Java EE Applications
  • How to Validate Within Java EE Applications
    • ESAPI’s Input Validation Mechanisms
  • How to Respond to Input Validation Issues in Java EE Applications
  • How to Validate Data from Other Sources
    • Safe File Uploads/Downloads
  • Exercises and Labs:
    • Spot the Bug(s): Input Validation Flaws
    • Hands-On Testing Exercise: WebGoat – Hidden Fields
    • Hands-On Testing Exercise: WebGoat – JavaScript

10) How to Protect Sensitive Data

Section Overview: This section discusses common cryptographic problems associated with web applications as well as caching of sensitive data. It demystifies and dispels the myth that crypto is extremely complex by walking through various simple and straightforward code examples. These code examples are technology specific and include examples of encrypting, decrypting, hashing, and the use of SSL. It also discusses other common flaws that can lead to the exposure of sensitive data.
  • Overview
  • Cryptography in Java EE Applications
  • How to Choose the Right Algorithm
  • How to Use JCE to Encrypt, Decrypt, Sign, and Hash
    • ESAPI’s Encryption Mechanisms
  • How to Avoid Replay Attacks
  • How to Use SSL
  • How to Protect Sensitive Data in Caches in Java EE Applications
    • ESAPI’s AntiCaching Mechanisms
  • Exercises and Labs:
    • Spot the Bug(s): Flawed Use of Cryptography

11) How to Use Databases Securely

Section Overview: The section provides the material necessary to use a database securely. Threats related to securely connecting to a database, validating input, using SQL, handling errors and logging, and validating results are covered. Some architectural concerns are also discussed in terms of centralizing the security functions related to accessing a database securely.
  • Overview/Goals
  • How to Prevent SQL Injection using JDBC
    • Use of Prepared Statements
    • Use of Stored Procedures
    • Using Dynamic Queries Safely
  • Protecting JDBC Connection Strings (usernames/passwords)
    • ESAPI’s Encrypted Properties Files
  • Minimizing Privilege
  • How to Handle SQL Exceptions and Verify Results
  • Database Layer Access Control
  • Architectural Patterns for Database Security (DAO)
  • Exercises and Labs:
    • Hands-On Testing Exercise: WebGoat – SQL Injection
    • Testing and Coding Lab: WebGoat – SQL Injection – 4 Stages

12) How to Handle Errors and Log Security Events

Section Overview: This section introduces the importance of proper error handling and security logging mechanisms for security critical events. Throughout the section technology specific logging APIs and error handling strategies will be introduced and discussed.
  • Overview
    • Example Real World Fail Opens
  • How to Configure Error Handling in Java EE
  • Java EE Error Handling Best Practices
  • What Events to Log and What Data to Capture
  • Standard Logging Mechanisms
    • Java Logging
    • Log4j
    • ESAPI
  • Detecting and Responding to Attacks
    • OWASP AppSensor
  • Exercise and Labs:
    • Spot the Bug(s): Improper Error Handling
    • Hands-On Testing Exercise: WebGoat – Fail Open Authentication Pattern

13) Avoiding the Use of Components with Known Vulnerabilities

Section Overview: This section introduces the importance keeping track of which versions of 3rd party and open source components are being used in a project, and keeping them up to date when new versions become available. Most updates to such components include security updates. Without updating, this introduces significant risk to your applications.
  • Overview
    • A Huge Risk Most Dev Teams aren’t Dealing With
    • The Proliferation in the Use of Open Source
    • Serious Vulnerabilities in Open Source are Common
  • What Can You Do?
    • Automation Can Warn You When Your Components Are Out-of-date/Vulnerable
    • Develop a Process For Updating Frequently

14) How to Prevent Quality Issues from Introducing Vulnerabilities

Section Overview: Security is directly related to quality, and software vulnerabilities increase directly with the quality of the code. This section explores the importance of establishing and following a coding guideline that is tailored to address security approaches adopted by the project. Some specific code quality problems that are frequently linked with security are included. The section includes a discussion of what can be enforced automatically and some of the relevant tools.
  • Why Code Quality and Deployment Issues Lead to Vulnerabilities
  • General Code Quality Best Practices for Security
  • Handling Debug and Test Code (including Ant and JUnit)
  • How to Avoid Concurrency Vulnerabilities in Java EE Applications
  • Exercises
    • Hands-On Testing Exercise: WebGoat – Clues in HTML
    • Spot the Bug(s): Find the Concurrency Flaws

15) How to Use XML Securely

Section Overview: This section discusses the use of XML for data storage and transmission. XML parsers and generators have been abused with certain types of injection attacks that need to be understood. Also, the use of XML schema for validation purposes will be covered. Finally, this section demonstrates the use of XML encryption and signature techniques and discusses scenarios for their use.
  • Overview
  • Security Risks Associated With XML
    • XML Documents and Data Stores
    • XML-Based Communication
    • XML Threats and Attacks
    • XPath Injection Attack
  • Validating XML Content with Java (DTD, Schema)
    • Validation Challenges with XML
  • XML Cryptography and Signatures in Java

16) How to Access Services Securely

Section Overview: This section discusses security issues associated with external connections, and walks through various best practices. This section is used as a review of all the practices covered in the course thus far. Students should realize that all the practices they’ve learned for protection of a web application should apply to an external connection as well.
  • A Pattern for using Services Securely
    • Vulnerability Examples
  • Applying the Pattern to Prevent Command Injection
  • Architecting Secure Service Access
  • Examples of How to Access Services Securely
  • Exercises and Labs:
    • Hands-On Testing Exercise: WebGoat – Command Injection

17) Web Services Security

Section Overview: This section discusses issues related to using web services securely, including the various standards available and special issues related to web services, SOAP, WSDL, and XML Schema.
  • How Do Web Services Work?
  • SOAP Introduction and Examples
  • WSDL Introduction and Examples
  • Java EE Web Service Client Using AXIS
  • Web Services Security Overview
  • Exercises and Labs:
    • Hands-On Testing Exercise: WebGoat – WS SOAP Request
    • Hands-On Testing Exercise: WebGoat – WS WSDL Scanning
    • Hands-On Testing Exercise: WebGoat – WS SQL Injection

18) HTML5 Security

Section Overview: HTML5 is gaining in popularity and browser support. This section describes a number of security features introduced in HTML5 and how developers can take advantage of them to improve the security of their applications and/or leverage new HTML capabilities in a secure way.
  • What is HTML5
  • HTML5: Local Storage
    • Security Implications of Using IndexDB
  • HTML5: WebSockets
    • Using WebSockets Securely
  • Cross-Origin Resource Sharing (CORS)
    • CORS Preflight Requests
    • CORS Security Risks

19) AppSec at DevOps Speed and Portfolio Scale

Section Overview: Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops. This section describes how development organizations can instrument their entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and enable application security activities to generate significant measureable value.
  • Comparison of AppSec to Healthcare
  • Traditional SDLC Approaches
  • Starting Over, at Portfolio Scale, and DevOps Speed
  • Example Sensors
    • Clickjacking
    • Security Headers
    • Access Control
    • Known Vulnerable Components
    • CSRF
    • Injection
    • Architecture, Inventory, More …
  • Building Continuous AppSec Throughout Lifecycle
  • What Sensors Does Your Organization Need?
  • What Security Do You Expect vs. What Are You Actually Measuring?
  • Aligning Sensors with Business Concerns
  • Developing a Portfolio Wide Dashboard

The Challenge

Section Overview: The challenge section allows students to step back, look at what they have learned and apply this knowledge by performing a final hack on the hands-on Challenge lesson. This lesson combines many of the vulnerabilities previously discussed into a single lesson (with multiple stages). This lesson doesn’t contain any hints, as do previous lessons. In previous lessons, hints are included to guide students through each stage of an attack. While the instructor assists students, this is the time to allow the students to use their creativity and the knowledge they have gained from this course to successfully compromise the final lesson.
a) Exercises and Labs:
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 1 – Break Authentication
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 2 – Steal the Credit Cards
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 3 – Deface the Web Site

Free Resources from Intertech

Complete Guide to Becoming a Full Stack Developer

Free Book Chapter: Spring Web

Introduction to Groovy Whitepaper

X