About the course
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
Mon, September 23 - Thu, September 26, 2019
Instructor: Gregory Leonard
Actually coding the examples from a 'find the weakness' and 'fix it' standpoint, as you do in DEV541, is a big help.
Andrew Whitehead, Federal Reserve Bank, Richmond
I have seen other webinars about secure coding but they don't even scratch the surface of what this first section even contains. I am so impressed. Way worth the value!
Oscar Frink, SC Department of Corrections
This secure coding course teaches students how to build secure Java applications: how to keep a website from being compromised, counter a wide range of application attacks, prevent the critical security vulnerabilities that lead to data loss, and understand the mindset of attackers.
The course teaches you the art of modern web defense for Java applications by focusing on foundational defensive techniques, cutting-edge protection, and Java EE security features you can use in your applications as soon as you return to work. This includes learning how to:
- Identify security defects in your code
- Fix security bugs using secure coding techniques
- Utilize secure HTTP headers to prevent attacks
- Secure your sensitive representational state transfer (REST) services
- Incorporate security into your development process
- Use freely available security tools to test your applications
Great developers have traditionally distinguished themselves by the elegance, effectiveness and reliability of their code. That is still true, but the security of the code now needs to be added to those other qualities. This unique SANS course allows you to hone the skills and knowledge required to prevent your applications from getting hacked.
How the Course Works
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive course covering a wide set of skills and knowledge. It is not a high-level theory course - it is about real-world, hands-on programming. You will examine actual code, work with real tools, build applications and gain confidence in the resources you need to improve the security of Java applications.
Rather than teaching students to use a given set of tools, the course covers the concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw and implementing a fix, working through the flaw classes listed in the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Programming Errors.
The course culminates in a Secure Development Challenge in which students perform a security review of a real-world open-source application. You will conduct a code review, perform security testing to exploit real vulnerabilities, and implement fixes for these issues using the secure coding techniques you have learned in the course.
Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify processes that require training in secure coding techniques for developers. If you are responsible for developing applications that process cardholder data and are therefore required to be PCI compliant then this is the course for you.
Common Web Application Vulnerabilities
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- HTTP response splitting
- Parameter manipulation
- Input validation
- Whitelisting vs. blacklisting
- Output encoding and escaping
- Parameterized queries
- Using frameworks and APIs
- How to use encryption and certificates
- Protecting session IDs
- JEE-based authentication
- Basic and form-based authentication
- Client certificate authentication
- Session hijacking
- Session fixation
Access Control
- Java Enterprise Edition (JEE)-based authorization
- Declarative and programmatic access control
- Using annotations
- Java Security Manager
- Java Secure Socket Extension (JSSE)
- Java Cryptography Architecture (JCA)
- Client certificates
- Secure sockets layer (SSL)
Java Programming and Language
- Race conditions
- Logging and error handling
- Class security
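The following is an added illustration of the "find the weakness, fix it" exercise style described under How the Course Works, tying together three of the topics above (SQL injection, whitelisting and parameterized queries, output encoding). It is not course material; the USERS table, the username format and the UserLookup class are assumptions made for the example, and the two lookup methods expect a JDBC Connection from any driver.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/*
 * Added example, not course material. Assumes a hypothetical table
 * USERS(USERNAME, DISPLAY_NAME) and a caller that supplies a JDBC
 * Connection obtained from any driver.
 */
public class UserLookup {

    // --- Weakness: the username is concatenated into the SQL text.
    // An input such as  x' OR '1'='1  makes the WHERE clause always true,
    // and a UNION payload can read rows from other tables.
    public static String findDisplayNameVulnerable(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT DISPLAY_NAME FROM USERS WHERE USERNAME = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // --- Fix 1: allowlist (whitelist) validation of the input. In this
    // hypothetical application a username is 1-32 characters of [A-Za-z0-9._-].
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{1,32}$");

    public static boolean isValidUsername(String username) {
        return username != null && USERNAME.matcher(username).matches();
    }

    // --- Fix 2: a parameterized query. The SQL text is fixed at compile time
    // and the driver sends the value separately, so no input can change the
    // structure of the query. Validation is kept as defense in depth.
    public static String findDisplayNameSafe(Connection conn, String username)
            throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("invalid username");
        }
        String sql = "SELECT DISPLAY_NAME FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // --- Fix 3: output encoding. Data read back from the database is still
    // untrusted when rendered; encode it for the HTML body context before
    // writing it into a page, otherwise a stored display name can carry XSS.
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-alone demonstration of the parts that need no database.
    public static void main(String[] args) {
        String payload = "x' OR '1'='1";
        System.out.println("allowlist accepts injection payload: " + isValidUsername(payload));
        System.out.println("allowlist accepts 'alice': " + isValidUsername("alice"));
        System.out.println("encoded: " + encodeForHtml("<script>alert(1)</script>"));
    }
}
```

The point of keeping all three fixes is that each addresses a different layer: the allowlist rejects input that should never reach the data layer, the PreparedStatement removes the injection channel even when validation is bypassed or loosened later, and the encoder protects the rendering layer from whatever is already stored.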
You Will Learn To:
- Keep your website from getting hacked
- Counter a wide range of application attacks
- Prevent critical security vulnerabilities that can lead to data loss
- Understand the attacker's mindset and how your applications can be hacked
DEV541.1: Data Validation
DEV541.2: Authentication and Session Management
DEV541.3: Java Platform and API Security
DEV541.4: Secure Development Lifecycle
After having taught application security to hundreds of developers, I have learned what works in teaching this important subject. Developers need to be intellectually challenged with exercises, and they need a variety of solutions they can apply to a single problem in different scenarios. By giving our students concrete examples of applications they can take back with them to their workplaces, we are arming attendees of this course with strong techniques that can be applied to both current and future projects. By knowing how various web application attacks work, and how common programming errors are made and how to prevent them, developers will have the tools necessary to prevent a large number of application attacks. Take part in this groundbreaking class and arm yourself with the knowledge to protect your Java applications! - Frank Kim