Maxtrain.com - info@maxtrain.com - 513-322-8888 - 866-595-6863
Secure Java Coding Camp | Attacking & Securing Java / JEE Web Applications
Description
Secure Java Coding Camp Introduction
Step into the realm of cybersecurity with our Secure Java Coding Camp, designed specifically for experienced Java web developers. This comprehensive course dives deep into the advanced techniques of bug hunting, ethical hacking, and securing Java web applications against the most challenging cyber threats.
With a focus on practical labs, real-world scenarios, and expert guidance, you’ll learn how to implement robust security measures, proactively addressing potential vulnerabilities in your web applications.
Participants will gain a thorough understanding of essential security practices, from troubleshooting to critical thinking and advanced software development. This course not only equips you with the skills to identify and mitigate security risks but also prepares you to comply with PCI Data Security Standard (PCI DSS) requirements.
By the end of this training, you’ll be adept at enhancing the security of Java web applications, ensuring they are fortified against both common and sophisticated attacks.
Secure Java Coding Camp Course Objectives
- Understand the core principles of secure coding and explore various stages of exploits with a focus on defensive strategies.
- Learn to analyze and enhance security measures in web applications through foundational and advanced principles.
- Practice ethical hacking techniques responsibly, including defect detection, bug reporting, and safe operational practices.
- Identify common vulnerabilities in web application testing and adopt best practices to avoid these pitfalls.
- Evaluate and implement multilayered defense strategies, enhancing the security of web applications through practical, hands-on experience.
- Manage risks associated with untrusted data sources and understand how to prevent issues like denial of service and cross-site scripting.
- Deepen your knowledge in critical security areas such as authentication, authorization, and vulnerability management for web-specific threats like XSS and SQL injection.
- Explore security risks in XML processing and file handling, and learn mitigation strategies to safeguard applications.
- Familiarize yourself with essential security tools and techniques for server and infrastructure hardening.
Prerequisites
- Practical hands-on Java web development experience. This is a Java coding class that requires intermediate Java developer skills to complete the lab work.
Audience
- This is an intermediate-level Java programming course, designed for experienced Java web developers, software engineers, and architects who are seeking to enhance their knowledge and skills in application security, bug hunting, and secure software development.
- The course would also be well-suited for IT professionals, such as security analysts, security engineers, and DevOps team members, who are responsible for ensuring the security and integrity of web applications in their organizations.
Secure Java Coding Camp Outline
Bug Hunting Foundation
- Why Hunt Bugs?
- The Language of Cybersecurity
- The Changing Cybersecurity Landscape
- AppSec Dissection of SolarWinds
- The Human Perimeter
- First Axiom in Web Application Security Analysis
- First Axiom in Addressing ALL Security Concerns
Safe and Appropriate Bug Hunting/Hacking
- Warning to All Bug Hunters
- Working Ethically
- Respecting Privacy
- Bug/Defect Notification
- Bug Hunting Pitfalls
Moving Forward From Hunting Bugs
- Removing Bugs
- Open Web Application Security Project (OWASP)
- OWASP Top Ten Overview
- Web Application Security Consortium (WASC)
- Common Weaknesses Enumeration (CWE)
- CERT Secure Coding Standard
- Microsoft Security Response Center
- Software-Specific Threat Intelligence
Bug Stomping 101
- Unvalidated Data
- CWE-787, 125, 20, 416, 434, 190, 476 and 119
- Potential Consequences
- Defining and Defending Trust Boundaries
- Rigorous, Positive Specifications
- Allow Listing vs Deny Listing
- Challenges: Free-Form Text, Email Addresses, and Uploaded Files
Broken Access Control
- CWE-22, 352, 862, 276, and 732
- Elevation of Privileges
- Insufficient Flow Control
- Unprotected URL/Resource Access/Forceful Browsing
- Metadata Manipulation (Session Cookies and JWTs)
- Understanding and Defending Against CSRF
- CORS Misconfiguration Issues
Cryptographic Failures
- CWE-200
- Identifying Protection Needs
- Evolving Privacy Considerations
- Options for Protecting Data
- Transport/Message Level Security
- Weak Cryptographic Processing
- Keys and Key Management
- NIST Recommendations
Injection
- CWE-79, 78, 89, and 77
- Pattern for All Injection Flaws
- Misconceptions With SQL Injection Defenses
- Drill Down on Stored Procedures
- Other Forms of Server-Side Injection
- Minimizing Server-Side Injection Flaws
- Client-side Injection: XSS
- Persistent, Reflective, and DOM-Based XSS
- Best Practices for Untrusted Data
Insecure Design
- Secure Software Development Processes
- Shifting Left
- Principles for Securing All Designs
- Leveraging Common AppSec Practices and Control
- Paralysis by Analysis
- Actionable Application Security
- Additional Tools for the Toolbox
Security Misconfiguration
- System Hardening: IA Mitigation
- Risks with Internet-Connected Resources
- Minimalist Configurations
- Application Allow Listing
- Secure Baseline
- Segmentation with Containers and Cloud
- CWE-611
- Safe XML Processing
Bug Stomping 102
- Vulnerable and Outdated Components
- Problems with Vulnerable Components
- Software Inventory
- Managing Updates: Balancing Risk and Timeliness
- Virtual Patching
- Dissection of Ongoing Exploits
Identification and Authentication Failures
- CWE-306, 287, 798 and 522
- Quality and Protection of Authentication Data
- Anti-Automation Defenses
- Multifactor Authentication
- Proper Hashing of Passwords
- Handling Passwords on Server Side
Software and Data Integrity Failures
- CWE-502
- Software Integrity Issues and Defenses
- Using Trusted Repositories
- CI/CD Pipeline Issues
- Protecting Software Development Resources
- Serialization/Deserialization
Security Logging and Monitoring Failures
- Detecting Threats and Active Attacks
- Best Practices for Logging and Logs
- Safe Logging in Support of Forensics
Server Side Request Forgeries (SSRF)
- CWE-918
- Understanding SSRF
- Remote Resource Access Scenarios
- Complexity of Cloud Services
- SSRF Defense in Depth
- Positive Allow Lists
Moving Forward with Application Security
- Applications: What Next?
- Common Vulnerabilities and Exposures
- CWE Top 25 Most Dangerous SW Errors
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
Secure Development Lifecycle (SDL)
- SDL Overview
- Attack Phases: Offensive Actions and Defensive Controls
- Secure Software Development Processes
- Shifting Left
- Actionable Items Moving Forward
SDL In Action
- Risk Escalators
- Risk Escalator Mitigation
- SDL Phases
- Actions for each SDL Phase
- SDL Best Practices
Next Steps
- Your Secure Coding Action Plan
- Key Resources
Price: $2495.00 | 4-Day Course