AppSec Latam 2012 Training: Java Secure Coding

Course Length: 2 Day
Training Audience: Technical
Required Skill Level: Intermediate

Course Description

In this class we discuss secure coding techniques using Java. It is a very hands-on course with many labs. Everything is done from a developers perspective, NOT a hackers perspective. We make an effort to show what to do, and avoid the usual security paradigm of only discussing what not to do.

The course covers input validation, authentication, authorization, session management, databases, output encoding, error handling, logging, file handling, file uploading, and cryptography.

The class is hands-on and will include labs. Attendees should have a laptop capable of running VMs. We will provide a VM at the beginning of the class.

Instructor Bio

Instructor: Ari Elias-Bachrach, Appsec Labs
Twitter: @angelofsecurity

Course Outline

1. Intro to class

a.	Goals for class
b.	Agenda
c.	Intro to security
d.	integrating security into the SDLC

2. Input validation

a.	Why needed (cmd injection, xss, sql injection, logic errors, etc.)
b.	When needed (any time there’s input. Everything is input)
c.	Where done (Client = bad, server = good)
d.	Whitelist vs blacklist
e.	How to do regex
f.	Canonicalization
g.	Other ways to validate – length, range
h.	ESAPI

3. Authentication

a.	Definition and explanation
b.	The three factors of authentication – what they are and examples of each
c.	Types of auth: basic, digest, client cert, windows, forms based
d.	Securing the passwords (hash, salt, HMAC)
e.	Brute force
f.	Anti-automation
g.	Revealing usernames

4. Authorization

a.	Definition and explanation
b.    ACL
c.    secure by URL
d.    secure at service layer

5. Session Management

a.	Maintaining session state
b.	What not do 
c.	Java session management with JSESSIONID 
d.	Cookie security
e.	Session fixation

6. How to deal with databases

a.	Why needed (SQLi) 
b.	Parameterized queries
c.	Stored procedures
d.	Connection strings – how to store them
f.	Permissions
g.	Other misc tips

7. Output encoding

a.	Intro to XSS
b.	Demo something more dangerous – change action of form or steal JSESSIONID
c.	HTML encode
d.	Other encoding contexts
e.	ESAPI encoding
f.	ESAPI demo

8. Error handling

a.	Info disclosed during error handling
b.	Custom error messages

9. Logging/auditing

a.	Importance of logging
b.	Logging technologies (log4j)
c.	Events to log
d.	Data NOT to log

10. File handling

a.	Directory traversal
b.	Canonicalization
c.	File extension handling – backup file (.old .bck, etc.)
d.	Directory listing

11. File uploads

a.	Threats
b.	Whitelist file types
c.	Convert file types (to drop executable code/virus)
d.	Limit number of uploads & file sizes and who can do them
e.	File storage

12. Data confidentiality and integrity

a.	Threats to Data
b.	Crypto
c.	JCE – Java crypto architecture
d.	Hash Functions & salt
e.	Digital signatures
f.	SSL