API security in Java

API security in JavaASIJCYCydrillCY-ASIJ1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Understanding API security issues</li><li>Detailed analysis of the OWASP API Security Top Ten elements</li><li>Putting API security in the context of Java</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>Input validation approaches and principles</li></ul><p>General Java development</p><p>Java API developers</p><h4>Day 1</h4> <ul> <li>Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Consequences of insecure software</li></ul></li><li>OWASP API Security Top Ten <ul> <li>OWASP API Security Top 10 2023</li><li>API1 – Broken Object Level Authorization</li><li>Confused deputy</li><li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Remote takeover of Nexx garage doors and alarms</li><li>Lab – Horizontal authorization</li><li>File upload</li><li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li><li>Case study – File upload vulnerability in Netflix Genie</li></ul></li><li>API2 – Broken Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication (MFA)</li><li>Case study – The InfinityGauntlet attack</li><li>Time-based One Time Passwords (TOTP)</li><li>Password management</li><li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Lab – Using adaptive hash functions in JCA</li><li>Using password cracking tools</li><li>Password cracking in Windows</li><li>Password change</li><li>Password recovery issues</li><li>Password recovery best practices</li><li>Lab – Password reset weakness</li><li>Case study – Facebook account takeover via recovery code</li><li>Case study – GitLab account takeover</li><li>Anti-automation</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password hardening</li><li>Using passphrases</li><li>Password database migration</li><li>(Mis)handling null passwords</li></ul></li></ul> <h4>Day 2</h4> <ul> <li>API3 – Broken Object Property Level Authorization <ul> <li>Information exposure</li><li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>System information leakage</li><li>Leaking system information</li><li>Information exposure best practices</li><li>Secrets management</li><li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li><li>Protecting sensitive information in memory</li><li>Challenges in protecting memory</li><li>Case study – Microsoft secret key theft via dump files</li><li>Storing sensitive data in memory</li><li>Lab – Using secret-handling classes in Java</li></ul></li><li>API4 – Unrestricted Resource Consumption <ul> <li>Denial of service</li><li>Flooding</li><li>Resource exhaustion</li><li>Sustained client engagement</li><li>Denial of service problems in Java</li><li>Infinite loop</li><li>Economic Denial of Sustainability (EDoS)</li><li>Algorithmic complexity issues</li><li>Regular expression denial of service (ReDoS)</li><li>Lab – ReDoS</li><li>Dealing with ReDoS</li></ul></li><li>API5 – Broken Function Level Authorization <ul> <li>Authorization</li><li>Access control basics</li><li>Access control types</li><li>Missing or improper authorization</li><li>Case study – Broken authn/authz in Apache OFBiz</li><li>Failure to restrict URL access</li></ul></li><li>API6 – Unrestricted Access to Sensitive Business Flows <ul> <li>Security by design</li><li>The STRIDE model of threats</li><li>Secure design principles of Saltzer and Schroeder</li><li>Economy of mechanism</li><li>Fail-safe defaults</li><li>Complete mediation</li><li>Open design</li><li>Separation of privilege</li><li>Least privilege</li><li>Least common mechanism</li><li>Psychological acceptability</li><li>Logging and monitoring</li><li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Case study – Plaintext passwords at Facebook</li><li>Log forging</li><li>Web log forging</li><li>Log forging – best practices</li><li>Case study – Log interpolation in log4j</li><li>Case study – The Log4Shell vulnerability (CVE-2021-44228)</li><li>Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)</li><li>Lab – Log4Shell</li><li>Logging best practices</li><li>Monitoring best practices</li></ul></li><li>API7 – Server Side Request Forgery <ul> <li>Server-side Request Forgery (SSRF)</li><li>Case study – SSRF in Ivanti Connect Secure</li></ul></li><li>API8 – Security Misconfiguration <ul> <li>Information exposure through error reporting</li><li>Information leakage via error pages</li><li>Case study – Information leakage via errors in Apache Superset</li><li>Same Origin Policy</li><li>Simple request</li><li>Preflight request</li><li>Cross-Origin Resource Sharing (CORS)</li><li>Configuring XML parsers</li><li>DTD and the entities</li><li>Entity expansion</li><li>External Entity Attack (XXE)</li><li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Preventing XXE</li><li>Lab – Prohibiting DTD</li><li>Case study – XXE vulnerability in Ivanti products</li></ul></li></ul> <h4>Day 3</h4> <ul> <li>API9 – Improper Inventory Management <ul> <li>Documentation blindspots</li><li>Dataflow blindspots</li><li>Using vulnerable components</li><li>Untrusted functionality import</li><li>Case study – The Polyfill.io supply chain attack</li><li>Vulnerability management</li><li>Lab – Finding vulnerabilities in third-party components</li></ul></li><li>API10 – Unsafe Consumption of APIs <ul> <li>Input validation</li><li>Input validation principles</li><li>Denylists and allowlists</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Unicode challenges</li><li>Validation with regex</li></ul></li><li>Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection</li><li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li><li>SQL injection best practices</li><li>Input validation</li><li>Parameterized queries</li><li>Lab – Using prepared statements</li><li>Database defense in depth</li><li>Case study – SQL injection in Fortra FileCatalyst</li><li>Code injection</li><li>OS command injection</li><li>OS command injection best practices</li><li>Using Runtime.exec()</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li><li>Case study – Command injection in VMware Aria</li></ul></li><li>Open redirects and forwards <ul> <li>Open redirects and forwards – best practices</li></ul></li><li>Files and streams <ul> <li>Path traversal</li><li>Lab – Path traversal</li><li>Additional challenges in Windows</li><li>Case study – File spoofing in WinRAR</li><li>Case study – RCE via path traversal in Apache OFBiz</li><li>Path traversal best practices</li><li>Lab – Path canonicalization</li></ul></li><li>Unsafe reflection <ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li><li>Wrap up <ul> <li>Secure coding principles</li><li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schroeder</li><li>And now what?</li><li>Software security sources and further reading</li><li>Java resources</li></ul></li></ul><ul> <li>Cyber security basics</li><li>OWASP API Security Top Ten</li><li>API1 - Broken Object Level Authorization</li><li>API2 - Broken Authentication</li><li>API3 - Broken Object Property Level Authorization</li><li>API4 - Unrestricted Resource Consumption</li><li>API5 - Broken Function Level Authorization</li><li>API6 - Unrestricted Access to Sensitive Business Flows</li><li>API7 - Server Side Request Forgery</li><li>API8 - Security Misconfiguration</li><li>API9 - Improper Inventory Management</li><li>API10 - Unsafe Consumption of APIs</li><li>Wrap up</li></ul>- Getting familiar with essential cyber security concepts - Understanding API security issues - Detailed analysis of the OWASP API Security Top Ten elements - Putting API security in the context of Java - Going beyond the low hanging fruits - Managing vulnerabilities in third party components - Input validation approaches and principlesGeneral Java developmentJava API developersDay 1 - Cyber security basics - What is security? - Threat and risk - Cyber security threat types – the CIA triad - Consequences of insecure software - OWASP API Security Top Ten - OWASP API Security Top 10 2023 - API1 – Broken Object Level Authorization - Confused deputy - Insecure direct object reference (IDOR) - Lab – Insecure Direct Object Reference - Authorization bypass through user-controlled keys - Case study – Remote takeover of Nexx garage doors and alarms - Lab – Horizontal authorization - File upload - Unrestricted file upload - Good practices - Lab – Unrestricted file upload - Case study – File upload vulnerability in Netflix Genie - API2 – Broken Authentication - Authentication basics - Multi-factor authentication (MFA) - Case study – The InfinityGauntlet attack - Time-based One Time Passwords (TOTP) - Password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Lab – Using adaptive hash functions in JCA - Using password cracking tools - Password cracking in Windows - Password change - Password recovery issues - Password recovery best practices - Lab – Password reset weakness - Case study – Facebook account takeover via recovery code - Case study – GitLab account takeover - Anti-automation - Password policy - NIST authenticator requirements for memorized secrets - Password hardening - Using passphrases - Password database migration - (Mis)handling null passwords Day 2 - API3 – Broken Object Property Level Authorization - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - System information leakage - Leaking system information - Information exposure best practices - Secrets management - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - Case study – Microsoft secret key theft via dump files - Storing sensitive data in memory - Lab – Using secret-handling classes in Java - API4 – Unrestricted Resource Consumption - Denial of service - Flooding - Resource exhaustion - Sustained client engagement - Denial of service problems in Java - Infinite loop - Economic Denial of Sustainability (EDoS) - Algorithmic complexity issues - Regular expression denial of service (ReDoS) - Lab – ReDoS - Dealing with ReDoS - API5 – Broken Function Level Authorization - Authorization - Access control basics - Access control types - Missing or improper authorization - Case study – Broken authn/authz in Apache OFBiz - Failure to restrict URL access - API6 – Unrestricted Access to Sensitive Business Flows - Security by design - The STRIDE model of threats - Secure design principles of Saltzer and Schroeder - Economy of mechanism - Fail-safe defaults - Complete mediation - Open design - Separation of privilege - Least privilege - Least common mechanism - Psychological acceptability - Logging and monitoring - Logging and monitoring principles - Insufficient logging - Case study – Plaintext passwords at Facebook - Log forging - Web log forging - Log forging – best practices - Case study – Log interpolation in log4j - Case study – The Log4Shell vulnerability (CVE-2021-44228) - Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105) - Lab – Log4Shell - Logging best practices - Monitoring best practices - API7 – Server Side Request Forgery - Server-side Request Forgery (SSRF) - Case study – SSRF in Ivanti Connect Secure - API8 – Security Misconfiguration - Information exposure through error reporting - Information leakage via error pages - Case study – Information leakage via errors in Apache Superset - Same Origin Policy - Simple request - Preflight request - Cross-Origin Resource Sharing (CORS) - Configuring XML parsers - DTD and the entities - Entity expansion - External Entity Attack (XXE) - File inclusion with external entities - Server-Side Request Forgery with external entities - Lab – External entity attack - Preventing XXE - Lab – Prohibiting DTD - Case study – XXE vulnerability in Ivanti products Day 3 - API9 – Improper Inventory Management - Documentation blindspots - Dataflow blindspots - Using vulnerable components - Untrusted functionality import - Case study – The Polyfill.io supply chain attack - Vulnerability management - Lab – Finding vulnerabilities in third-party components - API10 – Unsafe Consumption of APIs - Input validation - Input validation principles - Denylists and allowlists - What to validate – the attack surface - Where to validate – defense in depth - When to validate – validation vs transformations - Output sanitization - Encoding challenges - Unicode challenges - Validation with regex - Injection - Injection principles - Injection attacks - SQL injection - SQL injection basics - Lab – SQL injection - Attack techniques - Content-based blind SQL injection - Time-based blind SQL injection - SQL injection best practices - Input validation - Parameterized queries - Lab – Using prepared statements - Database defense in depth - Case study – SQL injection in Fortra FileCatalyst - Code injection - OS command injection - OS command injection best practices - Using Runtime.exec() - Case study – Shellshock - Lab – Shellshock - Case study – Command injection in VMware Aria - Open redirects and forwards - Open redirects and forwards – best practices - Files and streams - Path traversal - Lab – Path traversal - Additional challenges in Windows - Case study – File spoofing in WinRAR - Case study – RCE via path traversal in Apache OFBiz - Path traversal best practices - Lab – Path canonicalization - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection - Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schroeder - And now what? - Software security sources and further reading - Java resources- Cyber security basics - OWASP API Security Top Ten - API1 - Broken Object Level Authorization - API2 - Broken Authentication - API3 - Broken Object Property Level Authorization - API4 - Unrestricted Resource Consumption - API5 - Broken Function Level Authorization - API6 - Unrestricted Access to Sensitive Business Flows - API7 - Server Side Request Forgery - API8 - Security Misconfiguration - API9 - Improper Inventory Management - API10 - Unsafe Consumption of APIs - Wrap up3 days2250.002250.002250.002250.002250.00