Desktop Application Security in Java

Desktop Application Security in JavaDASEC-JCYCydrillCY-DASEC-J1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in Java</li><li>Input validation approaches and principles</li><li>Understanding how cryptography can support appplication security</li><li>Learning how to use cryptographic APIs correctly in Java</li><li>Managing vulnerabilities in third party components</li></ul>General Java developmentJava developers working on desktop applications<ul> <li>Cyber security basics</li><li>Input validation</li><li>Security features</li><li>Time and state</li><li>Errors</li><li>Cryptography for developers</li><li>Common software security weaknesses</li><li>Using vulnerable components</li><li>Wrap up</li></ul>DAY 1 Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software <ul> <li>Constraints and the market</li><li>The dark side</li></ul></li><li>Categorization of bugs <ul> <li>The Seven Pernicious Kingdoms</li><li>Common Weakness Enumeration (CWE)</li><li>CWE Top 25 Most Dangerous Software Errors</li><li>SEI CERT Secure Coding Guidelines</li></ul></li></ul>Input validation <ul> <li>Input validation principles <ul> <li>Blacklists and whitelists</li><li>Data validation techniques</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>How to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Validation with regex</li></ul></li><li>Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>Code injection <ul> <li>OS command injection <ul> <li>OS command injection best practices</li><li>Using Runtime.exec()</li><li>Using ProcessBuilder</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li><li>Case study – Command injection via ping</li></ul></li><li>Script injection</li></ul></li><li>General protection best practices</li></ul></li><li>Integer handling problems <ul> <li>Representing signed numbers</li><li>Integer visualization</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion in Java</li><li>Case study – The Stockholm Stock Exchange</li><li>Integer truncation</li><li>Best practices <ul> <li>Upcasting</li><li>Precondition testing</li><li>Postcondition testing</li><li>Using big integer libraries</li><li>Integer handling in Java</li><li>Lab – Integer handling</li></ul></li><li>Files and streams <ul> <li>Path traversal</li><li>Path traversal-related examples</li><li>Lab – Path traversal</li><li>Additional challenges in Windows</li><li>Path traversal best practices</li></ul></li><li>Unsafe reflection <ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li><li>Unsafe native code <ul> <li>Native code dependence</li><li>Lab – Unsafe JNI</li><li>Best practices for dealing with native code</li></ul></li></ul></li></ul>DAY 2 Security features <ul> <li>Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication</li><li>Authentication weaknesses – spoofing</li><li>Case study – PayPal 2FA bypass</li><li>User interface best practices</li><li>Lab – On-line password brute forcing</li><li>Password management <ul> <li>Inbound password management <ul> <li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy <ul> <li>NIST authenticator requirements for memorized secrets</li><li>Password length</li><li>Password hardening</li><li>Using passphrases</li><li>Lab – Applying a password policy</li></ul></li><li>Case study – The Ashley Madison data breach <ul> <li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li></ul></li><li>Password database migration <ul> <li>Outbound password management <ul> <li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li><li>Protecting sensitive information in memory <ul> <li>Challenges in protecting memory</li><li>Storing sensitive data in memory</li></ul></li></ul></li></ul></li></ul></li></ul></li></ul></li><li>Authorization <ul> <li>Access control basics</li></ul></li><li>Information exposure <ul> <li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>System information leakage <ul> <li>Leaking system information</li></ul></li><li>Information exposure best practices</li></ul></li><li>Java platform security <ul> <li>The Java programming language and runtime environment</li><li>Type safety and security</li><li>Security features of the JRE <ul> <li>The ClassLoader and the BytecodeVerifier</li></ul></li><li>Application-level access control in Java <ul> <li>Permissions and the Security Manager</li><li>Privilege best practices</li></ul></li><li>Role-based access control <ul> <li>Java Authentication and Authorization Services (JAAS)</li></ul></li><li>Protecting Java code and applications <ul> <li>Code signing</li><li>Lab – Code signing and permissions</li></ul></li></ul></li><li>UI security <ul> <li>UI security principles</li><li>Sensitive information in the user interface</li><li>Misinterpretation of UI features or actions</li><li>Insufficient UI feedback</li><li>Relying on hidden or disabled UI element</li><li>Insufficient anti-automation</li></ul></li></ul>Time and state <ul> <li>Race conditions <ul> <li>Race condition in object data members <ul> <li>Singleton member fields</li><li>Lab – Singleton member fields</li></ul></li><li>File race condition <ul> <li>Time of check to time of usage – TOCTTOU</li><li>Insecure temporary file</li></ul></li><li>Database race conditions <ul> <li>Lab – Database race conditions</li></ul></li><li>Avoiding race conditions in Java</li></ul></li></ul>Errors <ul> <li>Error and exception handling principles</li><li>Error handling <ul> <li>Returning a misleading status code</li><li>Reachable assertion</li><li>Information exposure through error reporting</li></ul></li><li>Exception handling <ul> <li>In the catch block. And now what?</li><li>Catching NullPointerException</li><li>Empty catch block</li></ul></li></ul>DAY 3 Cryptography for developers <ul> <li>Cryptography basics</li><li>Java Cryptographic Architecture (JCA) in brief</li><li>Elementary algorithms <ul> <li>Random number generation <ul> <li>Pseudo random number generators (PRNGs)</li><li>Cryptographically strong PRNGs</li><li>Using virtual random streams</li><li>Weak and strong PRNGs in Java</li><li>Using random numbers in Java</li><li>Case study – Equifax credit account freeze</li><li>Lab – Random numbers in Java</li></ul></li><li>Hashing <ul> <li>Hashing basics</li><li>Common hashing mistakes</li><li>Hashing in Java</li><li>Lab – Hashing in JCA</li></ul></li></ul></li><li>Confidentiality protection <ul> <li>Symmetric encryption <ul> <li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Symmetric encryption in Java</li><li>Lab – Symmetric encryption in JCA</li><li>Asymmetric encryption <ul> <li>The RSA algorithm <ul> <li>Using RSA – best practices</li><li>RSA in Java</li><li>Lab – Using RSA in JCA</li></ul></li><li>Elliptic Curve Cryptography <ul> <li>The ECC algorithm</li><li>Using ECC – best practices</li><li>ECC in Java</li><li>Lab – Using ECC in JCA</li></ul></li><li>Combining symmetric and asymmetric algorithms</li></ul></li></ul></li></ul></li><li>Integrity protection <ul> <li>Message Authentication Code (MAC) <ul> <li>Calculating MAC in Java</li><li>Lab – Using MAC in JCA</li></ul></li><li>Digital signature <ul> <li>Digital signature with RSA</li><li>Digital signature with ECC</li><li>Digital signature in Java</li><li>Lab – Digital signature in JCA</li></ul></li></ul></li><li>Public Key Infrastructure (PKI) <ul> <li>Some further key management challenges</li><li>Certificates <ul> <li>Chain of trust</li><li>Certificate management – best practices</li></ul></li></ul></li></ul>Common software security weaknesses <ul> <li>Code quality <ul> <li>Data handling <ul> <li>Initialization and cleanup <ul> <li>Constructors and destructors</li><li>Class initialization cycles</li><li>Lab – Initialization cycles</li></ul></li><li>Unreleased resource <ul> <li>The finalize() method – best practices</li></ul></li></ul></li><li>Object oriented programming pitfalls <ul> <li>Accessibility modifiers <ul> <li>Are accessibility modifiers a security feature?</li><li>Accessibility modifiers – best practices</li><li>Overriding and accessibility modifiers</li></ul></li><li>Inheritance and overriding</li><li>Mutability <ul> <li>Lab – Mutable object</li></ul></li><li>Cloning</li></ul></li></ul></li></ul>Using vulnerable components <ul> <li>Assessing the environment</li><li>Hardening</li><li>Vulnerability management <ul> <li>Patch management</li><li>Vulnerability databases</li><li>Lab – Finding vulnerabilities in third-party components</li></ul></li></ul>Wrap up <ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schröder</li></ul></li><li>And now what? <ul> <li>Software security sources and further reading</li><li>Java resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts - Identify vulnerabilities and their consequences - Learn the security best practices in Java - Input validation approaches and principles - Understanding how cryptography can support appplication security - Learning how to use cryptographic APIs correctly in Java - Managing vulnerabilities in third party componentsGeneral Java developmentJava developers working on desktop applications- Cyber security basics - Input validation - Security features - Time and state - Errors - Cryptography for developers - Common software security weaknesses - Using vulnerable components - Wrap upDAY 1 Cyber security basics - What is security? - Threat and risk - Cyber security threat types - Consequences of insecure software - Constraints and the market - The dark side - Categorization of bugs - The Seven Pernicious Kingdoms - Common Weakness Enumeration (CWE) - CWE Top 25 Most Dangerous Software Errors - SEI CERT Secure Coding Guidelines Input validation - Input validation principles - Blacklists and whitelists - Data validation techniques - What to validate – the attack surface - Where to validate – defense in depth - How to validate – validation vs transformations - Output sanitization - Encoding challenges - Validation with regex - Injection - Injection principles - Injection attacks - Code injection - OS command injection - OS command injection best practices - Using Runtime.exec() - Using ProcessBuilder - Case study – Shellshock - Lab – Shellshock - Case study – Command injection via ping - Script injection - General protection best practices - Integer handling problems - Representing signed numbers - Integer visualization - Integer overflow - Lab – Integer overflow - Signed / unsigned confusion in Java - Case study – The Stockholm Stock Exchange - Integer truncation - Best practices - Upcasting - Precondition testing - Postcondition testing - Using big integer libraries - Integer handling in Java - Lab – Integer handling - Files and streams - Path traversal - Path traversal-related examples - Lab – Path traversal - Additional challenges in Windows - Path traversal best practices - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection - Unsafe native code - Native code dependence - Lab – Unsafe JNI - Best practices for dealing with native code DAY 2 Security features - Authentication - Authentication basics - Multi-factor authentication - Authentication weaknesses – spoofing - Case study – PayPal 2FA bypass - User interface best practices - Lab – On-line password brute forcing - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Password policy - NIST authenticator requirements for memorized secrets - Password length - Password hardening - Using passphrases - Lab – Applying a password policy - Case study – The Ashley Madison data breach - The dictionary attack - The ultimate crack - Exploitation and the lessons learned - Password database migration - Outbound password management - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - Storing sensitive data in memory - Authorization - Access control basics - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - System information leakage - Leaking system information - Information exposure best practices - Java platform security - The Java programming language and runtime environment - Type safety and security - Security features of the JRE - The ClassLoader and the BytecodeVerifier - Application-level access control in Java - Permissions and the Security Manager - Privilege best practices - Role-based access control - Java Authentication and Authorization Services (JAAS) - Protecting Java code and applications - Code signing - Lab – Code signing and permissions - UI security - UI security principles - Sensitive information in the user interface - Misinterpretation of UI features or actions - Insufficient UI feedback - Relying on hidden or disabled UI element - Insufficient anti-automation Time and state - Race conditions - Race condition in object data members - Singleton member fields - Lab – Singleton member fields - File race condition - Time of check to time of usage – TOCTTOU - Insecure temporary file - Database race conditions - Lab – Database race conditions - Avoiding race conditions in Java Errors - Error and exception handling principles - Error handling - Returning a misleading status code - Reachable assertion - Information exposure through error reporting - Exception handling - In the catch block. And now what? - Catching NullPointerException - Empty catch block DAY 3 Cryptography for developers - Cryptography basics - Java Cryptographic Architecture (JCA) in brief - Elementary algorithms - Random number generation - Pseudo random number generators (PRNGs) - Cryptographically strong PRNGs - Using virtual random streams - Weak and strong PRNGs in Java - Using random numbers in Java - Case study – Equifax credit account freeze - Lab – Random numbers in Java - Hashing - Hashing basics - Common hashing mistakes - Hashing in Java - Lab – Hashing in JCA - Confidentiality protection - Symmetric encryption - Block ciphers - Modes of operation - Modes of operation and IV – best practices - Symmetric encryption in Java - Lab – Symmetric encryption in JCA - Asymmetric encryption - The RSA algorithm - Using RSA – best practices - RSA in Java - Lab – Using RSA in JCA - Elliptic Curve Cryptography - The ECC algorithm - Using ECC – best practices - ECC in Java - Lab – Using ECC in JCA - Combining symmetric and asymmetric algorithms - Integrity protection - Message Authentication Code (MAC) - Calculating MAC in Java - Lab – Using MAC in JCA - Digital signature - Digital signature with RSA - Digital signature with ECC - Digital signature in Java - Lab – Digital signature in JCA - Public Key Infrastructure (PKI) - Some further key management challenges - Certificates - Chain of trust - Certificate management – best practices Common software security weaknesses - Code quality - Data handling - Initialization and cleanup - Constructors and destructors - Class initialization cycles - Lab – Initialization cycles - Unreleased resource - The finalize() method – best practices - Object oriented programming pitfalls - Accessibility modifiers - Are accessibility modifiers a security feature? - Accessibility modifiers – best practices - Overriding and accessibility modifiers - Inheritance and overriding - Mutability - Lab – Mutable object - Cloning Using vulnerable components - Assessing the environment - Hardening - Vulnerability management - Patch management - Vulnerability databases - Lab – Finding vulnerabilities in third-party components Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schröder - And now what? - Software security sources and further reading - Java resources3 days2250.002250.002250.002250.002250.002250.002250.002250.002250.002250.002250.00