Security Testing Java Applications

Security Testing Java ApplicationsSECT-JWACYCydrillCY-SECT-JWA1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of Java</li><li>Going beyond the low hanging fruits</li><li>Understanding security testing methodology and approaches</li><li>Getting familiar with common security testing techniques and tools</li><li>Managing vulnerabilities in third party components</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in Java</li><li>Input validation approaches and principles</li></ul>General Java and Web development, testing and QAJava developers and testers working on Web applications<ul> <li>Cyber security basics</li><li>The OWASP Top Ten</li><li>Security testing</li><li>Common software security weaknesses</li><li>Wrap up</li></ul>DAY 1 Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software</li></ul>The OWASP Top Ten <ul> <li>OWASP Top 10 – 2017</li><li>A1 – Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection <ul> <li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>SQL injection best practices <ul> <li>Input validation</li><li>Parameterized queries</li><li>Additional considerations</li><li>Lab – Using prepared statements</li><li>Case study – Hacking Fortnite accounts</li><li>Testing for SQL injection</li></ul></li><li>Code injection <ul> <li>OS command injection <ul> <li>OS command injection best practices</li><li>Using Runtime.exec()</li><li>Using ProcessBuilder</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li><li>Case study – Command injection via ping</li><li>Testing for command injection</li></ul></li><li>Script injection</li></ul></li><li>General protection best practices</li></ul></li><li>A2 – Broken Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication</li><li>Authentication weaknesses – spoofing</li><li>Spoofing on the Web</li><li>Testing for weak authentication</li><li>Case study – PayPal 2FA bypass</li><li>Password management <ul> <li>Inbound password management <ul> <li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy <ul> <li>NIST authenticator requirements for memorized secrets</li></ul></li><li>Case study – The Ashley Madison data breach <ul> <li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li></ul></li><li>Password database migration <ul> <li>(Mis)handling null passwords</li><li>Testing for password management issues</li></ul></li></ul></li></ul></li></ul></li></ul>DAY 2 Security testing <ul> <li>Security testing vs functional testing</li><li>Manual and automated methods</li><li>Security testing methodology <ul> <li>Security testing – goals and methodologies</li><li>Overview of security testing processes</li><li>Identifying and rating assets <ul> <li>Preparation</li><li>Identifying assets</li><li>Identifying the attack surface</li><li>Assigning security requirements</li><li>Lab – Identifying and rating assets</li></ul></li><li>Threat modeling <ul> <li>SDL threat modeling</li><li>Mapping STRIDE to DFD</li><li>DFD example</li><li>Attack trees</li><li>Attack tree example</li><li>Lab – Crafting an attack tree</li><li>Misuse cases</li><li>Misuse case examples</li><li>Risk analysis</li><li>Lab – Risk analysis</li></ul></li><li>Security testing approaches <ul> <li>Reporting, recommendations, and review</li></ul></li></ul></li></ul>The OWASP Top Ten <ul> <li>A3 – Sensitive Data Exposure <ul> <li>Information exposure</li><li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li></ul></li><li>A4 – XML External Entities (XXE) <ul> <li>DTD and the entities</li><li>Entity expansion</li><li>External Entity Attack (XXE) <ul> <li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Preventing XXE</li><li>Lab – Prohibiting DTD expansion</li></ul></li></ul></li><li>A5 – Broken Access Control <ul> <li>Access control basics</li><li>Failure to restrict URL access</li><li>Testing for authorization issues</li><li>Confused deputy <ul> <li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Authorization bypass on Facebook</li><li>Lab – Horizontal authorization</li><li>Testing for confused deputy weaknesses</li></ul></li><li>File upload <ul> <li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li><li>Testing for file upload vulnerabilities</li></ul></li></ul></li><li>A6 – Security Misconfiguration <ul> <li>Configuration principles</li><li>Configuration management</li><li>Java related components – best practices <ul> <li>Testing for misconfiguration issues</li></ul></li></ul></li><li>A7 – Cross-site Scripting (XSS) <ul> <li>Cross-site scripting basics</li><li>Cross-site scripting types <ul> <li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li></ul></li><li>XSS protection best practices <ul> <li>Protection principles – escaping</li><li>XSS protection APIs in Java</li><li>XSS protection in JSP</li><li>Lab – XSS fix / stored</li><li>Lab – XSS fix / reflected</li><li>Additional protection layers</li><li>Client-side protection principles</li><li>Testing for XSS</li></ul></li></ul></li></ul>DAY 3 The OWASP Top Ten <ul> <li>A8 – Insecure Deserialization <ul> <li>Serialization and deserialization challenges</li><li>Deserializing untrusted streams</li><li>Deserialization best practices</li><li>Using ReadObject</li><li>Sealed objects</li><li>Look ahead deserialization</li><li>Testing for insecure deserialization</li><li>Property Oriented Programming (POP) <ul> <li>Creating payload</li><li>POP best practices</li><li>Lab – Creating a POP payload</li><li>Lab – Using the POP payload</li></ul></li></ul></li><li>A9 – Using Components with Known Vulnerabilities <ul> <li>Using vulnerable components</li><li>Untrusted functionality import</li><li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li><li>Vulnerability management <ul> <li>Patch management</li><li>Vulnerability databases</li><li>Lab – Finding vulnerabilities in third-party components</li><li>DevOps, the build process and CI / CD</li><li>Dependency checking in Java</li><li>Lab – Detecting vulnerable components</li></ul></li></ul></li><li>A10 – Insufficient Logging & Monitoring <ul> <li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Plaintext passwords at Facebook</li><li>Logging best practices</li><li>OWASP security logging library for Java</li></ul></li><li>Web application security beyond the Top Ten <ul> <li>Client-side security</li><li>Tabnabbing</li><li>Lab – Reverse tabnabbing</li><li>Frame sandboxing <ul> <li>Cross-Frame Scripting (XFS) attack</li><li>Lab – Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking</li></ul></li></ul></li></ul>Security testing <ul> <li>Security testing techniques and tools <ul> <li>Code analysis <ul> <li>Security aspects of code review</li><li>Static Application Security Testing (SAST)</li><li>Lab – Using static analysis tools</li></ul></li><li>Dynamic analysis <ul> <li>Security testing at runtime</li><li>Penetration testing</li><li>Stress testing</li><li>Dynamic analysis tools <ul> <li>Dynamic Application Security Testing (DAST)</li><li>Web vulnerability scanners</li><li>Lab – Using web vulnerability scanners</li><li>SQL injection tools</li><li>Proxy servers</li></ul></li><li>Fuzzing</li></ul></li></ul></li></ul>Common software security weaknesses <ul> <li>Input validation <ul> <li>Input validation principles <ul> <li>Blacklists and whitelists</li><li>Data validation techniques</li><li>Lab – Input validation</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>How to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Lab – Encoding challenges</li><li>Validation with regex</li></ul></li><li>Unsafe reflection <ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li></ul></li></ul>Wrap up <ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schröder</li></ul></li><li>And now what? <ul> <li>Software security sources and further reading</li><li>Java resources</li><li>Security testing resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts - Understanding Web application security issues - Detailed analysis of the OWASP Top Ten elements - Putting Web application security in the context of Java - Going beyond the low hanging fruits - Understanding security testing methodology and approaches - Getting familiar with common security testing techniques and tools - Managing vulnerabilities in third party components - Identify vulnerabilities and their consequences - Learn the security best practices in Java - Input validation approaches and principlesGeneral Java and Web development, testing and QAJava developers and testers working on Web applications- Cyber security basics - The OWASP Top Ten - Security testing - Common software security weaknesses - Wrap upDAY 1 Cyber security basics - What is security? - Threat and risk - Cyber security threat types - Consequences of insecure software The OWASP Top Ten - OWASP Top 10 – 2017 - A1 – Injection - Injection principles - Injection attacks - SQL injection - SQL injection basics - Lab – SQL injection - Attack techniques - Content-based blind SQL injection - Time-based blind SQL injection - SQL injection best practices - Input validation - Parameterized queries - Additional considerations - Lab – Using prepared statements - Case study – Hacking Fortnite accounts - Testing for SQL injection - Code injection - OS command injection - OS command injection best practices - Using Runtime.exec() - Using ProcessBuilder - Case study – Shellshock - Lab – Shellshock - Case study – Command injection via ping - Testing for command injection - Script injection - General protection best practices - A2 – Broken Authentication - Authentication basics - Multi-factor authentication - Authentication weaknesses – spoofing - Spoofing on the Web - Testing for weak authentication - Case study – PayPal 2FA bypass - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Password policy - NIST authenticator requirements for memorized secrets - Case study – The Ashley Madison data breach - The dictionary attack - The ultimate crack - Exploitation and the lessons learned - Password database migration - (Mis)handling null passwords - Testing for password management issues DAY 2 Security testing - Security testing vs functional testing - Manual and automated methods - Security testing methodology - Security testing – goals and methodologies - Overview of security testing processes - Identifying and rating assets - Preparation - Identifying assets - Identifying the attack surface - Assigning security requirements - Lab – Identifying and rating assets - Threat modeling - SDL threat modeling - Mapping STRIDE to DFD - DFD example - Attack trees - Attack tree example - Lab – Crafting an attack tree - Misuse cases - Misuse case examples - Risk analysis - Lab – Risk analysis - Security testing approaches - Reporting, recommendations, and review The OWASP Top Ten - A3 – Sensitive Data Exposure - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - A4 – XML External Entities (XXE) - DTD and the entities - Entity expansion - External Entity Attack (XXE) - File inclusion with external entities - Server-Side Request Forgery with external entities - Lab – External entity attack - Case study – XXE vulnerability in SAP Store - Preventing XXE - Lab – Prohibiting DTD expansion - A5 – Broken Access Control - Access control basics - Failure to restrict URL access - Testing for authorization issues - Confused deputy - Insecure direct object reference (IDOR) - Lab – Insecure Direct Object Reference - Authorization bypass through user-controlled keys - Case study – Authorization bypass on Facebook - Lab – Horizontal authorization - Testing for confused deputy weaknesses - File upload - Unrestricted file upload - Good practices - Lab – Unrestricted file upload - Testing for file upload vulnerabilities - A6 – Security Misconfiguration - Configuration principles - Configuration management - Java related components – best practices - Testing for misconfiguration issues - A7 – Cross-site Scripting (XSS) - Cross-site scripting basics - Cross-site scripting types - Persistent cross-site scripting - Reflected cross-site scripting - Client-side (DOM-based) cross-site scripting - Lab – Stored XSS - Lab – Reflected XSS - Case study – XSS in Fortnite accounts - XSS protection best practices - Protection principles – escaping - XSS protection APIs in Java - XSS protection in JSP - Lab – XSS fix / stored - Lab – XSS fix / reflected - Additional protection layers - Client-side protection principles - Testing for XSS DAY 3 The OWASP Top Ten - A8 – Insecure Deserialization - Serialization and deserialization challenges - Deserializing untrusted streams - Deserialization best practices - Using ReadObject - Sealed objects - Look ahead deserialization - Testing for insecure deserialization - Property Oriented Programming (POP) - Creating payload - POP best practices - Lab – Creating a POP payload - Lab – Using the POP payload - A9 – Using Components with Known Vulnerabilities - Using vulnerable components - Untrusted functionality import - Importing JavaScript - Lab – Importing JavaScript - Case study – The British Airways data breach - Vulnerability management - Patch management - Vulnerability databases - Lab – Finding vulnerabilities in third-party components - DevOps, the build process and CI / CD - Dependency checking in Java - Lab – Detecting vulnerable components - A10 – Insufficient Logging & Monitoring - Logging and monitoring principles - Insufficient logging - Plaintext passwords at Facebook - Logging best practices - OWASP security logging library for Java - Web application security beyond the Top Ten - Client-side security - Tabnabbing - Lab – Reverse tabnabbing - Frame sandboxing - Cross-Frame Scripting (XFS) attack - Lab – Clickjacking - Clickjacking beyond hijacking a click - Clickjacking protection best practices - Lab – Using CSP to prevent clickjacking Security testing - Security testing techniques and tools - Code analysis - Security aspects of code review - Static Application Security Testing (SAST) - Lab – Using static analysis tools - Dynamic analysis - Security testing at runtime - Penetration testing - Stress testing - Dynamic analysis tools - Dynamic Application Security Testing (DAST) - Web vulnerability scanners - Lab – Using web vulnerability scanners - SQL injection tools - Proxy servers - Fuzzing Common software security weaknesses - Input validation - Input validation principles - Blacklists and whitelists - Data validation techniques - Lab – Input validation - What to validate – the attack surface - Where to validate – defense in depth - How to validate – validation vs transformations - Output sanitization - Encoding challenges - Lab – Encoding challenges - Validation with regex - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schröder - And now what? - Software security sources and further reading - Java resources - Security testing resources3 jours2250.002250.002250.002250.002250.002250.002250.002250.002250.002250.002250.00