Cloud application security in Java for AWS

Cloud application security in Java for AWS CASEC-JAWSCYCydrillCY-CASEC-JAWS1<ul> <li>Understand cloud security specialties</li><li>Getting familiar with essential cyber security concepts</li><li>Understanding how cryptography supports security</li><li>Learning how to use cryptographic APIs correctly in Java</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of Java</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>Learn to deal with cloud infrastructure security</li><li>Input validation approaches and principles</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in Java</li></ul><p>General Java and Web development</p><p>Java developers working on Web applications and AWS</p><h4>Day 1</h4><ul> <li><strong>Cyber security basics</strong><ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Cyber security threat types – the STRIDE model</li><li>Consequences of insecure software</li></ul></li><li><strong>Cloud security basics</strong><ul> <li>Cloud infrastructure basics</li><li>The Cloud Cube Model and Zero Trust Architecture</li></ul></li><li><strong>The OWASP Top Ten 2021</strong><ul> <li>The OWASP Top 10 2021</li><li>A01 - Broken Access Control<ul> <li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy</li><li>File upload</li><li>Open redirects and forwards</li><li>Cross-site Request Forgery (CSRF)</li></ul></li><li>A02 - Cryptographic Failures<ul> <li>Information exposure</li><li>Cryptography for developers</li></ul></li></ul> <h4>Day 2</h4><ul> <li><strong>A02 - Cryptographic Failures (continued)</strong><ul> <li>Cryptography for developers</li><li>Transport security</li></ul></li><li><strong>A03 - Injection</strong><ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection</li><li>NoSQL injection</li><li>Parameter manipulation</li><li>Code injection</li><li>HTML injection - Cross-site scripting (XSS)</li></ul></li></ul> <h4>Day 3</h4><ul> <li><strong>A04 - Insecure Design</strong><ul> <li>The STRIDE model of threats</li><li>Secure design principles of Saltzer and Schroeder</li><li>Client-side security</li></ul></li><li><strong>A05 - Security Misconfiguration</strong><ul> <li>Configuration principles</li><li>Server misconfiguration</li><li>AWS configuration best practices</li><li>Cookie security</li><li>XML entities</li></ul></li><li><strong>A06 - Vulnerable and Outdated Components</strong><ul> <li>Using vulnerable components</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Vulnerability management</li></ul></li><li><strong>A07 - Identification and Authentication Failures</strong><ul> <li>Authentication</li><li>Session management</li><li>Identity and access management (IAM)</li></ul></li></ul> <h4>Day 4</h4><ul> <li><strong>A07 - Identification and Authentication Failures (continued)</strong><ul> <li>Password management</li></ul></li><li><strong>A08 - Software and Data Integrity Failures</strong><ul> <li>Integrity protection</li><li>Subresource integrity</li><li>Insecure deserialization</li></ul></li><li><strong>A09 - Security Logging and Monitoring Failures</strong><ul> <li>Logging and monitoring principles</li><li>Log forging</li><li>Log forging – best practices</li><li>Case study – Log interpolation in log4j</li><li>Case study – The Log4Shell vulnerability (CVE-2021-44228)</li><li>Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)</li><li>Lab – Log4Shell</li><li>Logging best practices</li><li>Detection and monitoring</li></ul></li><li><strong>A10 - Server-side Request Forgery (SSRF) </strong><ul> <li>Server-side Request Forgery (SSRF)</li><li>Case study – SSRF and the Capital One breach</li></ul></li></ul> <h4>Cloud security</h4> <strong>AWS security</strong><ul> <li>Security considerations</li><li>Data security in the cloud</li></ul> <h4>Day 5</h4> <strong>Cloud security</strong><ul> <li><strong>Container security</strong><ul> <li>Container security concerns</li><li>Containerization, virtualization and security</li><li>The attack surface</li><li>Docker security</li><li>Kubernetes security</li></ul></li></ul></li></ul><h4>The OWASP Top Ten 2021</h4><p> <strong>Web application security beyond the Top Ten</strong></p> <ul> <li>Code quality</li><li>Denial of service</li></ul><h4>Input validation</h4><ul> <li>Input validation principles</li><li>Denylists and allowlists</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li><li>Validation with regex</li><li><strong>Integer handling problems</strong><ul> <li>Representing signed numbers</li><li>Integer visualization</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion in Java</li><li>Case study – The Stockholm Stock Exchange</li><li>Integer truncation</li><li>Best practices</li></ul></li><li><strong>Files and streams</strong><ul> <li>Path traversal</li><li>Lab – Path traversal</li><li>Path traversal-related examples</li><li>Additional challenges in Windows</li><li>Virtual resources</li><li>Path traversal best practices</li><li>Lab – Path canonicalization</li></ul></li><li><strong>Unsafe reflection</strong><ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li><li><strong>Unsafe native code</strong><ul> <li>Native code dependence</li><li>Lab – Unsafe native code</li><li>Best practices for dealing with native code</li></ul></li></ul><h4>Wrap up</h4><ul> <li>Secure coding principles</li><li>And now what?</li></ul>- Understand cloud security specialties - Getting familiar with essential cyber security concepts - Understanding how cryptography supports security - Learning how to use cryptographic APIs correctly in Java - Understanding Web application security issues - Detailed analysis of the OWASP Top Ten elements - Putting Web application security in the context of Java - Going beyond the low hanging fruits - Managing vulnerabilities in third party components - Learn to deal with cloud infrastructure security - Input validation approaches and principles - Identify vulnerabilities and their consequences - Learn the security best practices in JavaGeneral Java and Web developmentJava developers working on Web applications and AWSDay 1 - Cyber security basics - What is security? - Threat and risk - Cyber security threat types – the CIA triad - Cyber security threat types – the STRIDE model - Consequences of insecure software - Cloud security basics - Cloud infrastructure basics - The Cloud Cube Model and Zero Trust Architecture - The OWASP Top Ten 2021 - The OWASP Top 10 2021 - A01 - Broken Access Control - Access control basics - Failure to restrict URL access - Confused deputy - File upload - Open redirects and forwards - Cross-site Request Forgery (CSRF) - A02 - Cryptographic Failures - Information exposure - Cryptography for developers Day 2 - A02 - Cryptographic Failures (continued) - Cryptography for developers - Transport security - A03 - Injection - Injection principles - Injection attacks - SQL injection - NoSQL injection - Parameter manipulation - Code injection - HTML injection - Cross-site scripting (XSS) Day 3 - A04 - Insecure Design - The STRIDE model of threats - Secure design principles of Saltzer and Schroeder - Client-side security - A05 - Security Misconfiguration - Configuration principles - Server misconfiguration - AWS configuration best practices - Cookie security - XML entities - A06 - Vulnerable and Outdated Components - Using vulnerable components - Assessing the environment - Hardening - Untrusted functionality import - Vulnerability management - A07 - Identification and Authentication Failures - Authentication - Session management - Identity and access management (IAM) Day 4 - A07 - Identification and Authentication Failures (continued) - Password management - A08 - Software and Data Integrity Failures - Integrity protection - Subresource integrity - Insecure deserialization - A09 - Security Logging and Monitoring Failures - Logging and monitoring principles - Log forging - Log forging – best practices - Case study – Log interpolation in log4j - Case study – The Log4Shell vulnerability (CVE-2021-44228) - Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105) - Lab – Log4Shell - Logging best practices - Detection and monitoring - A10 - Server-side Request Forgery (SSRF) - Server-side Request Forgery (SSRF) - Case study – SSRF and the Capital One breach Cloud security AWS security - Security considerations - Data security in the cloud Day 5 Cloud security - Container security - Container security concerns - Containerization, virtualization and security - The attack surface - Docker security - Kubernetes security The OWASP Top Ten 2021 Web application security beyond the Top Ten - Code quality - Denial of service Input validation - Input validation principles - Denylists and allowlists - What to validate – the attack surface - Where to validate – defense in depth - When to validate – validation vs transformations - Validation with regex - Integer handling problems - Representing signed numbers - Integer visualization - Integer overflow - Lab – Integer overflow - Signed / unsigned confusion in Java - Case study – The Stockholm Stock Exchange - Integer truncation - Best practices - Files and streams - Path traversal - Lab – Path traversal - Path traversal-related examples - Additional challenges in Windows - Virtual resources - Path traversal best practices - Lab – Path canonicalization - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection - Unsafe native code - Native code dependence - Lab – Unsafe native code - Best practices for dealing with native code Wrap up - Secure coding principles - And now what?5 Tage3750.003750.003750.003750.003750.003750.003750.003750.00