Java Full Training description

Toreon proposes a 3-day, trainer-led, on-site Java Secure Coding course. Following a successful exam at the end of the course, each student will receive a certificate for successful completion of the course. Our partner AppSec Labs provides the training material and online lab environment; Toreon provides experienced trainers to teach this course.

All our trainings are content-rich, action-packed and interactive, cover live demos and are kept up to date with the latest technological evolutions. The attendees will get access to an individual online lab environment to perform hands-on exercises tailored to the training topics. The students will receive all content as part of an online Learning Management System (LMS), including all training handouts (in English), the lab and exercise instructions and all lab solutions.

Java Secure Coding

Secure programming is the best defense against hackers. This multilayered hands-on course will demonstrate live, real-time hacking methods, analyze the code deficiency that enabled the attack and, most importantly, teach how to prevent such vulnerabilities by adopting secure coding best practices in order to bullet-proof your J2EE application. The methodology of the Cycle of Knowledge is as follows: Understand, Identify, Prevent. This methodology gives the student analytical tools to build a deeper understanding of coding vulnerabilities and to implement security countermeasures in different areas of the software development lifecycle. The hands-on labs will give the student first-hand experience of the attacker's world and of what can be done to stop them. Using the sound programming techniques and best practices shown in this course, you will be able to produce high-quality code that stands up to attack. The course covers major security principles in the Java framework, programming vulnerabilities, and specific security issues in J2EE web applications and JNLP applications.
Target audience and prerequisites

This course is aimed at Java developers of J2EE-based applications, designers and architects. Before attending this course, students should be familiar with:
o Basic knowledge of the Java framework
o Apache/Tomcat, databases (MySQL/Oracle) and the SQL language
The students should bring their own laptop. A stable Internet connection to the online training environment is a prerequisite.
3-day course topics

Day 1

Introduction to application security
• Why do web application risks occur?
• How is application security different from network security?
• Web application exploits and vulnerabilities
• Webserver and application vulnerability detection
• Secure coding
• OWASP Top 10
• Live hacking examples

Authentication
• What is authentication
• Storing passwords securely
• Hashing
• Brute force
• Dictionary attack
• Anti-automation
• CAPTCHA
• Account lockout
• User enumeration
• Basic and Digest authentication
• Windows integration
• Form-based authentication

Authorization
• Client-side authorization
• Forceful browsing
• UI-based security
• Parameter tampering
• Insecure direct object reference
• File authorization
• URL authorization
• ACL (Access Control List)
• RBAC (Role-based ACL)

Input Validation
• OS command injection
• SQL injection
• Prepared statements
• Secure data conversion
• Stored procedures
• XPath injection
• LDAP injection
• Data type conversion
• Black list
• White list
• Regular expressions
Day 2

Output Encoding
• Reflected / Stored Cross-site scripting
• XSS threats
• Encoding types
• ESAPI library
• XSS prevention cheat sheet

Browser Manipulation
• Cross-Site Request Forgery (CSRF)
• Anti-CSRF token
• Open redirect
• Clickjacking
• Autocomplete
• Browser cache
• Session management
• Cookie properties
• Session fixation

File Handling
• Directory traversal
• Canonicalization
• File extension handling
• Filename threats
• Directory listing

Day 3

Data Confidentiality & Integrity
• Homemade algorithms
• Insecure communication
• Secure traffic enforcement
• Insecure storage
• Symmetric encryption
• Asymmetric encryption
• Java Cryptography Architecture (JCA)
• Hash functions
• Digital signatures

Error Handling
• Information disclosure
• Exceptions and stack traces
• Default error pages

Security Logging
• Logging technologies
• Events you should log
• Events you should not log
• Log analysis

HTML5
• Client-side storage
• Browser SQL storage
• Offline web applications
• Storage threats
• Cross-origin resource sharing
Student package

The course students receive the following package as part of the course:
• Student kit:
o Access to the course book (PDF)
o Access to the labs and 8 hours of hands-on labs per student per training day
o Following the completion of the lab session, the trainer will enable students to view and review the lab solutions
• Access to the final exam: when enabled by the trainer, the student may access his or her exam
• Access to the feedback form: when enabled by the trainer, the student may access the feedback form and share his or her thoughts about the training
• Certificate: following a successful exam (passing grade defined at 70%), the student will receive a certificate for successful completion of the course.

Labs and Virtual Machines

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge and the real world. In order to minimize that gap, AppSec Labs has developed a unique cloud-based lab environment for our students to practice what we have preached and come into full, hands-on contact with the issues they have studied. Using this methodology for the hands-on training, we provide our students with a robust training experience and the tools to incorporate best practices in their daily work. Each student will get access to a personal Virtual Machine which comes fully prepared, so that the student only needs to connect (via the AppSec Labs Training Center) and start working on the lab assignments by performing security tests or writing real code. The virtual machines are an integral part of the training and, as mentioned above, each registered student will receive access to a personal machine.