Call : (+91) 968636 4243
Mail : info@EncartaLabs.com
EncartaLabs

Desktop Application Security in Java

( Duration: 3 Days )

Your application written in Java works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -231? Because that’s what the bad guys will do - and the list is far from complete.

This Desktop Application Security in Java training course addresses security pitfalls of the Java language and framework.

By attending Desktop Application Security in Java workshop, delegates will learn to:

  • Getting familiar with essential cyber security concepts
  • Identify vulnerabilities and their consequences
  • Security best practices in Java
  • Input validation approaches and principles
  • Understanding how cryptography can support appplication security
  • Use cryptographic APIs correctly in Java
  • Managing vulnerabilities in third party components

  • Java Programming Experience

The Desktop Application Security in Java class is ideal for:

  • Java developers working on desktop applications

COURSE AGENDA

1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types
  • Consequences of insecure software
    • Constraints and the market
    • The dark side
  • Categorization of bugs
    • The Seven Pernicious Kingdoms
    • Common Weakness Enumeration (CWE)
    • CWE Top 25 Most Dangerous Software Errors
    • SEI CERT Secure Coding Guidelines
2

Input validation

  • Input validation principles
    • Blacklists and whitelists
    • Data validation techniques
    • What to validate - the attack surface
    • Where to validate - defense in depth
    • How to validate - validation vs transformations
    • Output sanitization
    • Encoding challenges
    • Validation with regex
  • Injection
    • Injection principles
    • Injection attacks
    • Code injection
      • OS command injection
      • Using Runtime.exec()
      • Using ProcessBuilder
      • Script injection
  • Integer handling problems
    • Representing signed numbers
    • Integer visualization
    • Integer overflow
    • Signed / unsigned confusion in Java
    • Integer truncation
      • Upcasting
      • Precondition testing
      • Postcondition testing
      • Using big integer libraries
      • Integer handling in Java
    • Files and streams
      • Path traversal
      • Path traversal-related examples
      • Additional challenges in Windows
    • Unsafe reflection
      • Reflection without validation
    • Unsafe native code
      • Native code dependence
3

Security features

  • Authentication
    • Authentication basics
    • Multi-factor authentication
    • Authentication weaknesses - spoofing
    • Password management
      • Inbound password management
      • Storing account passwords
      • Password in transit
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • Password policy
      • NIST authenticator requirements for memorized secrets
      • Password length
      • Password hardening
      • Using passphrases
      • The dictionary attack
      • The ultimate crack
      • Exploitation and the lessons learned
      • Password database migration
      • Outbound password management
      • Hard coded passwords
      • Protecting sensitive information in memory
      • Challenges in protecting memory
      • Storing sensitive data in memory
  • Authorization
    • Access control basics
  • Information exposure
    • Exposure through extracted data and aggregation
    • System information leakage
      • Leaking system information
  • Java platform security
    • The Java programming language and runtime environment
    • Type safety and security
    • Security features of the JRE
      • The ClassLoader and the BytecodeVerifier
    • Application-level access control in Java
      • Permissions and the Security Manager
    • Role-based access control
      • Java Authentication and Authorization Services (JAAS)
    • Protecting Java code and applications
      • Code signing
  • UI security
    • UI security principles
    • Sensitive information in the user interface
    • Misinterpretation of UI features or actions
    • Insufficient UI feedback
    • Relying on hidden or disabled UI element
    • Insufficient anti-automation
4

Time and state

  • Race conditions
    • Race condition in object data members
      • Singleton member fields
    • File race condition
      • Time of check to time of usage - TOCTTOU
      • Insecure temporary file
    • Database race conditions
    • Avoiding race conditions in Java
5

Errors

  • Error and exception handling principles
  • Error handling
    • Returning a misleading status code
    • Reachable assertion
    • Information exposure through error reporting
  • Exception handling
    • In the catch block. And now what?
    • Catching NullPointerException
    • Empty catch block
6

Cryptography for developers

  • Cryptography basics
  • Java Cryptographic Architecture (JCA) in brief
  • Elementary algorithms
    • Random number generation
      • Pseudo random number generators (PRNGs)
      • Cryptographically strong PRNGs
      • Using virtual random streams
      • Weak and strong PRNGs in Java
      • Using random numbers in Java
    • Hashing
      • Hashing basics
      • Common hashing mistakes
      • Hashing in Java
  • Confidentiality protection
    • Symmetric encryption
      • Block ciphers
      • Modes of operation
      • Symmetric encryption in Java
      • Asymmetric encryption
      • The RSA algorithm
      • RSA in Java
      • Elliptic Curve Cryptography
      • The ECC algorithm
      • ECC in Java
      • Combining symmetric and asymmetric algorithms
  • Integrity protection
    • Message Authentication Code (MAC)
      • Calculating MAC in Java
    • Digital signature
      • Digital signature with RSA
      • Digital signature with ECC
      • Digital signature in Java
  • Public Key Infrastructure (PKI)
    • Some further key management challenges
    • Certificates
      • Chain of trust
7

Common software security weaknesses

  • Code quality
    • Data handling
      • Initialization and cleanup
      • Constructors and destructors
      • Class initialization cycles
      • Unreleased resource
    • Object oriented programming pitfalls
      • Accessibility modifiers
      • Are accessibility modifiers a security feature?
      • Overriding and accessibility modifiers
      • Inheritance and overriding
      • Mutability
      • Cloning
8

Using vulnerable components

  • Assessing the environment
  • Hardening
  • Vulnerability management
    • Patch management
    • Vulnerability databases
9

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
    • Secure design principles of Saltzer and Schröder
  • And now what?
    • Software security sources and further reading
    • Java resources

Encarta Labs Advantage

  • One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
  • All courses are delivered by Industry Veterans
  • Get jumpstarted from newbie to production ready in a matter of few days
  • Trained more than 50,000 Corporate executives across the Globe
  • All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.

Top
Notice
X