SC_05: Secure Java/JEE
Length of Class: 3 days
Audience: Java Developers, Application Architects
Objective

This course aims to teach developers and architects how to create secure applications in Java/JEE.

Summary

Secure Java/JEE is designed to teach Java enterprise architects and developers alike how to create secure distributed applications by walking through actual code examples. The course covers major security principles, programming vulnerabilities, and Java-specific security issues.

Description

For many years, information security has focused its effort on securing the network from attackers. The current situation is that the vast majority of attacks now occur at the application layer, many passing over port 80 as legitimate HTTP data.

Information security and development experts have recently started to realize that developers are pivotal to ensuring the creation of secure applications. Security needs to be built into applications, not tacked on afterwards. To this end, developers need to be trained in how to create secure software.

While there are several security awareness courses for developers, many are simply ignored by students. Security Compass has some of the most effective hands-on application security training classes available; we consistently receive extremely positive feedback from developers about the real-world value of our classes. Our secure coding classes represent years of classroom teaching and curriculum refinement.

The Secure Java/JEE class focuses on teaching developers how to create secure applications in the Java 2 Enterprise Edition platform. While the specific examples and libraries are Java/JEE focused, developers learn concepts that they easily apply in other platforms.

Students start by reviewing infrastructure basics. Our classroom experience shows us that many developers benefit from a review of topics such as TCP/IP, HTTP, etc. This section also serves to build the appropriate background necessary for the remaining sections in the class.

The next section explores principles in information security. These principles are referenced consistently throughout the rest of the class and serve as a background to a continuing education and awareness in application security.

For the remainder of the class, students learn about the major domains of application security: authentication, authorization & access control, session management, cryptography, logging/monitoring & error handling, input validation, and XML & web services. Each section includes unique hands-on training with actual Java/JEE code examples. Students see first-hand the simplicity of an attack and how defensive coding and application configuration can mitigate the risk of that attack. Each section includes a quiz so that students have a chance to review the material and clarify any misunderstandings.

Requisite Knowledge: Basic Java / JEE programming

Curriculum

Part 1: Infrastructure Basics
  • TCP/IP
  • HTTP
  • Web client / server components
  • HTTP methods / HTTP response codes
  • SSL / TLS
Part 2: Application Architecture & Security Principles in Relation to Java/JEE
  • Application components
  • Application architecture
  • Principles of security (The Good)
  • Principles of security (The Bad)
  • Secure SDLC
  • Data classification & Other security concepts
Part 3: Authentication
  • Overview
  • Attacking authentication
  • Realms, users, groups, and roles
  • JAAS authentication
Part 4: Authorization
  • Overview
  • Access control: page, functional and data levels
  • JEE authorization
Part 5: Session Management
  • What is session management
  • Attacking session management
  • Container managed sessions
  • Other session management development issues
Part 6: Cryptography
  • When to use cryptography
  • Java cryptographic architecture
  • Java cryptographic extensions
  • Java secure socket extensions
Part 7: Logging & Monitoring and Error Handling
  • Secure logging & monitoring
  • Secure error handling
Part 8: Input Validation
  • Input validation attacks (Parameter / SQL / XSS)
  • Apache Struts and input validation
  • Spring and Hibernate Frameworks
Part 9: XML & Web Services
  • Overview of XML (Parsers & validators)
  • Attacking XML parsers
  • Attacking XML validators
  • SOAP protocol
  • Web services security standards