SANS Essential Secure Coding Java JEE GSSP


SANS: Essential Secure Coding in Java / JEE: DEV530 (Aligned with GSSP Certification)

Course: Essential Secure Coding in Java / JEE
Course ID: SB2DSCJ / SANS Course ID: DEV530
Instructor: SANS Instructor
CPE Credits: 12 CPEs
Duration: 2 Days
Date: November 19th - 20th, 2009 (9 AM – 6 PM)

Learn about the DEV530 course at SANS

Who should attend?
• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Class Prerequisite:
• Students should have at least one year's experience working with the JEE framework and a thorough knowledge of the Java language and web technology.

Class Requirement:
• Laptop with administrative-level access
• 5 GB available hard drive space
• 1 GB RAM or higher
• DVD drive (minimum 12x recommended)
• x86-compatible CPU, 2 GHz minimum

You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system prior to coming to class:
• VMware Player 2.0 or later
• VMware Workstation 6.0 or later
• VMware Fusion for Mac OS X

VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.

Java Documentation
Students are advised to download the Java SE 6 and Java EE 5 Javadoc documentation for use as reference material during the in-class exercises, since the Javadoc license prohibits redistribution on the course media. The documentation can be found at
You will receive a DVD containing a Linux VMware image that contains all the course exercises.

Course Description:

This course covers the essential Java/JEE security topics that are relevant to a large number of web application developers. It is not a high-level theory course; it is about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need to improve the security of your Java applications.
Rather than teaching students to use a set of tools, the course teaches the concepts of secure programming: looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw. The course is full of hands-on exercises in which you apply practical techniques for preventing common attacks.
Topics Covered:
• Web Application Attacks
• Web Application Proxy
• Validation Concerns
• Validation Techniques
• Authentication
• Session Management
• Servlet Access Control
• Encryption
  1. Encryption of data in transit with JSSE
  2. Encryption of data at rest with JCA
• String Immutability
• Integer and Double Overflows
• Numeric Data Issues
• Race Conditions
• Collections
• Singletons