Desktop Application Security in Java Course
24h
Overview
Your Java application works as expected, so you are done, right? But have you considered feeding it incorrect values? 16 GB of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that is what the bad guys will do, and the list is far from complete.
This Desktop Application Security in Java course covers the security pitfalls of the Java language and framework.
Objective
After completing this Desktop Application Security in Java course, you will be able to:
- Understand essential cyber security concepts
- Identify vulnerabilities and their consequences
- Apply security best practices in Java
- Apply input validation approaches and principles
- Understand how cryptography can support application security
- Use cryptographic APIs correctly in Java
- Manage vulnerabilities in third-party components
Target Audience
- Java developers working on desktop applications
Prerequisites
- Java programming experience
Materials
English/Portuguese/Hands-on Lab
Course Content
Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types
- Consequences of insecure software
- Constraints and the market
- The dark side
- Categorization of bugs
- The Seven Pernicious Kingdoms
- Common Weakness Enumeration (CWE)
- CWE Top 25 Most Dangerous Software Errors
- SEI CERT Secure Coding Guidelines
Input validation
- Input validation principles
- Blacklists and whitelists
- Data validation techniques
- What to validate - the attack surface
- Where to validate - defense in depth
- How to validate - validation vs transformations
- Output sanitization
- Encoding challenges
- Validation with regex
- Injection
- Injection principles
- Injection attacks
- Code injection
- OS command injection
- Using Runtime.exec()
- Using ProcessBuilder
- Script injection
- Integer handling problems
- Representing signed numbers
- Integer visualization
- Integer overflow
- Signed / unsigned confusion in Java
- Integer truncation
- Upcasting
- Precondition testing
- Postcondition testing
- Using big integer libraries
- Integer handling in Java
- Files and streams
- Path traversal
- Path traversal-related examples
- Additional challenges in Windows
- Unsafe reflection
- Reflection without validation
- Unsafe native code
- Native code dependence
Security features
- Authentication
- Authentication basics
- Multi-factor authentication
- Authentication weaknesses - spoofing
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Password policy
- NIST authenticator requirements for memorized secrets
- Password length
- Password hardening
- Using passphrases
- The dictionary attack
- The ultimate crack
- Exploitation and the lessons learned
- Password database migration
- Outbound password management
- Hard coded passwords
- Protecting sensitive information in memory
- Challenges in protecting memory
- Storing sensitive data in memory
- Authorization
- Access control basics
- Information exposure
- Exposure through extracted data and aggregation
- System information leakage
- Leaking system information
- Java platform security
- The Java programming language and runtime environment
- Type safety and security
- Security features of the JRE
- The ClassLoader and the BytecodeVerifier
- Application-level access control in Java
- Permissions and the Security Manager
- Role-based access control
- Java Authentication and Authorization Services (JAAS)
- Protecting Java code and applications
- Code signing
- UI security
- UI security principles
- Sensitive information in the user interface
- Misinterpretation of UI features or actions
- Insufficient UI feedback
- Relying on hidden or disabled UI elements
- Insufficient anti-automation
Time and state
- Race conditions
- Race condition in object data members
- Singleton member fields
- File race condition
- Time of check to time of usage - TOCTTOU
- Insecure temporary file
- Database race conditions
- Avoiding race conditions in Java
Errors
- Error and exception handling principles
- Error handling
- Returning a misleading status code
- Reachable assertion
- Information exposure through error reporting
- Exception handling
- In the catch block. And now what?
- Catching NullPointerException
- Empty catch block
Cryptography for developers
- Cryptography basics
- Java Cryptographic Architecture (JCA) in brief
- Elementary algorithms
- Random number generation
- Pseudo random number generators (PRNGs)
- Cryptographically strong PRNGs
- Using virtual random streams
- Weak and strong PRNGs in Java
- Using random numbers in Java
- Hashing
- Hashing basics
- Common hashing mistakes
- Hashing in Java
- Confidentiality protection
- Symmetric encryption
- Block ciphers
- Modes of operation
- Symmetric encryption in Java
- Asymmetric encryption
- The RSA algorithm
- RSA in Java
- Elliptic Curve Cryptography
- The ECC algorithm
- ECC in Java
- Combining symmetric and asymmetric algorithms
- Integrity protection
- Message Authentication Code (MAC)
- Calculating MAC in Java
- Digital signature
- Digital signature with RSA
- Digital signature with ECC
- Digital signature in Java
- Public Key Infrastructure (PKI)
- Some further key management challenges
- Certificates
- Chain of trust
Common software security weaknesses
- Code quality
- Data handling
- Initialization and cleanup
- Constructors and destructors
- Class initialization cycles
- Unreleased resource
- Object oriented programming pitfalls
- Accessibility modifiers
- Are accessibility modifiers a security feature?
- Overriding and accessibility modifiers
- Inheritance and overriding
- Mutability
- Cloning
Using vulnerable components
- Assessing the environment
- Hardening
- Vulnerability management
- Patch management
- Vulnerability databases
Wrap up
- Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schroeder
- And now what?
- Software security sources and further reading
- Java resources