Visão Geral

Seu aplicativo escrito em Java funciona conforme o esperado, então pronto, certo? Mas você considerou alimentar valores incorretos? 16 GB de dados? Um nulo? Um apóstrofo? Números negativos, ou especificamente -1 ou -231? Porque é isso que os bandidos farão – e a lista está longe de estar completa.

Este Curso Desktop Application Security in Java aborda as armadilhas de segurança da linguagem e estrutura Java.

Objetivo

Após concluir este Curso Desktop Application Security in Java, você será capaz de:

• Familiarizando-se com conceitos essenciais de segurança cibernética
• Identifique vulnerabilidades e suas consequências
• Melhores práticas de segurança em Java
• Abordagens e princípios de validação de entrada
• Entendendo como a criptografia pode oferecer suporte à segurança de aplicativos
• Use APIs criptográficas corretamente em Java
• Gerenciando vulnerabilidades em componentes de terceiros

Publico Alvo

• Desenvolvedores Java trabalhando em aplicativos de desktop

Pre-Requisitos

• Experiência de programação Java

Materiais

Conteúdo Programatico

Cyber security basics

1. What is security?
2. Threat and risk
3. Cyber security threat types
4. Consequences of insecure software
5. Constraints and the market
6. The dark side

• Categorization of bugs

1. The Seven Pernicious Kingdoms
2. Common Weakness Enumeration (CWE)
3. CWE Top 25 Most Dangerous Software Errors
4. SEI CERT Secure Coding Guidelines

Input validation

• Input validation principles
  1. Blacklists and whitelists
  2. Data validation techniques
  3. What to validate - the attack surface
  4. Where to validate - defense in depth
  5. How to validate - validation vs transformations
  6. Output sanitization
  7. Encoding challenges
  8. Validation with regex
• Injection

1. Injection principles
2. Injection attacks
3. Code injection
4. OS command injection
5. Using Runtime.exec()
6. Using ProcessBuilder
7. Script injection

• Integer handling problems

1. Representing signed numbers
2. Integer visualization
3. Integer overflow
4. Signed / unsigned confusion in Java
5. Integer truncation
6. Upcasting
7. Precondition testing
8. Postcondition testing
9. Using big integer libraries
10. Integer handling in Java

• Files and streams

1. Path traversal
2. Path traversal-related examples
3. Additional challenges in Windows

• Unsafe reflection

1. Reflection without validation

• Unsafe native code

1. Native code dependence

Security features

• Authentication

1. Authentication basics
2. Multi-factor authentication
3. Authentication weaknesses - spoofing
4. Password management
5. Inbound password management
6. Storing account passwords
7. Password in transit
8. Dictionary attacks and brute forcing
9. Salting
10. Adaptive hash functions for password storage
11. Password policy
12. NIST authenticator requirements for memorized secrets
13. Password length
14. Password hardening
15. Using passphrases
16. The dictionary attack
17. The ultimate crack
18. Exploitation and the lessons learned
19. Password database migration
20. Outbound password management
21. Hard coded passwords
22. Protecting sensitive information in memory
23. Challenges in protecting memory
24. Storing sensitive data in memory

• Authorization

1. Access control basics

• Information exposure

1. Exposure through extracted data and aggregation
2. System information leakage
3. Leaking system information

• Java platform security

1. The Java programming language and runtime environment
2. Type safety and security
3. Security features of the JRE
4. The ClassLoader and the BytecodeVerifier

• Application-level access control in Java

1. Permissions and the Security Manager

• Role-based access control

1. Java Authentication and Authorization Services (JAAS)

• Protecting Java code and applications

1. Code signing

• UI security

1. UI security principles
2. Sensitive information in the user interface
3. Misinterpretation of UI features or actions
4. Insufficient UI feedback
5. Relying on hidden or disabled UI element
6. Insufficient anti-automation

Time and state

• Race conditions

1. Race condition in object data members

• Singleton member fields

1. File race condition
2. Time of check to time of usage - TOCTTOU
3. Insecure temporary file
4. Database race conditions
5. Avoiding race conditions in Java

Errors

• Error and exception handling principles
• Error handling
  1. Returning a misleading status code
  2. Reachable assertion
  3. Information exposure through error reporting
• Exception handling
  1. In the catch block. And now what?
  2. Catching NullPointerException
  3. Empty catch block

Cryptography for developers

1. Cryptography basics
2. Java Cryptographic Architecture (JCA) in brief
3. Elementary algorithms

• Random number generation

1. Pseudo random number generators (PRNGs)
2. Cryptographically strong PRNGs
3. Using virtual random streams
4. Weak and strong PRNGs in Java
5. Using random numbers in Java

• Hashing

1. Hashing basics
2. Common hashing mistakes
3. Hashing in Java

• Confidentiality protection

1. Symmetric encryption
2. Block ciphers
3. Modes of operation
4. Symmetric encryption in Java
5. Asymmetric encryption
6. The RSA algorithm
7. RSA in Java
8. Elliptic Curve Cryptography
9. The ECC algorithm
10. ECC in Java
11. Combining symmetric and asymmetric algorithms

• Integrity protection

1. Message Authentication Code (MAC)
2. Calculating MAC in Java

• Digital signature

1. Digital signature with RSA
2. Digital signature with ECC
3. Digital signature in Java
4. Public Key Infrastructure (PKI)
5. Some further key management challenges
6. Certificates
7. Chain of trust

Common software security weaknesses

• Code quality

1. Data handling
2. Initialization and cleanup
3. Constructors and destructors
4. Class initialization cycles
5. Unreleased resource

• Object oriented programming pitfalls

1. Accessibility modifiers
2. Are accessibility modifiers a security feature?
3. Overriding and accessibility modifiers
4. Inheritance and overriding
5. Mutability
6. Cloning

Using vulnerable components

• Assessing the environment
• Hardening
• Vulnerability management

1. Patch management
2. Vulnerability databases

Wrap up

• Secure coding principles

1. Principles of robust programming by Matt Bishop
2. Secure design principles of Saltzer and Schröder

• And now what?

1. Software security sources and further reading
2. Java resources