Web Application Security in Java Course


24h
Overview

Your web application written in Java works as expected, so you are done, right? But have you considered feeding it bad values? 16 GB of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that is exactly what the bad guys will do, and the list is far from complete. Dealing with security requires a healthy level of paranoia, and that is what this course offers: strong engagement through many hands-on labs and real-life stories, all to substantially improve code hygiene. Mistakes, consequences and best practices are our blood, sweat and tears.

This Web Application Security in Java course covers the common security problems of web applications following the OWASP Top Ten, but goes far beyond it in both coverage and detail. All of this is put in the context of Java and extended with core programming issues, discussing the security pitfalls of the Java language and framework.

Objective

After completing this Web Application Security in Java course, you will be able to:

  • Become familiar with essential cyber security concepts
  • Understand the basics of web application security issues
  • Analyze the OWASP Top Ten elements in detail
  • Put web application security in the context of Java
  • Go beyond the low-hanging fruit
  • Manage vulnerabilities in third-party components
  • Identify vulnerabilities and their consequences
  • Apply security best practices in Java
  • Apply input validation approaches and principles

Target Audience

  • Java developers working on web applications

Prerequisites

  • General Java and web development

Materials

English/Portuguese/Hands-on Lab

Course Content

Cyber security basics

  1. What is security?
  2. Threat and risk
  3. Cyber security threat types
  4. Consequences of insecure software

The OWASP Top Ten - 1

  • OWASP Top 10
  • A1 - Injection
    1. Injection principles
    2. Injection attacks
    3. SQL injection
    4. SQL injection basics
    5. Attack techniques
    6. Content-based blind SQL injection
    7. Time-based blind SQL injection
    8. Input validation
    9. Parameterized queries
    10. Additional considerations
  • Code injection
    1. OS command injection
    2. Using Runtime.exec()
    3. Using ProcessBuilder
    4. Script injection
  • A2 - Broken Authentication
    1. Authentication basics
    2. Multi-factor authentication
    3. Authentication weaknesses - spoofing
    4. Spoofing on the Web
    5. Password management
    6. Inbound password management
    7. Storing account passwords
    8. Password in transit
    9. Dictionary attacks and brute forcing
    10. Salting
    11. Adaptive hash functions for password storage
    12. Password policy
    13. NIST authenticator requirements for memorized secrets
    14. The dictionary attack
    15. The ultimate crack
    16. Exploitation and the lessons learned
    17. Password database migration
    18. (Mis)handling null passwords

The OWASP Top Ten - 2

  • A2 - Broken Authentication
    • Session management
      1. Session management essentials
      2. Why do we protect session IDs - Session hijacking
      3. Session fixation
      4. Cross-site Request Forgery (CSRF)
      5. CSRF defense in depth
      6. Cookie security
      7. Cookie attributes
  • A4 - XML External Entities (XXE)
    1. DTD and the entities
    2. Entity expansion
    3. External Entity Attack (XXE)
    4. File inclusion with external entities
    5. Server-Side Request Forgery with external entities
    6. Preventing XXE
  • A5 - Broken Access Control
    1. Access control basics
    2. Failure to restrict URL access
    3. Confused deputy
    4. Insecure direct object reference (IDOR)
    5. Authorization bypass through user-controlled keys
  • File upload
    1. Unrestricted file upload
    2. Good practices
  • A7 - Cross-site Scripting (XSS)
    1. Cross-site scripting basics
    2. Cross-site scripting types
    3. Persistent cross-site scripting
    4. Reflected cross-site scripting
    5. Client-side (DOM-based) cross-site scripting
    6. Protection principles - escaping
    7. XSS protection APIs in Java
    8. XSS protection in JSP
    9. Additional protection layers
    10. Client-side protection principles
  • A8 - Insecure Deserialization
    1. Serialization and deserialization challenges
    2. Deserializing untrusted streams
    3. Using ReadObject
    4. Sealed objects
    5. Look ahead deserialization
    6. Property Oriented Programming (POP)
    7. Creating payload
  • A9 - Using Components with Known Vulnerabilities
    1. Using vulnerable components
    2. Assessing the environment
    3. Hardening
    4. Untrusted functionality import
    5. Importing JavaScript
    6. Vulnerability management
    7. Patch management
    8. Vulnerability databases

The OWASP Top Ten - 3

  • Web application security beyond the Top Ten
    1. Client-side security
    2. Same Origin Policy
    3. Tabnabbing
    • Frame sandboxing
      1. Cross-Frame Scripting (XFS) attack
      2. Clickjacking beyond hijacking a click

Common software security weaknesses

  • Input validation
    • Input validation principles
      1. Blacklists and whitelists
      2. Data validation techniques
      3. What to validate - the attack surface
      4. Where to validate - defense in depth
      5. How to validate - validation vs transformations
      6. Output sanitization
      7. Encoding challenges
      8. Validation with regex
    • Integer handling problems
      1. Representing signed numbers
      2. Integer visualization
      3. Integer overflow
      4. Signed / unsigned confusion in Java
      5. Integer truncation
      6. Upcasting
      7. Precondition testing
      8. Postcondition testing
      9. Using big integer libraries
      10. Integer handling in Java
    • Files and streams
      1. Path traversal
      2. Path traversal-related examples
      3. Additional challenges in Windows
    • Unsafe reflection
      1. Reflection without validation
      2. Unsafe native code
      3. Native code dependence
  • Code quality
    • Data handling
      1. Initialization and cleanup
      2. Constructors and destructors
      3. Class initialization cycles
      4. Unreleased resource
    • Object oriented programming pitfalls
      1. Accessibility modifiers
      2. Are accessibility modifiers a security feature?
      3. Overriding and accessibility modifiers
      4. Inheritance and overriding
      5. Mutability
      6. Cloning