Desktop Application Security in Java (DASEC-J)

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software
  • Constraints and the market
  • The dark side
• Categorization of bugs
  • The Seven Pernicious Kingdoms
  • Common Weakness Enumeration (CWE)
  • CWE Top 25 Most Dangerous Software Errors
  • SEI CERT Secure Coding Guidelines

Input validation

• Input validation principles
  • Blacklists and whitelists
  • Data validation techniques
  • What to validate – the attack surface
  • Where to validate – defense in depth
  • How to validate – validation vs transformations
  • Output sanitization
  • Encoding challenges
  • Validation with regex
• Injection
  • Injection principles
  • Injection attacks
  • Code injection
    • OS command injection
      • OS command injection best practices
      • Using Runtime.exec()
      • Using ProcessBuilder
      • Case study – Shellshock
      • Lab – Shellshock
      • Case study – Command injection via ping
    • Script injection
  • General protection best practices
• Integer handling problems
  • Representing signed numbers
  • Integer visualization
  • Integer overflow
  • Lab – Integer overflow
  • Signed / unsigned confusion in Java
  • Case study – The Stockholm Stock Exchange
  • Integer truncation
  • Best practices
    • Upcasting
    • Precondition testing
    • Postcondition testing
    • Using big integer libraries
    • Integer handling in Java
    • Lab – Integer handling
  • Files and streams
    • Path traversal
    • Path traversal-related examples
    • Lab – Path traversal
    • Additional challenges in Windows
    • Path traversal best practices
  • Unsafe reflection
    • Reflection without validation
    • Lab – Unsafe reflection
  • Unsafe native code
    • Native code dependence
    • Lab – Unsafe JNI
    • Best practices for dealing with native code

DAY 2

Security features

• Authentication
  • Authentication basics
  • Multi-factor authentication
  • Authentication weaknesses – spoofing
  • Case study – PayPal 2FA bypass
  • User interface best practices
  • Lab – On-line password brute forcing
  • Password management
    • Inbound password management
      • Storing account passwords
      • Password in transit
      • Lab – Is just hashing passwords enough?
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • Password policy
        • NIST authenticator requirements for memorized secrets
        • Password length
        • Password hardening
        • Using passphrases
        • Lab – Applying a password policy
      • Case study – The Ashley Madison data breach
        • The dictionary attack
        • The ultimate crack
        • Exploitation and the lessons learned
      • Password database migration
        • Outbound password management
          • Hard coded passwords
          • Best practices
          • Lab – Hardcoded password
          • Protecting sensitive information in memory
            • Challenges in protecting memory
            • Storing sensitive data in memory
• Authorization
  • Access control basics
• Information exposure
  • Exposure through extracted data and aggregation
  • Case study – Strava data exposure
  • System information leakage
    • Leaking system information
  • Information exposure best practices
• Java platform security
  • The Java programming language and runtime environment
  • Type safety and security
  • Security features of the JRE
    • The ClassLoader and the BytecodeVerifier
  • Application-level access control in Java
    • Permissions and the Security Manager
    • Privilege best practices
  • Role-based access control
    • Java Authentication and Authorization Services (JAAS)
  • Protecting Java code and applications
    • Code signing
    • Lab – Code signing and permissions
• UI security
  • UI security principles
  • Sensitive information in the user interface
  • Misinterpretation of UI features or actions
  • Insufficient UI feedback
  • Relying on hidden or disabled UI element
  • Insufficient anti-automation

Time and state

• Race conditions
  • Race condition in object data members
    • Singleton member fields
    • Lab – Singleton member fields
  • File race condition
    • Time of check to time of usage – TOCTTOU
    • Insecure temporary file
  • Database race conditions
    • Lab – Database race conditions
  • Avoiding race conditions in Java

Errors

• Error and exception handling principles
• Error handling
  • Returning a misleading status code
  • Reachable assertion
  • Information exposure through error reporting
• Exception handling
  • In the catch block. And now what?
  • Catching NullPointerException
  • Empty catch block

DAY 3

Cryptography for developers

• Cryptography basics
• Java Cryptographic Architecture (JCA) in brief
• Elementary algorithms
  • Random number generation
    • Pseudo random number generators (PRNGs)
    • Cryptographically strong PRNGs
    • Using virtual random streams
    • Weak and strong PRNGs in Java
    • Using random numbers in Java
    • Case study – Equifax credit account freeze
    • Lab – Random numbers in Java
  • Hashing
    • Hashing basics
    • Common hashing mistakes
    • Hashing in Java
    • Lab – Hashing in JCA
• Confidentiality protection
  • Symmetric encryption
    • Block ciphers
    • Modes of operation
    • Modes of operation and IV – best practices
    • Symmetric encryption in Java
    • Lab – Symmetric encryption in JCA
    • Asymmetric encryption
      • The RSA algorithm
        • Using RSA – best practices
        • RSA in Java
        • Lab – Using RSA in JCA
      • Elliptic Curve Cryptography
        • The ECC algorithm
        • Using ECC – best practices
        • ECC in Java
        • Lab – Using ECC in JCA
      • Combining symmetric and asymmetric algorithms
• Integrity protection
  • Message Authentication Code (MAC)
    • Calculating MAC in Java
    • Lab – Using MAC in JCA
  • Digital signature
    • Digital signature with RSA
    • Digital signature with ECC
    • Digital signature in Java
    • Lab – Digital signature in JCA
• Public Key Infrastructure (PKI)
  • Some further key management challenges
  • Certificates
    • Chain of trust
    • Certificate management – best practices

Common software security weaknesses

• Code quality
  • Data handling
    • Initialization and cleanup
      • Constructors and destructors
      • Class initialization cycles
      • Lab – Initialization cycles
    • Unreleased resource
      • The finalize() method – best practices
  • Object oriented programming pitfalls
    • Accessibility modifiers
      • Are accessibility modifiers a security feature?
      • Accessibility modifiers – best practices
      • Overriding and accessibility modifiers
    • Inheritance and overriding
    • Mutability
      • Lab – Mutable object
    • Cloning

Using vulnerable components

• Assessing the environment
• Hardening
• Vulnerability management
  • Patch management
  • Vulnerability databases
  • Lab – Finding vulnerabilities in third-party components

Wrap up

• Secure coding principles
  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
• And now what?
  • Software security sources and further reading
  • Java resources