Secure Coding in Java
Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in Java programming. This four-day course provides a detailed explanation of common programming errors in Java and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the Java programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure Java programs regardless of the specific application.
Please note: you must bring a laptop computer equipped with the latest version of Adobe Reader and VMware Player. See the Prerequisites section for download information.
The course assumes basic Java programming skills but does not assume an in-depth knowledge of software security. Material in this presentation was derived from the Addison-Wesley books The CERT Oracle Secure Coding Standard for Java and Java Coding Guidelines.
To learn more about the CERT Secure Coding eLearning and Professional Certificates, please go to: SEI Certificates
Audience
This course is designed for Java developers.
Objectives
Participants should come away from this course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors. In particular, participants will learn how to
- improve the overall security of any Java application
- avoid injection attacks, such as SQL injection and XSS
- understand Java's memory model, with a thorough grounding of concurrency, and learn how to prevent race conditions while avoiding deadlock
- learn when to throw and catch exceptions
- avoid I/O vulnerabilities, including file-based race conditions
- learn how historical exploits on Java were executed and later disabled
Moreover, this course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow's attacks, not just today's.
Topics
- Input Sanitization and Validation
- Objects and Methods
- Exceptions
- File I/O
- The Java Memory Model
- Concurrency
- The Java Security Model
- Historical Vulnerabilities and Exploits
Subjects covered in the first two days are general. Like Java, the material is designed to be platform-independent. However, some platform-specific information is provided when necessary. For example, files have subtly different behavior on Windows vs. POSIX. The final day focuses on Java's security architecture, which allows untrusted code to coexist with trusted code, and concludes with several historical examples of famous exploits.
Materials
The CERT Oracle Secure Coding Standard for Java and Java Coding Guidelines books authored by Long, Mohindra, Seacord, Sutherland, and Svoboda and published by Addison-Wesley will be provided in class. Participants will also receive a DVD containing course and reference materials.
Prerequisites
It is recommended that participants have a basic to intermediate understanding of the Java programming language. Software security knowledge or experience is not required.
Required Equipment
Students must bring a personal computer equipped with
- 8GB of RAM required, 16GB of RAM recommended
- 40GB or greater of free drive space
- DVD drive or USB port for inserting a memory stick
- the latest version of Adobe Reader (this can be downloaded from https://get.adobe.com/reader/)
- the latest version of VMware Workstation Player (this can be downloaded from https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_player/17_0)
- Microsoft Word or LibreOffice
The following item is optional. We provide them, but the student is free to substitute their own if they wish:
- Java programming language development environments (compiler, editor, etc.), such as Eclipse
On the first day of the course, the instructor will provide the attendees with a DVD with the software and course exercises to download on their computers. The instructor will also provide instructions on using the Course Exercises Virtual Machine (VM) from the DVDs.
Schedule
This four-day class meets at the following times:
Days 1-4, 9:00 a.m. - 5:00 p.m. (U.S. Locations)
Days 1-4, 9:30 a.m. - 5:30 p.m. (non-U.S. Locations)
This course may be offered by special arrangement at customer sites. For details, please email course-info@sei.cmu.edu or telephone at +1 412-268-1817.
Course Questions?
Email: course-info@sei.cmu.edu
Phone: 412-268-7388
Related Courses
-
CERT Secure Coding in Java Professional Certificate
ONLINE
The CERT Secure Coding in Java Professional Certificate provides software developers with practical instruction based upon the CERT Secure Coding Standards. The CERT Secure Coding team teaches the essentials of designing and developing secure software in Java. Completion of this Professional Certificate will enable software developers to increase...
Learn More
Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.