GIAC Secure Software Programmer – Java (GSSP-JAVA)

What is the GIAC Secure Software Programmer – Java (GSSP-JAVA) and explanation of certification.

Type: Certification

Course: No Specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.

Target: Individuals who are responsible for coding secure software applications, identifying shortfalls in the security knowledge of other programmers, ensuring other programmers have adequate secure coding skills, and advanced secure programming skills. The GIAC Secure Software Programmers certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common programming errors that lead to most security problems.GIAC Certified secure software programmers (GSSP) have the knowledge, skills, and abilities to write secure code and recognize security shortcomings in existing code.

Requirements: 1 proctored exam – 100 questions – 4-hour time limit – 73% (73 of 100 questions) minimum passing score

Renewal: Every 4 yearsDelivery: Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours upon receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and should be scheduled using our.

Secure Coding in Java/JEE: Developing Defensible Applications. Developer 541

Course  Overview

The Difference between Good and Great Programmers

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That’s still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

The Only Course Covering the Key Elements of Secure Application Development in Java

Such buyer and management demands create an immediate response from programmers, Where can I learn what is meant by secure coding? This unique SANS course allows you to bone up on the skills and knowledge being measured in the third-party assessments as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf. )

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It’s not a high level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications.

Rather than teaching students to use a set of tools, we’re teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.

Here’s a sampling of topics:

Input handling to ensure input from their interfaces are properly processed and validated.

• Ensuring input from multiple sources can be trusted: HTTP Requests, configuration files, backend datastores, command line arguments, environment variables.
• Validate common data types such as string data as well as uncommon input structures, using Regular Expressions, doValidate() and other tools of Java and J2EE
• White-list and black-list approaches; tradeoffs.

Understanding authentication and session management and mastering authentication principals

• Authentication for end-users, 3rd party services, backend systems, etc.
• How to use encryption and certificates in protecting a variety of authentication process, including an understanding of strength-of-function, credential expiration, credential recover/reset, and re-authentication.
• Protection of session tokens
• Gaining familiarity with the more common authentication techniques and APIs available within Java and J2EE.
• What services and protections are and are not provided.

Active enforcement of access control to guaranteeing the confidentiality of user data.

Restricting access to resources and functions, declarative access control, control checks in custom code, and how the Java Authentication and Authorization Service can be used in implementing access control.

Security Implications of built-in data types and java-specific memory management

• Complete mastery of the String class’ immutability and how to compare String objects.
• Limitations of Java’s numerical data types and the resulting security implications
• Security implications of Java Garbage Collector, and how it works
• ArrayList and the Vector: differences and security considerations
• Accessibility modifiers, the final modifier, class comparisons, serialization, clone-ability, and inner classes
• Managing the privileges of code and different protection domains, including Security Manager and its policy file.

Properly handling application faults.

• Java’s try/catch/finally construct, Java’s logging function, configuration to return default error pages for 404 and other errors.

Structuring multi-threaded programs securely

• Avoiding race conditions
• Implementing the Singleton pattern and protecting other resources accessed by multiple threads.

Making connections with other applications securely

• Security risks introduced by using dynamic queries
• How to defend against SQL injection with safe use of the PreparedStatement to interact with databases based on user-supplied input
• How to use output encoding to display data to user interfaces as a defense against cross-site scripting.

Implementing fail-safe connection patterns.

Using JAR Sealing and J2EE Filters effectively

• How JAR sealing is used
• Where they can be used to implement each secure coding technique
• What to avoid in using them

Who Should Attend?

This course is ideal for:

• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Pre-requisites:

Students should have at least one year’s experience working with the JEE framework and should have thorough knowledge of Java language and web technology.

Data Validation, Developer 541 – Day 1

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.

Beginning on the first day, you will learn about some of the most prevalent web applications vulnerabilities such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot some of these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.

The course is full of hands on exercises where you can apply practical data validation techniques that you can use to prevent common attacks.Topics Covered

Web Application Attacks

• Cross Site Scripting
• Cross Site Request Forgery (CSRF)
• SQL Injection
• HTTP Response Splitting
• Parameter Manipulation

Web Application Proxy

• Using Paros

Validation Concerns

• Character Encoding
• Input Validation
• Output Encoding
• Blacklisting & Whitelisting

Validation Techniques

• Regular Expressions
• Servlet Filters
• HTML Encoding
• Struts Validation
• CAPTCHA
• Prepared Statements
• Stored Procedures
• Aspect Oriented Programming (AOP)

Authentication & Session Management, Developer 541- Day 2

Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.

You will learn how to use JEE Container Based Authentication and setup both Basic and Form Based Authentication. You will also learn about Acegi, which is the popular security system for Spring. This course is full of hands on exercises and culminates in a lab where you put everything you learned together into an application that is protected by proper authentication controls.Topics Covered

Authentication Attacks

• Brute Force Attacks
• Weak Password Storage
• Password Reset
• Secret Questions
• Weak Session Management

Protecting Sessions

• Using SSL
• Session Hijacking
• Session Fixation

Authentication

• JEE Container Based Authentication
• Basic Authentication
• Form Based Authentication
• Client Certificates
• Account Lockout
• Password Policy

Acegi Security System for Spring

• Using Acegi

Encryption

• Jasypt

Access Control & Java Security APIs, Developer 541- day 3

Topics Covered

• Access Control/Authorization
  • ACLs
  • JAAS
• Error Handling
  • Exceptions
  • Using try/catch/finally
• Logging
  • java.util.logging
• Race Conditions
  • Using synchronization
• Encryption
  • Encryption of data in transit with JSSE
• Encryption of data at rest with JCA

Java Language & JRE Security Topics, Developer 541- day 4

Topics Covered

• java.lang.String Immutability
• Integer and Double Overflows
• ArrayList/Vector security considerations
• Access modifiers
• Inner classes
• Garbage Collector
• SecurityManager and code privileges
• Jar Sealing
• Jar Signing