E-SPIN
Thursday, 19 July 2012 / Published in Solution

GIAC Secure Software Programmer – Java (GSSP-JAVA)

What the GIAC Secure Software Programmer – Java (GSSP-JAVA) certification is, and what it covers.

Type: Certification

Course: No specific training is required for any GIAC certification. Candidates who need help mastering the objectives for this certification have many sources of information available: practical experience, the numerous books on the market covering computer and information security, SANS training, or relevant courses from other training providers.

Target: Individuals responsible for coding secure software applications, for identifying shortfalls in the security knowledge of other programmers, and for ensuring that other programmers have adequate secure coding skills, as well as anyone who wants to demonstrate advanced secure programming skills. The GIAC Secure Software Programmer certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with the common programming errors that lead to most security problems. GIAC Certified Secure Software Programmers (GSSP) have the knowledge, skills, and abilities to write secure code and to recognize security shortcomings in existing code.

Requirements: 1 proctored exam – 100 questions – 4-hour time limit – 73% (73 of 100 questions) minimum passing score

Renewal: Every 4 years

Delivery: Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours of receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time GIAC sends notice that it is available. The exams are proctored and should be scheduled using our.

Secure Coding in Java/JEE: Developing Defensible Applications (SANS Developer 541)

Course Overview

The Difference between Good and Great Programmers

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That’s still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

The Only Course Covering the Key Elements of Secure Application Development in Java

Such buyer and management demands create an immediate response from programmers: "Where can I learn what is meant by secure coding?" This unique SANS course allows you to bone up on the skills and knowledge measured in the third-party assessments, as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It is not a high-level theory course; it is about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.

Rather than teaching students to use a set of tools, we’re teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.

Here’s a sampling of topics:

Input handling, to ensure that input arriving through every interface is properly processed and validated.

  • Ensuring input from multiple sources can be trusted: HTTP requests, configuration files, backend datastores, command line arguments, environment variables.
  • Validating common data types such as string data, as well as uncommon input structures, using regular expressions, doValidate() and other tools of Java and J2EE.
  • White-list and black-list approaches, and their tradeoffs.
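The contrast between the two approaches in the last bullet is easiest to see in code. The class below is an added example written for this page, not code from the SANS course, GIAC or E-SPIN: it validates a username, a US ZIP code and a quantity against whitelists, and keeps one blacklist filter only to show how it is bypassed. The field names, patterns and the 1..1000 range are assumptions made for the example.

```java
import java.util.regex.Pattern;

/*
 * Added example, not SANS course material: whitelist validation of the kind the
 * bullets above describe, with a blacklist shown only to illustrate why it loses.
 * The field names, patterns and ranges are assumptions made for the example.
 */
public final class InputValidator {

    // Whitelists: enumerate what the field may contain, nothing else.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,32}");
    private static final Pattern US_ZIP   = Pattern.compile("[0-9]{5}(-[0-9]{4})?");

    private InputValidator() {}

    /* matches() must consume the entire input, so "alice\n" and "alice'; --" both
     * fail. find() would accept any string that merely contains a valid substring. */
    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    public static boolean isValidUsZip(String s) {
        return s != null && US_ZIP.matcher(s).matches();
    }

    /* Numeric input: parse, then enforce the business range. A value that parses is
     * not yet a value the application may act on. */
    public static int parseQuantity(String s) {
        if (s == null) throw new IllegalArgumentException("quantity missing");
        int q;
        try {
            q = Integer.parseInt(s.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity is not an integer");
        }
        if (q < 1 || q > 1000) throw new IllegalArgumentException("quantity out of range");
        return q;
    }

    /* Blacklist for contrast: removes one dangerous token. Stripping "<script>" from
     * "<scr<script>ipt>" leaves "<script>" behind, and "<ScRiPt>" is never touched. */
    public static String blacklistStrip(String s) {
        return s.replace("<script>", "");
    }

    public static void main(String[] args) {
        String[] names = { "alice_01", "alice'; --", "alice\n", "<b>bob</b>" };
        for (String n : names) {
            System.out.printf("username %-12s valid=%b%n", n.replace("\n", "\\n"), isValidUsername(n));
        }
        System.out.println("zip 02139-4307 valid=" + isValidUsZip("02139-4307"));
        System.out.println("quantity ' 42 ' -> " + parseQuantity(" 42 "));
        System.out.println("blacklist on <scr<script>ipt> -> " + blacklistStrip("<scr<script>ipt>"));
        System.out.println("blacklist on <ScRiPt> -> " + blacklistStrip("<ScRiPt>"));
    }
}
```

The practical point is the anchoring: `Matcher.matches()` requires the whole value to fit the pattern, whereas `find()` (or a `^...$` pattern used with `find()`) accepts any value that contains a valid substring, which is exactly the gap an attacker needs.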

Understanding authentication and session management, and mastering authentication principles

  • Authentication for end users, third-party services, backend systems, etc.
  • How to use encryption and certificates to protect a variety of authentication processes, including an understanding of strength of function, credential expiration, credential recovery/reset, and re-authentication.
  • Protection of session tokens.
  • Gaining familiarity with the more common authentication techniques and APIs available within Java and J2EE.
  • Which services and protections are, and are not, provided.

Active enforcement of access control to guarantee the confidentiality of user data

Restricting access to resources and functions, declarative access control, access checks in custom code, and how the Java Authentication and Authorization Service (JAAS) can be used to implement access control.

Security implications of built-in data types and Java-specific memory management

  • Complete mastery of the String class's immutability and how to compare String objects.
  • Limitations of Java's numerical data types and the resulting security implications.
  • Security implications of the Java garbage collector, and how it works.
  • ArrayList and Vector: differences and security considerations.
  • Accessibility modifiers, the final modifier, class comparisons, serialization, clone-ability, and inner classes.
  • Managing the privileges of code and different protection domains, including the SecurityManager and its policy file.

Properly handling application faults.

  • Java's try/catch/finally construct, Java's logging facilities, and configuring default error pages for 404 and other errors.

Structuring multi-threaded programs securely

  • Avoiding race conditions
  • Implementing the Singleton pattern and protecting other resources accessed by multiple threads.
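Race conditions and the Singleton pattern are the two items above, and both fit in one short program. The following is an added example written for this page, not SANS course code: an account whose withdraw method is a check-then-act race, the synchronized version, and a lazily created singleton that needs no locking at all. The account classes and the 5,000-withdrawal workload are constructed for the demonstration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.BooleanSupplier;
import java.util.function.LongSupplier;

/*
 * Added example, not SANS course material: a check-then-act race on an account
 * balance, the synchronized fix, and a thread-safe lazy singleton. The account
 * classes and the withdrawal workload are constructed for this example.
 */
public final class RaceConditionDemo {

    /* VULNERABLE: the check and the update are two separate steps, so two threads can
     * both see balance >= amt before either subtracts. The yield only widens the window. */
    static final class UnsafeAccount {
        private long balance;
        UnsafeAccount(long initial) { balance = initial; }
        boolean withdraw(long amt) {
            if (balance >= amt) {
                Thread.yield();
                balance -= amt;
                return true;
            }
            return false;
        }
        long balance() { return balance; }
    }

    /* FIXED: the check and the update run under one monitor, so the invariant
     * balance >= 0 holds no matter how the threads interleave. */
    static final class SafeAccount {
        private long balance;
        SafeAccount(long initial) { balance = initial; }
        synchronized boolean withdraw(long amt) {
            if (balance >= amt) {
                balance -= amt;
                return true;
            }
            return false;
        }
        synchronized long balance() { return balance; }
    }

    /* Lazy singleton without double-checked locking: class initialisation is
     * guaranteed by the JVM to run exactly once, on first use, by a single thread. */
    static final class AppConfig {
        private AppConfig() {}
        private static final class Holder { static final AppConfig INSTANCE = new AppConfig(); }
        static AppConfig get() { return Holder.INSTANCE; }
    }

    /* Fires `attempts` withdrawals at once and reports the balance afterwards. */
    static long hammer(BooleanSupplier withdraw, LongSupplier balance, int attempts) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        CountDownLatch go = new CountDownLatch(1);
        for (int i = 0; i < attempts; i++) {
            pool.execute(() -> {
                try { go.await(); } catch (InterruptedException e) { return; }
                withdraw.getAsBoolean();
            });
        }
        go.countDown();
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return balance.getAsLong();
    }

    public static void main(String[] args) throws InterruptedException {
        UnsafeAccount unsafe = new UnsafeAccount(500);
        SafeAccount safe = new SafeAccount(500);
        long u = hammer(() -> unsafe.withdraw(1), unsafe::balance, 5_000);
        long s = hammer(() -> safe.withdraw(1), safe::balance, 5_000);
        System.out.println("unsafe account after 5000 attempts: " + u + " (below 0 means the race fired)");
        System.out.println("safe account after 5000 attempts:   " + s);
        System.out.println("singleton identity stable: " + (AppConfig.get() == AppConfig.get()));
    }
}
```

The unsafe account will not go negative on every run, which is the real lesson: a race that shows up once in a thousand runs in the lab shows up daily under production load. The holder idiom is the simplest correct lazy singleton; hand-written double-checked locking without `volatile` is the version that is broken.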

Making connections with other applications securely

  • Security risks introduced by using dynamic queries
  • How to defend against SQL injection with safe use of the PreparedStatement to interact with databases based on user-supplied input
  • How to use output encoding to display data to user interfaces as a defense against cross-site scripting.

Implementing fail-safe connection patterns.
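The two defences named above, parameter binding for SQL and output encoding for HTML, are shown side by side in the class below. This is an added example written for this page, not SANS course code: the `users` table, its `id` and `name` columns, and the hostile inputs are assumptions made for the demonstration, and the JDBC methods accept whatever `Connection` your DataSource provides.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.OptionalLong;

/*
 * Added example, not SANS course material: a dynamic query vulnerable to SQL
 * injection, the PreparedStatement fix, and an HTML output encoder for XSS.
 * The "users" table and its columns are assumptions of this example.
 */
public final class SafeDataAccess {

    private SafeDataAccess() {}

    /* VULNERABLE ('before'): the name becomes part of the SQL text. With
     * name = "x' OR '1'='1" the WHERE clause is always true; with a database that
     * allows stacked statements, "x'; DROP TABLE users; --" does far worse. */
    public static OptionalLong findUserIdVulnerable(Connection c, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? OptionalLong.of(rs.getLong(1)) : OptionalLong.empty();
        }
    }

    /* FIXED: the statement text is fixed at prepare time; the value is bound as data
     * and cannot change the query structure, quotes included. */
    public static OptionalLong findUserId(Connection c, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? OptionalLong.of(rs.getLong(1)) : OptionalLong.empty();
            }
        }
    }

    /* Output encoding for HTML element content. Attribute values, JavaScript and URL
     * contexts each need their own encoder (the OWASP Java Encoder covers them). */
    public static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(document.cookie)</script>";
        System.out.println("raw:     " + hostile);
        System.out.println("encoded: " + encodeForHtml(hostile));
        // findUserId / findUserIdVulnerable need a live Connection from your DataSource.
    }
}
```

Note that `PreparedStatement` protects only the values it binds: a table or column name, or an `ORDER BY` direction, cannot be a `?` parameter and must be chosen from a fixed whitelist in code.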

Using JAR sealing and J2EE filters effectively

  • How JAR sealing is used
  • Where sealing and filters can be used to implement each of the secure coding techniques above
  • What to avoid when using them

Who Should Attend?

This course is ideal for:

  • Developers who want to build more secure applications
  • Java EE programmers
  • Software engineers
  • Software architects
  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Pre-requisites:

Students should have at least one year’s experience working with the JEE framework and should have thorough knowledge of Java language and web technology.

Data Validation, Developer 541 – Day 1

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.

Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.

The course is full of hands-on exercises in which you apply practical data validation techniques that prevent common attacks.

Topics Covered

Web Application Attacks

  • Cross Site Scripting
  • Cross Site Request Forgery (CSRF)
  • SQL Injection
  • HTTP Response Splitting
  • Parameter Manipulation

Web Application Proxy

  • Using Paros (Paros is no longer maintained; OWASP ZAP, which was forked from it, is its current successor)

Validation Concerns

  • Character Encoding
  • Input Validation
  • Output Encoding
  • Blacklisting & Whitelisting

Validation Techniques

  • Regular Expressions
  • Servlet Filters
  • HTML Encoding
  • Struts Validation
  • CAPTCHA
  • Prepared Statements
  • Stored Procedures
  • Aspect Oriented Programming (AOP)
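Two of the Day 1 attacks, CSRF and HTTP response splitting, are defended with a servlet filter and a redirect check rather than with field validation. The class below is an added example written for this page, not SANS course code. It assumes the javax.servlet 3.x API is on the classpath; the `_csrf` parameter name, the `csrf.token` session attribute and the method list are choices made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not SANS course material: a servlet filter enforcing a per-session
 * synchronizer token against CSRF, plus a redirect-target check against HTTP response
 * splitting and open redirects. Assumes the javax.servlet 3.x API; the parameter
 * and attribute names are this example's own.
 */
public final class CsrfFilter implements Filter {

    static final String TOKEN_ATTR  = "csrf.token";
    static final String TOKEN_PARAM = "_csrf";
    private static final SecureRandom RNG = new SecureRandom();

    /* One 256-bit token per session, reused for its lifetime; forms embed it as a hidden field. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(TOKEN_ATTR);
            if (t == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, t);
            }
            return t;
        }
    }

    /* Constant-time comparison; String.equals returns early on the first mismatching byte. */
    public static boolean tokensMatch(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    /* A CR or LF in a redirect target lets the attacker inject headers (response
     * splitting); an absolute or protocol-relative URL turns the site into an open
     * redirector. Anything suspicious collapses to the home page. */
    public static String safeRedirectTarget(String target) {
        if (target == null || target.isEmpty()) return "/";
        for (int i = 0; i < target.length(); i++) {
            char ch = target.charAt(i);
            if (ch == '\r' || ch == '\n' || ch < 0x20) return "/";
        }
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) return "/";
        return target;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String m = r.getMethod();
        boolean stateChanging = !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
        if (stateChanging) {
            HttpSession s = r.getSession(false);
            String expected = (s == null) ? null : (String) s.getAttribute(TOKEN_ATTR);
            if (!tokensMatch(expected, r.getParameter(TOKEN_PARAM))) {
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml, call `tokenFor(request.getSession())` when rendering any form and emit the value as `<input type="hidden" name="_csrf" ...>`. The filter deliberately treats every method except GET, HEAD and OPTIONS as state-changing; the corresponding discipline is that GET handlers must never change state, or the token check is bypassed by a plain link.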

Authentication & Session Management, Developer 541- Day 2

Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.

You will learn how to use JEE container-based authentication and set up both Basic and Form-Based Authentication. You will also learn about Acegi, the popular security system for Spring (since renamed Spring Security). This course is full of hands-on exercises and culminates in a lab where you put everything you have learned together into an application protected by proper authentication controls.

Topics Covered

Authentication Attacks

  • Brute Force Attacks
  • Weak Password Storage
  • Password Reset
  • Secret Questions
  • Weak Session Management

Protecting Sessions

  • Using SSL
  • Session Hijacking
  • Session Fixation

Authentication

  • JEE Container Based Authentication
  • Basic Authentication
  • Form Based Authentication
  • Client Certificates
  • Account Lockout
  • Password Policy

Acegi Security System for Spring

  • Using Acegi

Encryption

  • Jasypt

Access Control & Java Security APIs, Developer 541 – Day 3

Improper access control can lead to unauthorized users gaining access to sensitive information or functionality. In this module you will learn about authorization, access control lists, and the Java Authentication & Authorization Service (JAAS). From there you will learn about a number of other security topics including how to do proper error handling using Java Exceptions and try/catch/finally blocks as well as the importance of logging. With hands on exercises you will also write code to encrypt both data in transit and data at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA). You will also learn about race conditions and how they can be prevented using synchronization features in Java.

Topics Covered

  • Access Control/Authorization
    • ACLs
    • JAAS
  • Error Handling
    • Exceptions
    • Using try/catch/finally
  • Logging
    • java.util.logging
  • Race Conditions
    • Using synchronization
  • Encryption
    • Encryption of data in transit with JSSE
    • Encryption of data at rest with JCA

Java Language & JRE Security Topics, Developer 541 – Day 4

Java is the language of choice for the development of many mission-critical applications, so it is vital to understand the security features and implications of the Java language itself and of the Java Runtime Environment (JRE). Through numerous hands-on exercises you will learn about the SecurityManager and how code privileges are managed (note that the SecurityManager has been deprecated for removal since Java 17, so new code should not depend on it), how to seal and sign JAR files, String immutability, integer and double overflows, and the many Java language features you should consider while writing secure code.

Topics Covered

  • java.lang.String Immutability
  • Integer and Double Overflows
  • ArrayList/Vector security considerations
  • Access modifiers
  • Inner classes
  • Garbage Collector
  • SecurityManager and code privileges
  • Jar Sealing
  • Jar Signing
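Integer overflow and String comparison, the first items in the list above, are the language pitfalls most often found in real code review. The class below is an added example written for this page, not SANS course code: a price total that wraps silently beside the checked version, the `Math.abs(Integer.MIN_VALUE)` trap, and reference versus content versus constant-time comparison of Strings. The prices, quantities and token strings are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/*
 * Added example, not SANS course material: silent int overflow in a price
 * calculation beside the checked version, the abs(MIN_VALUE) trap, and reference
 * versus content comparison of Strings. Prices, quantities and tokens are constructed.
 */
public final class LanguagePitfalls {

    private LanguagePitfalls() {}

    /* VULNERABLE: int arithmetic wraps. 100_000 cents x 30_000 units = 3_000_000_000,
     * above Integer.MAX_VALUE (2_147_483_647), so the total comes back negative and a
     * later "total > 0" check, or a refund path, misbehaves. */
    public static int totalCentsWrapping(int unitCents, int quantity) {
        return unitCents * quantity;
    }

    /* FIXED: validate the range, then use the *Exact methods, which throw
     * ArithmeticException instead of wrapping. Widening to long gives headroom. */
    public static long totalCentsChecked(int unitCents, int quantity) {
        if (unitCents < 0 || quantity <= 0) throw new IllegalArgumentException("out of range");
        return Math.multiplyExact((long) unitCents, (long) quantity);
    }

    /* Two's complement has no positive counterpart for MIN_VALUE: Math.abs returns it
     * unchanged, still negative, so "abs(x) >= 0" is not a safe assumption. */
    public static boolean absIsNonNegative(int x) {
        return Math.abs(x) >= 0;
    }

    /* == on Strings compares references. It can be accidentally true (interned literals)
     * or false (runtime-built values), which is the worst kind of bug to test for. */
    public static boolean sameByReference(String a, String b) { return a == b; }
    public static boolean sameByContent(String a, String b)   { return a.equals(b); }

    /* For secrets (session tokens, MACs) equals() still leaks timing; compare constant-time. */
    public static boolean sameSecret(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        int unit = 100_000, qty = 30_000;
        System.out.println("wrapping total: " + totalCentsWrapping(unit, qty));
        System.out.println("checked total:  " + totalCentsChecked(unit, qty));
        try {
            Math.multiplyExact(unit, qty);           // the int overload refuses where plain * wrapped
        } catch (ArithmeticException e) {
            System.out.println("int multiplyExact refused: " + e.getMessage());
        }
        System.out.println("abs(MIN_VALUE) non-negative: " + absIsNonNegative(Integer.MIN_VALUE));
        System.out.println("double overflow: " + (Double.MAX_VALUE * 2));   // Infinity, no exception
        String literal = "session-token";
        String built = new StringBuilder("session-").append("token").toString();
        System.out.println("== : " + sameByReference(literal, built)
                + ", equals: " + sameByContent(literal, built)
                + ", constant-time: " + sameSecret(literal, built));
    }
}
```

The `double` line is the floating-point counterpart of the integer case: the arithmetic does not fail, it returns Infinity (or NaN), and any comparison against it later yields a nonsense answer. Money belongs in integer cents or `BigDecimal`, never in `double`.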