CanSecWest: Security Masters Dojo Vancouver
Java Security: Understanding Threat Patterns and Optimizing the Defenses
Course dates: March 5th to 6th
Course Instructor(s):
Marc Schoenefeld
Agenda
Day 1:
- Java Security:
- Introduction
- Security Relevant walk-through of Java VM internals
- The Java Security Model
- Security Manager and Access Controller
- JVM Security
- What has changed in Java 7
- The View of the Defenseman
- How to identify weak Java code
- Secure Coding Best Practices
- How to fix weak code on a broad scale
- Approaches, Techniques, Tools
- Understanding Organizational Security Mechanisms
- Where to get patches (old and new)
- Web Resources, Upgrade Best Practices
- Hotpatching, How to band-aid your JRE
- Debugging, Instrumentation and Live Inspection
Day 2:
- The view of the Threat Analyst
- Bug Patterns
- Clean Code and what can still go wrong
- Understanding Exploitation Approaches
- What has changed in Java 7
- Attack Types
- Identifying Serialization attacks
- Understanding Scripting API Misuse
- API Self-assessment with fuzzing
- Identifying native code flaws
- Privileged code, bugs and defenses
- Misusing Enterprise Frameworks
- Closing Application Server holes
- Struts, Spring, Seam etc.
- Examples of Real Life Security Bug Patterns
- Dedicated Topics brought up by the students (send in at least a week before the Dojo)
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in and the software tools that need to be pre-installed before attending, so you get the maximum benefit from this focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the course and is necessary to get the maximum benefit out of this educational program.
Prerequisites:
Students are expected to be familiar with the basic principles of Java programming and, by that, with the API of the fundamental system libraries. Participants should know the standard procedures for developing Java programs (be able to start the compiler and runtime tools from the command line). Additionally, they should be comfortable configuring JRE settings and performing low-level code analysis, including reverse engineering.
The material presented throughout this course is focused on supporting the theoretical foundations with practical examples. Since students will be exposed to real-life examples, the ability to think around the corner and even outside the box is helpful. Nevertheless, the trainer will help you stay on track.
Prerequisite Material
For the practical parts a virtual machine environment will be provided. For that the student will need an Intel-based laptop (2 GHz or faster) with at least 2 GB of RAM and a current version (4.1.8 or later) of VirtualBox installed.
Note: This course covers Java 6 and Java 7 (a preconfigured CentOS 6 VM can be provided).