Secure Java Coding - Lifecycle (TT-8205-J)

Format: Virtual instructor-led training
Secure Java Coding – Lifecycle is a hands-on, lab-intensive Java security, code-level training course that teaches students the best practices
for designing, implementing, and deploying secure programs in Java. Students will take an application from requirements through to
implementation, analyzing and testing for software vulnerabilities. This course explores well beyond basic programming skills, teaching
developers sound processes and practices to apply to the entire software development lifecycle. Perhaps just as significantly, students learn
about current, real examples that illustrate the potential consequences of not following these best practices. This course is short on theory
and long on application, providing students with in-depth, code-level labs.
Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into
an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web
application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course
builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications
from the beginning of the software lifecycle.
A key component to our Best Defense IT Security Training Series, this workshop is a companion course with several developer-oriented courses
and seminars. Although this edition of the course is Java-specific, it may also be presented using .Net (TT8200-N) or other programming
languages.
Skills Gained
Students who attend Secure Java Coding - Lifecycle will leave
the course armed with the required skills to recognize software
vulnerabilities (actual and potential) and implement defenses for
those vulnerabilities. This course quickly introduces developers to
the various types of threats against their software.
The concept and process of Threat Modeling is introduced as a key
enabler for implementing effective and appropriate security for
software and information assets. This course includes coverage of
the many security-related technologies and APIs that exist in the
Java world.
The initial portion of the course lays down the foundation in
basic terminology and concepts that is built upon in subsequent
lessons. The second portion of the course steps through a series
of vulnerabilities illustrating in very real terms the right way to
implement secure web applications. The last portion of the course
examines several design patterns that can be used to facilitate
better application architecture, design, implementation, and
deployment.
Working in a lab-intensive, hands-on programming environment,
led by our expert security team, students will learn to:
- Understand the concepts and terminology behind defensive coding.
- Understand and use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets.
- Learn the entire spectrum of threats and attacks that take place against software applications in today's world.
- Use Threat Modeling to identify potential vulnerabilities in a real-life case study.
- Perform both static code reviews and dynamic application testing to uncover vulnerabilities in Java applications.
- Understand the vulnerabilities of the Java programming language and the JVM, as well as how to harden both.
- Understand and work with Java 2 platform security to gain an appreciation for what is protected and how.
- Understand the role that Java Authentication and Authorization Service (JAAS) has in Java applications.
- Use JAAS in conjunction with a Java application for both authentication and authorization.
- Understand the basics of Java Cryptography (JCA) and Encryption (JCE) and where they fit in the overall security picture.
- Understand the fundamentals of XML Digital Signature and XML Encryption.
- Understand and implement the processes and measures associated with Secure Software Development (SSD).
- Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives.
- Understand the basics of security testing and planning.
- Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses.
Who Can Benefit
This is an intermediate-level Java programming course designed
for application project stakeholders who wish to get up and
running on developing well-defended Java applications. Familiarity
with the Java programming language is required, and real-world
programming experience is highly recommended.
Prerequisites
Students should have an understanding of and a working knowledge in the following topics, or attend these courses as a prerequisite:

- TT4000 Understanding Internet Architectures
- TT2100 Core Java Programming for OO Developers (C++, etc.) or TT2120 Java Fundamentals for Non-OO Programmers or TT5140 Core Java Programming for Server Side Developers New to OO
Delivery Environment: Tools to Use
Although this training is skills-centric, this course can be delivered
using a variety of software combinations, including but not limited
to: Eclipse Helios/Ganymede, MyEclipse, IBM® WebSphere Rational
Application Developer (RAD75), Oracle JDeveloper or other IDEs.
This course may also run using Java 5. Please inquire for details and
options.
Our detailed workbooks are complete with software-specific
screen shots and step-by-step tutorials for using the software you
select. In most cases we can easily port our classes to run in the
environment of your choosing.
Experiential Learning: Hands-On Labs
This class is “technology-centric”, designed to train attendees in
essential defensive coding development skills, coupling the most
current, effective techniques with the soundest coding practices.
As a programming class, this course provides multiple challenge
labs for students to work through during the class.
This workshop is about 50% hands-on lab and 50% lecture.
Throughout the course students will be led through a series of
progressively advanced topics, where each topic consists of lecture,
group discussion, comprehensive hands-on lab exercises, and lab
review. Multiple detailed lab exercises are laced throughout the
course, designed to reinforce fundamental skills and concepts
learned in the lessons. At the end of each lesson, developers will
be tested with a set of review questions to ensure that they have
fully understood that topic.
Optional Pre / Post-Testing & Skills Assessment
We work with you to ensure that your resources are well spent. Through our basic course pre-testing and/or post-course assessments, we ensure your team is up to the challenges that this course offers. Our goal is to structure the best solution that ensures your needs are met, whether we customize the material, or devise a different educational path to prepare for this course.
Please contact us for details about our online pre- and post-test assessment services, custom managed training plans for one student or your entire organization, or our custom online training program management system for monitoring courses and progress while skilling your students of all experience levels.

This premium course is delivered by certified instructors. There is a difference. Discover it.

Code: TT-8205-J
Format: Virtual instructor-led training
Duration: 4 days
Certified by: Trivera
Registration fee (CAD): contact us

This course is not currently scheduled. If you are interested in taking this course, use the link below to request a date.
Secure Java Coding - Lifecycle (TT-8205-J) Detailed Course Outline
- Misconceptions: Thriving Industry of Identity Theft; Causes of Data Breaches; 2010 Attacks Continue to Evolve; 2010 Dishonor Roll for Data Breaches; TJX: Anatomy of a Disaster?; Heartland – Slipping Past PCI Compliance; Verizon’s 2011 Data Breach Report; US Secret Service Continues to Battle; Verizon AppSec Recommendations
- Security Concepts: Terminology and Players; Assets, Threats, and Attacks; OWASP; WASC
- Defensive Coding Principles: Security Is a Lifecycle Issue; Bolted on Versus Baked; Minimize Attack Surface Area; Examples of Minimization; Defense in Depth; Manage Resources; Layers of Defense: Tenacious D; Compartmentalize; Consider All Application States; Do NOT Trust the Untrusted; Fix Security Defects Correctly; Learning From Vulnerabilities
- Reality: Recent, Relevant Incidents; Finding Security Defects In Web Applications

- Unvalidated Input
- Broken Access Control
- Broken Authentication And Session Management
- Cross Site Scripting (XSS) Flaws
- Injection Flaws
- Error Handling And Information Leakage
- Insecure Storage
- Insecure Management of Configuration
- Direct Object Access
- Spoofing and Redirects

Session: Java Security Fundamentals
- Perimeter Defenses
- Java Security Architecture
- JVM Defenses
- Extending the defenses

Session: Cryptography Overview
- Cryptography defined
- Strong Encryption
- Ciphers and algorithms
- Message digests
- Keys and key management
- Types of keys
- JCA and JCE
- Key management in Java
- Certificate management in Java
- Encryption/Decryption

Session: Code Location-Based Security
- Java 2 Security and Applets
- Work with Java 2 Security
- Byte Code verifier
- Class loaders
- Class loader tunnels
- Signing code
- Trusted code
- Java permission management
- Extending Java permissions

Session: User-based J2SE Security
- JAAS Overview
- JAAS Authentication
- Extending JAAS authentication
- JAAS Authorization

Session: Java Network Security
- SSL Support
- HTTPS
- GSS
- SASL protocols

Session: Code Level Security Best Practices
- What Java security provides for
- Preventing remote hacking
- Preventing accessing of restricted resources
- Retaining credibility with Java code

- Understanding Common Attacks And How To Defend
- Operating In Safe Mode
- Using Standards-Based Security
- XML-Aware Security Infrastructure
- JAXP Safe Mode
Session: Understanding What’s Important
- Prioritizing Your Efforts
- Common Vulnerabilities and Exposures for 2011
- OWASP Top Ten for 2010
- CWE/SANS Top 25 Programming Errors: Categories; What they mean for web applications; Monster Mitigations
- Java Best Practices: Code Obfuscation; JAAS Usage; Java 2 Security and Policy Files; Signing JAR Files

Session: Secure Software Development (SSD)
- SSD Process Overview: CLASP Defined; CLASP Applied
- Asset, Boundary, and Vulnerability Identification
- Vulnerability Response
- Design and Code Reviews
- Applying Processes and Practices
- Risk Analysis

Session: Security Testing
- Testing as Lifecycle Process
- Testing Planning and Documentation
- Testing Tools And Processes: Principles; Reviews; Testing; Tools
- Static and Dynamic Code Analysis
- Testing Practices: Authentication Testing; Session Management Testing; Data Validation Testing; Denial Of Service Testing