This course will utilize instructor-led discussions, lab exercises and case studies to illustrate the security patterns for building Java applications. This course will focus on: role of security patterns, strategies and best practices, Secure UP, risk analysis, trade-off analysis (TOA), security patterns catalog, Web-tier patterns, Business-tier patterns, Web services patterns and identity management security patterns.
Each security pattern is covered in depth: we review its participants and responsibilities, driving forces, pattern relationships, pattern consequences, security factors and risks, and coding implementations.
Audience:
Enterprise architects, developers, administrators and project managers who need to design or build security-bound Java applications.
Objectives
Upon conclusion, participants will have acquired these skills:
- Depict role of Secure UP design methodology and the role of the security wheel
- Illustrate the Secure UP artifacts: requirements, use cases, white/black box testing and environment setup
- Demonstrate use of risk analysis (Single Loss Expectancy and Annualized Loss) and trade-off analysis matrix
- Develop complete risk analysis model of case study application
- Illustrate the utilization of Web tier patterns
  - Authentication Enforcer
  - Authorization Enforcer
  - Intercepting Validator
  - Secure Base Action
  - Secure Logger
  - Secure Pipe
  - Secure Service Proxy
  - Intercepting Web Agent
- Demonstrate Business tier patterns
  - Audit Interceptor
  - Container-managed Security
  - Dynamic Service Management
  - Obfuscated Transfer Object
  - Policy Delegate
  - Secure Service Façade
  - Secure Session Object
- Understand Web Services tier patterns
  - Message Inspector
  - Message Interceptor Gateway
  - Secure Message Router
- Depict usage of Identity Management patterns
  - Assertion Builder
  - Credential Tokenizer
  - Single Sign-on Delegator
  - Password Synchronizer
- Demonstrate the relationship between supporting patterns
- Illustrate the following topics for each security pattern: their implementation forces, consequences, risk factors and related patterns
- Demonstrate the use of each security pattern with an in-depth case study
Prerequisites
Each student should have a basic understanding of the Java programming language.
Course duration
4 days
Course outline
IT Security Status
- Security myths
- Application and Network flaws
- Impact of Web 2.0
- Security wheel
- Security patterns
- Template
- Categorizations
- Relationships
- Known risks
- Interceptor Gateway
- Message Interceptor
- Assertion Builder
- Audit Interceptor
- Best practices
Java Security Basics
- Core Java technology
- JVM Security
- Java language security
- Platform security
- Security models
- Permissions
- Java Policy files
- Security Manager
- Codebase
- Bytecode Verifier
- Class Loaders
- Java Web Start
- J2ME Security
- Key and Certificate Management
- Keystores
- Policy Tool
- JarSigner
- Keytool
- Public and Private Keys
- Exporting and Importing Certificates
- Signing Requests
- Securing Java source code
Java Security Manager
- Security Goals
- Solution concepts
- Using UIDs
- Access Control Lists
- Language security
- Java Security mechanism
- Sandbox
- Trusted code
- Fine grained control
- Create Security policy
- Installation
- Stack inspection
- Beyond JVM Security
Using Secure Socket Layers
- SSL Overview
- SSL Architecture
- Components
- Sessions and Connections
- State changes
- SSL Records
- Protocol processing
- Header
- MAC address
- Encryption
- Alert protocol
- Handshakes
- Key exchange methods
- Server certificate and key exchange
- Client authentication
- Cryptographic computations
- Analyzing SSL records
- Traffic analysis
- Confidentiality
- Authentication
- Cipher attacks
- Key exchange algorithm
Digital Certificates
- Introduction
- Certificate Authorities
- X.509 Certificates
- Architecture
- Types
- Retrieval
- Distribution
- X.509 Certificate format
- Revocation
- Revocation lists
- Distribution
- Pre-existing Certificates
- Use with SSLs
Java EE Security
- Relevant standards
- Role and use of annotations
- Defining JAAS
- Authentication vs. Authorization
- Role of Subject
- Defining Principal
- Pluggable Authentication modules
- Creating LoginContext
- LoginModule chaining
- Principal-based authorization
- Codesource vs. ProtectionDomain
- Using AccessController
- Security Policies and Infrastructure
- EJB Security
- Security context
- Use of role names
- Annotations
- Deployment descriptor elements
- Method permissions
- Propagation
- Programmatic vs. Declarative
- Web tier security
Encryption using javax.crypto
- Cryptography Concepts
- Encryption Keys
- Cipher Algorithms
- Modes and Padding Schemes
- The Cipher Class
- Encrypting and Decrypting Data
- Cipher Output Stream
- Cipher Input Stream
- Encryption using Password Ciphers
- Exchanging Encrypted Keys
- Sealed Objects
Encryption Methods
- Cryptography techniques
- Symmetric
- Asymmetric
- Combinations
- Standards
- DES
- AES
- Diffie-Hellman
- RSA
- Public vs. Private Keys
- Signing and Padding
- Hashing
- Digital signatures
- Usage
- Role of key
- Methodology
- Use of JCE
- Encryption Keys
- Performance considerations
Java Authentication and Authorization services
- Authentication and Authorization
- JAAS Overview
- LoginContext
- Subjects, Principals, and PrivilegedActions
- Authentication with the NTLoginModule
- Defining Permissions in Policy Files
- KeyStoreLoginModule
- Callbacks
- NameCallback and PasswordCallback
- The Policy Class
Using Java EE Security
- Authentication
- Authorization
- Security Layers
- Features
- Topology
- Protocols
- SSL
- Application Server Management
- LTPA
- SSO
- Identity Assertion
- Declarative Security
- Security Roles
- Run-As Delegation
- Securing resources
- Creating Constraints
- Authentication types
- Form
- Digital
- Basic
- Certificate
- Trust Association
- Custom Trust Association Interceptors