Secure Coding in Java/JEE: Developing Defensible Applications Break Down
The author created this free Secure Coding in Java/JEE study guide by collecting various free multimedia resources and code examples from the internet.
Do It Yourself (DIY) is the best way of learning Secure Java Coding, therefore, I highly recommend you to setup a virtue machine and experiment the defense techniques you learned here.
Data Validation
- XSS
- CSRF
- SQL Injection
- Blind SQL Injection
- Parameter Manipulation
- HTTP Response Splitting
- Insecure Directory Object Reference Attacks
- Directory Traversal
- Command Injection
- Character encoding (unicode, UTF-8, ASCII)
- Canonicaliztion
- Blacklisting & Whitelisting
- Regular Expressions
- ServletFilters
- Output Encoding/Escaping
- OWASP ESAPI Encoding
- Struts Validation
- CSRF Protection
- CAPTCHA with SimpleCaptcha
- executeQuery() vs executeUpdate() vs execute()
- Anti SQL Injection
- Prepared Statements
- Hibernet sql mapper defense
- iBatis mapper defense
- Aspect oriented Programming (AOP)
- AspectJ
- Spring AOP
Authentication, Session Management, and Access Control
Authentication, Authorization and Session Control
- HTTP basic and Form-based Authentication
- openssl and client-certificate-based Authentication
- Session Management Basics
- Cookies
- request.getSession(true)
Common code vulnerability and attacks
- password related developer mistakes
- Dictionary/birthday paradox attacks
- “forget my password” attacks
- Hashing and rainbow table attacks
- Session hijacking
- Session fixation
- misconfiguration and Access Control Bypass
- Unvalidated Redirects and Forwards
- Pass the Hash Attack
J2EE build-in Authentication and Authorization mechanisms
- Enable SSL in server.xml
- Enable realm in server.xml
- Guarantee SSL use in web.xml
- Configure Basic/Form-based Auth in web.xml
- Configure Client-cert-based Auth in web.xml
- Configure timeout/cookie in web.xml
- Configure access control in web.xml and
- Password policy
- Account lock out
- Declarative access control
- JSR 250 Annotations
- Servlet 2.5 Annotations
- Servlet 3.0 Annotations
Java Language & Security APIs
Java Security Manager
- Java Protection Domains
- Java Security Manager and Policy Files
- How To Create New Java Permissions
- How To Sign a jar File
- RuntimePermission
Java Exception Handling & Logging
- Java Exception Overview
- Checked Exception vs Unchecked Exception
- Exception Handling Common Pitfalls & Best practices
- try catch finally block
- Configure Exception Handling in web.xml
- Logging philosophy
- Log categories (Perimeter devices, Server, Application, Database)
- java.util.logging
- org.apache.log4j
- org.owasp.esapi.Logger & LogFactory
- Log Forging
- Public Key Infrastructure (PKI)
- Java Secure Sockets Extension (JSSE) Overview
- Key Management
- JSSE server/client SSL connection Example
- Java Cryptography Architecture (JCA) Overview
- Basic Cryptography Concepts walk through (Message Digest, Pseudo-Random Number, HMAC, Symmetric Encryption)
- How To Create Java MessageDigest and Salted MessageDigest
- How To Generate Java Pseudo-Random Number
- How To Use Message Authentication Code (MAC) and Hash MAC (HMAC) in Java Code
- How To Encrypt/Decrypt Data with Java Cipher and IvParameterSpec Class
Java Language Hardening
- Java Accessibility (public, protected, private, package, none)
- Java Inner Classes
- Java Final and Static Keyword
- Java Class Loader
- Java Serialization and Deserialization
- Java Class Clone
- Java Resource Management and Denial of Service attacks
- Java Garbage Collector
- Java String Types (String Class, String literal, StringBuilder, StringBuffer)
- Java String Comparison (Surprise)
- Java Integer overflows and java.math.BigInteger
- Java Floating Point overflows/errors and java.math.BigDecimal
- How Java deal with POSITIVE_INFINITY, NEGATIVE_INFINITY and NaN
Race Conditions
- Java Threads Overview
- Attacks related to Race Conditions
- Three Ways of Preventing Race Conditions in Java
- deadlock, stale copies
- Java Vector v.s. ArrayList v.s. CopyOnWriteArrayList (multi-threading)
- java.util.concurrent overview
- Java Singleton Common Pitfalls & Best Practices
Secure Development Challenge
- Defects and Security Touchpoints
- Code Review
- Conduct Static Code Review with FindBugs
- Conduct XSS and CSRF testing with tool BeEF
- Conduct SQL injection testing with tool sqlmap
References:
https://www.owasp.org/index.php/Cheat_Sheets
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
Read Full Post | Make a Comment ( None so far )
ICND1 and ICND2 break down
Notice post links now point to site http://xyznetwork.blogspot.com/.
If you haven’t decided what CCNA test to take, read this post first.
The author created this free CCENT and CCNA study guide by collecting various free multimedia resources from the network, including a lot of youtube videos. Also check out the CCNA Lab for the labs corresponding to this tutorial, and verify your knowledge with pre-make Practice Exams .
Do It Yourself (DIY) is the best way of learning TCP/IP network, therefore, I highly recommend you to download wireshark and packet tracer. With wireshark, you can capture your network traffic and see exactly what’s going on under the hood; with packet tracer, you can set up LAN and WAN virtually and do experiments on them.
Good luck with your CCENT and CCNA test!
(CCENT – ICND1)
Lesson 1
Introduction to Networking and the Networking Models
Cover the theory needed for the exam, to accelerate Cisco networking career and for troubleshooting experience
* The Data Transmission Process
* Ports, Sockets and Port Numbers
Lesson 2
Ethernet Standards and Cable Types
The CCNA Exam will Hammer You with Questions About Ethernet… so this course breaks down everything you need to know about cable types. this is also crucial for setting up and running a network in the real world.
* Ethernet Types And Standards
* The Need For And Operation of CSMA/CD
* Ethernet Connectors and Cable Types
Lession 3
Switching
I Explain How (and WHY) Switches Work… in theory, for real world application and for the exam.
* Repeaters, Hubs, Bridges, Switches and Routers
* MAC address learning and filter/forward decisions
* Cisco Three-Layer Switching Model
Lesson 4
Common Router and Switch Commands
Typical Switch (And Router) Commands are Broken Down. This information is necessary both on exam day and also when working in the real world as a network admin, as these commands are used daily.
* Video Lab – Packet Tracer Interface Overview
* Physical Connections and Passwords
* Physical Side of Cisco Switches
* User, Enable and Privilege Modes
* Basic Switch managment commands
* Switch/Router passwords configurations
* Switch Port Security Defaults, Options and Configurations
* Banners, “logging synch”, and “exec-timeout”
* Keystroke Shortcuts and Manipulating History
Lesson 5
IP Addressing and the Routing Process
This section covers must know (and memorize) fundamentals, which are needed for the exam and necessary for future videos: binary math, subnetting, and working with network and port address translations.
* IP Addressing and Binary Conversions
* Intro to the Routing Process
* Routing Process Continued — Behind the “PING”
* Basic Router management commands
* Switch/Router Interfaces and Physical Ports
Lesson 6
ARP, DNS and DHCP
This section will teach you these fundamental protocols which are necessary for use within any network.
* The ARP RARP and DHCP Process
* Broadcast, Multicast, and Unicast
* Intro to Security Device Manager (SDM)
Lesson 7
Memory Components and Config Files
This video introduces the student to basic password and security configurations, as well as assigning privilege levels; so, it’s really the foundation for their knowledge of router security as well as the basic password recovery process.
* Configuration Files and IOS Upgrading
Lesson 8
Intro to Wireless Networks (WLANs)
Learn the standards of wireless, which relates to all wireless, not just Cisco. This is the fastest evolving and growing field. It’s also necessary to memorize this information for the exam.
* SSID, MAC Address Authentication, WEP, WPA, and WPA2
Lesson 9
Binary Math and Subnetting
Fundamentals for the exam. Also, essential for IP addressing and IP address conservation. #1 topic that causes otherwise well prepared students to fail CCNA.
* Decimal > Binary, Binary > Decimal
* Four common subnetting scenarios
Lesson 10
Static Routing and RIP – Part 1
More fundamentals for the exam, and you will see the work done over a Cisco router. You will learn how to manually set up routing. This video will pave the way for future exam and real world success.
* Video Lab -Static Routing and RIP Routing
Lesson 11
Wide Area Networks (WANs)
Learn to link routers with other routers for communication.
* WAN interface of Cisco Router and WAN Cabling
* Video Lab – Internet Connections with NAT and PAT
* Video Lab – Router as DHCP Server
Lesson 12
Introduction to Network Security
You will learn about network attackers and intruders, how they get in, and how to keep your network save by keeping them out.
* The need for network security
* Intro to PIX, ASA, IDS, and IPS
* Viruses, Worms, and Trojan Horses
Lesson 13
Troubleshooting
95% of work in the real world is troubleshooting, so it’s necessary for real world success.
* Cisco Discovery protocol (CDP)
* Telnet and SSH Maintenance Commands
* Administrative Distance
* Extended Ping and Traceroute
(ICND2)
Introduction to ICND2
* Videos Introduction
* Instructor’s Introduction
* Exam Types
Lesson 1
Switching II
* STP
* Root Bridges, Root Ports, and Designated Ports
* STP Timers and Port States
* Portfast
* VLANs and Trunking
* Access and Trunk Port Comparison
* VTP
* “Router on a Stick”
* RSTP and PVST
* Etherchannels
Video 2
PTP WAN Links, HDLC, PPP, and Frame Relay
This will help you when working on real production networks. All topics are shown being configured on live equipment. Frame Relay is a major topic on the exam and in the real world.
* HDLC vs. PPP
* PPP Features
* PAP and CHAP
* Frame Relay Introduction
* Frame Relay LMI Theory
* Frame Relay Configs, DLCIs, Frame Maps, and Inverse ARP
* Frame Sub-Interfaces3
* Split Horizon
* Frame Relay LMI Show, Debug, and Lab
* FECN, BECN, DE bits
* PVC Status Meanings
Lesson 3
Static Routing and RIP
This video expands on the CCENT video, covering advanced topics found on the ICND2 and in the real world.
* Static Routing Theory and Configuration
* Distance Vector Protocol Behavior – Split Horizon and Route Poisoning
* RIP Theory and Version Differences
* The Joy of “show ip protocols”
* RIP Limitations
* RIP Timers
* Floating Static Routes
Lesson 4
OSPF
OSPF is an Internet protocol. In this video you will look at types of OSPF and how to configure on a live network. Experience with OSPF is necessary for the CCNA, for the real world, and to build upon for CCNP & CCIE.
* Link State Routing Protocol Concepts and Basics
* The DR and BDR
* Hello Packets
* Troubleshooting Adjacency Issues
* Hub-and-Spoke NBMA OSPF Networks
* Broadcast Networks
* The OSPF RID
* OSPF Router Types
* Advantages of OSPF
* Point-to-Point OSPF Networks
* Default-Information Originate (always?)
* OSPF Authentication
Lesson 5
EIGRP
Learn the theory and practice with labs to learn this hybrid routing protocol which has increased operational efficiency from it predecessor. Learn the capabilities and attributes.
* Introduction to EIGRP
* Successors and Feasible Successors
* EIGRP vs. RIPv2
* Basic Configuration
* Wildcard Masks
* Load Sharing (Equal and Unequal-cost)
* EIGRP, RIPv2, and Autosummarization
* Passive vs. Active Routes
Lesson 6
IP Version 6 and NAT
Learn the basic theory and routing protocol. You will need to know the basics for the CCNA exam and for working with networks. IP Version 6 is everywhere and becoming more prevalent, so understanding this material is vital for future success.
* IPv6 Theory and Introduction
* Zero Compression and Leading Zero Compression
* IPv6 Reserved Addresses
* The Autoconfiguration Process
* OSPF v3 Basics
* Transition Strategies
* NAT Theory and Introduction
* Static NAT Configuration
* Dynamic NAT Configuration
* PAT Configuration
Lesson 7
VPNs and IPSec
Learn key terminology & definitions for the exam.
* Definitions and Tunneling Protocols
* Data Encryption Technologies
* Key Encryption Schemes
* IPSec, AH and ESP
* A VPN in Your Web Browser
Video 8
ACLs and Route Summarization
Learn to configure and control ACLs to get them to do what you want for the exam and in the real world. Learn the basic breakdown and how to summarize routes. Learn common commands for working with RIP & EIGRP.
* ACL Login and the Implicit Deny
* Standard ACLs and Remarks
* “Host” and “Any”
* The Order of the Lines
* Extended ACLs
* Named ACLs
* Telnet Access, Placing ACLs, and Blocking Pings
* Dynamic and Time-Based ACLs
* Port Number Review
* Route Summarization with RIP and EIGRP
Read Full Post | Make a Comment ( 19 so far )
IT Security 