Application Security Recipes for Java/JEE
Apress (Publisher)
9781484208304 (ISBN)
- No publisher information available
This book starts its presentation with risk management terminology, because without a fundamental understanding of risk you may fail to define a secure system. The presentation then moves through the following topics: identifying and capturing security requirements, transforming all the identified requirements into a secure design, and validating the design with threat modeling concepts. Thereafter we give a detailed presentation of the Java built-in security model, secure coding guidelines for Java, a presentation of various input injection attacks and web attacks, controlling injection attacks with input sanitization and output encoding, a detailed presentation of web services (SOAP/REST) security, and validation and verification of all the security controls with white-box and black-box testing. Then follow cryptosystem best practices for application development, a presentation of cloud security and Android security, an introduction to the OWASP Top 10 Risks for 2014 and the OWASP Top 10 Mobile Risks for 2014, and finally a discussion of the Spring framework's built-in security module.
The highlights of the book are:
* Input injection attacks & Web injection attacks
* Threat modeling
* SOAP and RESTful web services security
* OAuth and SAML protocols
* Android Security & Cloud Security

This book guides you step-by-step through topics using complete and real-world code examples. Instead of theoretical descriptions of complex concepts, you will find live examples in this book. When you start a new project, you can follow the recipes to define the end-to-end security aspects of a system.
Chapter 1: Introduction to Application Security
Chapter Goal: Fundamental aspects of application security, why the importance of application security is growing day by day, and the basic terminology required to understand application security aspects.
* Application Security Importance
* Understand Risk Management Terminology
* Different Flavors of System Security
* Is security just a Non-Functional Requirement?
* Recent Noteworthy Hacking Incidents

Chapter 2: Capture Security Requirements
Chapter Goal: To develop a highly secure and hack-resilient system one must have thorough knowledge of end-to-end system security requirements. Different types of security requirements, how to capture security requirements, and sources for capturing these requirements. Classify the business data to define security requirements.
* Data classification to define system security
* Different types of security requirements
* Sources for capturing Security Requirements
* Traceability Matrix for security requirements

Chapter 3: Secure Software Design
Chapter Goal: Define secure design policies, securing commonly used architectures, design considerations for all captured security requirements. Threat modeling. Design process.
* Secure Design Process
* Secure commonly used architectures
* Design for security requirements
* Threat Modeling

Chapter 4: Data Validation
Chapter Goal: Data validation helps to build highly secure applications. Server-side validation is key to building a hack-resilient system. The various possible ways to bypass validation controls will be explained.
* Validate Input from All Sources
* How to Validate Input
* Finding and confirming Input Validation Issues
* Different ways to spot Input Validation Issues

Chapter 5: Data Validation Best Practices
Chapter Goal: User input should be validated both on the client side and on the server side. Input validation best practices and output encoding best practices will be explained. The Java API for doing input validation and output encoding will be introduced.
* Blacklisting vs Whitelisting
* Normalize Input
* Canonicalize Input
* Sanitize data sent to other Systems
* Output Encoding
* Character Encoding

Chapter 6: Implementing Security Requirements
Chapter Goal: How to implement core security requirements with Java, OWASP Top 10, OWASP Mobile Top 10, defensive coding practices, anti-tampering techniques (e.g. code signing, obfuscation), source code and versioning.
* Implementing core security requirements

Chapter 7: Input Injection Attacks
Chapter Goal: Various input injection attacks will be explained with a simplified and easy-to-follow approach: vulnerable usage scenarios and secure usage scenarios for a given attack.
* SQL Injection
* Stored Procedure Injection
* ORM Injection - Hibernate
* ORM Injection - JPA
* LDAP Injection
* Command Injection
* Directory Traversal
* Parameter Manipulation
* File Inclusion
* Log Forging
* Format-String Vulnerability
* XML Injection
* XPath Injection
* XQuery Injection
* XSLT Injection
* XML Entity Expansion Injection
* XML External Entity Injection
* SOAP Injection

Chapter 8: Web Security
Chapter Goal: How client-side controls, authentication and session management controls are attacked. Various ways to break web applications will be explained.
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery (CSRF, XSRF)
* Cross-Site Script Inclusion (XSSI)
* Header Injection (Response Splitting)
* Open Redirection
* Referer Leakage
* Mixed Content
* Cache poisoning
* Clickjacking
* Content and character set sniffing
* Cookie forcing (or cookie injection)
* Framebusting
* HTTP downgrade

Chapter 9: Web Services Security
Chapter Goal: End-to-end web services security will be explained. Common web service attacks. Importance of OAuth, SAML and SSO.
* SOAP Security
* REST Security
* OAuth
* SAML
* Single Sign On

Chapter 10: Security Testing
Chapter Goal: Verification and validation of a hack-resilient system is a very important step before moving to production, so various ways to certify the product will be explained.
* Security Testing (e.g., white box and black box)
* Attack Surface Validation
* Types of Testing - Penetration, Scanning (e.g., vulnerability, content, privacy), Cryptographic validation (e.g., PRNG)

Chapter 11: Threat Modeling
Chapter Goal: Steps to decompose an application architecture to discover vulnerabilities. How to identify and document threats that are relevant to your application.
* Strategies for Threat Modeling
* STRIDE
* Processing and Managing Threats
* Threat Modeling Tools

Chapter 12: Cryptography
Chapter Goal: The application and use of cryptography, the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance), key management processes, non-repudiation and Public Key Infrastructure (PKI).
* Explain Cryptography
* Understand Cryptographic Key Management
* Symmetric Cryptography
* Asymmetric Cryptography
* PKI (Public Key Infrastructure)
* Hashing

Chapter 13: Java Security
Chapter Goal: Java built-in security features will be explained.
* Class Loaders
* Bytecode Verification
* Security Managers and Permissions
* User Authentication
* Digital Signatures
* Code Signing

Chapter 14: Java Coding Practices
Chapter Goal: Java API level security coding practices will be explained.
* Denial of Service
* Confidential Information
* Injection and Inclusion
* Accessibility and Extensibility
* Mutability
* Object Construction
* Serialization and Deserialization
* Access Control
* Threads

Chapter 15: Android Security
Chapter Goal: Understand the Android security model. Finding vulnerabilities in Android applications.
* Android Architecture And Security Model
* Android Application Pen testing and Exploitation
* Android's Attack Surface
* Finding Vulnerabilities with Fuzz Testing
* Debugging and Analyzing Vulnerabilities
* Android Device And Data Security

Chapter 16: Cloud Security
Chapter Goal: Basics of cloud security, data security, compliance and legal issues with the cloud.
* Security Challenges in the Cloud
* Infrastructure Security in the Cloud
* Policy and Governance for Cloud Computing
* Compliance and Legal Considerations
* Data Security in the Cloud

Chapter 16: Spring Security
Chapter Goal: The Spring framework security module will be explained.
* Introducing Spring Security
* Securing web applications using servlet filters
* Authentication against databases and LDAP
* Transparently securing method invocations

Appendix 1: Input Validation Rules
Appendix 2: Secure Design Check List - Authentication & Password Management
Appendix 3: Secure Design Check List - Session Management
Appendix 4: Secure Design Check List - Access Control, Error Handling, Logging
Appendix 5: Security Assessment Tools
| Publication date (per publisher) | 30.12.2015 |
|---|---|
| Additional information | biography |
| Place of publication | Berlin |
| Language | English |
| Dimensions | 178 x 254 mm |
| Binding | Paperback |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Mathematics / Computer Science ► Computer Science ► Programming Languages / Tools |
| | Computer Science ► Theory / Study ► Cryptology |
| ISBN-13 | 9781484208304 / 9781484208304 |
| Condition | New |