Title: Yin and Yang of Java Security Programming
Trainer: Marc Schönefeld
Capacity: 24 pax
Seats left: CLASS IS CANCELLED
Duration: 2 days
Cost: (per pax) RM2800 (early bird) / RM3200 (non early-bird)

Content:

Opposed to the legends most white papers tell software written in Java is not secure by default. This course will provide the participants with the awareness to threats for java based software. It focuses on the current java (1.4.x , Tiger and Mustang releases) code based security features which are used to protect typical java application patterns (J2EE, Desktop Java, Applet, Servlets).

Secure Java Coding always starts from Sun’s secure programming guidelines which are presented by associating attack types and possibilities for refactoring to harden the system. Executed java classes are based on bytecode, therefore knowledge of Java bytecode is essential to understand and extend java static code analysis tools like BCEL and findbugs.

Other important terms in java code-based security are “protection domains” and “permission collections”. To reverse engineer protection domains an approach to extend the Java securitymanager is presented. A framework is presented that allows defining custom and complete permission sets when deploying java applications.

After hardening the JDK itself the java security engineer is concerned with raising the protection level of open source java middlweware components like Web servers (Jetty, Tomcat) or databases (cloudscape, pointbase).

Prerequisites
A laptop capable of compiling java code (preinstalled Sun JDK 1.4.2_x and IBM Eclipse IDE 3.0.x).

The student should have an understanding of most of the following concepts and technologies:

* Knowledge of basic Java programming tools (java, javac, javah).
* Basic to advanced Java and java bytecode programming knowledge as well as the core Java API is beneficial for understanding the key concepts
* Knowledge of basic security concepts like least privilege and security models
* Knowledge of common C based software threats is helpful for the JNI part

Day 1:

1. Introduction

   1. Security
      in a broader sense

   2. The
      history of Java security (Felten, LSD, …)

2. Java
   and security

   1. J2SE
      Java 1.4 application areas

      1. Desktop
         Java (J2SE)

      2. WebServer
         Java (J2EE/JSP)

      3. BackendServer
         Java (J2EE/EJB)

      4. DatabaseServer
         Java (J2EE/JDBC)

3. What
   to attack and protect

   1. Attacks
      on Integrity

   2. Attacks
      on Confidentiality

   3. Attacks
      on Availability

4. Java
   security architecture

   1. Core
      java runtime environment security:

      1. JVM
         security

      2. Java
         language security

      3. Core
         API security

      4. Classloaders
         and protection domains

   2. Application
      security:

      1. JSSE
         and SSL

      2. GSSAPI

      3. JAAS

About Marc

Marc Schonefeld is an external PhD student at the University of Bamberg in Germany. His research covers the analysis of interdependencies between programming flaws (antipatterns) and vulnerabilities in software. By developing a framework for flaw detection he found a range of serious bugs in current java runtime environments (JDK) and other java based applications and middleware systems(like Jboss, Cloudscape database, …). Some of his findings led to the publication of a number of advisories by Sun Microsystems. In 2004 he presented at DIMVA and D-A-CH conferences and was speaker at Blackhat and RSA in 2003. Also in 2004 he was finalist for the European Information Security Award for his work on java based security antipatterns.