We created this Green Belt path for developers coding in Java. It includes our standard 13 Green Belt Secure Development lesson with the addition of 27 Java lessons. Each of our lessons are short and conclude with a brief ten question assessment. The learning module length is purposeful – they are perfect for filling gaps in a developer’s day while code is deploying.
Secure Development Core Lesson Modules
Intro to Secure Development
The definition of secure development and it’s pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
The need for secure coding, what are secure coding standards and how does a developer use them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Secure Coding Best Practices: Part 1
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Secure Coding Best Practices: Part 2
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
In this module, we explain how a languages type system is categorized and what the main categories are. We discuss the difference between static and dynamic languages as well as weak and strongly typed languages.
Securing the Development Environment
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real and following simple tips to secure your development environment can significantly reduce your exposure.
Protecting your Code Repository
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials and separating secrets in the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
Producing a Clean, Maintainable, & Secure Code Culture
The sources of complexity in software that led to security vulnerabilities and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Potential security threats are impacting your release and deployment process and ways to improve the security of your release and deployment process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
Designing a Secure App or Product
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
Thinking Like A Penetration Tester
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
Secure Design Principles in Action: Part 1
The economy of mechanism, secure the weakest link, establish trust boundaries, defense in-depth, don’t reinvent the wheel, usable security and default deny. Secure design principles require action to achieve “secure by design.”
Secure Design Principles in Action: Part 2
In this module, we explore secure design principles such as minimizing the attack surface, fail securely, least privileged, separation of duties, do not trust services/ infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Syntactic & Semantic Input Validation
Input-validation focuses on preventing improperly-formed data from entering the system. Input validation is one of the defenses against the injection class of attacks. Syntactic and semantic input validation explores the basic types of input validation and how to perform them in the Java context. Review the three primary rules of input validation and code examples for performing syntactical and semantic input validation. A review of whitelisting with a code example is also covered.
Input Validation with Range Checks, Regex, & Enums
Input validation is a multi-faceted toolbox, and this module adds intermediate level input validation techniques for Java, including range checks to evaluate minimum and maximum values for numbers and dates, use of regular expressions as input validation techniques, validation of e-mail addresses, and using enums to validate all types of data.
Web Input Validation: Bean Validation API and Spring
Model-based validation is the first line of defense against malicious web input. Learn how to perform input validation with the Bean Validation API, Spring, and Hibernate. Perform model-based validation using the Bean Validation API and implement custom validators in Spring.
Web Input Validation: JSF
JavaServer™ Faces (JSF) is a standard component-oriented user interface (UI) framework for the Java EE platform. JSF, like everything else, needs input validation. Recognize how to perform input validation in JavaServer Faces (JSF) and perform input validation using some of JSF's built-in validator tags and custom validators.
Parameterization with SQL
SQL is foundational within web applications, and improperly validating input to SQL results in a data breach. SQL injection can have a devastating impact on a web application. Recognize the flaw in using concatenation with strings to perform SQL queries and learn the secure approach to execute SQL queries using parameterized queries.
Securely Working with SQL
Secure SQL is more than just parameterized queries. SQL Injection can sneak in through stored procedures and LINQ and Entity Framework. Excessive privilege on SQL Server can provide an attacker unbridled access if they exploit an underlying vulnerability. Error information from your application can assist an attacker in fine-tuning an attack. Learn how to mitigate all of these issues.
Securely Working with XML
Insecure use of XML can result in an XML External Entity (XXE) attack, which may lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning from the parser’s machine. Explore how to create and parse XML using safe methods and learn to construct XXE-free XML in Java.
Avoiding Insecure Serialization & Deserialization
.NET has many ways of serializing and deserializing data. Deserializing untrusted data with an insecure deserializer can lead to remote code execution and complete system compromise. Serializing types without proper attributes can expose sensitive data. Describe the risk of exposing sensitive data via serialization and explore unsafe and safe methods for serialization with .NET. Investigate risky and secure ways for deserialization with JSON.NET and BinaryFormatter with a custom SerializationBinder and review tips for preventing serialization/deserialization vulnerabilities.
Encoding and escaping are defensive techniques meant to stop an injection or cross-site scripting attack. Review the concept of Cross Site Scripting or XSS and consider why XSS is such a big problem and explore the different methods to defend against XSS in ASP.NET, including the AntiXssEncoder. Learn how to spot XSS and fix the associated problem in your code.
Authentication: Basic and Kerberos
Basic and Windows (Kerberos) authentication are widespread in corporate internal environments and may exist in legacy code. Developers must know how to implement and fix it properly. Explore the steps to perform basic authentication and windows integrated authentication securely.
Form authentication is the modern approach for authentication with web applications. Examine how server-side stateful sessions with client-side ids and stateless bearer-tokens for authentication work. Learn which authentication type is best for specific scenarios and explore examples of how to implement form-based authentication in Java using Spring Security, and which password encoders are safe to use.
Token authentication is primarily used for API and 3rd party external provider integration. Learn how to unpack an original token request and response, and how a token gets used from the end-point to the server-side. Explore code examples of token-based authentication in action.
JSON Web Tokens are an alternative for authentication. Understand how JSON Web Token (JWT) based authentication works and weigh the pros and cons to determine if JWT is right for your application. Explore examples of how to implement JWT securely in Java.
Authentication: External authentication
External authentication protocols provide single sign-on (SSO) capabilities, allowing users to have a unique username and password that gives access to multiple web applications. Learn the different types of external authentication, including OAuth, OpenID Connect, and WS-Fed. Explore library-based solutions to implement external authentication and code examples of how to use OAuth, Open ID Connect and WS-Fed with ASP.Net.
CSRF results in any allowed logged-in user action performed without user’s knowledge or consent (ex. transfer of funds, change of account password, purchase and shipment of merchandise). An open redirect results in a user being forwarded to an attacker’s site even though the link they clicked on appeared to go to a legitimate site; the attacker spoofs the official website and tricks the user into believing that the user continues to work/interact with the official site. Walkthrough an example of CSRF and Open Redirect and explore the .NET Framework-specific solutions to address CSRF and Open Redirect.
Authorization: Simple, Role-Based, & View-Based
Authorization enforces access control within your application, both for users and administrators. .NET has multiple solutions for access control. Compare simple, role-based, and view-based authorization. Explore code examples of implementing the various authorization types.
Session and cookies track the results of the previous authentication and improve user experience. Explore session and cookie basics and warnings. Review the Java implementation and the importance of data protection for session cache. Learn how to implement sessions and cookies for models and JSP pages and consider all the available cookie options and their most secure settings.
Logging is used to understand the activities of the system, which aids in diagnosing problems, both security, and non-security. Logging frameworks make it easy to write logs to different places by simply changing a configuration. Explore the popular logging frameworks for .NET, including log4net, Nlog, Serilog, and Common. Logging. Understand the differences between unstructured and structured logging and how to implement each of the popular logging frameworks.
Error Handling and Exceptions
Improper error handling can cause information leakage, which can assist/enable an attacker. Investigate how to generate exceptions securely through various Java methods. Learn how to recognize information leakages via error-messaging mechanisms that can be exploited by attackers, and how to mitigate via sanitizing/homogenizing such messages to reveal as little as possible to a potential attacker.
HTTPS is the protocol that, together with TLS, enables data in transit confidentiality protection. Experience the creation of a Certificate Signing Request with IIS and installation of a certificate and investigate how to use Let’s Encrypt and certbot for free certificates.
Content Security Policy is an effective "defense in depth" technique that helps prevent content injection attacks. It is a declarative policy that informs the user agent what valid sources to load from are. Explore Content Security Policy headers, source lists, and policy directives and how to implement CSP based on example policies.
Security headers enhance the security capabilities of your web applications, servers, and user’s browsers. Understand the various security headers available to your web applications and how to implement security headers at the IIS server level and disable negative headers that provide information to attackers.
Application Secrets Storage
Applications need secrets and must ditch the environment variable approach to security. Unpack the secret of secure secrets storage. Explore HashiCorp Vault, Azure KeyVault, and Amazon Secrets Manager to securely store application secrets. Implement examples of key-value storage, data encryption, and transparent protection of application properties using .NET and the command line.
Passwords are still the most common method that we use to authenticate our users. Each application must adequately protect the passwords that it stores and enable protection through hashing the password. Storage of secrets must occur securely. Learn how to implement password hashing and how to utilize different security mechanisms.
File-upload-related attacks cause resource exhaustion and Denial-of-Service (DoS), and also could be used to upload an attack that the application processes. Explore the potential risks of file upload and mitigations to minimize risk. Learn how to implement file upload with Java securely.
Multi-threaded scenarios require thread-safe programming (constructs/patterns) to avoid bugs. Without thread safety, flaws will lead to security vulnerabilities. Explore the different classes of timing issues and how to implement threads safely.
Insecure Coding with Java
Different ways of writing the most vulnerable code possible, including creating SQL queries with string concatenation, skipping input validation/sanitization, skip output encoding, disable CSRF protection, and using software with known third-party vulnerabilities. Looking at how to do something badly can be a fun way to see what we should do.