Certified Application Security Engineer - Java (CASE)

Module 01: Understanding Application Security, Threats, and Attacks

• What is a Secure Application
• Need for Application Security
• Most Common Application Level Attacks
• Why Applications become Vulnerable to Attacks
• What Constitutes a Comprehensive Application Security?
• Insecure Application: A Software Development Problem
• Software Security Standards, Models, and Frameworks

Module 02: Security Requirements Gathering

• Importance of Gathering Security Requirements
• Security Requirement Engineering (SRE)
• Abuse Case and Security Use Case Modeling
• Abuser and Security Stories
• Security Quality Requirements Engineering (SQUARE)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Module 03: Secure Application Design and Architecture

• Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
• Secure Application Design and Architecture
• Goal of Secure Design Process
• Secure Design Actions
• Threat Modeling
• Decompose Application
• Secure Application Architecture

Module 04: Secure Coding Practices for Input Validation

• Input Validation Pattern
• Validation and Security Issues
• Impact of Invalid Data Input
• Data Validation Techniques
• Input Validation using Frameworks and APIs
• Open Source Validation Framework for Java
• Servlet Filters
• Validation Filters for Servlet
• Data Validation using OWASP ESAPI
• Data Validation: Struts Framework
• Data Validation: Spring Framework
• Input Validation Errors
• Common Secure Coding Practices

Module 05: Secure Coding Practices for Authentication and Authorization

• Introduction to Authentication
• Types of Authentication
• Authentication Weaknesses and Prevention
• Introduction to Authorization
• Access Control Model
• EJB Authorization
• Java Authentication and Authorization (JAAS)
• Java EE Security
• Authorization Common Mistakes and Countermeasures
• Authentication and Authorization in Spring Security Framework
• Defensive Coding Practices against Broken Authentication and Authorization
• Secure Development Checklists: Broken Authentication and Session Management

Module 06: Secure Coding Practices for Cryptography

• Java Cryptography
• Encryption and Secret Keys
• Cipher Class
• Digital Signatures
• Secure Socket Layer (SSL)
• Key Management
• Digital Certificates
• Signed Code Sources
• Hashing
• Java Card Cryptography
• Spring Security: Crypto Module
• Dos and Don’ts in Java Cryptography
• Best Practices for Java Cryptography

Module 07: Secure Coding Practices for Session Management

• Session Management
• Session Tracking
• Session Management in Spring Security
• Session Vulnerabilities and their Mitigation Techniques
• Best Practices and Guidelines for Secured Sessions Management
• Checklist to Secure Credentials and Session IDs
• Guidelines for Secured Session Management

Module 08: Secure Coding Practices for Error Handling

• What are Exceptions/Runtime Errors?
• Need of Secure Error/Exception Handling
• Consequences of Detailed Error Message
• Exposing Detailed Error Messages
• Considerations: Designing Secure Error Messages
• Secure Exception Handling
• Handling Exceptions in an Application
• Defensive Coding practices against Information Disclosure
• Defensive Coding practices against Improper Error Handling
• ASP.NET Core: Secure Error Handling Practices
• Secure Auditing and logging
• Tracing in .NET
• Auditing and Logging Security Checklists

Module 09 Static and Dynamic Application Security Testing (SAST & DAST)

• Introduction to Exceptions
• Erroneous Exceptional Behaviors
• Dos and Don’ts in Error Handling
• Spring MVC Error Handling
• Exception Handling in Struts 2
• Best Practices for Error Handling
• Introduction to Logging
• Logging using Log4j
• Secure Coding in Logging
• Secured Practices in Logging
• Static Application Security Testing
• Manual Secure Code Review for Most Common Vulnerabilities
• Code Review: Check List Approach
• SAST Finding
• SAST Report
• Dynamic Application Security Testing (DAST)
• Automated Application Vulnerability Scanning Tools
• Proxy-based Security Testing Tools
• Choosing Between SAST and DAST

Module 10: Secure Deployment and MaintenanceSecure Deployment

• Secure Deployment
• Prior Deployment Activity
• Deployment Activities: Ensuring Security at Various Levels
• Ensuring Security at Host Level
• Ensuring Security at Network Level
• Ensuring Security at Application Level
• Ensuring Security at Web Container Level (Tomcat)
• Ensuring Security in Oracle
• Security Maintenance and Monitoring

Für eine optimale Teilnahme am Kurs empfehlen wir folgende Vorkenntnisse:

• Java-Entwickler mit mindestens 2 Jahren Erfahrung

• Personen, die mit der Aufgabe betraut sind, Anwendungen zu entwickeln, zu testen, zu verwalten oder Anwendungen schützen