Infusing Security Tools Within Software Development, A Purple Team Approach
If, like about 10 million other folks, you're a Java developer, you probably want to know how to keep Java code secure: using hacker-simulation tools to run security tests that check whether your features are both secure and working as expected. You may also be looking into serialization and deserialization vulnerabilities and how to avoid the vulnerable methods that cause them.
12 hours (12 CPE points)
What will you learn?
- Best practices on using the security features of Java and of Java frameworks and how to address some of the common security issues reported by OWASP.
- Building custom extensions on intercepting tools for automated security scans.
You will learn how to combine security tools in your development lifecycle and spot-check the low-hanging vulnerable fruit, thereby contributing efficiently to the Secure Software Development Lifecycle (SSDL).
What skills will you gain?
- Using Spring Boot to build applications for security testing
- Avoid Insecure Direct Object References by using scope-based authorizations.
- Avoid and mitigate injection attacks: use safe APIs and parametrized queries, and implement a server-side whitelisting approach for the data/input that may be accepted and processed.
- Issues with Java Deserialization and how to exploit it.
- Improve error messages so they do not reveal technical information to attackers, and design simplified APIs with strong security defenses implemented by default.
What tools will you use?
- Spring Boot
- Hands-on usage of intercepting proxy tool - Zed Attack Proxy (ZAP) from the OWASP project
- Writing custom extensions on ZAP to automate the security scans to ease the developer in SSDL methodology
- Using POSTMAN client tool and redirecting its request to ZAP for security analysis
- Using Eclipse IDE for developing secure REST APIs
What will you need?
- Windows OS (Windows 10 preferred)
- Latest installation of ZAP tool (version 2.7.0)
- Latest installation of POSTMAN client
- Eclipse Web IDE (Oxygen preferred)
- WAMP server
What should you know before you join?
- Good understanding of client-server architecture
- Basic SQL commands and database queries
- Java Programming
- Understanding of different HTTP methods
Topic: Secure Development Lifecycle and Chain of Security Tools
Description: This module mainly introduces security terminology and the attack vectors involved in an application. It also provides an overview of application architecture and the role of the different tools used during the entire course. Its content presents an offensive security methodology from a secure development perspective.
- JAVA Spring Boot features and its advantages
- Developing a Spring Boot-based REST API
- Enabling session time-out in the REST API
- Hands-on introduction to ZAP and POSTMAN
- What is:
  - Insecure Direct Object Reference
  - SQL injection
  - CSRF token
  - Intercepting proxy tool
Module 1 Exercises:
- Clone the Spring Boot REST API from git repository and configure the cookies with domain, HTTP and Secure flag being set and explore additional Spring Boot security features
- Use of POSTMAN client tool to trigger a request to API
- Intercept the HTTP traffic via proxy tool (ZAP)
- Modify the traffic and analyze the different sets of data (headers, tokens, etc.) being passed
- Create a report on what security feature is missing in the HTTP traffic analysis of your developed API
Topic: Deserialization Issues in JAVA, Testing, and Mitigating
Description: This module focuses on the different annotation features provided by Spring Boot and on developing serialization-deserialization functionality in your API. It provides an overview of the issues related to deserialization in Java and how to mitigate these flaws in your API development, as well as different techniques to mitigate input validation bypass issues. It also covers creating custom extensions on ZAP.
- Identifying Issues with deserialization
- How to exploit deserialization issues
- How to mitigate and fix deserialization issues
- Validating input on the server side
- Introduction to writing custom extensions on ZAP
- Implementing a passive scanner on ZAP to check the API request-response
- Using a basic authentication method for the APIs to restrict public access
Module 2 Exercises:
- Implement a passive scanner on ZAP with the following features:
  - Flag a session cookie set without the 'HttpOnly' and 'Secure' flags in the API developed in Module 1
  - Test whether a CSRF token is enforced for the POST method (DVWA app)
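As an added example (not part of the course materials and not a ZAP extension itself), the script below implements in plain Python, against constructed HTTP messages, the two passive rules this exercise asks for: a session cookie set without HttpOnly/Secure (the missing security feature the Module 1 report is meant to catch) and a state-changing request carrying no CSRF token or an empty one. The session-cookie name JSESSIONID and the token names user_token (DVWA) and _csrf / X-CSRF-TOKEN (Spring Security) are assumed defaults, not values from this page; a real ZAP passive-scan script would receive the message through ZAP's scripting API rather than as a raw string.

```python
"""Offline checks mirroring the ZAP passive-scan exercise (added example, not course code)."""
from urllib.parse import parse_qs

# HTTP methods that change state and therefore must carry a CSRF token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_message(raw):
    """Split a raw HTTP request or response into (start_line, headers, body).

    Header names are lower-cased; repeated headers (several Set-Cookie) are kept in order.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def session_cookie_findings(headers, session_cookie_names=("JSESSIONID",)):
    """Report session cookies set without the HttpOnly or Secure attribute.

    Only cookies whose name is in session_cookie_names (assumed default: JSESSIONID,
    the Spring Boot/Tomcat session cookie) are checked; other cookies are ignored.
    """
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if cookie_name not in session_cookie_names:
            continue
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure flag")
    return findings


def csrf_token_findings(raw_request, token_params=("user_token", "_csrf"),
                        token_header="x-csrf-token"):
    """For state-changing requests, require a non-empty CSRF token in a form field or header.

    Token names are assumed defaults (DVWA form field / Spring Security field and header).
    An empty token value is reported separately, since that is the bypass the final exercise targets.
    """
    start_line, headers, body = parse_message(raw_request)
    method = start_line.split(" ", 1)[0].upper()
    if method not in STATE_CHANGING:
        return []
    header_token = dict(headers).get(token_header, "")
    form = parse_qs(body, keep_blank_values=True)  # keep "_csrf=" so empty values are seen
    body_tokens = [v for p in token_params for v in form.get(p, [])]
    if header_token or any(body_tokens):
        return []
    if body_tokens:  # parameter present but every value empty
        return [f"{method}: CSRF token parameter present but empty"]
    return [f"{method}: no CSRF token in body or {token_header} header"]


def passive_scan(raw_request, raw_response):
    """Run both passive rules over one request/response pair, as a ZAP passive scanner would."""
    _, response_headers, _ = parse_message(raw_response)
    return session_cookie_findings(response_headers) + csrf_token_findings(raw_request)


# Constructed sample traffic (not captured from any real system).
RESPONSE_WEAK = ("HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc123; Path=/\r\n"
                 "Set-Cookie: theme=dark; Path=/\r\nContent-Type: application/json\r\n\r\n{}")
RESPONSE_HARDENED = ("HTTP/1.1 200 OK\r\n"
                     "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n\r\n{}")
REQUEST_NO_TOKEN = ("POST /api/profile HTTP/1.1\r\nHost: api.example.test\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\nname=bob")
REQUEST_EMPTY_TOKEN = ("POST /api/profile HTTP/1.1\r\nHost: api.example.test\r\n"
                       "Content-Type: application/x-www-form-urlencoded\r\n\r\nname=bob&user_token=")
REQUEST_OK = ("POST /api/profile HTTP/1.1\r\nHost: api.example.test\r\n"
              "X-CSRF-TOKEN: 9f2c0b1e\r\nContent-Type: application/json\r\n\r\n{\"name\":\"bob\"}")

if __name__ == "__main__":
    for label, req, resp in (("weak", REQUEST_NO_TOKEN, RESPONSE_WEAK),
                             ("empty token", REQUEST_EMPTY_TOKEN, RESPONSE_HARDENED),
                             ("hardened", REQUEST_OK, RESPONSE_HARDENED)):
        print(label, "->", passive_scan(req, resp) or "no findings")
```

In ZAP the same logic sits in a passive scan script's `scan(ps, msg, src)` function, reading the headers from `msg`; a GET request is deliberately excluded from the CSRF rule so that the scanner does not flood the alert list with false positives on read-only endpoints.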
Topic: Security Configuration in Spring Boot and Active Scanning using ZAP
Description: This module focuses on implementing the scope-based authorization features of Spring Boot and the secure configuration of an API, along with restricting end-points and internal methods. Moreover, it presents blacklisting of potentially dangerous commands in your API and introduces the active scanning feature of the ZAP tool.
- Spring Security libraries and java-container-security as dependency in POM file
- Configuring Spring Security
- Implementing Scope based authorizations and method level checks
- Introduction to Spring Boot actuator end-points
- Introduction to CVSS and active scanning of ZAP
- Implementing an active scanner feature in ZAP with the following features:
  - Trigger a request on an unauthorized end-point and flag the HTTP code in the response
  - Tamper with the HTTP verb in the API request and flag the response
  - Define a CVSS score and priority in case of a successful attack
Module 3 Exercises:
- Implementing method level authorizations in a REST API
- Enable relevant actuator end-points securely
- Implement an active scanner on ZAP with the following features to check permitted actuator end-points
In this final exercise, you will work on both the offensive and the defensive side of security, attacking your own developed APIs and mitigating the issues found during your attack.
- Secure development of a REST API with the following features:
  - authentication via the OAuth 2.0 protocol using a third-party authentication server (Facebook, Google, etc.)
  - an input validation scenario using regular expressions
- Implement passive and active scanner scripts on the OWASP ZAP tool to check for the CSRF token bypass vulnerability (an API will be provided to you):
  - empty value in the CSRF token
  - provide a CVSS rating for the issues detected
- Provide a Final Secure analysis report of your API security testing against the OWASP Top10 attacks using the tools learned in this course.
If any security issues are found during the test, mitigate/fix them and provide a PoC on the fix.
Evaluation will be based on the number of features implemented from the above-mentioned exercise and on the number of vulnerabilities found and mitigated in the report.
About your instructor
Mithun Smith Dias has been working as a Product Security Expert with deep insights into conducting formal Penetration tests on Web Applications and providing suggestions to overcome security weaknesses in the organization.
He is also CEH certified and a Java security expert with deep knowledge of secure development, Cloud Foundry and automation via scripting. He develops his security knowledge by participating in CTF events, bug bounties, OWASP meet-ups, etc. Aside from security, Mithun Smith enjoys playing football, trekking and cycling.
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.