Cloud application security in Java for AWS

Day 1

• Cyber security basics
  • What is security?
  • Threat and risk
  • Cyber security threat types – the CIA triad
  • Cyber security threat types – the STRIDE model
  • Consequences of insecure software
• Cloud security basics
  • Cloud infrastructure basics
  • The Cloud Cube Model and Zero Trust Architecture
• The OWASP Top Ten 2021
  • The OWASP Top 10 2021
  • A01 – Broken Access Control
    • Access control basics
    • Failure to restrict URL access
    • Confused deputy
    • File upload
    • Open redirects and forwards
    • Cross-site Request Forgery (CSRF)
  • A02 – Cryptographic Failures
    • Information exposure
    • Cryptography for developers

  Day 2

  • A02 – Cryptographic Failures (continued)
    • Cryptography for developers
    • Transport security
  • A03 – Injection
    • Injection principles
    • Injection attacks
    • SQL injection
    • NoSQL injection
    • Parameter manipulation
    • Code injection
    • HTML injection – Cross-site scripting (XSS)

  Day 3

  • A04 – Insecure Design
    • The STRIDE model of threats
    • Secure design principles of Saltzer and Schroeder
    • Client-side security
  • A05 – Security Misconfiguration
    • Configuration principles
    • Server misconfiguration
    • AWS configuration best practices
    • Cookie security
    • XML entities
  • A06 – Vulnerable and Outdated Components
    • Using vulnerable components
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Vulnerability management
  • A07 – Identification and Authentication Failures
    • Authentication
    • Session management
    • Identity and access management (IAM)

  Day 4

  • A07 – Identification and Authentication Failures (continued)
    • Password management
  • A08 – Software and Data Integrity Failures
    • Integrity protection
    • Subresource integrity
    • Insecure deserialization
  • A09 – Security Logging and Monitoring Failures
    • Logging and monitoring principles
    • Log forging
    • Log forging – best practices
    • Case study – Log interpolation in log4j
    • Case study – The Log4Shell vulnerability (CVE-2021-44228)
    • Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)
    • Lab – Log4Shell
    • Logging best practices
    • Detection and monitoring
  • A10 – Server-side Request Forgery (SSRF)
    • Server-side Request Forgery (SSRF)
    • Case study – SSRF and the Capital One breach

  Cloud security

  AWS security

  • Security considerations
  • Data security in the cloud

  Day 5

  Cloud security

  • Container security
    • Container security concerns
    • Containerization, virtualization and security
    • The attack surface
    • Docker security
    • Kubernetes security

The OWASP Top Ten 2021

Web application security beyond the Top Ten

• Code quality
• Denial of service

Input validation

• Input validation principles
• Denylists and allowlists
• What to validate – the attack surface
• Where to validate – defense in depth
• When to validate – validation vs transformations
• Validation with regex
• Integer handling problems
  • Representing signed numbers
  • Integer visualization
  • Integer overflow
  • Lab – Integer overflow
  • Signed / unsigned confusion in Java
  • Case study – The Stockholm Stock Exchange
  • Integer truncation
  • Best practices
• Files and streams
  • Path traversal
  • Lab – Path traversal
  • Path traversal-related examples
  • Additional challenges in Windows
  • Virtual resources
  • Path traversal best practices
  • Lab – Path canonicalization
• Unsafe reflection
  • Reflection without validation
  • Lab – Unsafe reflection
• Unsafe native code
  • Native code dependence
  • Lab – Unsafe native code
  • Best practices for dealing with native code

Wrap up

• Secure coding principles
• And now what?