Cloud application security in Java for AWS

Day 1

• Cyber security basics
•        What is security?
•        Threat and risk
•        Cyber security threat types – the CIA triad
•        Cyber security threat types – the STRIDE model
•        Consequences of insecure software
• Cloud security basics
•        Cloud infrastructure basics
•        The Cloud Cube Model and Zero Trust Architecture
• The OWASP Top Ten 2021
•        The OWASP Top 10 2021
•        A01 - Broken Access Control
•                Access control basics
•                Failure to restrict URL access
•                Confused deputy
•                File upload
•                Open redirects and forwards
•                Cross-site Request Forgery (CSRF)
•        A02 - Cryptographic Failures
•                Information exposure
•                Cryptography for developers

Day 2

• A02 - Cryptographic Failures (continued)
•        Cryptography for developers
•        Transport security
• A03 - Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•        NoSQL injection
•        Parameter manipulation
•        Code injection
•        HTML injection - Cross-site scripting (XSS)

Day 3

• A04 - Insecure Design
•        The STRIDE model of threats
•        Secure design principles of Saltzer and Schroeder
•        Client-side security
• A05 - Security Misconfiguration
•        Configuration principles
•        Server misconfiguration
•        AWS configuration best practices
•        Cookie security
•        XML entities
• A06 - Vulnerable and Outdated Components
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Vulnerability management
• A07 - Identification and Authentication Failures
•        Authentication
•        Session management
•        Identity and access management (IAM)

Day 4

• A07 - Identification and Authentication Failures (continued)
•        Password management
• A08 - Software and Data Integrity Failures
•        Integrity protection
•        Subresource integrity
•        Insecure deserialization
• A09 - Security Logging and Monitoring Failures
•        Logging and monitoring principles
•        Log forging
•        Log forging – best practices
•        Case study – Log interpolation in log4j
•        Case study – The Log4Shell vulnerability (CVE-2021-44228)
•        Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)
•        Lab – Log4Shell
•        Logging best practices
•        Detection and monitoring
• A10 - Server-side Request Forgery (SSRF)
•        Server-side Request Forgery (SSRF)
•        Case study – SSRF and the Capital One breach

Cloud security

• AWS security
•        Security considerations
•        Data security in the cloud

Day 5

• Cloud security
•        Container security
•                Container security concerns
•                Containerization, virtualization and security
•                The attack surface
•                Docker security
•                Kubernetes security

The OWASP Top Ten 2021

Web application security beyond the Top Ten

• Code quality
• Denial of service

Input validation

• Input validation principles
• Denylists and allowlists
• What to validate – the attack surface
• Where to validate – defense in depth
• When to validate – validation vs transformations
• Validation with regex
• Integer handling problems
•        Representing signed numbers
•        Integer visualization
•        Integer overflow
•        Lab – Integer overflow
•        Signed / unsigned confusion in Java
•        Case study – The Stockholm Stock Exchange
•        Integer truncation
•        Best practices
• Files and streams
•        Path traversal
•        Lab – Path traversal
•        Path traversal-related examples
•        Additional challenges in Windows
•        Virtual resources
•        Path traversal best practices
•        Lab – Path canonicalization
• Unsafe reflection
•        Reflection without validation
•        Lab – Unsafe reflection
• Unsafe native code
•        Native code dependence
•        Lab – Unsafe native code
•        Best practices for dealing with native code

Wrap up

• Secure coding principles
• And now what?