LiveLessons
2 total works
3+ Hours of Video Instruction
Secure Coding Rules for Java: Serialization LiveLessons provides developers with practical guidance for securely implementing Java Serialization.
Overview
Secure coding expert, Robert C. Seacord trains developers to understand Java serialization and the inherent security risks. Seacord also demonstrates how to securely implement serializable classes and evaluate mitigation strategies and alternative solutions.
Java deserialization is an insecure language feature that is widely used both directly by applications and indirectly by Java modules and libraries. Deserialization of untrusted streams can result in remote code execution (RCE), denial-of-service (DoS), and a range of other exploits. Applications can be vulnerable to these attacks even when they are free from coding defects.
Reviews:
5 Stars - Safari Books Online Reviewer, April 11, 2018
Related Titles:
Secure Coding Rules in Java: Part 1 LiveLessons (Video)
The CERT Oracle Secure Coding Standard for Java (Book)
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Book)
About the Instructor
Robert C. Seacord is a Technical Director with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University's Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), The CERT Oracle Secure Coding Standard for Java (Addison-Wesley, 2012), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.
Skill Level
*Advanced
Learning objectives:
*Understand Java object serialization
*Understand serialization security risks
*Understand deserialization vulnerabilities
*How to securely implement serializable classes
*Evaluate mitigation strategies
*Evaluate alternative solutions
Who Should Take This Course
*Experienced Java developers
Course Requirements
*Understanding of programming and development
*Experience with Java programming
About Pearson Video Training
Pearson publishes expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. These professional and personal technology videos feature world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Network Security, Cisco Technology, Programming, Web Development, Mobile Development, and more. Learn more about Pearson Video training at http://www.informit.com/video.
2+ Hours of Video Instruction
Overview
Java Professional Development LiveLessons provides developers with practical guidance for developing Java programs that are robust and secure. These LiveLessons complement The CERT Oracle Secure Coding Standard for Java.
Description
In this video training, Robert provides complementary coverage to the rules in The CERT Oracle Secure Coding Standard for Java, demonstrating common Java programming errors and their consequences using Java 8 and Eclipse. Robert describes language behaviors left to the discretion of JVM and compiler implementers and guides developers in the proper use of Java's APIs including lang, util, Collections, Concurrency Utilities, Logging, Management, Reflection, Regular Expressions, Zip, I/O, JMX, JNI, Math, Serialization, and JAXP.
About the Instructor
Robert C. Seacord is the secure coding technical manager in the CERT Division of Carnegie Mellon's Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania. Robert is also a professor in the Institute for Software Research and the Information Networking Institute at Carnegie Mellon University. He is the author of eight books on software development including The CERT (R) Oracle (R) Secure Coding Standard for Java (TM) (Addison-Wesley, 2012) and Java (TM) Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2013). He has also published more than sixty papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.
Skill Level
Advanced
What You Will Learn
How to perform common Java language programming tasks correctly.
How to avoid programming errors that are not detected or reported by the compiler.
How to develop programs that are robust, reliable, secure, and fast.
Who Should Take This Course
Java developers who wish to make the transition from a skilled amateur to a software professional capable of developing code that has to work.
Course Requirements
Understanding of programming and development
Experience with Java programming
Familiarity with Eclipse
Table of Contents
Part I (of III)
Introduction
Lesson 1: Java Security Concepts
1.1 Injection attacks
1.2 Leaking sensitive data
1.3 Denial-of-service attacks
Lesson 2: Input Validation and Data Sanitization (IDS)
IDS00-J. Prevent SQL Injection
IDS01-J. Normalize strings before validating them
IDS03-J. Do not log unsanitized user input
IDS04-J. Safely extract files from ZipInputStream
IDS06-J. Exclude unsanitized user input from format strings
IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method
IDS08-J. Sanitize untrusted data passed to a regex
IDS11-J. Perform any string modifications before validation
IDS16-J. Prevent XML Injection
IDS17-J. Prevent XML External Entity Attacks
Lesson 3: Declarations and Initialization (DCL)
DCL00-J. Prevent class initialization cycles
Lesson 4: Expressions (EXP)
EXP00-J. Do not ignore values returned by methods
EXP01-J. Never dereference null pointers
EXP02-J. Do not use the Object.equals() method to compare two arrays
EXP03-J. Do not use the equality operators when comparing values of boxed primitives
EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
EXP06-J. Expressions used in assertions must not produce side effects
Lesson 5: Numeric Types and Operations (NUM)
NUM00-J. Detect or prevent integer overflow
NUM01-J. Do not perform bitwise and arithmetic operations on the same data
NUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors
NUM03-J. Use integer types that can fully represent the possible range of unsigned data
NUM04-J. Do not use floating-point numbers if precise computation is required
NUM05-J. Do not use denormalized numbers
NUM07-J. Do not attempt comparisons with NaN
NUM08-J. Check floating-point inputs for exceptional values
NUM09-J. Do not use floating-point variables as loop counters
NUM10-J. Do not construct BigDecimal objects from floating-point literals
NUM11-J. Do not compare or inspect the string representation of floating-point values
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
NUM13-J. Avoid loss of precision when converting primitive integers to floating-point
Lesson 6: Characters and Strings (STR)
STR00-J. Use an int to capture the return value of methods that read a character or byte
STR01-J. Don't form strings containing partial characters
STR02-J. Specify an appropriate locale when comparing locale-dependent data
STR03-J. Do not convert between strings and bytes without specifying a valid character encoding
STR04-J. Use compatible character encodings on both sides of file or network I/O
Summary
About LiveLessons Video Training
The LiveLessons Video Training series publishes hundreds of hands-on, expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. This professional and personal technology video series features world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, IBM Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Programming, Web Development, Mobile Development, Home and Office Technologies, Business and Management, and more. View all LiveLessons on InformIT at: http://www.informit.com/livelessons