Oreilly - Secure Coding Rules for Java: Serialization
by Robert C. Seacord | Released March 2018 | ISBN: 0135225183
3+ Hours of Video Instruction

Secure Coding Rules for Java: Serialization LiveLessons provides developers with practical guidance for securely implementing Java Serialization.

Overview

Secure coding expert Robert C. Seacord trains developers to understand Java serialization and its inherent security risks. Seacord also demonstrates how to securely implement serializable classes and how to evaluate mitigation strategies and alternative solutions.

Java deserialization is an insecure language feature that is widely used, both directly by applications and indirectly by Java modules and libraries. Deserialization of untrusted streams can result in remote code execution (RCE), denial-of-service (DoS), and a range of other exploits. Applications can be vulnerable to these attacks even when they are free from coding defects.

Related Titles:
- Secure Coding Rules in Java: Part 1 LiveLessons (Video)
- The CERT Oracle Secure Coding Standard for Java (Book)
- Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Book)

About the Instructor

Robert C. Seacord is a Technical Director with NCC Group, where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University's Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), The CERT Oracle Secure Coding Standard for Java (Addison-Wesley, 2012), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014).

Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Skill Level: Advanced

Learning objectives:
- Understand Java object serialization
- Understand serialization security risks
- Understand deserialization vulnerabilities
- How to securely implement serializable classes
- Evaluate migration strategies
- Evaluate alternative solutions

Who Should Take This Course
- Experienced Java developers

Course Requirements
- Understanding of programming and development
- Experience with Java programming

About Pearson Video Training

Pearson publishes expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. These professional and personal technology videos feature world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Network Security, Cisco Technology, Programming, Web Development, Mobile Development, and more. Learn more about Pearson Video training at http://www.informit.com/video.
- Introduction
- Secure Coding Rules for Java: Introduction 00:02:01
- Serialization
- Understand Java object serialization 00:15:56
- Understand Java object externalization 00:02:36
- Understand serialization security risks 00:07:10
- Understand deserialization vulnerabilities 00:25:44
- Assign versions to serializable classes 00:13:53
- Do not serialize unencrypted sensitive data 00:15:22
- Use a customized serialized form 00:03:28
- Use the proper signatures of serialization methods 00:06:10
- Don’t call overridable methods such as defaultReadObject during deserialization 00:08:05
- Maintain invariants during deserialization 00:11:16
- Write readObject methods defensively 00:13:09
- Use enum types for instance control 00:09:03
- Use serialization proxies instead of serialized instances 00:09:35
- Do not serialize inner classes 00:02:20
- Add the readObjectNoData method to serializable and extendable classes 00:05:18
- Sign then seal objects 00:02:16
- Avoid extending a class or interface that implements Serializable 00:07:02
- Mitigate deserialization vulnerabilities using LAOIS 00:26:29
- Apply appropriate security permissions to serialization and deserialization 00:08:08
- Prevent loss of state due to caching objects in the stream 00:03:17
- Be wary of alternative solutions to Java Serialization 00:06:08
- Summary
- Secure Coding Rules for Java: Summary 00:06:47