Secure Coding Rules for Java: Serialization
on-demand course

with Robert C. Seacord
March 2018
Advanced
3h 31m
English
Pearson
Closed Captioning available in English, Japanese, Korean, Chinese (Simplified), Chinese (Traditional)

Overview

3+ Hours of Video Instruction

Secure Coding Rules for Java: Serialization LiveLessons provides developers with practical guidance for securely implementing Java Serialization.

Secure coding expert Robert C. Seacord trains developers to understand Java serialization and the inherent security risks. Seacord also demonstrates how to securely implement serializable classes and evaluate mitigation strategies and alternative solutions.

Java deserialization is an insecure language feature that is widely used both directly by applications and indirectly by Java modules and libraries. Deserialization of untrusted streams can result in remote code execution (RCE), denial-of-service (DoS), and a range of other exploits. Applications can be vulnerable to these attacks even when they are free from coding defects.

Related Titles:

Secure Coding Rules in Java: Part 1 LiveLessons (Video)
The CERT Oracle Secure Coding Standard for Java (Book)
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Book)

About the Instructor

Robert C. Seacord is a Technical Director with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), The CERT Oracle Secure Coding Standard for Java (Addison-Wesley, 2012), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Skill Level

  • Advanced

Learning objectives:

  • Understand Java object serialization
  • Understand serialization security risks
  • Understand deserialization vulnerabilities
  • How to securely implement serializable classes
  • Evaluate migration strategies
  • Evaluate alternative solutions

Who Should Take This Course

  • Experienced Java developers

Course Requirements

  • Understanding of programming and development
  • Experience with Java programming

About Pearson Video Training

Pearson publishes expert-led video tutorials covering a wide selection of technology topics designed to teach you the skills you need to succeed. These professional and personal technology videos feature world-leading author instructors published by your trusted technology brands: Addison-Wesley, Cisco Press, Pearson IT Certification, Prentice Hall, Sams, and Que. Topics include: IT Certification, Network Security, Cisco Technology, Programming, Web Development, Mobile Development, and more. Learn more about Pearson Video training at http://www.informit.com/video.


Publisher Resources

ISBN: 9780135225189