Secure Coding Rules for Java: Serialization

English | MP4 | AVC 1280×720 | AAC 44KHz 2ch | 3h 31m | 452 MB

Secure Coding Rules for Java: Serialization LiveLessons provides developers with practical guidance for securely implementing Java Serialization.

Secure coding expert, Robert C. Seacord trains developers to understand Java serialization and the inherent security risks. Seacord also demonstrates how to securely implement serializable classes and evaluate mitigation strategies and alternative solutions.

Java deserialization is an insecure language feature that is widely used, both directly by applications and indirectly by Java modules and libraries. Deserialization of untrusted streams can result in remote code execution (RCE), denial of service (DoS), and a range of other exploits. Applications can be vulnerable to these attacks even when they are free from coding defects.

Learning objectives:

  • Understand Java object serialization
  • Understand serialization security risks
  • Understand deserialization vulnerabilities
  • Securely implement serializable classes
  • Evaluate mitigation strategies
  • Evaluate alternative solutions

Table of Contents

01 Secure Coding Rules for Java – Introduction
02 Understand Java object serialization
03 Understand Java object externalization
04 Understand serialization security risks
05 Understand deserialization vulnerabilities
06 Assign versions to serializable classes
07 Do not serialize unencrypted sensitive data
08 Use a customized serialized form
09 Use the proper signatures of serialization methods
10 Don’t call overridable methods such as defaultReadObject during deserialization
11 Maintain invariants during deserialization
12 Write readObject methods defensively
13 Use enum types for instance control
14 Use serialization proxies instead of serialized instances
15 Do not serialize inner classes
16 Add the readObjectNoData method to serializable and extendable classes
17 Sign then seal objects
18 Avoid extending a class or interface that implements Serializable
19 Mitigate deserialization vulnerabilities using LAOIS
20 Apply appropriate security permissions to serialization and deserialization
21 Prevent loss of state due to caching objects in the stream
22 Be wary of alternative solutions to Java Serialization
23 Secure Coding Rules for Java – Summary