**Security**
- The Security Development Lifecycle (Microsoft SDL)
    - https://social.technet.microsoft.com/wiki/contents/articles/7100.the-security-development-lifecycle.aspx
    - Phase 1: Core Security Training
        - Individuals in technical roles must attend at least one unique security training class each year
            - Secure Design
            - Threat Modeling
            - Secure Coding
            - Security Testing
            - Privacy
    - Phase 2: Requirements
        - Establish Security Requirements
        - Create Quality Gates/Bug Bars (the minimum security and privacy quality a release must meet, e.g. no open bugs above a given severity)
        - Security and Privacy Assessment
    - Phase 3: Design
        - Establish Design Requirements (the security specifications the design must satisfy, including the use of approved cryptography)
        - Attack Surface Analysis/Reduction
        - Threat Modeling
    - Phase 4: Implementation
        - Use Approved Tools
        - Deprecate Unsafe Functions
        - Perform Static Analysis (code)
    - Phase 5: Verification
        - Dynamic Analysis (runtime)
        - Fuzz Testing
        - Attack Surface Review
    - Phase 6: Release
        - Incident Response Plan (names the single points of contact, SPOCs, for security emergencies)
        - Final Security Review
        - Release/Archive
    - Phase 7: Response
        - Execute Incident Response Plan
- Guidelines
    - Client Data Protection (CDP, mylearning)
    - EU General Data Protection Regulation (GDPR, Datenschutz-Grundverordnung)
        - Determine whether the app really needs all the personal data it requests (data minimisation; GDPR covers data about natural persons only, not data about products or legal entities)
        - Encrypt personal data at rest and in transit and tell users that it is (Art. 32 names encryption and pseudonymisation as appropriate technical measures)
        - Make sure sessions and cookies expire and are destroyed after logout
        - Do not track user activity for business intelligence without a lawful basis (typically explicit consent)
        - Tell users about logs that store location data or IP addresses (an IP address is an online identifier and therefore personal data)
        - Store logs in a safe place, preferably encrypted, and do not keep them longer than needed
        - Create clear terms and conditions and make sure users read them
        - Inform users about any data sharing with third parties
        - Create clear policies for data breaches
        - Delete data of users who cancel their service (right to erasure)
        - Patch web vulnerabilities (developer's job)
        - Inform the customers about any data breach (not the developer's job; the controller must notify the supervisory authority within 72 hours, Art. 33, and the affected users when the breach is likely to pose a high risk to them, Art. 34)
    - Open Web Application Security Project (OWASP)
        - https://www.owasp.org/index.php/Main_Page
    - National Vulnerability Database (NVD)
        - National Institute of Standards and Technology (NIST)
        - https://nvd.nist.gov/
    - Secure Coding from CDP (mylearning)
        - Input Validation
        - Database Security
        - System Configuration
        - Error Handling and Logging
    - Java Secure Coding Guidelines
        - https://www.oracle.com/technetwork/java/seccodeguide-139067.html
- Java Security
    - https://www.baeldung.com/java-security-overview
    - Language Features
        - Static typing
        - Access Modifiers
        - Automatic Memory Management
        - Bytecode Verification
        - Security Manager
    - Security Architecture in Java
        - Provider architecture (JCA): interoperable, pluggable Provider implementations supply the algorithms behind engine classes such as MessageDigest, Cipher and Signature
        - e.g. cryptographic algorithms, key generation, key stores, certificate handling
    - Cryptography
        - https://docs.oracle.com/javase/9/security/java-cryptography-architecture-jca-reference-guide.htm
        - Message digests (one way hashing)
        - Symmetric and asymmetric ciphers
        - Digital signatures (hash + asym crypto)
        - Message authentication codes
        - Key generators and key factories
        - Example
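The primitives listed above in one added Java SE example (this is not code from the page or from the linked Baeldung and Oracle guides): a SHA-256 digest, an HMAC, AES-GCM with a KeyGenerator-made key, and an RSA signature, with both integrity failures demonstrated (a tampered ciphertext and a modified signed message). The class and method names are the example's own, and the message and associated-data strings are constructed inputs.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class JcaDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;

    // Message digest: one-way, unkeyed, fixed length. Integrity only if the digest itself is protected.
    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // MAC: keyed digest. Proves integrity and that the producer holds the shared key.
    static byte[] hmacSha256(SecretKey key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data);
    }

    // Symmetric AEAD cipher. A fresh random nonce per call is mandatory: reusing a nonce
    // under the same key breaks both confidentiality and the authentication tag.
    // Output layout: nonce || ciphertext || 16-byte tag (JCA appends the tag itself).
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(aad);                      // authenticated but not encrypted
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] aesGcmDecrypt(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(aad);
        return c.doFinal(ct);                  // AEADBadTagException if nonce, ct, tag or AAD changed
    }

    // Digital signature = hash + asymmetric crypto. Private key signs, anyone with the public key verifies.
    static byte[] sign(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    static boolean verify(KeyPair kp, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "transfer 100 EUR to account 42".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] aad = "header: v1".getBytes(StandardCharsets.UTF_8);                        // constructed input
        Base64.Encoder b64 = Base64.getEncoder();

        System.out.println("SHA-256 : " + b64.encodeToString(sha256(msg)));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        System.out.println("HMAC    : " + b64.encodeToString(hmacSha256(macKey, msg)));

        byte[] blob = aesGcmEncrypt(aesKey, msg, aad);
        System.out.println("Decrypt : " + new String(aesGcmDecrypt(aesKey, blob, aad), StandardCharsets.UTF_8));
        blob[blob.length - 1] ^= 0x01;         // flip one bit of the tag to simulate tampering
        try {
            aesGcmDecrypt(aesKey, blob, aad);
        } catch (AEADBadTagException e) {
            System.out.println("Tampering detected, nothing decrypted: " + e.getMessage());
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        byte[] sig = sign(kp, msg);
        System.out.println("Signature valid       : " + verify(kp, msg, sig));
        msg[0] ^= 0x01;                        // modify the signed message
        System.out.println("Valid after modifying : " + verify(kp, msg, sig));
    }
}
```

Compile and run with javac JcaDemo.java && java JcaDemo (Java 11 or newer, no external libraries). Two points the list above does not make explicit: the digest alone gives no protection against an attacker who can rewrite both message and digest, which is why the MAC or signature exists, and AES-GCM makes decryption fail closed on any modification instead of returning garbage.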
    - Public Key Infrastructure
        - KeyStore: cryptographic keys and trusted certificates
        - CertStore: repository of potentially untrusted certificates and revocation lists
        - Java has a built-in trust-store called “cacerts” ($JAVA_HOME/lib/security/cacerts on JDK 9+, default password “changeit”)
        - Tools
            - “keytool” to create and manage key-store and trust-store
            - “jarsigner” that we can use to sign and verify JAR files
    - Secure Communication
        - SSL/TLS
        - https://www.baeldung.com/java-ssl
        - Https
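The KeyStore and TLS items above (the “cacerts” trust store, a keytool-made PKCS12 store, and an HTTPS client that uses it) in one added Java SE example; it is not code from the page or from the linked Baeldung article. The trust store is assumed to have been produced with keytool, for instance keytool -genkeypair -alias server -keyalg RSA -keysize 3072 -storetype PKCS12 -keystore server.p12 -validity 365 -dname "CN=localhost" for the server, keytool -exportcert -alias server -keystore server.p12 -rfc -file server.pem to export the certificate, and keytool -importcert -alias server -file server.pem -keystore truststore.p12 -storetype PKCS12 -noprompt to build truststore.p12 (the same server.p12 also serves the Spring Boot self-signed-certificate exercise further down). File names, the “changeit” default password and the URL given on the command line are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreDemo {

    // The JDK's built-in trust store. Assumption: the default password "changeit" is unchanged.
    // java.home points at the JRE on JDK 8 and at the JDK on 9+, so this path works for both layouts.
    static KeyStore loadCacerts() throws Exception {
        Path p = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    // An explicit PKCS12 trust store, e.g. truststore.p12 produced with keytool -importcert.
    static KeyStore loadTrustStore(Path p, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print every trusted-certificate entry (not private-key entries); expired roots show up here.
    static int listTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%-40s %s (expires %s)%n", alias,
                        cert.getSubjectX500Principal().getName(), cert.getNotAfter());
                n++;
            }
        }
        return n;
    }

    // An SSLContext that trusts ONLY the given store. Passing null trust managers would fall
    // back to cacerts; passing a home-grown "trust everything" X509TrustManager silently
    // disables certificate validation altogether.
    static SSLContext contextTrustingOnly(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");   // Java 11+
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // HTTPS GET with that context. The default HostnameVerifier is kept on purpose: replacing it
    // with one that returns true accepts any certificate from the store for any host name.
    static int httpsStatus(String httpsUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(httpsUrl).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();   // SSLHandshakeException if the server chain is not trusted
    }

    // Usage: java TrustStoreDemo                                          (lists cacerts)
    //        java TrustStoreDemo truststore.p12 changeit https://localhost:8443/   (custom store + request)
    public static void main(String[] args) throws Exception {
        KeyStore ks = args.length >= 2
                ? loadTrustStore(Paths.get(args[0]), args[1].toCharArray())
                : loadCacerts();
        System.out.println("trusted certificates: " + listTrustedCerts(ks));
        if (args.length >= 3) {
            System.out.println("HTTP status: " + httpsStatus(args[2], contextTrustingOnly(ks)));
        }
    }
}
```

Run it once against the default store to see what the JVM trusts out of the box, then against truststore.p12 with the self-signed server running: the request succeeds, and it fails with an SSLHandshakeException as soon as the server certificate is swapped for one the store does not contain, which is the behaviour a “trust everything” manager would hide.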
    - Access Control in Java
        - SecurityManager verifies the requested Permission against the installed Policy (deprecated for removal since Java 17, JEP 411, and permanently disabled in JDK 24, JEP 486; do not build new designs on it)
        - “policytool”, a graphical utility to compose policy files (removed in JDK 11; policy files are now edited by hand)
        - Example
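An added example of the SecurityManager/Policy check, not code from the page: a class asks the installed manager for FilePermissions and reports which the policy grants. It assumes a policy file named demo.policy in the working directory (content shown in the header comment) and JDK 11 to 17; the file paths are Linux-style and illustrative. On JDK 18 to 23 the startup flag still works but prints a removal warning, and on JDK 24 and later the manager cannot be enabled at all, so this is for understanding legacy code, not for new designs.

```java
// PolicyDemo.java
//
// Assumed policy file demo.policy (hand-written, since policytool is gone since JDK 11):
//
//   grant {
//       permission java.io.FilePermission "/etc/hostname", "read";
//   };
//
// Run:  javac PolicyDemo.java
//       java -Djava.security.manager -Djava.security.policy=demo.policy PolicyDemo
//
// "-Djava.security.policy=" (single '=') adds demo.policy to the default policy from
// $JAVA_HOME/conf/security/java.policy; "==" would replace the default entirely.
import java.io.FilePermission;
import java.security.Permission;

public class PolicyDemo {

    // Ask the installed SecurityManager whether the calling code holds the permission.
    // With no manager installed there is no check at all, so everything is permitted.
    static boolean isGranted(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true;
        }
        try {
            sm.checkPermission(p);          // consults the Policy loaded at startup
            return true;
        } catch (SecurityException e) {     // AccessControlException is a SecurityException
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager installed : " + (System.getSecurityManager() != null));
        // Only the first of these is granted by demo.policy; the others are denied.
        System.out.println("read  /etc/hostname       : " + isGranted(new FilePermission("/etc/hostname", "read")));
        System.out.println("read  /etc/shadow         : " + isGranted(new FilePermission("/etc/shadow", "read")));
        System.out.println("write /etc/hostname       : " + isGranted(new FilePermission("/etc/hostname", "write")));
    }
}
```

Run the class once without the two -D flags and every check reports true: the policy file does nothing until a manager is installed, which is the usual reason policy-based sandboxes fail silently in practice. The same least-privilege idea now lives outside the JVM, in container and OS-level controls and in the module system's encapsulation.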
    - Spring Validation
        - javax.validation.constraints.* (Bean Validation; Spring Boot 3 / Jakarta EE 9+ use jakarta.validation.constraints.* instead)
        - Exercise
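A worked example for the validation exercise, added here and not taken from the page: a request DTO with allow-list constraints, validated with the plain Bean Validation API so it runs without a Spring container. It assumes the Bean Validation 2.0 API (javax.validation:validation-api) with Hibernate Validator 6 and an EL implementation (org.glassfish:jakarta.el) on the classpath; the CreateUserRequest class and its sample inputs are constructed for the example. For Spring Boot 3, replace the javax.validation imports with jakarta.validation.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import javax.validation.constraints.Email;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

public class ValidationDemo {

    // Request body of a hypothetical "create user" endpoint. Every field gets an allow-list
    // shape; anything that does not match is rejected before business logic or SQL sees it.
    public static class CreateUserRequest {
        @NotBlank
        @Size(min = 3, max = 32)
        @Pattern(regexp = "^[a-z0-9_]+$", message = "only a-z, 0-9 and _ are allowed")
        public String username;

        @NotBlank
        @Email
        @Size(max = 254)
        public String email;

        @NotNull
        @Min(13)
        @Max(150)
        public Integer age;

        @Size(max = 200)
        public String bio;      // optional: null passes, 201+ characters does not

        public CreateUserRequest(String username, String email, Integer age, String bio) {
            this.username = username;
            this.email = email;
            this.age = age;
            this.bio = bio;
        }
    }

    // Building the factory is expensive; do it once (Spring does this for you as a bean).
    private static final ValidatorFactory FACTORY = Validation.buildDefaultValidatorFactory();

    // Empty set means the object passed every constraint.
    static Set<ConstraintViolation<CreateUserRequest>> validate(CreateUserRequest req) {
        Validator validator = FACTORY.getValidator();
        return validator.validate(req);
    }

    static void report(String label, CreateUserRequest req) {
        Set<ConstraintViolation<CreateUserRequest>> violations = validate(req);
        System.out.println(label + ": " + (violations.isEmpty() ? "valid" : violations.size() + " violation(s)"));
        for (ConstraintViolation<CreateUserRequest> v : violations) {
            System.out.println("  " + v.getPropertyPath() + " " + v.getMessage()
                    + " (was: " + v.getInvalidValue() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not from the original page.
        report("good",  new CreateUserRequest("alice_01", "alice@example.com", 30, "hello"));
        report("bad",   new CreateUserRequest("'; DROP TABLE users; --", "not-an-email", 7, null));
        report("empty", new CreateUserRequest("", "", null, "x".repeat(201)));
    }
}
```

In a Spring MVC controller the same class is validated by annotating the parameter, for example a handler declared as create(@Valid @RequestBody CreateUserRequest req); Spring then returns 400 with the violations instead of calling the method. Note that the username pattern rejects the injection payload by shape, which is defence in depth, not a replacement for parameterised queries on the database side.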
    - Transport Layer Security (Https)
        - Exercise
        - https://www.baeldung.com/spring-boot-https-self-signed-certificate
    - Spring Security
        - Exercise
        - https://howtodoinjava.com/spring-boot2/security-rest-basic-auth-example/  
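An added worked example for the Spring Security exercise, not code from the page or from the linked howtodoinjava article: HTTP Basic authentication for a stateless REST API using the SecurityFilterChain style. It assumes Spring Boot 3.x with Spring Security 6.x (spring-boot-starter-web and spring-boot-starter-security on the classpath); the user names, passwords, roles and URL paths are demo values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig {

    // Delegating encoder: stores hashes as "{bcrypt}..." so the algorithm can be upgraded later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Demo users only; a real service loads them from a database or an identity provider.
    // Passwords are hashed before they are stored, never kept in clear text.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails reader = User.withUsername("reader")
                .password(encoder.encode("reader-pw-change-me"))
                .roles("USER")
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-pw-change-me"))
                .roles("USER", "ADMIN")
                .build();
        return new InMemoryUserDetailsManager(reader, admin);
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Deny by default: only explicitly listed paths are public.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // No server-side session: every request carries its own credentials.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF is off because this API is stateless and meant for non-browser clients.
            // Browsers resend cached Basic credentials automatically, so keep CSRF on if
            // browsers will call it.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @RestController
    static class ApiController {
        @GetMapping("/api/hello")
        String hello(Authentication auth) {
            return "hello " + auth.getName() + " " + auth.getAuthorities();
        }

        @GetMapping("/api/admin/stats")
        String stats() {
            return "admin-only data";
        }
    }
}
```

Check the three outcomes with curl: no credentials gives 401, curl -u reader:reader-pw-change-me http://localhost:8080/api/hello gives 200, and the same reader on /api/admin/stats gives 403. Basic authentication sends the password base64-encoded, not encrypted, in every request, so in anything beyond a local exercise the endpoint must only be reachable over TLS (the HTTPS exercise above) or the credentials are exposed to anyone on the path.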
- Static Code Analysis Tools
    - SpotBugs
        - https://spotbugs.github.io/ (eclipse marketplace)
        - https://find-sec-bugs.github.io/ (security rules plugin for SpotBugs, manual download)
    - Sonar
        - https://www.sonarlint.org/ (eclipse marketplace)
    - OWASP Dependency Check
        - https://www.owasp.org/index.php/OWASP_Dependency_Check
        - https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ (maven plugin)
    - Fortify
    - Further tools: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
    - Exercise
        - Fix bugs
- WebGoat
    - https://github.com/WebGoat/WebGoat