Java Security

Inter-company training

Who is this training for?

Open to all

Duration

3.00 day(s)

Language(s) of delivery

EN FR

Next session

Prerequisites

Participants should be comfortable with the Java language, its syntax and object-oriented application development. They should be familiar with Java 8+.

They should be familiar with Java Web development.

Objectives

This training provides the skills necessary to develop secure web applications in Java. It teaches developers the common security vulnerabilities (OWASP Top Ten) found in Java web applications and the best practices for writing secure code. The training also covers the security testing practices to put in place in order to detect flaws, fix them and strengthen the security of the application as a whole.

Content

Concerns for Web Applications

  • Threats and Attack Vectors
  • Secure Design Principles
  • Container Authentication and Authorization
  • HTML Forms
  • Privacy Under /WEB-INF
  • HTTP and HTTPS
  • Top ten OWASP Vulnerabilities

Authentication and Authorization using JAAS

  • Declaring Security Constraints
  • User Accounts and Roles
  • Protecting Credentials in Transit
  • Authorization Over URL Patterns
  • FORM Authentication
  • Session Fixation
  • Programmatic Security

Protecting against Common Web Attacks

  • Injection Attacks
  • Cross-Site Scripting
  • Cross-Site Request Forgery
  • Predictable Resource Locations
  • Protections in JDBC and JPA
  • Session Management
  • Taking Care of Cookies

Implementing OAuth2 and OpenID Connect

  • Understanding Delegation and its benefits
  • Introducing claims based security
  • Understanding tokens and their representation on the net
  • Introducing OAuth 2
  • OAuth 2 flows
  • OpenID Connect: Adding sign-in to OAuth2

Auditing Security

  • Static code analysis
  • Passive vs. active scanning
  • Automated scans with OWASP ZAP
  • Auditing authentication, session and access control
  • Fuzzing
  • Discovering logic flaws
  • Reporting

Delivery mode

Classroom Courses
