Course Outline
1. IT security and secure coding
- Fundamental Security Principles: Confidentiality, Integrity, and Availability (CIA) in the context of Java applications.
- Secure Software Development Lifecycle (SSDLC): Integrating security from requirements to deployment.
- Secure Coding Paradigms: Defense in depth, least privilege, and fail-safe defaults.
- Standard Vulnerability Classifications: Understanding CWE (Common Weakness Enumeration) and OWASP.
2. Web application security
- Deep Dive into OWASP Top Ten: Detailed analysis of Injection, Broken Authentication, and Sensitive Data Exposure.
- Cross-Site Scripting (XSS): Reflected, Stored, and DOM-based XSS scenarios in Java/JSP.
- Cross-Site Request Forgery (CSRF): Mechanisms of attack and implementation of Anti-CSRF tokens.
- Session Management: Cookie security, session fixation, and timeout management.
- API Security: Securing REST and SOAP endpoints against abuse.
3. Security of Web services
- Web Services vs. Traditional Web Apps: Differences in attack surfaces.
- Transport Layer Security: SSL/TLS configuration for Java clients and servers.
- Message Security: Integrity and Confidentiality at the payload level.
- Authentication Standards: OAuth 2.0, OpenID Connect, and JWT (JSON Web Tokens) implementation.
4. XML security
- XML Parsing Vulnerabilities: Preventing XML External Entity (XXE) attacks.
- XML Schema Validation: Best practices for strict schema enforcement.
- XML Digital Signatures: Implementing signatures to ensure non-repudiation.
- XML Encryption: Standard approaches to encrypting XML content.
5. Foundations of Java security
- The Java Security Architecture: The java.security package and provider architecture.
- Security Providers: Installing and configuring providers like Bouncy Castle.
- Access Control: Policy files, Permissions, and the Security Manager (Legacy vs. Modern).
- KeyStore Management: Creating and managing keystores and truststores for certificates.
6. Practical cryptography
- Cryptographic Algorithms: Overview of Symmetric (AES), Asymmetric (RSA, ECC), and Hashing (SHA-256/512) algorithms.
- Random Number Generation: The dangers of java.util.Random vs. java.security.SecureRandom.
- Key Management: Key generation, storage, and rotation strategies.
- Java Cryptography Architecture (JCA): Using the Cipher, MessageDigest, and Mac classes.
- Java Cryptography Extension (JCE): Understanding policy files and unlimited strength jurisdiction.
7. Java security services
- SSL/TLS in Java: Using SSLSocketFactory and HttpsURLConnection.
- Trust Managers: Customizing trust verification for private PKI environments.
- Authenticators: Programmatic authentication using Authenticator.getDefault().
- Certificate Parsing: Reading and analyzing X.509 certificates programmatically.
8. Java EE security
- Declarative Security: Role-based access control (RBAC) using web.xml and annotations.
- Programmatic Security: Using HttpServletRequest.isUserInRole() and getRemoteUser().
- JAAS (Java Authentication and Authorization Service): Configuring login.conf and implementing LoginModules.
- Servlet Security: Container-managed security constraints and authentication methods (FORM, BASIC, DIGEST).
9. Common coding errors and vulnerabilities
- Insecure Deserialization: The risks of ObjectInputStream and bypassing security checks.
- Command Injection: Mitigating OS-level execution vulnerabilities.
- Path Traversal: Sanitizing file system inputs to prevent directory traversal.
- Reflection Abuse: Risks associated with java.lang.reflect and bypassing access control.
- Hardcoded Credentials: Identifying and removing secrets from source code.
- Cryptography Implementation Errors: Using ECB mode, weak keys, or static IVs.
10. Knowledge sources
- Static Analysis Tools: Using SonarQube, Checkmarx, and Fortify for automated scanning.
- Dynamic Analysis Tools: Overview of Burp Suite and OWASP ZAP.
- CVE Databases: How to track and react to new Java framework vulnerabilities.
- Recommended Readings: List of books, documentation, and secure coding checklists.
Requirements
None.
21 Hours
Custom Corporate Training
Training solutions designed exclusively for businesses.
- Customized Content: We adapt the syllabus and practical exercises to the real goals and needs of your project.
- Flexible Schedule: Dates and times adapted to your team's agenda.
- Format: Online (live), In-company (at your offices), or Hybrid.
Price per private group, online live training, starting from 4350 € + VAT*
Contact us for an exact quote and to hear our latest promotions
Testimonials (4)
The knowledge of the trainer was very high - he knew what he was talking about, and knew the answers to our questions
Adam - Fireup.PRO
Course - Advanced Java Security
Practical exercises
Olek - Fireup.PRO
Course - Advanced Java Security
coding exercises
Mirek - Fireup.PRO
Course - Advanced Java Security
It opens up a lot and gives lots of insight what security