Budapest, APR25-26
Secdev in Java

Budapest (HU), 2-day workshop

Early tickets till APR18: €580 net [185KHUF+VAT]
Final price: €720 net [230KHUF+VAT]/seat.

Apr 25-26 (Thu-Fri), 9:30-17:30
LogMeIn Labs, Budapest
Trainer: Péter Nyilasy
Upon completion: certificate of attendance

Secure coding of web applications for Java developers (Spring flavored)

The two-day Java secure development workshop covers the fundamentals of secure coding in Java (extended with some Spring particulars). We teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize them in the source code, and how to avoid and mitigate them.

We will reach an in-depth understanding of injections (SQL, XML, JSON, LDAP, XPath, log, cookie, etc…) and other server-side vulnerabilities (XXE, file-related issues, HTTP redirection, HTTP parameter pollution, …), together with their defenses. We will also cover vulnerabilities specific to the Java language, such as Java’s serialization vulnerabilities, numeric overflow vulnerabilities, etc.

We won’t simply learn about these concepts theoretically; instead we will use our own vulnerable application to detect vulnerabilities, identify them in the source code, fix them, and discuss the fix.

We will also learn about vulnerabilities specific to the web, such as XSS, CSRF, OSRF, clickjacking and tabnabbing, and explain the significance of CSP and the other security-related HTTP headers.

We also cover the most fundamental authentication and authorization schemes in a web environment.

On the two-day course the audience can choose between the following extra topics:

  • Java security manager - what it is used for, how it can be configured, and why most projects do not use it.
  • Cryptography - understanding what the basic crypto primitives do, and which implementations are considered safe today.
  • Cryptography of the web - covers TLS, certificate pinning and certificate transparency.
  • Auth extra - JWT tokens, OAuth2 (how it works, its security problems, and why it is not an SSO solution), OpenID.

If time and the composition of the audience allow it, we can even finish the course by analyzing some of the audience’s own source code, trying to find vulnerabilities and putting into practice what we learned during the course.

Secdev in Java

full title: Secure coding of web applications for Java developers (Spring flavored)
course level: practical advanced
audience: Java developers
duration: 2 days (12hrs education time)
required equipment: a laptop with Java 8 JDK
qualification requirement:
  • familiarity with the Java language and with JEE;
  • understanding of the HTTP protocol, HTML and Javascript;
  • familiarity with basic security features of an enterprise application (authentication, authorization, session)

Important vulnerabilities and defense techniques

Common server-side vulnerabilities and their defense
Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, HTTP header injection, 2 deserialization attacks
Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI (Remote file inclusion), Insecure file upload, Code execution
Command injection
Server-side template injection
Input validation vs encoding
Common client-side vulnerabilities and their defense
XSS (types, impact, causes, defenses, other html injections, BeEF)
CSRF, Clickjacking, Same-origin policy, CORS
Client-side template injection
Some security features
Security logging, exception handling, intrusion detection

Framework/language specifics 1

Secure coding in Java/JEE
Java language security (is Java a secure language?)
Java-specific issues (Numeric overflow, automatic conversions, Serialization)
SEI CERT Oracle Coding Standard for Java
Java security manager
Spring security (what can it defend, what not)
Spring MVC, JSR303 from a security point of view
Known vulnerabilities in previous Spring versions

Security design

Security by design
Business logic vulnerabilities
Cryptography [*]
Cryptography primitives (what do they provide, state of current implementations)
Crypto of the web (TLS, HTTP certificate pinning, certificate transparency)
HTTP configuration
CSP, HSTS, Cookie settings, X-Content-Type-Options
Access management
Authentication principles, session management, authorization
RESTful authentication, JSON web tokens (to JWT or not to JWT) [*]
RESTful authorization (OAuth2, OpenID Connect) [*]

Framework/language specifics 2

JS frameworks [*]
Angular JS/TS
HTML5 [*]
Local storage/session storage
Web messaging, web sockets

[*] optional, delivered on demand. The audience can vote for some of these non-essential topics.

This workshop was delivered by

Péter has been doing enterprise web application development for more than a decade now, mainly for financial institutions. He has exceptional knowledge of and strong experience with Java and JEE, and also with several Javascript frameworks. In recent years Péter turned to software security and does secure development consulting, ASVS-based application audits with and is a resident trainer with

Meanwhile he stays current with software production internals by also working as a freelance software engineer. Péter also teaches Java for developers.

The workshop was hosted by

For sponsors

def[dev]eu events provide a unique opportunity for secure development tooling and service providers to get in touch with developers and team leaders from cool European development teams and IT departments.

Contact us at [email protected], direct message us on twitter @defdeveu or call +32476222722 [Timur].

The training was supported by