Secure coding of web applications for Java developers (Spring flavored)
The two-days Java secure development workshop will cover the fundamentals of secure coding in Java (extended with some Spring particulars). We will teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize those within the source-code, how to avoid and mitigate those.
We will reach an in-depth understanding of injections (SQL, XML, JSON, LDAP, XPath, log, cookie, etc…), and other server-side vulnerabilities (XEE, file-related, http redirection, http parameter pollution, …), and their defenses.
We will also understand vulnerabilities specific to the Java language, such as Java’s serialization vulnerabilities, numeric overflow vulnerabilities, etc.
We won’t simply learn about all these concepts theoretically, instead we will use our own vulnerable application to detect vulnerabilities, identify them within the source-code, fix them, and discuss the fix.
We also learn about vulnerabilities specific to the web, such as XSS, CSRF, OSRF, clickjacking, tabnabbing. We will enlighten the significance of CSP and other security-related Http headers.
We also cover the most fundamental authentication and authorization schemes in a web environment.
On the two-days course the audience can choose between the following extra topics:
Java security manager - what it is used for, how it can be configured, and why most projects do not use it.
Cryptography - understanding what the basic crypto primitives do, and which implementation is considered as safe today.
Cryptography of the web - covers TLS, certificate pinning and certificate transparency.
Auth extra - JWT tokens, Oauth2 (how it works, security problems with it, and why is it not an sso solution), OpenId.
If time and the structure of the audience allows it, we can even finish the course by analyzing some of the audience’s own source code, trying to find vulnerabilities and putting into practice what we learned during the course.
Secdev in Java
- full title
- Secure coding of web applications for Java developers (Spring flavored)
- course level
- practical advanced
2 days (12hrs education time)
- a laptop
Java 8 JDK
- qualification requirement
familiarity with the Java language and with JEE;
familiarity with basic security features of an enterprise application (authentication, authorization, session)
Important vulnerabilities and defense techniques
- Common server-side vulnerabilities and their defense
- Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks
- Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion
- Command injection
- Server-side template injection
- Input validation vs encoding
- Common client-side vulnerabilities and their defense
- XSS (types, impact, causes, defenses, other html injections, BeEF)
- CSRF, Clickjacking, Same-origin policy, CORS
- Client-side template injection
- Some security features
- Security logging, exception handling, intrusion detection
Framework/language specifics 1
- Secure coding in Java/JEE
- Java language security (is Java a secure language?)
- Java-specific issues
(Numeric overflow, automatic conversions, Serialization)
- SEI CERT Oracle Coding Standard for Java
- Java security manager
- Spring security (what can it defend, what not)
- Srping MVC, JSR303 from a security point of view
- Known vulnerabilities in previous Spring versions
- Security by design
- Business logic vulnerabilities
- Cryptography [*]
- Cryptography primitives (what do they provide, state of current implementations)
- Crypto of the web (TLS HTTP certificate pinning, certificate transparency)
- Http configuration
- CSP, HSTS, Cookie settings, x-content-type-options
- Access management
- Authentication principles, session management, authorization
- RESTful authentication, JSON web tokens (to JWT or not to JWT) [*]
- RESTful authorization (OAuth2, OpenID Connect) [*]
Framework/language specifics 2
[*] optional, delivered on demand. The audience can vote for some of these non-essential topics.
- JS frameworks [*]
- Angular JS/TS
- HTML5 [*]
- Local storage/session storage
- Web messaging, web sockets