Java/Spring secdev, BUD1904

Budapest, 1904 [past]

Done

Secdev in Java
(Spring-flavored)

Budapest (HU), 2-days workshop

Early tickets till APR18: €580 net [185KHUF+VAT]
Final price: €720 net [230KHUF+VAT]/seat.

timing: Apr 25-26 (Thu-Fri), 9:30-17:30
venue: LogMeIn Labs, Budapest
seats: 15+
trainer: Péter Nyilasy
agenda: course topics
language: Hungarian
upon completion: certificate of attendance

Secure coding of web applications for Java developers (Spring flavored)

The two-days Java secure development workshop will cover the fundamentals of secure coding in Java (extended with some Spring particulars). We will teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize those within the source-code, how to avoid and mitigate those.

We will reach an in-depth understanding of injections (SQL, XML, JSON, LDAP, XPath, log, cookie, etc…), and other server-side vulnerabilities (XEE, file-related, http redirection, http parameter pollution, …), and their defenses. We will also understand vulnerabilities specific to the Java language, such as Java’s serialization vulnerabilities, numeric overflow vulnerabilities, etc.

We won’t simply learn about all these concepts theoretically, instead we will use our own vulnerable application to detect vulnerabilities, identify them within the source-code, fix them, and discuss the fix.

We also learn about vulnerabilities specific to the web, such as XSS, CSRF, OSRF, clickjacking, tabnabbing. We will enlighten the significance of CSP and other security-related Http headers.

We also cover the most fundamental authentication and authorization schemes in a web environment.

On the two-days course the audience can choose between the following extra topics:

Java security manager - what it is used for, how it can be configured, and why most projects do not use it.
Cryptography - understanding what the basic crypto primitives do, and which implementation is considered as safe today.
Cryptography of the web - covers TLS, certificate pinning and certificate transparency.
Auth extra - JWT tokens, Oauth2 (how it works, security problems with it, and why is it not an sso solution), OpenId.

If time and the structure of the audience allows it, we can even finish the course by analyzing some of the audience’s own source code, trying to find vulnerabilities and putting into practice what we learned during the course.

: Secdev in Java
(Spring-flavored)

full title: Secure coding of web applications for Java developers (Spring flavored)
course level: practical advanced
audience: Java developers
duration: 2 days (12hrs education time)
gear: a laptop
preinstalled: Java 8 JDK
qualification requirement: familiarity with the Java language and with JEE;
understanding of the HTTP protocol, HTML and Javascript;
familiarity with basic security features of an enterprise application (authentication, authorization, session)

Important vulnerabilities and defense techniques

Common server-side vulnerabilities and their defense: Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks; Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion; Command injection; Server-side template injection; Input validation vs encoding
Common client-side vulnerabilities and their defense: XSS (types, impact, causes, defenses, other html injections, BeEF); CSRF, Clickjacking, Same-origin policy, CORS; Tabnabbing; Client-side template injection
Some security features: Security logging, exception handling, intrusion detection

Framework/language specifics 1

Secure coding in Java/JEE: Java language security (is Java a secure language?); Java-specific issues (Numeric overflow, automatic conversions, Serialization); SEI CERT Oracle Coding Standard for Java; Java security manager
Spring: Spring security (what can it defend, what not); Srping MVC, JSR303 from a security point of view; Known vulnerabilities in previous Spring versions

Security design

Security by design: Business logic vulnerabilities
Cryptography [*]: Cryptography primitives (what do they provide, state of current implementations); Crypto of the web (TLS HTTP certificate pinning, certificate transparency)
Http configuration: CSP, HSTS, Cookie settings, x-content-type-options
Access management: Authentication principles, session management, authorization; RESTful authentication, JSON web tokens (to JWT or not to JWT) [*]; RESTful authorization (OAuth2, OpenID Connect) [*]

Framework/language specifics 2

JS frameworks [*]: Angular JS/TS; React
HTML5 [*]: Local storage/session storage; Web messaging, web sockets

[*] optional, delivered on demand. The audience can vote for some of these non-essential topics.

This workshop was delivered by

Péter Nyilasy

Péter has been doing enterprise web application development for more than a decade now mainly for financial institutions. He has exceptional knowledge of and strong experiences with Java and JEE, and also with several Javascript frameworks. In the recent years Péter turned to software security and does secure development consulting, ASVS-based application audits with secdev.eu and is a resident trainer with defdev.eu.

Meanwhile he stays current with the software production internals working also as a freelance software engineer. Péter also teaches Java for developers.

The workshop was hosted by

For sponsors

def[dev]eu events provide a unique opportunity for the secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments

Contact us at [email protected], direct message us on twitter @defdeveu or call +32476222722 [Timur].