
Securing Java Web Applications

Overview

Course code: JVN035
Duration: 3 Day(s)
This advanced course shows experienced developers of Java web applications how to secure those applications and how to apply best practices for secure enterprise coding. Authentication, authorization, and input validation are the major themes. Students also get solid exposure to basic Java cryptography for specific development scenarios, as well as thorough discussions of HTTPS configuration and certificate management, error handling, logging, and auditing.

Learning Objectives

Generally, be prepared to develop secure Java web applications, or to secure existing applications by refactoring as necessary.
Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies.
Validate user input aggressively, for general application health and specifically to foil injection and XSS attacks.
Configure a server and/or application to use one-way or two-way HTTPS.
Apply application-level cryptography where necessary.
Secure log files and establish audit trails for especially sensitive information or actions.

Topics

Chapter 1. Secure Web Applications

Threats and Attack Vectors
Server, Network, and Browser Vulnerabilities
Secure Design Principles
GET vs. POST
Container Authentication and Authorization
HTML Forms
Privacy Under /WEB-INF
HTTP and HTTPS
Other Cryptographic Practices
SOA and Web Services
The OWASP Top 10

Chapter 2. Authentication and Authorization

HTTP BASIC and DIGEST Authentication Schemes
Declaring Security Constraints
User Accounts
Safeguarding Credentials in Transit
Replay Attacks
Authorization Over URL Patterns
Roles
FORM Authentication
Login Form Design
EJB Authorization
Programmatic Security
Programmatic Security in JSF

Chapter 3. Secure Application Design

Single Points of Decision
Cross-Site Scripting
Validation vs. Output Escaping
Forceful Browsing
Cross-Site Request Forgery
Request Tokens
Injection Attacks
Protections in JDBC and JPA
Session Management
Taking Care of Cookies
Validating User Input
Validation Practices
Regular Expressions
JSF Validation

Chapter 4. HTTPS and Certificates

Digital Cryptography
Encryption
SSL and Secure Key Exchange
Hashing
Signature
Keystores
keytool
Why Keys Aren't Enough
X.509 Certificates
Certificate Authorities
Obtaining a Signed Certificate
Configuring HTTPS
Client-Side Certificates and Two-Way SSL
PKCS #12 and Trust Stores
CLIENT-CERT Authentication

Chapter 5. Application-Level Cryptography

The Java Cryptography Architecture
Secure Random Number Generation
The KeyStore API
The Signature Class
The SignedObject Class
The MessageDigest Class
The Java Cryptography Extensions
The SecretKey and KeyGenerator Types
The Cipher Class
Choosing Algorithms and Key Sizes
Dangerous Practices

Chapter 6. Secure Development Practices

Secure Development Cycle
Error Handling and Information Leakage
Failing to a Secure Mode
Logging Practices
Appropriate Content for Logs
Auditing
Strategies: Filters, Interceptors, and Command Chains
Penetration Testing
Back Doors

Appendix A. Learning Resources

Prerequisites

Java programming experience is essential.
Servlet programming experience is required.
JSP page-authoring experience is recommended but not required.

Audience

Java developers.