Objectives of the training
The objective of this training is to enable participants to gain a comprehensive understanding of Java application security: identifying vulnerabilities, using security APIs (JCE, JAAS), implementing secure coding practices and cryptography, authentication, and auditing mechanisms. It also incorporates best practices for secure development and incident and risk management.
Targeted audience
Developers, designers, project managers, technical architects
Prerequisite
Have programming experience in Java.
Trainers
Benefits for Participants
• Gain a thorough understanding of computer security principles, such as confidentiality, integrity, availability, and authenticity.
• Learn to recognize vulnerabilities specific to Java applications, such as injection flaws, configuration errors, and session management issues.
• Master the use of security APIs provided by Java, such as the Java Security API, Java Cryptography Extension (JCE), and Java Authentication and Authorization Service (JAAS).
• Implement secure coding practices to protect applications from common threats, including injection attacks, XSS attacks, and CSRF attacks.
• Use cryptographic libraries to ensure the security of data in transit and at rest by incorporating encryption, hashing, and signing mechanisms.
• Configure and secure authentication and authorization mechanisms to ensure that only authorized users can access application resources and functionality.
• Implement mechanisms to audit and monitor access and activities within Java applications to detect and respond to security incidents.
• Integrate secure development best practices throughout the software development lifecycle (SDLC), including static and dynamic code analysis, penetration testing, and code reviews.
• Learn how to respond to security incidents, assess the risks associated with vulnerabilities, and implement appropriate mitigation strategies.
Course architecture
Introduction and reminders
Loading and verifying classes
• Role of the Java compiler
• Role of classloaders
• The different memory areas of the JVM and their management by the garbage collector
• Hierarchy of the different classloaders
• Verifying bytecode
• Dynamic class loading
• Implementing a class loader
• Practical work: Modifying a .class file and executing it with the -noverify option, Implementing a class loader that loads encrypted classes
Security manager and permissions
• Controllable operations
• Activating the security manager
• Protection domain, code source, and permissions
• API overview
• Policy file
• Permission classes
• Implementing a Permission class
• Practical work: Developing a policy file, implementing a Permission class
JAAS, Authentication, and Authorizations
• Introduction to JAAS
• LoginContext and LoginModule
• Configuration and stacking of login modules
• Available LoginModules
• Implementing a specific login module, CallbackHandlers
• Packaging a login module
• Authorizations, Subject Objects, and Principals
• PrivilegedAction interface
• Permission configuration
• Practical work: Implementation of a LoginModule, configuration of authorizations based on user roles
Digital signatures and encryption
• Message digest: SHA1 and MD5
• The keytool tool and keystores
• The jarsigner tool
• Certification authorities
• Deployment of signed code on an intranet or the internet
• Keystore-based permissions
• Data encryption, AES and RSA algorithms
• Practical work: Verifying a fingerprint, Deploying an applet on an intranet, Symmetric and asymmetric encryption
Applying security in a web environment
• Securing a Java application server
• User authentication, web application deployment descriptor
• Configuring login modules in the major application servers
• Declarative security across the Java EE tiers
• SSL
• Practical work: Securing a web application
Web attacks
• OWASP resources
• The ten most critical web application security risks according to OWASP
• Identifying the main risks in cybersecurity
Dynamic application auditing with APPSCAN Standard
• Configuring a scan
• Launching the scan operation
• Analyzing the results
Pedagogical details
Type of training
Private or personalized training
If you have more than 8 people to sign up for a particular course, it can be delivered as a private session right at your offices. Contact us for more details.
Request a quote