Objectives of the training
The objective of this training is to enable participants to gain a comprehensive understanding of Java application security: identifying vulnerabilities, using security APIs (JCE, JAAS), implementing secure coding practices and cryptography, authentication, and auditing mechanisms. It also incorporates best practices for secure development and incident and risk management.
Targeted audience
Developers, designers, project managers, technical architects
Prerequisite
Have programming experience in Java.
Course architecture
Introduction and reminders
Loading and verifying classes
• Role of the Java compiler
• Role of classloaders
• The different memory areas of the JVM and their management by the garbage collector
• Hierarchy of the different classloaders
• Verifying bytecode
• Dynamic class loading
• Implementing a class loader
• Practical work: Modifying a .class file and executing it with the -noverify option; implementing a class loader that loads encrypted classes
Security manager and permissions
• Controllable operations
• Activating the security manager
• Protection domain, code source, and permissions
• API overview
• Policy file
• Permission classes
• Implementing a Permission class
• Practical work: Developing a policy file; implementing a Permission class
JAAS, Authentication, and Authorizations
• Introduction to JAAS
• LoginContext and LoginModule
• Configuration and stacking of login modules
• Available LoginModules
• Implementing a specific login module, CallbackHandlers
• Packaging a login module
• Authorizations, Subject Objects, and Principals
• PrivilegedAction interface
• Permission configuration
• Practical work: Implementing a LoginModule; configuring authorizations based on user roles
Digital signatures and encryption
• Message digest: SHA1 and MD5
• The keytool tool and keystores
• The jarsigner tool
• Certification authorities
• Deployment of signed code on an intranet or the internet
• Keystore-based permissions
• Data encryption, AES and RSA algorithms
• Practical work: Verifying a fingerprint; deploying an applet on an intranet; symmetric and asymmetric encryption
Applying security in a web environment
• Securing a Java application server
• User authentication, web application deployment descriptor
• Configuring login modules in major application servers
• Declarative security across the various Java EE tiers
• SSL
• Practical work: Securing a web application
Web attacks
• OWASP resources
• The ten most critical web application security risks according to OWASP
• Identifying the main risks in cybersecurity
Dynamic application auditing with APPSCAN Standard
• Configuring a scan
• Launching the scan operation
• Analyzing the results
Pedagogical details
Type of training
Private or personalized training
Do you have several employees interested in the same training course? Whether in person at your offices or remotely in virtual mode, we offer private training courses tailored to your team's needs. Group rates are available. Contact us for more details or request a quote online.