Secure Java EE Development

Bascom Bridge’s Java EE 7 Security Training: Secure Java EE Development course shows experienced developers of Java EE applications and services how to write new code and upgrade existing code for maximum safety.

JAVA EE 7 SECURITY TRAINING OBJECTIVES

All students will:

  • Develop secure Java web applications and services, or secure existing applications and services by refactoring as necessary.
  • Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies.
  • Guard against common web attacks including XSS, CSRF, and SQL injection.
  • Validate user input aggressively for general application health and specifically to foil injection and XSS attacks.
  • Configure a server and/or application to use one-way or two-way HTTPS.
  • Apply application-level cryptography where necessary.
  • Secure log files and establish audit trails for especially sensitive information or actions.
  • Use HMAC security as appropriate in RESTful web services.
  • Participate in SAML SSO systems and be aware of the security concerns involved in single sign-on.
  • Implement the server and client sides of the OAuth-2.0 initial flow in order to provide third-party authorization to resources in a secure manner.

JAVA EE 7 SECURITY TRAINING PREREQUISITES

  • Java programming experience is essential – Bascom Bridge’s Beginning Java Application Development is excellent preparation should students need to get up to speed on Java.
  • Servlets programming experience is required – students should have taken Bascom Bridge’s Beginning JSP and Servlets or have equivalent experience.
  • JSP page-authoring experience is recommended but not required. Again, consider Beginning JSP and Servlets.
  • Understanding of RESTful web services as implemented in JAX-RS will be highly beneficial, but is not strictly required. Consider Bascom Bridge’s RESTful Web Services with JAX-RS course for your team.

JAVA EE 7 SECURITY TRAINING MATERIALS

All attendees receive comprehensive courseware covering all topics in the course outline.

SOFTWARE NEEDED FOR EACH PC:

  • Core 2 Duo or faster processor with at least 3 GB RAM
  • Any operating system that supports JDK 7 or later
  • JDK 7 or later
  • Eclipse Luna for Java EE Developers or later version
  • Related lab files that Accelebrate would provide
  • For classes delivered online, all participants need either dual monitors or a separate device logged into the online session so that they can do their work on one screen and watch the instructor on the other. A separate computer connected to a projector or large screen TV would be another way for students to see the instructor’s screen simultaneously with working on their own.

JAVA EE 7 SECURITY TRAINING OUTLINE

  • Introduction
  • Secure Web Applications
    • Threats and Attack Vectors
    • Server, Network, and Browser Vulnerabilities
    • Secure Design Principles
    • GET vs. POST
    • Container Authentication and Authorization
    • HTML Forms
    • Privacy Under /WEB-INF
    • HTTP and HTTPS
    • Other Cryptographic Practices
    • SOA and Web Services
    • The OWASP Top 10
  • Authentication and Authorization
    • HTTP BASIC and DIGEST Authentication Schemes
    • Declaring Security Constraints
    • User Accounts
    • Safeguarding Credentials in Transit
    • Replay Attacks
    • Authorization Over URL Patterns
    • Roles
    • FORM Authentication
    • Login Form Design
    • EJB Authorization
    • Programmatic Security
    • Programmatic Security in JSF
  • Common Web Attacks
    • Single Points of Decision
    • Cross-Site Scripting
    • Validation vs. Output Escaping
    • Forceful Browsing
    • Cross-Site Request Forgery
    • Request Tokens
    • Injection Attacks
    • Protections in JDBC and JPA
    • Session Management
    • Taking Care of Cookies
  • Input Validation
    • Validating User Input
    • Validation Practices
    • Regular Expressions
    • JSF Validation
    • Bean Validation (a/k/a JSR-303)
    • Constraint Annotations
    • Cross-Field Validation
    • Built-In Support in Java EE
    • Using a Validator
    • Producing Error Responses
  • HTTPS and Certificates
    • Digital Cryptography
    • Encryption
    • SSL and Secure Key Exchange
    • Hashing
    • Signature
    • Keystores
    • keytool
    • Why Keys Aren’t Enough
    • X.509 Certificates
    • Certificate Authorities
    • Obtaining a Signed Certificate
    • Configuring HTTPS
    • Client-Side Certificates and Two-Way SSL
    • PKCS #12 and Trust Stores
    • CLIENT-CERT Authentication
  • Application-Level Cryptography
    • The Java Cryptography Architecture
    • Secure Random Number Generation
    • The KeyStore API
    • Digital Signature
    • Hashing
    • Password Hashing
    • Why Hashing Isn’t Enough
    • Salts
    • Slow Algorithms
    • Key Lengthening and Key Strengthening
    • The Java Cryptography Extensions
    • The SecretKey and KeyGenerator Types
    • Symmetric Encryption
    • Choosing Algorithms and Key Sizes
    • Dangerous Practices
  • Secure Development Practices
    • Secure Development Cycle
    • Error Handling and Information Leakage
    • Failing to a Secure Mode
    • Logging Practices
    • Appropriate Content for Logs
    • Auditing
    • Strategies: Filters, Interceptors, and Command Chains
    • Penetration Testing
    • Back Doors
    • Secure Code Review
  • REST Security Basics
    • Security Concerns for REST Services
    • HTTPS
    • HTTP BASIC and DIGEST
    • Authorization by URL Pattern
    • Cross-Site Scripting
    • Injection Attacks
    • Cross-Site Request Forgery
    • Common Countermeasures
  • HMAC Security
    • Use Case: Message Authentication
    • Digital Signature
    • Hashing as Signature: the HMAC
    • Appropriate Salts
    • Canonicalization
    • Amazon S3
    • Timestamps
    • Signing and Verifying Messages
    • XML Cryptography and Canonicalization
    • Canonicalizing JSON
  • SAML SSO
    • Use Case: Single Sign-On
    • SAML Orientation
    • SAML Assertions
    • SAML Protocol
    • HTTP Bindings
    • Speaking “Through” the Browser
    • Artifact and SOAP Bindings
    • SAML Attributes
    • SAML SSO
    • Federated Identity
    • Identity Providers and Service Providers
    • Metadata
    • OpenID
    • Universal Identity
    • Security Concerns in SSO Systems
  • OAuth
    • Use Case: Third-Party Authorization
    • OAuth
    • Initial Flow
    • Grant Types
    • Access Tokens
    • The Google OAuth API
    • Implementing Authorization and Resource Servers
    • Implementing Clients
    • Security Concerns with OAuth
  • Conclusion

JAVA EE 7 SECURITY TRAINING FORMAT

  • Theory: 40%
  • Lab: 60%
  • Duration: 30 hours