
JAVA APPLICATION SECURITY

A comprehensive Java security training course that helps participants understand the broad range of Java security challenges and the remedies that address them. It covers the basic concepts of code security and good secure-coding practices.

COURSE OBJECTIVE:
The course teaches how to design and implement security policies for Java applications, servers and components.
Participants learn to incorporate JAAS authentication into an application and to implement a JAAS LoginModule that connects to their own application data.
It covers protection against common web attacks, including XSS, CSRF and SQL injection, along with application-level cryptography.
Coverage extends to securing log files and establishing audit trails for especially sensitive information or actions.

LESSON PLANS


SESSION 1: JAVA SE SECURITY
Session Goal:
  • Holistic Security Practices.
  • Threats to the User.
  • The Class Loader and Bytecode Verifier.
  • System Classes and the Core API.
  • SecurityManager and AccessController.
  • Permissions, Implication, CodeSources and Policies.
  • Configuring Java SE Security.
  • Dynamic Policies and Privileged Actions.

SESSION 2: CODE SIGNATURE AND KEY MANAGEMENT
Session Goal:
  • Encryption and Digital Signature.
  • KeyStores.
  • Keys and Certificates.
  • Certificate Authorities.
  • The KeyStore API.
  • Signing JARs.
  • Signed CodeSources.
  • Additional Policy Semantics.

SESSION 3: SECURE DEVELOPMENT PRACTICES: JAVA SE
Session Goal:
  • Code Injection.
  • Final Classes and Methods.
  • Singletons, Factories, and Flyweights.
  • Methods, Collections, and Data Hiding.
  • Sealing JARs.
  • Code Obfuscation.
  • Object Serialization.

SESSION 4: CRYPTOGRAPHY
Session Goal:
  • Threats to Identity and Privacy.
  • The Java Cryptography Extensions.
  • The Signature Class.
  • Signed Objects.
  • SecretKeys and KeyGenerator.
  • The Cipher Class.
  • Dangerous Practices.
  • HTTP and JSSE.

SESSION 5: JAAS
Session Goal:
  • Pluggable Authentication Logic.
  • JAAS.
  • Packages and Interfaces.
  • Subjects and Principals.
  • ANDs and ORs.
  • Impersonation Methods.
  • Permissions for JAAS Use.
  • LoginContext and LoginModule.
  • Configuring JAAS.
  • CallbackHandler and Callbacks.
  • Implementing a JAAS Client.
  • Implementing a LoginModule.

SESSION 6: JAVA EE SECURITY
Session Goal:
  • Java EE Servers as Code Hosts.
  • Tomcat Security Configuration.
  • Declaring Roles.
  • Securing URLs.
  • HTTP Authentication Schemes.
  • Securing EJBs.
  • Programmatic Security.
  • JAAS in Java EE.
  • Realms and LoginModules.
  • JAAS in Tomcat.
  • JACC.
  • Certifying a Java EE Application.
  • HTTPS Configuration.

SESSION 7: SECURE DEVELOPMENT PRACTICES: JAVA EE
Session Goal:
  • Presentation-Tier Vulnerabilities.
  • User Accounts.
  • MVC and Security.
  • Validating User Input.
  • SQL Injection.
  • Cross-Site Scripting.
  • Reflected XSS and Defeating XSS.
  • OWASP.
  • Penetration Testing.
  • Error Handling and Information Leakage.
  • Logging and Auditing.

CASE STUDY AND PROJECTS
Case studies are an integral part of the training. As part of this course, we will ensure you implement real-time case studies in various domains, including:
  • Banking.
  • Telecom.
  • Ecommerce.
  • HealthCare.
These case studies will be evaluated by domain experts, and you will get an opportunity to receive feedback on your work.

TRAINING FEATURES
1) Extensive Real Time Live Examples, Projects & POCs for improved practical competency, ensure deployment readiness and implementation.
2) Custom Lab, Software and Environment provided with Real-time Project Simulation.
3) Recorded Videos complemented with corresponding lecture ppts, materials & lab guides. (Provided in the form of MP4 videos, pdf, ppt for offline access as well).
4) Certification and Job-Interview Counselling & Coaching after every training.
ALCHEMY LEARNSOFT
CONTACT US
support@alchemyls.com
1800-929-7190
ADDRESS
2711, Centerville Road
Suite 400
Wilmington, DE 19808
© 2016 Alchemy LearnSoft. All Rights Reserved.