Victor Rentea

Java Champion, ex Lead Architect @IBM
Victor (@VictorRentea) is a Java Champion and one of the top technical trainers, having trained more than 1.5K developers in dozens of companies worldwide.
Victor’s talks are regularly top-rated at the largest international conferences in Europe: his live-coding sessions are lightning-fast but well crafted, full of enthusiasm, deep insights and take-away tips. His passion is Simple Design, Refactoring, and Unit Testing, topics he regularly speaks about at top conferences. His personal commitment is to seed passion for writing clean, professional code.

Workshop topic:
Secure Coding in Java

Time & Date:
April 13th & 14th | 9am-5pm CEST

About workshop

This workshop starts by reviewing the essential cryptography and web-security concepts and techniques. The top web attacks identified by OWASP (https://owasp.org/) are then explained and fixed with the Spring Framework in several ways, comparing the tradeoffs of each option. We’ll then dive into the two main coordinates of security, authentication and authorization, and explore the mainstream practices as well as some advanced use-cases that will lead us to discover many details of the Spring Security framework.

Agenda

  • Cryptography Basics:
      » Encryption: Symmetric / Asymmetric; [opt] Java code exercise
      » Hashing; [opt] Java code workshop
      » Digital Signatures; [opt] Raw Java code workshop
      » Certificates, Certificate Authorities, Self-Signed; steps for creating a certificate; signing certificates vs end certificates
      » Keytool workshop
  • Web Security Concepts:
      » SSL, two-way (mutual) SSL; setting up SSL on a Tomcat/Spring Boot app; TLS-1.2 outdated
      » Sessions and Cookies; httpOnly flag
      » CORS Workshop
  • Authentication Mechanisms
      » Form-login
      » Basic + Digest
      » API Token
      » Token-based (JWT), performance considerations, design alternatives
  • OAuth2:
      » Main Concepts
      » Manually login via Postman calls
      » Workshop: Implementing WebSSO using Keycloak + Spring Boot OAuth
  • OWASP Top 10 Web Application Security Risks (https://owasp.org/www-project-top-ten/):
      » Injection: SQL, *QL
      » Uploading Files, zip bombs and zip slips
      » Broken Authentication
      » Sensitive Data Exposure
      » XXE Attacks: exposing sensitive files, Denial-of-Service with xml bombs
      » Broken Access Control (best practices discussed in the next section)
      » Cross-Site Scripting (XSS): input HTML sanitization (e.g. vs. rich text)
      » Cross-Site Request Forgery (CSRF) + token protection
      » Insecure Deserialization + fix
      » Using Components with Known Vulnerabilities; example: https://nvd.nist.gov/vuln/detail/CVE-2020-25649#vulnConfigurationsArea

      » Monitoring security threats
  • Implementing Authorization using Spring:
      » URL-based (Spring/web.xml)
      » Annotation-based (@PreAuthorize/@RolesAllowed)
      » Data jurisdiction (ACLs)
      » Custom Permission Evaluator
      » Enhancing user data from an internal user data source
      » Automated testing of backend authorization using Spring Boot tests or bash scripts [opt]

You can download the full program for this workshop at the following LINK.

* If you're interested in this program, please contact us at info@itkonekt.com to find out more about availability and prices.