Azerbaycan OWASP Top 10, Java Secure Coding Follow Up Eğitimi

• Learn client-side vulnerabilities and secure coding practices
• Have a practical understanding of cryptography
• Learn to use various security features of the Java development environment

• Client-side security
• Practical cryptography
• Secure communication in Java
• Java security services

Client-side security

• JavaScript security
• Same Origin Policy
• Simple requests
• Preflight requests
• Exercise – Client-side authentication
• Client-side authentication and password management
• Protecting JavaScript code
• Clickjacking
  • Clickjacking
  • Exercise – IFrame, Where is My Car?
  • Protection against Clickjacking
  • Anti frame-busting – dismissing protection scripts
  • Protection against busting frame busting
• AJAX security
  • XSS in AJAX
  • Script injection attack in AJAX
  • Exercise – XSS in AJAX
  • XSS protection in AJAX
  • Exercise CSRF in AJAX – JavaScript hijacking
  • CSRF protection in AJAX

Practical cryptography

• Rule #1 of implementing cryptography
• Cryptosystems
  • Elements of a cryptosystem
  • Java Cryptography Architecture / Extension (JCA/JCE)
  • Using Cryptographic Service Providers
• Symmetric-key cryptography
  • Providing confidentiality with symmetric cryptography
  • Symmetric encryption algorithms
  • Modes of operation
  • Private (symmetric) key cryptography in Java
• Other cryptographic algorithms
  • Hash or message digest
  • Hash algorithms
  • SHAttered
  • Hashing in Java: MessageDigest class
  • MAC and password-based encryption in Java: Mac class
  • Message Authentication Code (MAC)
  • Providing integrity and authenticity with a symmetric key
  • Random number generation
    • Random numbers and cryptography
    • Cryptographically-strong PRNGs
    • Weak and strong PRNGs in Java
    • Hardware-based TRNGs
    • Exercise RandomTest
    • Using random numbers in Java – spot the bug!
• Asymmetric (public-key) cryptography
  • Providing confidentiality with public-key encryption
  • Rule of thumb – possession of private key
  • The RSA algorithm
    • Introduction to RSA algorithm
    • Encrypting with RSA
    • Combining symmetric and asymmetric algorithms
    • Digital signing with RSA
    • Exercise Sign
• Public Key Infrastructure (PKI)
  • Man-in-the-Middle (MitM) attack
  • Digital certificates against MitM attack
  • Certificate Authorities in Public Key Infrastructure
  • X.509 digital certificate
  • The Java Keystore (JKS)
  • Java Certification Path (CertPath)

Secure communication in Java

• SSL and TLS
• Usage options
• Security services of TLS
• SSL/TLS handshake

Java security services

• Java security services – architecture