Securing Java Web Application Data
This course gives you the APIs and tools for securing user data in Java as well as the concepts needed to level up your data-security awareness.
What you'll learn
Nearly every website stores or transmits user data, and that user data is a gold mine for attackers. We hear about breaches at big companies holding large troves of personal data almost daily. In this course, Securing Java Web Application Data, you will gain the ability to secure web application data using JCA, JSSE, and common open source Java libraries like Spring Vault Client and Google Tink. First, you will learn how to safely hash data. Next, you will discover secure serialization and deserialization. Finally, you will explore how to sign, verify, encrypt, and decrypt data. When you're finished with this course, you will have the web application security skills and knowledge needed to secure its data.
Table of contents
- Keys in Chuukese 2m
- JCA and the Key Interface 2m
- Key Generators 2m
- Key Factories 2m
- A Simple Key Service 3m
- Recreating a KeyPair from a PrivateKey 1m
- Exchanging Specs for Keys 1m
- The KeyStore API 1m
- Programmatically Adding Keys to a KeyStore 1m
- Generating Certificates in Java 2m
- Key Rotation 2m
- Key Management in Vault 2m
- Converting PKCS#1 to PKCS#8 2m
- Key Rotation with Vault 1m
- Summary and the Apocalypse 1m
- An Insecure EntityResolver Is Worth a Billion Laughs 3m
- Billion Laughs Explained 2m
- XXE Defined 2m
- Mitigating XXE by Disabling DOCTYPEs 2m
- Mitigating XXE with No-op Entity Resolvers 1m
- Mitigating XXE by Disabling Other Features 2m
- Mitigating XXE with Spring Boot 1m
- Non-DOCTYPE XML SSRF Vectors 2m
- Haters Gonna Hate 1m
- Java and the Deserialization Apocalypse 1m
- A JSON RCE Attack 1m
- Mitigating Jackson Insecure Deserialization by Avoiding Default Typing 1m
- Mitigating Jackson Insecure Deserialization with Whitelisting 1m
- What's Wrong with Java Serialization? 3m
- Inadequately Mitigating Java Insecure Deserialization 1m
- Mitigating Java Insecure Deserialization with Whitelisting 1m
- Java Serialization Is Construction 1m
- The Apache Commons Serialization Gadget Chain 1m
- Serialization and Data Stewardship 1m
- Securing Serialization with Signatures 2m
- Securing Serialization with Encryption 2m
- Bonus Track: A Zip Slip Attack 1m
- Review 2m
- Forging Prescriptions 3m
- Forging Messages 1m
- Adding a Message Hash 1m
- Macs in Java 1m
- Adding a Mac in Terracotta Bank 1m
- Signatures and Timing Attacks 2m
- MessageDigest vs. Mac 1m
- Digital Signatures in Java 1m
- Adding a Digital Signature in Terracotta Bank 1m
- Downgrade Attacks 2m
- Replay Attacks 2m
- Adding a Nonce to Terracotta Bank 1m
- Key Rotation and JWS 2m
- Using Spring Security 5.x JWS Support 2m
- Conclusion 1m
- The Babington Plot 1m
- Signing vs. Encryption 2m
- Java's Cipher Class 2m
- AES Encryption in Java 2m
- How Secure Was That, Really? 2m
- AES and Block Ciphers 1m
- Adding Entropy to AES 1m
- AES CBC in Java 1m
- Adding Authentication to AES 2m
- AES GCM in Java 2m
- Symmetric vs. Asymmetric Encryption 2m
- Hybrid Encryption with JCA 2m
- Intro to Google Tink 4m
- Hybrid Encryption with Google Tink 2m
- Review + the Backbone of the Secure Internet 2m
- The Most Dangerous Code in the World 1m
- Spot the Vuln 2m
- Overview of TLS RSA 2m
- SSLSocket Misconfigurations 2m
- SSLContext 1m
- Specifying SSLContext's Algorithm 0m
- Proving Identity with Key Managers 2m
- Trusting Identity with Trust Managers 2m
- Using TrustManager 2m
- Protocols and Cipher Suites 2m
- Specifying Protocols and Cipher Suites 1m
- Hostname Verification 1m
- Adding Hostname Verification 1m
- TLS 1.3 2m
- Using TLS 1.3 1m
- HttpsURLConnection vs SSLSocket 1m
- Wrap-up 1m