Securing Java Web Application Data

By Josh Cummings
This course gives you the APIs and tools for securing user data in Java as well as the concepts needed to level up your data-security awareness.
Play course overview
Course info
Rating
(19)
Level
Intermediate
Updated
Jun 21, 2019
Duration
2h 40m
Table of contents
Course Overview
Course Overview 2m
Hashing Data
The Three Rules of Data Stewardship 3m Leveraging Sensitive Log Information 2m Queryable Hashes 1m Hashing Is Not Encrypting 3m Using MessageDigest 4m Encoding in Base64 2m Encoding in Hex 2m Can I Use MD5? 6m Review 1m
Managing Keys and Certificates
Keys in Chuukese 2m JCA and the Key Interface 2m Key Generators 2m Key Factories 2m A Simple Key Service 3m Recreating a KeyPair from a PrivateKey 1m Exchanging Specs for Keys 1m The KeyStore API 1m Programmatically Adding Keys to a KeyStore 1m Generating Certificates in Java 2m Key Rotation 2m Key Management in Vault 2m Converting PKCS#1 to PKCS#8 2m Key Rotation with Vault 1m Summary and the Apocalypse 1m
Serializing and Deserializing Data
An Insecure EntityResolver Is Worth a Billion Laughs 3m Billion Laughs Explained 2m XXE Defined 2m Mitigating XXE by Disabling DOCTYPEs 2m Mitigating XXE with No-op Entity Resolvers 1m Mitigating XXE by Disabling Other Features 2m Mitigating XXE with Spring Boot 1m Non-DOCTYPE XML SSRF Vectors 2m Haters Gonna Hate 1m Java and the Deserialization Apocalypse 1m A JSON RCE Attack 1m Mitigating Jackson Insecure Deserialization by Avoiding Default Typing 1m Mitigating Jackson Insecure Deserialization with Whitelisting 1m What's Wrong with Java Serialization? 3m Inadequately Mitigating Java Insecure Deserialization 1m Mitigating Java Insecure Deserialization with Whitelisting 1m Java Serialization Is Construction 1m The Apache Commons Serialization Gadget Chain 1m Serialization and Data Stewardship 1m Securing Serialization with Signatures 2m Securing Serialization with Encryption 2m Bonus Track: A Zip Slip Attack 1m Review 2m
Signing and Verifying Data
Forging Prescriptions 3m Forging Messages 1m Adding a Message Hash 1m Macs in Java 1m Adding a Mac in Terracotta Bank 1m Signatures and Timing Attacks 2m MessageDigest vs. Mac 1m Digital Signatures in Java 1m Adding a Digital Signature in Terracotta Bank 1m Downgrade Attacks 2m Replay Attacks 2m Adding a Nonce to Terracotta Bank 1m Key Rotation and JWS 2m Using Spring Security 5.x JWS Support 2m Conclusion 1m
Encrypting and Decrypting Data
The Babington Plot 1m Signing vs. Encryption 2m Java's Cipher Class 2m AES Encryption in Java 2m How Secure Was That, Really? 2m AES and Block Ciphers 1m Adding Entropy to AES 1m AES CBC in Java 1m Adding Authentication to AES 2m AES GCM in Java 2m Symmetric vs. Asymmetric Encryption 2m Hybrid Encryption with JCA 2m Intro to Google Tink 4m Hybrid Encryption with Google Tink 2m Review + the Backbone of the Secure Internet 2m
Transmitting Data over the Network
The Most Dangerous Code in the World 1m Spot the Vuln 2m Overview of TLS RSA 2m SSLSocket Misconfigurations 2m SSLContext 1m Specifying SSLContext's Algorithm 0m Proving Identity with Key Managers 2m Trusting Identity with Trust Managers 2m Using TrustManager 2m Protocols and Cipher Suites 2m Specifying Protocols and Cipher Suites 1m Hostname Verification 1m Adding Hostname Verification 1m TLS 1.3 2m Using TLS 1.3 1m HttpsURLConnection vs SSLSocket 1m Wrap-up 1m
Description
Course info
Rating
(19)
Level
Intermediate
Updated
Jun 21, 2019
Duration
2h 40m
Description

Nearly every website holds onto or transmits user data, and that user data is a gold mine for hackers. We hear about penetrations into big companies with large troves of personal data almost daily. In this course, Securing Java Web Application Data, you will gain the ability to secure web application data using JCA, JSSE, and common open source Java libraries like Spring Vault Client and Google Tink. First, you will learn how to safely hash data. Next, you will discover secure serialization and deserialization. Finally, you will explore how to sign, verify, encrypt, and decrypt data. When you’re finished with this course, you will have the skills and knowledge of Web Application Security needed to secure its data.

About the author
Josh Cummings
About the author

Like many software craftsmen, Josh eats, sleeps, and dreams in code. He codes for fun, and his kids code for fun! Right now, Josh works as a full-time committer on Spring Security and loves every minute.

More from the author
Securing Spring Data REST APIs
Advanced
1h 41m
Feb 19, 2020
Securing Java Web Applications Through Authentication
Intermediate
2h 20m
Sep 21, 2018
More courses by Josh Cummings
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hi everyone. My name is Josh Cummings, and welcome to my course, Securing Java Web Application Data. I'm a principal software engineer on the Spring Security team. Did you know that even if 99% of all data were unhackable that still leaves a dataset the size of 30 Gmails ready to be intruded upon. The task at hand is truly daunting. This course is about using Java to make your data more secure. Some of the major topics that we'll cover include, the three rules of data stewardship, secure standards for hashing, including what makes MD5 so bad, the Java Deserialization Apocalypse, and how to protect your code from it, a deep dive into the JCA, and other APIs for key management signing and encryption, and how JSSE became associated with the most dangerous code in the world, and what to do about it. By the end of this course, you'll know how to use the principles of encoding, hashing, signing, and encryption in Java. Before beginning the course, you should be familiar with Java, including Java 8. From here, you should feel comfortable diving further into Java web application security with courses like, Securing Java Web Applications, and Securing Java Web Application Authentication. I hope you'll join me on this journey to learn Java web application security with the Securing Java Web Application Data course at Pluralsight.

You're the smartest person in the room

PROVE IT

Your team won't just close the skills gap

THEY'LL HURDLE IT