Java Security (Secure Java Development) Course

The Java Security training course is one of the highly specialized courses in the software development area taught professionally at Fanavaran Anisa. Practitioners and specialists in this field can take this course, whose goal is to teach how to defend against attacks in the Java programming language, at the "Iran Linux House", and after completing the specialized training and hands-on practice, receive the course's recognized certificate.

Course overview:

- Generally, be prepared to develop secure Java web applications and services, or to secure existing applications and services by refactoring as necessary
- Define security constraints and login configurations that instruct the web container to enforce authentication and authorization policies
- Guard against common web attacks including XSS, CSRF, and SQL injection
- Validate user input aggressively, for general application health and specifically to foil injection and XSS attacks
- Configure a server and/or application to use one-way or two-way HTTPS
- Apply application-level cryptography where necessary
- Store sensitive information securely, hash user passwords, and understand the importance of salting and of using slow hashing algorithms and processes, to maximize the safety of stored credentials
- Use HMAC security as appropriate in RESTful web services
- Participate in SAML SSO systems, and be aware of the security concerns involved in single sign-on
- Implement server and client sides of the OAuth 2.0 initial flow in order to provide third-party authorization to resources in a secure manner

Objective: how to defend against attacks in the Java programming language

Duration: 44 hours

Prerequisites: Java SE, Java EE

Schedule: please refer to the training calendar.

Course outline:

Java SE Security
  Holistic Security Practices
  Threats to the User
  The Class Loader and Bytecode Verifier
  System Classes and the Core API
  SecurityManager and AccessController
  Permissions
  Implication
  CodeSources
  Policies
  Configuring Java SE Security
  Dynamic Policies
  Privileged Actions

Code Signature and Key Management
  Encryption and Digital Signature
  Keystores
  Keys and Certificates
  Certificate Authorities
  The KeyStore API
  Signing JARs
  Signed CodeSources
  Additional Policy Semantics

Secure Development Practices: Java SE
  Code Injection
  Final Classes and Methods
  Singletons, Factories, and Flyweights
  Methods, Collections, and Data Hiding
  Sealing JARs
  Code Obfuscation
  Object Serialization

Cryptography
  Threats to Identity and Privacy
  The Java Cryptography Extensions
  The Signature Class
  SignedObjects
  The Java Cryptography Extensions
  SecretKeys and KeyGenerator
  The Cipher Class
  Dangerous Practices
  HTTP and JSSE

JAAS
  Pluggable Authentication Logic
  JAAS
  Packages and Interfaces
  Subjects and Principals
  ANDs and ORs
  Impersonation Methods
  Permissions for JAAS Use
  LoginContext and LoginModule
  Configuring JAAS
  CallbackHandler and Callbacks
  Implementing a JAAS Client
  Implementing a LoginModule

Concerns for Web Applications
  Threats and Attack Vectors
  Server, Network, and Browser Vulnerabilities
  Secure Design Principles
  GET vs. POST
  Container Authentication and Authorization
  HTML Forms
  Privacy Under /WEB-INF
  HTTP and HTTPS
  Other Cryptographic Practices
  SOA and Web Services
  The OWASP Top 10

Authentication and Authorization
  HTTP BASIC and DIGEST Authentication Schemes
  Declaring Security Constraints
  User Accounts
  Safeguarding Credentials in Transit
  Replay Attacks
  Authorization Over URL Patterns
  Roles
  FORM Authentication
  Login Form Design
  Session Fixation
  Protections
  Programmatic Security
  Programmatic Security in JSF

Common Web Attacks
  Forceful Browsing
  Predictable Resource Locations
  Using Random Numbers
  Cross-Site Scripting
  Output Escaping
  Cross-Site Request Forgery
  Synchronizer Tokens
  Injection Attacks
  Protections in JDBC and JPA
  Session Management
  Taking Care of Cookies

Input Validation
  Validating User Input
  Validation Practices
  Regular Expressions
  Bean Validation (a/k/a JSR-303)
  Constraint Annotations
  Cross-Field Validation
  Built-In Support in Java EE
  Using a Validator
  Producing Error Responses
  JSF Validation

HTTPS and Certificates
  Digital Cryptography
  Encryption
  SSL and Secure Key Exchange
  Hashing
  Signature
  Keystores
  keytool
  Why Keys Aren't Enough
  X.509 Certificates
  Certificate Authorities
  Obtaining a Signed Certificate
  Configuring HTTPS
  Client-Side Certificates and Two-Way SSL
  PKCS #12 and Trust Stores
  CLIENT-CERT Authentication

Application-Level Cryptography
  The Java Cryptography Architecture
  Secure Random Number Generation
  The KeyStore API
  Digital Signature
  Hashing
  Password Hashing
  Why Hashing Isn't Enough
  Salts
  Key Lengthening and Key Strengthening
  Slow Algorithms
  The Java Cryptography Extensions
  The SecretKey and KeyGenerator Types
  Symmetric Encryption
  Choosing Algorithms and Key Sizes
  Dangerous Practices
  Storing and Managing Keys

Secure Development Practices
  Secure Development Cycle
  Penetration Testing
  Secure Code Review
  Error Handling and Information Leakage
  Failing to a Secure Mode
  Designing for Failure
  Back Doors
  Logging Practices
  Appropriate Content for Logs
  Auditing Strategies

REST Security Basics
  Security Concerns for REST Services
  HTTPS
  HTTP BASIC and DIGEST
  Authorization by URL Pattern
  Cross-Site Scripting
  Injection Attacks
  Cross-Site Request Forgery
  Common Countermeasures

HMAC Security
  Use Case: Message Authentication
  Digital Signature
  Hashing as Signature: the HMAC
  Keyed Hashing
  The Hmac Utility
  Appropriate Salts
  Canonicalization
  Amazon S3
  Timestamps
  Signing and Verifying Messages
  XML Cryptography and Canonicalization
  Canonicalizing JSON

SAML SSO
  The Challenge of Single Sign-On
  Federated Identity
  SAML 2.0
  The Web Browser SSO Profile
  Identity Providers and Service Providers
  SAML Assertions
  SAML Protocol
  SAML Bindings
  Speaking "Through" the Browser
  The HTTP Redirect Binding
  Artifact and SOAP Bindings
  SAML Attributes
  Security Concerns in SSO Systems

OAuth
  Use Case: Third-Party Authorization
  Initial Flow
  Grant Types
  Access Tokens
  The Google OAuth API
  Implementing Authorization and Resource Servers
  Implementing Clients
  Security Concerns with OAuth

Fanavaran Anisa - Iran Linux House

Tehran, Argentine Square, Vozara St., 8th Alley (Yahyavi), No. 4

Contact information:

  • 021-88716168
  • 021-88712172
  • 0910-8555111

info @ anisa.co.ir

© Fanavaran Anisa - Iran Linux House | All rights to this site are reserved for Fanavaran Anisa under the GFDL license.