Secure Coding in Spring Framework

Focused View

Andrew Morgan

7:22:16

0 View

1. Course Overview

1. Course Overview.mp4

01:18

02. A01 - Common Broken Access Control Attack Vectors and Mitigation in Spring Applications

01. Introduction.mp4

02:05

02. Spring Security Overview.mp4

01:03

03. Course Testing Overview.mp4

01:28

04. OWASP Top 10 Overview.mp4

00:27

05. A01 - Broken Access Control.mp4

03:00

06. Force Browsing and Deny by Default.mp4

03:41

07. Access Control with Spring Security Authorizati.mp4

06:33

08. Demo - Adopting Deny by Default.mp4

08:35

09. Force Browsing and Direct Object References.mp4

03:07

10. Indirect Object References in Spring.mp4

00:51

11. Demo - Indirect Object References.mp4

06:32

12. Outro.mp4

00:13

3. A01 - Managing Access Control with Roles

1. Introduction.mp4

01:06

2. Introducing Roles.mp4

01:49

3. Implementing Roles in Spring.mp4

01:29

4. Demo - Role-based Access.mp4

07:49

5. Role Based Access with Parameterized Testing.mp4

04:06

6. Demo - Role Based Access with Parameterized Testing.mp4

06:14

7. Multi-layered Access Control.mp4

02:27

8. Demo - Multi-layered Access Control.mp4

09:22

4. A01 - Managing Access Control with Authorities and Role Hierarchies

1. Introduction.mp4

00:58

2. Authorities Overview.mp4

05:34

3. Demo - Authorities.mp4

10:59

4. Role Hierarchy Overview.mp4

02:59

5. Demo - Role Hierarchies.mp4

08:50

5. A01 - Defence-in-depth with Method-level Security and Permissions

1. Introduction.mp4

01:04

2. What Is Defence-in-depth.mp4

01:54

3. Post Method Invocation Authorization Checks.mp4

04:22

4. Demo - Using the @PostAuthorize and @PostFilter Annotations.mp4

06:59

5. Pre Method Invocation Authorization Checks.mp4

01:59

6. Demo - Using the @PreAuthorize Annotation.mp4

08:14

7. Adopting a Centralized Permissions Service.mp4

03:23

8. Demo - Centralized Permissions Service.mp4

08:57

9. Importance of Access Control Reviews.mp4

01:46

06. A02 - Cryptographic Failures in Transit

01. Introduction.mp4

00:40

02. Overview of OWASP A02.mp4

00:42

03. MITM Attack Overview.mp4

00:49

04. HTTPS Overview.mp4

01:28

05. TLS Certificate Overview.mp4

02:19

06. Java Keytool Quickstart.mp4

01:06

07. Demo - Creating a Self-signed Certificate.mp4

03:14

08. HTTPS in Spring with SSL Bundles.mp4

03:25

09. Demo - HTTPS in Spring with SSL Bundles.mp4

09:14

10. Dont Use HTTP.mp4

01:45

11. Mutual TLS in Spring.mp4

01:49

12. Demo - Mutual TLS in Spring.mp4

02:55

13. Summary.mp4

01:36

07. A02 - Cryptographic Failures with Passwords

01. Introduction.mp4

00:59

02. Plaintext vs. Hashing.mp4

01:46

03. Insecurely Hashed Password Attack Vectors.mp4

00:42

04. Demo - Exploring Insecurely Hashed Password Attack Vectors.mp4

05:47

05. Spring Security Password Encoder Abstraction Overview.mp4

01:15

06. Spring Security BCrypt Password Encoder Overview.mp4

00:44

07. Demo - Spring Security BCrypt Password Encoder.mp4

04:52

08. Spring Security Delegating Password Encoder Overview.mp4

01:09

09. Demo - Spring Security Delegating Password Encoder Overview.mp4

03:53

10. BCrypt Work Factor Overview.mp4

00:33

11. Demo - Configuring Work Factor in Spring Password Encoders.mp4

02:42

12. Further Learning.mp4

00:27

8. A03 - Injection Vulnerabilities in Spring Applications

1. Introduction.mp4

01:13

2. SQL Injection Overview.mp4

04:04

3. SQL Injection in Spring.mp4

03:28

4. Demo - Spring SQL Injection Protection.mp4

05:50

5. Command Injection Overview.mp4

00:42

6. Command Injection in Spring.mp4

03:38

7. Demo - Spring Command Injection Protection.mp4

09:01

09. A04 - Insecure Design

01. Introduction.mp4

00:46

02. What Is Insecure Design.mp4

01:12

03. Secure Design Principles.mp4

01:46

04. Integrating Secure Design into the Software Development Lifecycle.mp4

01:00

05. Identifying Security Requirements.mp4

01:12

06. Choosing a Security Framework.mp4

02:09

07. Threat Modeling Introduction.mp4

01:25

08. Threat Modeling Process.mp4

01:20

09. Applying Threat Modeling.mp4

01:36

10. STRIDE Methodology Overview.mp4

03:20

11. Defining Security User Stories.mp4

01:07

12. Secure Releasing and Operations.mp4

01:12

10. A05 - Security Misconfiguration in Spring Applications

01. Introduction.mp4

00:30

02. What Is Security Misconfiguration.mp4

01:31

03. Accidentally Deploying Insecure Configuration.mp4

02:54

04. Spring Profiles Overview.mp4

01:05

05. Demo - Enabling Spring Configurations with Profiles.mp4

05:22

06. Configuring Property Sources with Profiles.mp4

01:32

07. Demo - Configuring Error Pages Using Profiles and Property Files.mp4

07:43

08. CSRF Protection Overview.mp4

01:56

09. Demo - CSRF Protection With SameSite Cookie Attribute.mp4

04:34

10. CSRF Protection Token Pattern.mp4

01:49

11. Demo - CSRF Protection Token Pattern.mp4

03:39

11. A06 - Vulnerable and Outdated Components

1. Introduction.mp4

00:45

2. OWASP A06 Overview.mp4

01:57

3. CVES Overview.mp4

01:12

4. NVD Overview.mp4

02:04

5. OWASP Dependency Checker Introduction.mp4

01:56

6. Demo - OWASP Dependency Check.mp4

06:54

7. Summary and Best Practice.mp4

01:14

12. A07 - Combatting Identification and Authentication Failures in Spring Framework

01. Introduction.mp4

00:38

02. A07 Overview.mp4

00:27

03. NIST Password Guidelines Overview.mp4

02:39

04. Demo - Updating Outdated Password Policies.mp4

06:06

05. Have I Been Pwned Overview.mp4

00:48

06. Spring Security Have I Been Pwned Integration.mp4

01:20

07. Demo - Using HIBP on Account Registration.mp4

03:43

08. When to Use HIBP.mp4

00:39

09. Demo - Using HIBP on Login.mp4

03:59

10. NIST Account Locking Recommendations.mp4

02:38

11. Demo - Temporary Account Locking.mp4

13:31

13. A07 - Multifactor Authentication in Spring Framework

01. Introduction.mp4

00:26

02. Why Multi-factor Authentication.mp4

01:40

03. Multi-factor Authentication Overview.mp4

02:02

04. Multi-factor Authentication in Spring Demo Overview.mp4

01:11

05. Demo - MFA Part 1 - Redirecting to the OTP Page on Login.mp4

01:56

06. Demo - MFA Part 2 - Setting a Partially Authenticated Role and Redirect Filter.mp4

05:01

07. Demo - MFA Part 3 - Ensuring the OTP Page Is Only Accessible by Partially Authenti.mp4

01:46

08. Demo - MFA Part 4 - Generating and Sending a Secure OTP.mp4

07:20

09. Demo - MFA Part 5 - Validating a Secure OTP and Completing Login.mp4

08:34

10. Demo - MFA Part 6 - Limiting OTP Input Attempts and Account Locking.mp4

05:38

11. Demo - MFA Part 7 - Browser Demo and Run-through.mp4

01:23

12. Password Reset Feature Overview.mp4

00:45

13. Demo - Password Reset.mp4

06:22

14. Summary and Best Practice.mp4

01:06

14. A08 - Software and Data Integrity Failures

01. Introduction.mp4

00:52

02. A02 - Software and Data Integrity Failures Overview.mp4

01:23

03. MITM Attacks.mp4

02:00

04. Maven Snapshots.mp4

00:57

05. Demo - Disabling Maven Snapshots.mp4

01:53

06. Why Checksums.mp4

01:31

07. Demo - Maven Dependency Checksums.mp4

00:58

08. PGP Keys Overview.mp4

03:08

09. Demo - Maven PGP Keys.mp4

04:00

10. Further Recommendations and Outro.mp4

01:06

15. A09 - Security Logging and Monitoring Failures

01. Introduction.mp4

00:44

02. Overview of OWASP A09.mp4

01:43

03. The Importance of Logging Security Events.mp4

01:26

04. Demo - Logging Security Events in Spring.mp4

02:14

05. The Importance of Enriching Logs with Context Metadata.mp4

01:27

06. Leveraging MDC in Spring to Log Additional Context Metadata.mp4

01:43

07. Demo - Adding User and Request Data to the MDC.mp4

06:22

08. Avoiding Sensitive Data Logging with Masking.mp4

01:00

09. Demo - Masking Sensitive Data.mp4

03:26

10. Why Log Data as JSON - ELK Stack Use Case.mp4

01:38

11. Demo - Structured JSON Logging with Elk Stack.mp4

03:19

12. Using Spring Actuator to Monitor Security Metrics.mp4

01:51

13. Demo - Security Metric Monitoring with Spring Actuator and ELK Stack.mp4

04:20

14. Security Incident Alerting Best Practice and Summary.mp4

01:01

16. A10 - Server-Side Request Forgery (SSRF) in Spring Applications

01. Introduction.mp4

00:41

02. Server-side Request Forgery Overview.mp4

02:16

03. Allow List Protection.mp4

01:02

04. Leveraging a Hoverfly Proxy for Testing.mp4

00:32

05. Demo - Allow List Protection.mp4

03:59

06. Bypassing Allow Lists With Redirects.mp4

01:01

07. Demo - Protecting Against Redirects.mp4

03:35

08. Exploiting Unsanitized Input.mp4

01:00

09. Demo - Exploiting Unsanitized Input.mp4

03:28

10. Best Practice and Summary.mp4

01:20

Description

Learn about security vulnerabilities in Spring applications and how to mitigate them effectively, making your applications resilient against potential threats.

What You'll Learn?

Learning how to securely code in Spring will not only enhance your own development skills, but it will drastically reduce potential security incidents within your application. In this course, Securing Coding in the Spring Framework, you'll address the critical concern of security in Spring-based applications, learning how to fortify them against various common threats. First, you’ll explore the OWASP top 10 security threats, in the specific context of Spring application development. Next, you’ll analyze and identify multiple examples of these threats, such as mis-implemented access control, weak cryptography, injection vulnerabilities, and more. Finally, you’ll learn how to refactor your Spring application to mitigate these threats by leveraging the framework to its full potential. By the end of this course, you’ll have the skills and knowledge needed to ensure the security of your Spring applications, making them resilient against common security threats.

More details

User Reviews

Rating

average 0

Total votes0

Focused display

Spring Framework

Andrew Morgan

Instructor's Courses

Andrew is an independent consultant with cross-functional expertise in the design, development, and deployment of enterprise level software systems. Working with various clients, Andrew has been exposed to many different technology stacks, most recently specializing in Java microservices and continuous delivery. Andrew is actively involved in the wider community, presenting at international conferences, delivering training courses, contributing to open source, and writing for InfoQ.

Pluralsight

View courses Pluralsight

Pluralsight, LLC is an American privately held online education company that offers a variety of video training courses for software developers, IT administrators, and creative professionals through its website. Founded in 2004 by Aaron Skonnard, Keith Brown, Fritz Onion, and Bill Williams, the company has its headquarters in Farmington, Utah. As of July 2018, it uses more than 1,400 subject-matter experts as authors, and offers more than 7,000 courses in its catalog. Since first moving its courses online in 2007, the company has expanded, developing a full enterprise platform, and adding skills assessment modules.