{"course":{"productid":36450,"modality":1,"active":true,"language":"fr","title":"API security in Java","productcode":"ASIJ","vendorcode":"CY","vendorname":"Cydrill","fullproductcode":"CY-ASIJ","courseware":{"has_ekit":false,"has_printkit":true,"language":""},"url":"https:\/\/portal.flane.ch\/course\/cydrill-asij","objective":"<ul>\n<li>Getting familiar with essential cyber security concepts<\/li><li>Understanding API security issues<\/li><li>Detailed analysis of the OWASP API Security Top Ten elements<\/li><li>Putting API security in the context of Java<\/li><li>Going beyond the low hanging fruits<\/li><li>Managing vulnerabilities in third party components<\/li><li>Input validation approaches and principles<\/li><\/ul>","essentials":"<p>General Java development<\/p>","audience":"<p>Java API developers<\/p>","contents":"<h4>Day 1<\/h4>\n<ul> <li>Cyber security basics <ul> <li>What is security?<\/li><li>Threat and risk<\/li><li>Cyber security threat types &ndash; the CIA triad<\/li><li>Consequences of insecure software<\/li><\/ul><\/li><li>OWASP API Security Top Ten <ul> <li>OWASP API Security Top 10 2023<\/li><li>API1 &ndash; Broken Object Level Authorization<\/li><li>Confused deputy<\/li><li>Insecure direct object reference (IDOR)<\/li><li>Lab &ndash; Insecure Direct Object Reference<\/li><li>Authorization bypass through user-controlled keys<\/li><li>Case study &ndash; Remote takeover of Nexx garage doors and alarms<\/li><li>Lab &ndash; Horizontal authorization<\/li><li>File upload<\/li><li>Unrestricted file upload<\/li><li>Good practices<\/li><li>Lab &ndash; Unrestricted file upload<\/li><li>Case study &ndash; File upload vulnerability in Netflix Genie<\/li><\/ul><\/li><li>API2 &ndash; Broken Authentication <ul> <li>Authentication basics<\/li><li>Multi-factor authentication (MFA)<\/li><li>Case study &ndash; The InfinityGauntlet attack<\/li><li>Time-based One Time Passwords (TOTP)<\/li><li>Password management<\/li><li>Storing account passwords<\/li><li>Password in 
transit<\/li><li>Lab &ndash; Is just hashing passwords enough?<\/li><li>Dictionary attacks and brute forcing<\/li><li>Salting<\/li><li>Adaptive hash functions for password storage<\/li><li>Lab &ndash; Using adaptive hash functions in JCA<\/li><li>Using password cracking tools<\/li><li>Password cracking in Windows<\/li><li>Password change<\/li><li>Password recovery issues<\/li><li>Password recovery best practices<\/li><li>Lab &ndash; Password reset weakness<\/li><li>Case study &ndash; Facebook account takeover via recovery code<\/li><li>Case study &ndash; GitLab account takeover<\/li><li>Anti-automation<\/li><li>Password policy<\/li><li>NIST authenticator requirements for memorized secrets<\/li><li>Password hardening<\/li><li>Using passphrases<\/li><li>Password database migration<\/li><li>(Mis)handling null passwords<\/li><\/ul><\/li><\/ul>\n<h4>Day 2<\/h4>\n<ul> <li>API3 &ndash; Broken Object Property Level Authorization <ul> <li>Information exposure<\/li><li>Exposure through extracted data and aggregation<\/li><li>Case study &ndash; Strava data exposure<\/li><li>System information leakage<\/li><li>Leaking system information<\/li><li>Information exposure best practices<\/li><li>Secrets management<\/li><li>Hard coded passwords<\/li><li>Best practices<\/li><li>Lab &ndash; Hardcoded password<\/li><li>Protecting sensitive information in memory<\/li><li>Challenges in protecting memory<\/li><li>Case study &ndash; Microsoft secret key theft via dump files<\/li><li>Storing sensitive data in memory<\/li><li>Lab &ndash; Using secret-handling classes in Java<\/li><\/ul><\/li><li>API4 &ndash; Unrestricted Resource Consumption <ul> <li>Denial of service<\/li><li>Flooding<\/li><li>Resource exhaustion<\/li><li>Sustained client engagement<\/li><li>Denial of service problems in Java<\/li><li>Infinite loop<\/li><li>Economic Denial of Sustainability (EDoS)<\/li><li>Algorithmic complexity issues<\/li><li>Regular expression denial of service (ReDoS)<\/li><li>Lab &ndash; 
ReDoS<\/li><li>Dealing with ReDoS<\/li><\/ul><\/li><li>API5 &ndash; Broken Function Level Authorization <ul> <li>Authorization<\/li><li>Access control basics<\/li><li>Access control types<\/li><li>Missing or improper authorization<\/li><li>Case study &ndash; Broken authn\/authz in Apache OFBiz<\/li><li>Failure to restrict URL access<\/li><\/ul><\/li><li>API6 &ndash; Unrestricted Access to Sensitive Business Flows <ul> <li>Security by design<\/li><li>The STRIDE model of threats<\/li><li>Secure design principles of Saltzer and Schroeder<\/li><li>Economy of mechanism<\/li><li>Fail-safe defaults<\/li><li>Complete mediation<\/li><li>Open design<\/li><li>Separation of privilege<\/li><li>Least privilege<\/li><li>Least common mechanism<\/li><li>Psychological acceptability<\/li><li>Logging and monitoring<\/li><li>Logging and monitoring principles<\/li><li>Insufficient logging<\/li><li>Case study &ndash; Plaintext passwords at Facebook<\/li><li>Log forging<\/li><li>Web log forging<\/li><li>Log forging &ndash; best practices<\/li><li>Case study &ndash; Log interpolation in log4j<\/li><li>Case study &ndash; The Log4Shell vulnerability (CVE-2021-44228)<\/li><li>Case study &ndash; Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)<\/li><li>Lab &ndash; Log4Shell<\/li><li>Logging best practices<\/li><li>Monitoring best practices<\/li><\/ul><\/li><li>API7 &ndash; Server Side Request Forgery <ul> <li>Server-side Request Forgery (SSRF)<\/li><li>Case study &ndash; SSRF in Ivanti Connect Secure<\/li><\/ul><\/li><li>API8 &ndash; Security Misconfiguration <ul> <li>Information exposure through error reporting<\/li><li>Information leakage via error pages<\/li><li>Case study &ndash; Information leakage via errors in Apache Superset<\/li><li>Same Origin Policy<\/li><li>Simple request<\/li><li>Preflight request<\/li><li>Cross-Origin Resource Sharing (CORS)<\/li><li>Configuring XML parsers<\/li><li>DTD and the entities<\/li><li>Entity expansion<\/li><li>External Entity Attack 
(XXE)<\/li><li>File inclusion with external entities<\/li><li>Server-Side Request Forgery with external entities<\/li><li>Lab &ndash; External entity attack<\/li><li>Preventing XXE<\/li><li>Lab &ndash; Prohibiting DTD<\/li><li>Case study &ndash; XXE vulnerability in Ivanti products<\/li><\/ul><\/li><\/ul>\n<h4>Day 3<\/h4>\n<ul> <li>API9 &ndash; Improper Inventory Management <ul> <li>Documentation blindspots<\/li><li>Dataflow blindspots<\/li><li>Using vulnerable components<\/li><li>Untrusted functionality import<\/li><li>Case study &ndash; The Polyfill.io supply chain attack<\/li><li>Vulnerability management<\/li><li>Lab &ndash; Finding vulnerabilities in third-party components<\/li><\/ul><\/li><li>API10 &ndash; Unsafe Consumption of APIs <ul> <li>Input validation<\/li><li>Input validation principles<\/li><li>Denylists and allowlists<\/li><li>What to validate &ndash; the attack surface<\/li><li>Where to validate &ndash; defense in depth<\/li><li>When to validate &ndash; validation vs transformations<\/li><li>Output sanitization<\/li><li>Encoding challenges<\/li><li>Unicode challenges<\/li><li>Validation with regex<\/li><\/ul><\/li><li>Injection <ul> <li>Injection principles<\/li><li>Injection attacks<\/li><li>SQL injection<\/li><li>SQL injection basics<\/li><li>Lab &ndash; SQL injection<\/li><li>Attack techniques<\/li><li>Content-based blind SQL injection<\/li><li>Time-based blind SQL injection<\/li><li>SQL injection best practices<\/li><li>Input validation<\/li><li>Parameterized queries<\/li><li>Lab &ndash; Using prepared statements<\/li><li>Database defense in depth<\/li><li>Case study &ndash; SQL injection in Fortra FileCatalyst<\/li><li>Code injection<\/li><li>OS command injection<\/li><li>OS command injection best practices<\/li><li>Using Runtime.exec()<\/li><li>Case study &ndash; Shellshock<\/li><li>Lab &ndash; Shellshock<\/li><li>Case study &ndash; Command injection in VMware Aria<\/li><\/ul><\/li><li>Open redirects and forwards <ul> <li>Open redirects and 
forwards &ndash; best practices<\/li><\/ul><\/li><li>Files and streams <ul> <li>Path traversal<\/li><li>Lab &ndash; Path traversal<\/li><li>Additional challenges in Windows<\/li><li>Case study &ndash; File spoofing in WinRAR<\/li><li>Case study &ndash; RCE via path traversal in Apache OFBiz<\/li><li>Path traversal best practices<\/li><li>Lab &ndash; Path canonicalization<\/li><\/ul><\/li><li>Unsafe reflection <ul> <li>Reflection without validation<\/li><li>Lab &ndash; Unsafe reflection<\/li><\/ul><\/li><li>Wrap up <ul> <li>Secure coding principles<\/li><li>Principles of robust programming by Matt Bishop<\/li><li>Secure design principles of Saltzer and Schroeder<\/li><li>And now what?<\/li><li>Software security sources and further reading<\/li><li>Java resources<\/li><\/ul><\/li><\/ul>","outline":"<ul>\n<li>Cyber security basics<\/li><li>OWASP API Security Top Ten<\/li><li>API1 - Broken Object Level Authorization<\/li><li>API2 - Broken Authentication<\/li><li>API3 - Broken Object Property Level Authorization<\/li><li>API4 - Unrestricted Resource Consumption<\/li><li>API5 - Broken Function Level Authorization<\/li><li>API6 - Unrestricted Access to Sensitive Business Flows<\/li><li>API7 - Server Side Request Forgery<\/li><li>API8 - Security Misconfiguration<\/li><li>API9 - Improper Inventory Management<\/li><li>API10 - Unsafe Consumption of APIs<\/li><li>Wrap up<\/li><\/ul>","summary":"<p>Your application written in Java works as intended, so you are done, right? But do your APIs behave well for incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because these are the values the bad guys will feed in &ndash; and the list is far from complete.<\/p>\n<p>The course provides a comprehensive walkthrough on the OWASP API Security Top Ten, equipping developers, security professionals, and architects with the knowledge to identify, mitigate, and prevent the most critical security risks in modern API-driven applications. 
 Each of the ten risks &ndash; including Broken Object, Property and Function Level Authorization (BOLA, BOPLA and BFLA), Unrestricted Resource Consumption, Unsafe Consumption of APIs, and more &ndash; is discussed in detail with real-world examples, hands-on labs, and mitigation strategies. Topics are discussed in the context of classic APIs, REST APIs as well as GraphQL.<\/p>\n<p>Beyond the top ten list, the course can also expand into further key security topics that are crucial for developers but often overlooked in API security, such as cryptography, integer overflows, and code quality.<\/p>\n<p>Whether you are a beginner in API security or an experienced developer looking to sharpen your skills, this course offers valuable knowledge to build APIs that are not only functional and efficient but also secure and resilient.<\/p>\n<p>So that you are prepared for the forces of the dark side.<\/p>\n<p>So that nothing unexpected happens.<\/p>\n<p>Nothing.<\/p>","objective_plain":"- Getting familiar with essential cyber security concepts\n- Understanding API security issues\n- Detailed analysis of the OWASP API Security Top Ten elements\n- Putting API security in the context of Java\n- Going beyond the low hanging fruits\n- Managing vulnerabilities in third party components\n- Input validation approaches and principles","essentials_plain":"General Java development","audience_plain":"Java API developers","contents_plain":"Day 1\n\n\n - Cyber security basics  - What is security?\n- Threat and risk\n- Cyber security threat types \u2013 the CIA triad\n- Consequences of insecure software\n- OWASP API Security Top Ten  - OWASP API Security Top 10 2023\n- API1 \u2013 Broken Object Level Authorization\n- Confused deputy\n- Insecure direct object reference (IDOR)\n- Lab \u2013 Insecure Direct Object Reference\n- Authorization bypass through user-controlled keys\n- Case study \u2013 Remote takeover of Nexx garage doors and alarms\n- Lab \u2013 Horizontal authorization\n- File 
upload\n- Unrestricted file upload\n- Good practices\n- Lab \u2013 Unrestricted file upload\n- Case study \u2013 File upload vulnerability in Netflix Genie\n- API2 \u2013 Broken Authentication  - Authentication basics\n- Multi-factor authentication (MFA)\n- Case study \u2013 The InfinityGauntlet attack\n- Time-based One Time Passwords (TOTP)\n- Password management\n- Storing account passwords\n- Password in transit\n- Lab \u2013 Is just hashing passwords enough?\n- Dictionary attacks and brute forcing\n- Salting\n- Adaptive hash functions for password storage\n- Lab \u2013 Using adaptive hash functions in JCA\n- Using password cracking tools\n- Password cracking in Windows\n- Password change\n- Password recovery issues\n- Password recovery best practices\n- Lab \u2013 Password reset weakness\n- Case study \u2013 Facebook account takeover via recovery code\n- Case study \u2013 GitLab account takeover\n- Anti-automation\n- Password policy\n- NIST authenticator requirements for memorized secrets\n- Password hardening\n- Using passphrases\n- Password database migration\n- (Mis)handling null passwords\n\nDay 2\n\n\n - API3 \u2013 Broken Object Property Level Authorization  - Information exposure\n- Exposure through extracted data and aggregation\n- Case study \u2013 Strava data exposure\n- System information leakage\n- Leaking system information\n- Information exposure best practices\n- Secrets management\n- Hard coded passwords\n- Best practices\n- Lab \u2013 Hardcoded password\n- Protecting sensitive information in memory\n- Challenges in protecting memory\n- Case study \u2013 Microsoft secret key theft via dump files\n- Storing sensitive data in memory\n- Lab \u2013 Using secret-handling classes in Java\n- API4 \u2013 Unrestricted Resource Consumption  - Denial of service\n- Flooding\n- Resource exhaustion\n- Sustained client engagement\n- Denial of service problems in Java\n- Infinite loop\n- Economic Denial of Sustainability (EDoS)\n- Algorithmic complexity 
issues\n- Regular expression denial of service (ReDoS)\n- Lab \u2013 ReDoS\n- Dealing with ReDoS\n- API5 \u2013 Broken Function Level Authorization  - Authorization\n- Access control basics\n- Access control types\n- Missing or improper authorization\n- Case study \u2013 Broken authn\/authz in Apache OFBiz\n- Failure to restrict URL access\n- API6 \u2013 Unrestricted Access to Sensitive Business Flows  - Security by design\n- The STRIDE model of threats\n- Secure design principles of Saltzer and Schroeder\n- Economy of mechanism\n- Fail-safe defaults\n- Complete mediation\n- Open design\n- Separation of privilege\n- Least privilege\n- Least common mechanism\n- Psychological acceptability\n- Logging and monitoring\n- Logging and monitoring principles\n- Insufficient logging\n- Case study \u2013 Plaintext passwords at Facebook\n- Log forging\n- Web log forging\n- Log forging \u2013 best practices\n- Case study \u2013 Log interpolation in log4j\n- Case study \u2013 The Log4Shell vulnerability (CVE-2021-44228)\n- Case study \u2013 Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)\n- Lab \u2013 Log4Shell\n- Logging best practices\n- Monitoring best practices\n- API7 \u2013 Server Side Request Forgery  - Server-side Request Forgery (SSRF)\n- Case study \u2013 SSRF in Ivanti Connect Secure\n- API8 \u2013 Security Misconfiguration  - Information exposure through error reporting\n- Information leakage via error pages\n- Case study \u2013 Information leakage via errors in Apache Superset\n- Same Origin Policy\n- Simple request\n- Preflight request\n- Cross-Origin Resource Sharing (CORS)\n- Configuring XML parsers\n- DTD and the entities\n- Entity expansion\n- External Entity Attack (XXE)\n- File inclusion with external entities\n- Server-Side Request Forgery with external entities\n- Lab \u2013 External entity attack\n- Preventing XXE\n- Lab \u2013 Prohibiting DTD\n- Case study \u2013 XXE vulnerability in Ivanti products\n\nDay 3\n\n\n - API9 \u2013 Improper Inventory 
Management  - Documentation blindspots\n- Dataflow blindspots\n- Using vulnerable components\n- Untrusted functionality import\n- Case study \u2013 The Polyfill.io supply chain attack\n- Vulnerability management\n- Lab \u2013 Finding vulnerabilities in third-party components\n- API10 \u2013 Unsafe Consumption of APIs  - Input validation\n- Input validation principles\n- Denylists and allowlists\n- What to validate \u2013 the attack surface\n- Where to validate \u2013 defense in depth\n- When to validate \u2013 validation vs transformations\n- Output sanitization\n- Encoding challenges\n- Unicode challenges\n- Validation with regex\n- Injection  - Injection principles\n- Injection attacks\n- SQL injection\n- SQL injection basics\n- Lab \u2013 SQL injection\n- Attack techniques\n- Content-based blind SQL injection\n- Time-based blind SQL injection\n- SQL injection best practices\n- Input validation\n- Parameterized queries\n- Lab \u2013 Using prepared statements\n- Database defense in depth\n- Case study \u2013 SQL injection in Fortra FileCatalyst\n- Code injection\n- OS command injection\n- OS command injection best practices\n- Using Runtime.exec()\n- Case study \u2013 Shellshock\n- Lab \u2013 Shellshock\n- Case study \u2013 Command injection in VMware Aria\n- Open redirects and forwards  - Open redirects and forwards \u2013 best practices\n- Files and streams  - Path traversal\n- Lab \u2013 Path traversal\n- Additional challenges in Windows\n- Case study \u2013 File spoofing in WinRAR\n- Case study \u2013 RCE via path traversal in Apache OFBiz\n- Path traversal best practices\n- Lab \u2013 Path canonicalization\n- Unsafe reflection  - Reflection without validation\n- Lab \u2013 Unsafe reflection\n- Wrap up  - Secure coding principles\n- Principles of robust programming by Matt Bishop\n- Secure design principles of Saltzer and Schroeder\n- And now what?\n- Software security sources and further reading\n- Java resources","outline_plain":"- Cyber security basics\n- 
OWASP API Security Top Ten\n- API1 - Broken Object Level Authorization\n- API2 - Broken Authentication\n- API3 - Broken Object Property Level Authorization\n- API4 - Unrestricted Resource Consumption\n- API5 - Broken Function Level Authorization\n- API6 - Unrestricted Access to Sensitive Business Flows\n- API7 - Server Side Request Forgery\n- API8 - Security Misconfiguration\n- API9 - Improper Inventory Management\n- API10 - Unsafe Consumption of APIs\n- Wrap up","summary_plain":"Your application written in Java works as intended, so you are done, right? But do your APIs behave well for incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because these are the values the bad guys will feed in \u2013 and the list is far from complete.\n\nThe course provides a comprehensive walkthrough on the OWASP API Security Top Ten, equipping developers, security professionals, and architects with the knowledge to identify, mitigate, and prevent the most critical security risks in modern API-driven applications. Each of the ten risks \u2013 including Broken Object, Property and Function Level Authorization (BOLA, BOPLA and BFLA), Unrestricted Resource Consumption, Unsafe Consumption of APIs, and more \u2013 is discussed in detail with real-world examples, hands-on labs, and mitigation strategies. 
Topics are discussed in the context of classic APIs, REST APIs as well as GraphQL.\n\nBeyond the top ten list, the course can also expand into further key security topics that are crucial for developers but often overlooked in API security, such as cryptography, integer overflows, and code quality.\n\nWhether you are a beginner in API security or an experienced developer looking to sharpen your skills, this course offers valuable knowledge to build APIs that are not only functional and efficient but also secure and resilient.\n\nSo that you are prepared for the forces of the dark side.\n\nSo that nothing unexpected happens.\n\nNothing.","version":"1.0","duration":{"unit":"d","value":3,"formatted":"3 jours"},"pricelist":{"List Price":{"DE":{"country":"DE","currency":"EUR","taxrate":19,"price":2250},"SI":{"country":"SI","currency":"EUR","taxrate":20,"price":2250},"AT":{"country":"AT","currency":"EUR","taxrate":20,"price":2250},"SE":{"country":"SE","currency":"EUR","taxrate":25,"price":2250},"CH":{"country":"CH","currency":"CHF","taxrate":8.1,"price":2250}}},"lastchanged":"2025-10-29T08:53:52+01:00","parenturl":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-courses","nexturl_course_schedule":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course-schedule\/36450","source_lang":"fr","source":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course\/cydrill-asij"}}