Securing Java Web Applications Through Authentication

English | MP4 | AVC 1280×720 | AAC 44KHz 2ch | 2h 21m | 436 MB

Your users’ usernames and passwords are the keys to the kingdom. Watch and apply this course to approach authentication and the management of secure data in Java web applications with greater confidence.

How long would your users’ usernames and passwords survive an attack? In this course, Securing Java Web Applications Through Authentication, you will gain the ability to detect and mitigate authentication vulnerabilities. First, you will detect enumeration vulnerabilities. Next, you will find brute-force vulnerabilities. Then, you will find plaintext password vulnerabilities. Finally, you will explore how to log securely in order to detect attacks at runtime. When you’re finished with this course, you will have the application security skills and knowledge needed to securely authenticate users.

Table of Contents

1 Course Overview
2 How Secure Is Your Password
3 The Ashley Madison Hack
4 What Can You and I Do
5 Ashley Madison, Part II
6 What Is Enumeration
7 Detecting Enumeration Using Tests
8 How Would a Hacker Guess My Username
9 Exploiting Enumeration to Find Usernames
10 Neither Confirm Nor Deny
11 Mitigating Enumeration with Error Messaging
12 The Trouble with Constant-time
13 Timing Vulnerabilities with .equals()
14 Timing Vulnerabilities with Authentication
15 Mitigating Enumeration with a Constant-time Algorithm
16 Mitigating Enumeration with Indexes
17 Mitigating Enumeration with Focused Queries
18 Mitigating Enumeration with Asynchronous Dispatch
19 Anti-pattern Mitigating Enumeration with Random Jitter
20 Review
21 Hackers and Three-year Olds
22 Brute Forcing and the ASVS
23 Detecting Brute Force with Tests
24 Spot the Bad Password
25 Brute Forcing with John the Ripper
26 Have You Changed All Your Default Passwords
27 Mitigating Brute Force by Removing Trojans
28 Mitigating Brute Force by Automating Default Password Change
29 Soft Lockout vs. Hard Lockout
30 Mitigating Brute Force with a Soft Lockout
31 Securely Verifying the IP Address
32 Mitigating Brute Force with IP Soft Lockouts
33 One More Reason to Add Two-factor Authentication
34 Using RFC 6238 to Add Two-factor Authentication
35 Mitigating Brute Force with Two-factor Authentication
36 Testing It All Out
37 Further Strengthening Two-factor Authentication
38 Passwords and Panic Attacks
39 No Plaintext Passwords Anywhere
40 Performing MITM with Bettercap
41 TLS in Java
42 Generating and Trusting a Self-signed Certificate with Keytool
43 Getting Browsers to Trust Your Self-signed Certificate
44 Enforcing HTTPS with Java Servlets
45 Enforcing HTTPS with Spring Boot and Spring Security
46 Enforcing HTTPS with HSTS
47 Token-based Authentication
48 Protecting Passwords with OAuth
49 Federation
50 Protecting Passwords with Federation
51 Review
52 Name That Password
53 The Importance of Entropy
54 Allowing Special Characters and Long Passwords
55 Why LUNS Isn’t Enough
56 Improving on LUNS with Nbvcxz
57 One Trillion Guesses Per Second
58 Verifying High Entropy with Unit Tests
59 Password Storage Maturity Model, Level One
60 Password Storage Maturity Model, Level Two
61 Password Storage Maturity Model, Level Three
62 Strengthening Password Storage with BCrypt
63 Upgrading Password Storage with Spring Security
64 Scripting Password Storage Upgrades with Spring Security
65 Rehashing Insecure Storage Mechanisms
66 Rehashing Insecure Storage Mechanisms with Spring Security
67 Exploiting Password Change Vulnerabilities
68 Password Change and the ASVS
69 What Is Transactional Authorization
70 Securing Password Change with Old Passwords
71 Token-based Transactional Authorization
72 Token-based Transaction Service Design Principles
73 A Secure Password Recovery Outline
74 Mitigating Password Recovery Vulnerabilities
75 Mitigating Password Recovery Enumeration
76 Cleaning up Password Recovery Tokens
77 Review
78 Things Will Go Wrong
79 FOMO on an Epic Hack
80 Logging Authentication Events
81 Logging as an Aspect
82 Logging Authentication Events with Spring Security
83 Logging Change Events
84 Logging Change Events with Spring Security
85 Logging Change Events with Spring Actuator
86 Logging Availability, Resource, and Badness Events
87 Better Logging for Soft Lockout
88 What Information Should Go in a Log
89 Never Log These
90 Metrics vs. Logs
91 A Real-time Log Pipeline
92 Creating a Secure Log with Logback
93 Monitoring for Secure Events + Conclusion