Budapest, APR25-26
Budapest, APR25-26
Sold out
Secdev in Java

Budapest (HU), 2-days workshop

Early tickets till APR18: €580 net [185KHUF+VAT]
Final price: €720 net [230KHUF+VAT]/seat.

(No lunch included.)

Apr 25-26 (Thu-Fri), 9:30-17:30
LogMeIn Labs, Budapest
 Péter Nyilasy
course topics
upon completion
certificate of attendance
(with the vouchers booked)

Secure coding of web applications for Java developers (Spring flavored)

The two-days Java secure development workshop will cover the fundamentals of secure coding in Java (extended with some Spring particulars). We will teach the most important webapp vulnerabilities from the perspective of a developer. Participants will learn how to find vulnerabilities during testing, how to recognize those within the source-code, how to avoid and mitigate those.

We will reach an in-depth understanding of injections (SQL, XML, JSON, LDAP, XPath, log, cookie, etc…), and other server-side vulnerabilities (XEE, file-related, http redirection, http parameter pollution, …), and their defenses. We will also understand vulnerabilities specific to the Java language, such as Java’s serialization vulnerabilities, numeric overflow vulnerabilities, etc.

We won’t simply learn about all these concepts theoretically, instead we will use our own vulnerable application to detect vulnerabilities, identify them within the source-code, fix them, and discuss the fix.

We also learn about vulnerabilities specific to the web, such as XSS, CSRF, OSRF, clickjacking, tabnabbing. We will enlighten the significance of CSP and other security-related Http headers.

We also cover the most fundamental authentication and authorization schemes in a web environment.

On the two-days course the audience can choose between the following extra topics:

  • Java security manager - what it is used for, how it can be configured, and why most projects do not use it.
  • Cryptography - understanding what the basic crypto primitives do, and which implementation is considered as safe today.
  • Cryptography of the web - covers TLS, certificate pinning and certificate transparency.
  • Auth extra - JWT tokens, Oauth2 (how it works, security problems with it, and why is it not an sso solution), OpenId.

If time and the structure of the audience allows it, we can even finish the course by analyzing some of the audience’s own source code, trying to find vulnerabilities and putting into practice what we learned during the course.

Secdev in Java

full title
Secure coding of web applications for Java developers (Spring flavored)
course level
practical advanced
Java developers
2 days (12hrs education time)
a laptop
Java 8 JDK
qualification requirement
familiarity with the Java language and with JEE;
understanding of the HTTP protocol, HTML and Javascript;
familiarity with basic security features of an enterprise application (authentication, authorization, session)

Important vulnerabilities and defense techniques

Common server-side vulnerabilities and their defense
Injections: SQLi, XML injections, JSON, XPath, XSS, cookie injection, open redirection, http header injection, 2 deserialization attacks
Path traversal, XXE, Buffer overflow, Zip bomb, Million laugh, RFI, Insecure file upload, Code execution, Remote file inclusion
Command injection
Server-side template injection
Input validation vs encoding
Common client-side vulnerabilities and their defense
XSS (types, impact, causes, defenses, other html injections, BeEF)
CSRF, Clickjacking, Same-origin policy, CORS
Client-side template injection
Some security features
Security logging, exception handling, intrusion detection

Framework/language specifics 1

Secure coding in Java/JEE
Java language security (is Java a secure language?)
Java-specific issues (Numeric overflow, automatic conversions, Serialization)
SEI CERT Oracle Coding Standard for Java
Java security manager
Spring security (what can it defend, what not)
Srping MVC, JSR303 from a security point of view
Known vulnerabilities in previous Spring versions

Security design

Security by design
Business logic vulnerabilities
Cryptography [*]
Cryptography primitives (what do they provide, state of current implementations)
Crypto of the web (TLS HTTP certificate pinning, certificate transparency)
Http configuration
CSP, HSTS, Cookie settings, x-content-type-options
Access management
Authentication principles, session management, authorization
RESTful authentication, JSON web tokens (to JWT or not to JWT) [*]
RESTful authorization (OAuth2, OpenID Connect) [*]

Framework/language specifics 2

JS frameworks [*]
Angular JS/TS
HTML5 [*]
Local storage/session storage
Web messaging, web sockets

[*] optional, delivered on demand. The audience can vote for some of these non-essential topics.

This workshop is delivered by

Péter has been doing enterprise web application development for more than a decade now mainly for financial institutions. He has exceptional knowledge of and strong experiences with Java and JEE, and also with several Javascript frameworks. In the recent years Péter turned to software security and does secure development consulting, ASVS-based application audits with and is a resident trainer with

Meanwhile he stays current with the software production internals working also as a freelance software engineer. Péter also teaches Java for developers.

The workshop is hosted by

Booking assistance,
feedback, questions 

Do not hesitate to call or otherwise contact our support!  select/copy assistance form  google form
@defdeveu  direct message us +36309225777   from noon to 9pm

Do not hesitate to ask questions, request assistance, call for support, ask about the course, invoicing, payment options, visa support, hotels, etc.

We also understand that buying expensive tickets still requires a decision making process, even if our trainings are superior. ,)

We also suggest you walk through:

  • The course abstract and its topics above
  • The tickets booking and enrollment guide below
  • The FAQ section on the main page.

Booking/enrollment guide

  • Use the corresponding booking form to indicate your order (the 'book tickets' button/tab on the event page will ignite a link similar to which will redirect to the google form).
    It doesn't matter at this step whether you book a seat for yourself or seats for others.
  • When booking please check the header of the form for details and instructions.
  • Upon receipt of your booking form we will contact you in email.
  • We send you an invoice when all the particulars are clear for us and confirmed on your side.
  • Upon receipt of payment we send you vouchers, one voucher per seat (visitor).
    The vouchers are 6 characters codes.
  • If your were helping your colleagues to book their seats, you forward the vouchers one-by-one to the eligible individuals.
  • The enrollment form is available via the 'Enroll w voucher' tab on the event page.
    The enrollment link is something similar to which will redirect to the google form.
  • A visitor enrolls herself to the course using her personal voucher code at the corresponding form.
  • When the event is approaching we will contact the enrolled/registered visitors with a so called "student's doc" which will contain all the details of the course. May that document not be shared with a student/visitor 5 days prior the event, please alarm us at the above channels!
Fast booking/reservation

May the above corporate flow not fit your situation, you can choose to pay €50 now as a deposit to reserve your seat at the price of today, receive your invoice, and pay the rest cca. 3 weeks before the event.

  • Hit the 'Reserve fast (€50 deposit)' button/tab on the event card. Pay that deposit instantly at PayPal / with any debit/credit card.
  • We will contact you in email within a day to confirm your reservation.
What payment options are available?

Wiretransfer (SEPA/SWIFT/TransferWise), credit/debit cards, Paypal-to-Paypal.

What VAT rate applies/payable/included/excluded?
  • In case of EU VAT subjects (except the Hungarian businesses) and of non-EU clients the rate is 0%.
    Thus ticket price of €1000 is net 1K + 0 VAT payable.
  • For all the other clients -- EU individuals and Hungarian companies -- the VAT is 27%, and is NOT included in the announced ticket prices.
    Thus the announced ticket price of €1000 means €1'270 payable for them (including VAT).
  • Note: special fiscal/taxation regulation cases may apply.
Are the tickets refundable?

We refund the price you paid with deduction of a €50 cancellation fee per seat when cancellation is requested by a client latest on the 32nd day prior the event. In case of the later requests we are ready to suspend and reassign your order to an other training (€50 re-booking fee per seat applies).

Why is that weird note at the event card: "In the unlikely case of low demand this training can be gracefully cancelled..."?

One of the standard conditions of our public trainings is that the booked tickets are to cover the costs. If on the 32nd day prior to the event we see that the announced training may end up in losses then we may cancel it with full rollback. All parties retire back to square one. You as the client get full refund of the money transfered for the tickets of the cancelled event.

Who issues the invoices and is the beneficiary of payments? Kft., Budapest, Hungary
VAT: HU13804079, Estd: 2006, EU ID: HUOCCSZ.01-09-874089 [in Hungarian only, but the official registry, pass the captcha first]
PayPal merchant ID: FUBRZGH72QGZQ

We require special kind of invoice due to our local regulations, is it possible to get such?

Sure! Let's arrange that at the booking stage.

Other standard questions? (eg. discounts)

Please, browse the other FAQ section below. Also, don't hesitate to contact us on the above channels: assistance form, email, twitter dm, call.

The full catalog of our courses is available at

For sponsors

def[dev]eu events provide a unique opportunity for the secure development tooling and services providers to get in touch with developers and team leaders from cool European development teams and IT departments

Contact us at, direct message us on twitter @defdeveu or call +12318468790 [Timur].

The training is supported by