applied security conferences and training: CanSecWest | PacSec | EUSecWest |

Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

CanSecWest: Security Masters Dojo Vancouver

Java Security, Understanding Threat Patterns, And Optimize The Defenses

Register for March 8-9 Course

Register for March 10-11 Course

Marc Schoenefeld


Most trainings about Java security focus on the Security API or crypto techniques, and rarely focuses attack and defense on the runtime code itself. This training uses both perspectives, first it addresses the security architect/analyst PoV, and shows approaches how to identify holes in the protection infrastructure and how to close them. For this purpose we present tools like fine-tuning the Java Security Manager, identify potential security bugs with static and dynamics tools, also dive into details to work efficiently with decompilers, debuggers and other tools of the trade (like JVisualVM).

The second part focuses on the attacker perspective and helps to validates protection mechanisms. First it provides knowledge about the attack surface of Java-based software and then presents the attachers mindset to break the defenders assumptions. Using runtime code expertise to identify hooks to execute own code or remote control existing code is an important skill, demonstrated with analysis of real-life OpenJDK code and malware dissection.


Day 1:

Day 2:

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.


Participants should have previous security audit experience (C,C++,Java). This includes conducting source code analysis, static analysis, overview knowledge of common exploitation techniques, runtime instrumentation, debugging post-exploitation activities. You will benefit from experience with programming in the Java Programming Language before. Students are expected to be familiar with the basic principles of Java Programming, and by that be familiar with the API of the fundamental system libraries. Participants should know to handle the standard of procedures of developing Java programs (be able to start the compiler and runtime tools using the command line). Additionally they should be comfortable configuring JRE settings and perform low-level code analysis, including reverse engineering.

The material presented throughout this course is focused to support the theoretical fundaments with practical examples. Being exposed to real-life examples, the ability to think around the corner and even outside the box is helpful. Nevertheless, the trainer will help you to stay on track.

Prerequisite Material

For the practical parts a virtual machine environment will be provided. For that the student will need a laptop (above 2Ghz), having at least 2GB of RAM, with a current version (4.3+) of VirtualBox installed. The laptop should be able to read USB 3 devices.

What to Bring

Students will be provided with a customized work environment utilizing a Virtual Machine image. Students will need to bring their own laptop with: