Secure software doesn’t start in the framework — it starts in the source code, in the APIs you use, and in how you handle input, files, processes, and dependencies. This workshop shows how to implement Secure Coding Practices with Core Java.
Workshop Description
Secure software doesn’t start in the framework and not at deployment. It starts in the source code, in the APIs used, in how inputs are processed, in the handling of files, processes, network access, concurrency, and dependencies. That is exactly where this workshop begins.
The workshop teaches developers how to implement secure coding practices using Core Java. The focus is on secure application development based on the JDK — deliberately emphasising the fundamentals of the language, the standard library, and typical security-critical implementation mistakes that occur independently of any framework.
Participants learn how vulnerabilities can arise during modelling, in data flows, and in concrete implementation. This includes not only classic attacks like injection or insecure file access, but also the secure handling of dependencies, build processes, and the software supply chain.
A major focus is Supply Chain Security from a developer’s perspective: risks from external libraries, tampered packages, and insecure build environments. Typical attack patterns such as Dependency Confusion, Typosquatting, Masquerading, Trojan Packages, and Sensitive Data Stealers are explained and discussed with Java-specific examples.
A further focus is the analysis of typical vulnerabilities directly in Core Java — including insecure input validation, problematic file access, Path Traversal, insecure temporary files, unsafe process invocations, Reflection, dynamic class loading, potential Remote Code Execution scenarios, and weaknesses from the CWE catalogue. Participants learn to identify, assess, and cleanly avoid these risks using JDK means.
The workshop also covers Threat Modelling, fundamental security principles, and key terms such as SBOM, CWE, CVE, EPSS, and Vulnerability. Modern security testing techniques — SAST, DAST, IAST, RASP, Mutation Testing, and Fuzzing — are introduced in terms of their practical relevance for Java projects.
An additional topic block covers obfuscation techniques and how to detect concealed or suspicious code in Java projects — including Identifier Renaming, String Encryption, Control Flow Obfuscation, Reflection, Dynamic Loading, and other techniques used to hide malicious code.
In the practical part, a Java application is analysed and progressively hardened. The goal is to identify insecure implementations, systematically assess risks, and implement concrete improvements directly in the code — with a focus on Core Java and minimal framework magic.
Topics
Target Audience, Prerequisites & Learning Objectives
| Target audience | Java developers, software engineers with a Java focus, software architects, technical security stakeholders with a development background |
| Prerequisites | Practical Java experience; solid understanding of classes, collections, exceptions, I/O, and basic build processes; familiarity with REST or server-side development is helpful but not required |
| Learning objectives | Identify vulnerabilities in Core Java code · Classify attack vectors technically · Assess risks in dependencies and build processes · Integrate security testing more effectively · Systematically harden applications |
| Team benefit | Directly applicable to architecture decisions, code reviews, development guidelines, and team processes |
Positioning
The workshop deliberately focuses on Core Java and avoids tight coupling to specific frameworks. This makes it suitable for classic server applications, REST services, internal tools, libraries, and security-critical backend components alike.
Unlike purely framework-centric secure coding offerings, the central question here is: how can developers write robust, comprehensible, and more secure code using the tools the JDK provides?
Request this workshop