ShareSafe’s mission is to provide online file-sharing-as-a-service and, as its developer, your mission is to build that service with robust security that will keep ShareSafe’s customers coming back. Using Java Spring Boot, you’ll build a simple file transfer REST API service that supports uploading and downloading of files, and you’ll identify and tackle file-upload vulnerabilities. You’ll add security by implementing a user-authentication layer using JSON Web Tokens (JWTs) and leveraging macaroons (cryptographic cookies) for secure file sharing.
To boost security, you’ll add file integrity checks and logging of all user and file activities. Then, you’ll take your REST API service’s security up a level by configuring AWS S3 to enable malware analysis and integrating VirusTotal, a threat intelligence service that provides dynamic and behavioral analysis of shared files. When you’re done with these liveProjects, you’ll have built a file-sharing REST API with high availability, durability, and security, and ShareSafe’s customers will enjoy a secure file-sharing experience.
Give ShareSafe’s online file-sharing service a security boost. You’re a developer for a company whose customers can upload and share personal documents, photos, and videos onto its website using APIs. Your task is to enhance the security of ShareSafe’s file transfer REST API service by adding file integrity checks. Using JSON Web Tokens (JWTs), you’ll implement basic key generation, signing, and validation of data. You’ll refactor the API so that it can validate digital signatures, and you’ll make identifying suspicious requests easier (and satisfy compliance requirements) by adding logging of all user and file activities.
Build a better defense! As a developer at ShareSafe, a company that provides online file-sharing-as-a-service, your task is to uplevel the security of its REST API file-transfer service by adding functionality for checking uploaded files for malware. You’ll set up a robust infrastructure for malware analysis of files stored in AWS S3 buckets, integrate that infrastructure with the REST API service, and integrate VirusTotal, a threat intelligence service that provides dynamic and behavioral analysis of shared files. When you’re finished, you’ll have built a solid line of defense against known malware and provided users with a secure file-sharing experience.
Help ShareSafe’s customers share with confidence. You’re a developer for a company that provides online file-sharing-as-a-service. Its users can upload and share personal documents, photos, and videos onto ShareSafe’s website using APIs. Your task is to add security to ShareSafe’s file-transfer REST API service. You’ll implement a user-authentication layer using JSON Web Tokens (JWTs), provide authorization for shareable URLs by establishing the relationship between users and files, and leverage macaroons (cryptographic cookies) to provide a secure way for users to share files.
You’re a developer for ShareSafe, a company whose customers can upload personal documents, photos, and videos onto ShareSafe’s website using APIs. Your task is to enable ShareSafe’s users to share their files with others. Using Java Spring Boot, you’ll build a simple file transfer REST API service that supports uploading and downloading of files, and you’ll identify and tackle the file upload vulnerabilities of your REST API service. For backend file storage, you’ll implement Amazon Simple Storage Service (AWS S3). Finally, you’ll harden your service against the most common vulnerabilities by configuring and implementing AWS S3 encryption and access-management features. When you’re finished, you’ll have built a file transfer service that provides high scalability, durability, encryption, and backups, and allows your users to share their files with ease.
In this liveProject series, the online gift store Zozo is experiencing unprecedented web traffic during the holiday shopping season. As Zozo’s DevSecOps engineer, your goal is to keep the site operating efficiently and securely. You need to meet demand by scaling the API server using Docker containers while protecting sensitive customer data.
Take the next step in securing Zozo’s online store by securing the environments that run the Docker services (the host machine, the Docker daemon, and the containers) at run time. You’ll continue to work with the open-source e-commerce project Shopizer, hardening the host and Docker instances according to global best practices.
As the DevSecOps engineer for Zozo, an online gift store, you’ll write Dockerfiles and build secure Docker images that keep Zozo’s customers happy and your manager even happier. Along the way, you’ll spot potential security vulnerabilities using several open source tools, and guard against tampered images by signing them digitally.
In this series of liveProjects, you’ll step into the role of a security engineer working for blog aggregator site ReadBytes. Your company takes news, blogs, and articles from across the web and condenses them into one feed for your clients. These aggregated articles can be accessed via a web API. To improve the security of ReadBytes, your challenge in these liveProjects is to encrypt traffic to your website and to rate-limit the number of API requests per user. You’ll add both the encryption and the rate limiting using the popular open-source web server NGINX.
In this liveProject series, you’ll add secure Google Sign-In functionality to the API of a news aggregator site. You’ll take on the role of a developer for the ReadBytes website, working to enhance user experience and reduce friction with a social sign-on. Each project in this series is self-contained, letting you pick and choose the skills that are relevant to you.
In this series of liveProjects, you’ll develop and implement role-based access controls to limit which employees can access a REST API. You’ll step into the shoes of a developer modernizing their company’s personal time-off request application, taking on essential access control tasks such as adding HTTP authentication, securely storing passwords in a database, and authorizing leave requests by employees based on user role. Each liveProject in this series can be tackled by itself or as part of an extended learning course.
In this series of liveProjects, you’ll go hands on to secure a potentially vulnerable API from the most common web-based attacks. You’ll step into the role of a developer for Three Cliffs Travel Adventures looking to ensure that your company’s widely used bus ticket booking API is resistant to code-level vulnerabilities identified by the OWASP Top 10 API Security list. Each project in this series focuses on a new type of attack for you to defend against, so you can build a skill set that’s best for your career.
In this series of liveProjects, you’ll set up authentication, authorization, and audit management capabilities for a REST API used by an HR employee leave management application. This application has both web and mobile versions, and handles sensitive employee data. It’s essential that the API is safe and secure. Each liveProject in this series covers a different part of the process, so you can choose the right experience for your needs.
In this series of liveProjects, you’re a software developer at a startup called SimplySpend, which helps companies track employee spending. You are entrusted with building procurement applications by creating REST APIs for web and mobile apps. As the apps contain sensitive financial information, you need to add JWT (JSON Web Token)-based authentication and authorization. You’ll use a JWT mechanism to ensure an API is secure against different types of attacks, while still remaining accessible for clients. Each project in this series covers a different part of token authentication, so you can learn the skills that are most relevant to you.
In this liveProject, you’ll establish functionalities to provide role-based authorization for leave requests made through a Personal Time Off API. Using the Lightweight Directory Access Protocol (LDAP), you’ll set up access controls so that only managers and other authorized users can retrieve non-personal leave records and approve leave requests.
In this liveProject, you’ll use the Lightweight Directory Access Protocol (LDAP) to add basic HTTP authentication to an API for granting Personal Time Off requests. This application contains sensitive personal information, so its security is essential. You’ll establish authentication that ensures only registered users can access the API and that requires users to log in before they are granted access.
In this liveProject, you’ll step into the shoes of a security engineer working for news aggregator ReadBytes. Your site uses a REST API to distribute its content, which is vulnerable to the ever-increasing risks of attacks like brute forcing and credential stuffing. Your manager wants you to provide rate limiting of requests to help secure your API. To do this, you’ll first perform your own brute force attack, then implement and test a rate limiter.
In this liveProject, you’ll take on the challenge of encrypting web traffic to the ReadBytes news aggregator site. ReadBytes uses a REST API to distribute its content, and you’ll encrypt traffic with the popular open-source web server NGINX. You’ll inspect HTTP traffic, implement HTTPS protocols, and then inspect the HTTPS traffic again.
In this liveProject, you’ll enhance the security of your social sign-in with two-factor authentication. To counter attacks such as phishing, you’ll implement a time-based one-time password (TOTP) protocol in your application.
In this liveProject, you’ll use Google’s sign-out flow to add logout, session monitoring, and disconnect-user flows to your login. You’ll implement UI changes to add a “Logout” button that calls Google’s API, and add the functionality to permanently remove a user from your service.
In this liveProject, you’ll register your app with Google to obtain the client ID used for sign-in, then build a basic UI for your login page. You’ll make use of the OpenID Connect protocol and the Google Platform Library, then set up basic HTTP authentication for your API.
In this liveProject, you will secure your REST API by identifying and fixing the basic vulnerabilities in JWT implementations, tackling Cross-Site Scripting (XSS) vulnerabilities, finding and fixing Cross-Site Request Forgery (CSRF) vulnerabilities, and exploiting and then fixing a Cross-Origin Resource Sharing (CORS) misconfiguration.
In this liveProject, you’ll implement role-based access controls to authorize user operations with JWT. You’ll set up a workflow whereby a purchase order must be approved by a manager, and then develop a functionality to remove permissions from a user once they leave an organization.
In this liveProject, you’ll implement authentication using JSON Web Tokens (JWT) for a REST API. You’ll set up sign-up, login, and logout functionality, as well as authenticated retrieval of user details. You’ll even generate the skeleton implementation of the API, then test your code with Postman.
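The key generation, signing, and validation steps named in the file-integrity project, the JWT implementation flaws named in the API-hardening project, and the JWT authentication above all come down to the same small routine. The following is an added example, not code from any of the liveProjects, written against the JDK only: it generates an HS256 key, signs a payload, verifies a token with the algorithm pinned server-side and a constant-time signature comparison, and then shows two forged tokens (a tampered payload and an `alg=none` header) being rejected. The claim names and the `SecurityException` type are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not the liveProject's code): HS256 JWT key generation, signing and
// validation using only the JDK, with the two checks that most broken verifiers miss.
public class Hs256Jwt {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER_JSON = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";

    // Key generation: HS256 needs a secret of at least 256 random bits.
    public static byte[] generateKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Signing: base64url(header) "." base64url(payload) "." base64url(HMAC-SHA256(key, input)).
    public static String sign(String payloadJson, byte[] key) throws Exception {
        String input = b64(HEADER_JSON) + "." + b64(payloadJson);
        return input + "." + B64.encodeToString(hmac(key, input));
    }

    // Validation: returns the payload JSON, or throws SecurityException if the token cannot be trusted.
    public static String verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        // Pin the algorithm server-side. Letting the token's own "alg" choose the check is what
        // makes alg=none and RS256-to-HS256 key-confusion attacks work.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"HS256\"")) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(key, parts[0] + "." + parts[1]);
        byte[] presented = B64D.decode(parts[2]);
        // Constant-time comparison so response timing does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature");
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = generateKey();
        String token = sign("{\"sub\":\"alice\",\"role\":\"user\"}", key);
        System.out.println("valid token payload: " + verify(token, key));

        // Attack 1: keep the genuine signature but swap the payload to claim the admin role.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"sub\":\"alice\",\"role\":\"admin\"}") + "." + p[2];
        try { verify(forged, key); }
        catch (SecurityException e) { System.out.println("tampered payload rejected: " + e.getMessage()); }

        // Attack 2: alg=none with an empty signature, which a verifier that trusts the header accepts.
        String none = b64("{\"alg\":\"none\"}") + "." + b64("{\"sub\":\"alice\",\"role\":\"admin\"}") + ".";
        try { verify(none, key); }
        catch (SecurityException e) { System.out.println("alg=none rejected: " + e.getMessage()); }
    }
}
```

A production verifier would additionally parse the header and payload with a JSON library rather than a substring check, and reject tokens whose `exp`, `iss`, or `aud` claims do not match what the server expects; those checks are omitted here to keep the signature logic in view.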
In this liveProject, you’ll learn how to log all the requests to your API for the purpose of audit and transparency. You’ll start by implementing logging for all user login attempts, and persist the audit events to the database for future reference. You’ll then set up logging for authorization requests, making sure that usernames and passwords are never written to the log and that users are referred to by unique but anonymized identifiers.
This liveProject was implemented by Natan Streppel.
In this liveProject, you’ll implement HTTP authentication so that leave requests can be authorized based on user role. You will set up three role-based access control (RBAC) rules for the REST API. The first rule will allow a reportee’s user account to access its own leave requests while keeping other data secure. The second rule will allow managers to see all the leave requests of the employees they are responsible for. Finally, you’ll establish a rule for approving leave requests.
This liveProject was implemented by Natan Streppel.
In this liveProject, you’ll add secure session management to the API for granting employee leave. You’ll implement an authenticated leave retrieval call, a user logout flow, and a password update flow for users whose credentials are forgotten or compromised. These are essential building blocks for creating a secure API.
This liveProject was implemented by Natan Streppel.
In this liveProject, you’ll implement username-and-password HTTP authentication for your API, storing the passwords securely in your database. You’ll develop user signup functionality to ensure only registered users can use the REST API, build a user login for authenticating users as they access the REST API, and test its functionality using Postman.
This liveProject was implemented by Natan Streppel.
In this liveProject, you’ll tackle the kind of file upload vulnerabilities that allow attackers to upload huge amounts of junk data, overwrite existing files, or even deploy a virus. It is vitally important to test and validate the file upload capabilities in your API implementations. You’ll investigate the bugs that might be causing these issues, and then apply a code-level fix.
This liveProject was implemented by Natan Streppel.
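The three upload problems the project lists, oversized junk, overwriting existing files, and hostile content, each map to a specific server-side check. The following is an added example, not code from the liveProject, showing those checks in plain Java so they can be dropped behind a Spring `MultipartFile` handler: the client-supplied filename is reduced to its last path component and matched against a strict pattern, the extension is allowlisted, the resolved path is confirmed to stay inside the store, the body is written with a hard byte cap rather than trusting `Content-Length`, and `CREATE_NEW` guarantees an existing file is never overwritten. The 10 MiB limit, the extension list, and the sample filenames are assumptions constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not the liveProject's code): validation of an upload before and while it is
// written to disk. The size cap and extension allowlist are assumed values for the demo.
public class UploadValidator {
    static final long MAX_BYTES = 10L * 1024 * 1024;                       // assumed 10 MiB limit
    static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "jpg", "jpeg", "mp4");
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    private final Path store;

    UploadValidator(Path store) { this.store = store.toAbsolutePath().normalize(); }

    // Decide where the file may be written. Rejects traversal, odd characters and disallowed types.
    Path targetFor(String clientFilename) {
        if (clientFilename == null || clientFilename.isBlank()) throw new IllegalArgumentException("missing filename");
        // Keep only the last path component; any directory part the client sent is attacker-controlled.
        Path last = Paths.get(clientFilename.replace('\\', '/')).getFileName();
        if (last == null) throw new IllegalArgumentException("no file name in: " + clientFilename);
        String name = last.toString();
        if (!SAFE_NAME.matcher(name).matches()) throw new IllegalArgumentException("unsafe filename: " + name);
        int dot = name.lastIndexOf('.');
        if (dot < 1 || dot == name.length() - 1) throw new IllegalArgumentException("missing extension: " + name);
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("type not allowed: " + ext);
        Path target = store.resolve(name).normalize();
        if (!target.startsWith(store)) throw new IllegalStateException("escaped store: " + target);
        return target;
    }

    // Write the body with a hard byte cap (Content-Length can lie) and CREATE_NEW so an existing
    // file is never silently overwritten. Our own partial file is removed if the write fails.
    long store(InputStream body, Path target) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            int n;
            while ((n = body.read(buf)) != -1) {
                total += n;
                if (total > MAX_BYTES) throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
                out.write(buf, 0, n);
            }
        } catch (FileAlreadyExistsException e) {
            throw e;                          // the existing object is not ours: leave it untouched
        } catch (IOException e) {
            Files.deleteIfExists(target);     // only reached after CREATE_NEW succeeded, so this is our file
            throw e;
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        UploadValidator v = new UploadValidator(Files.createTempDirectory("uploads"));
        Path first = v.targetFor("holiday.JPG");
        v.store(new ByteArrayInputStream("constructed sample body".getBytes(StandardCharsets.UTF_8)), first);
        System.out.println("stored " + first);
        // Constructed attacker inputs: traversal to a script name, a bare "..", an overwrite of the
        // file above, and a traversal with an allowed extension (lands harmlessly inside the store).
        String[] inputs = {"../../var/www/shell.jsp", "..", "holiday.JPG", "../../../tmp/evil.png"};
        for (String in : inputs) {
            try {
                Path t = v.targetFor(in);
                v.store(new ByteArrayInputStream(new byte[1]), t);
                System.out.println("accepted (inside store) " + in + " -> " + t);
            } catch (IOException | RuntimeException e) {
                System.out.println("rejected " + in + ": " + e.getClass().getSimpleName() + " " + e.getMessage());
            }
        }
    }
}
```

Extension checks only stop the most casual abuse; the malware-scanning project later in this series is where content inspection (VirusTotal) is added on top of these structural checks.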
In this liveProject, you’ll handle XML External Entity (XXE) processing vulnerabilities in Java code. XXE vulnerabilities are particularly common in Java applications because the standard XML parsers resolve DTDs and external entities unless you explicitly turn those features off. To handle this vulnerability, you’ll investigate to ensure your XML parsers are correctly configured, and then apply and test a code-level fix to the issue.
This liveProject was implemented by Natan Streppel.
In this liveProject, you’ll learn to tackle remote OS command injection, a dangerous vulnerability responsible for many high-profile breaches. It arises when an application invokes an operating system command and passes untrusted, user-supplied input into it. You’ll investigate the places where your application calls operating system commands, then apply and test a code-level fix.
This liveProject was implemented by Natan Streppel.
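The following is an added example, not the liveProject's code, contrasting the vulnerable pattern with its fix in Java. The unsafe method hands a string built from user input to `sh -c`, so a value such as `127.0.0.1; id` runs a second command; the fixed method never invokes a shell, passes the host as its own argument to `ProcessBuilder`, and first checks the input against a hostname pattern, which also blocks a leading `-` that would otherwise inject options into `ping`. The `ping` invocation assumes a Unix-like host; the attacker string is constructed for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example (not the liveProject's code): OS command injection in a "ping a host"
// feature, vulnerable and fixed. Assumes a Unix-like host with /bin/sh and ping.
public class PingService {

    // Vulnerable: user input is spliced into a shell command line. "127.0.0.1; id" runs `id` too.
    static String pingUnsafe(String host) throws IOException, InterruptedException {
        Process p = new ProcessBuilder("sh", "-c", "ping -c 1 " + host)
                .redirectErrorStream(true)
                .start();
        return output(p);
    }

    // Allowlist: labels of letters, digits and hyphens, no leading hyphen, dot-separated.
    private static final Pattern HOSTNAME = Pattern.compile(
            "[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*");

    // Fixed: validate the input, then run the program directly with the host as one argv element.
    // No shell is involved, so metacharacters are just bytes in an argument, and the pattern
    // rejects values starting with "-" that would otherwise be parsed as ping options.
    static String pingSafe(String host) throws IOException, InterruptedException {
        if (host == null || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid hostname");
        }
        Process p = new ProcessBuilder("ping", "-c", "1", host)
                .redirectErrorStream(true)
                .start();
        return output(p);
    }

    private static String output(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        String attack = "127.0.0.1; id";                       // constructed attacker input
        System.out.println("--- unsafe: output includes the result of `id` ---");
        System.out.println(pingUnsafe(attack));
        System.out.println("--- safe ---");
        try {
            pingSafe(attack);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(pingSafe("localhost"));
    }
}
```

When the command really must accept arbitrary text, the argument-array form of `ProcessBuilder` without a shell is the essential part of the fix; the allowlist is what stops the remaining argument-injection cases.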
In this liveProject, you’ll patch SQL injection vulnerabilities in your company’s bus ticket API. SQL injection is one of the most common ways of attacking a web application, and your challenges will include investigating this code-level vulnerability and applying a fix in the Java code. You’ll get experience using Postman to test your API’s functionality before and after applying your fix.
This liveProject was implemented by Natan Streppel.
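The following is an added example, not the liveProject's code, showing the Java-level fix the project asks for: a ticket lookup built by string concatenation beside the same lookup as a `PreparedStatement`. It runs against an in-memory H2 database, which is an assumed dependency (`com.h2database:h2` on the classpath); the table, its rows, and the injection payload are constructed for the demo. With the payload `nobody' OR '1'='1`, the concatenated query returns a count of every ticket in the table, while the parameterized query treats the whole string as a passenger name and returns zero.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not the liveProject's code): SQL injection in a ticket lookup and its fix.
// Assumes the H2 JDBC driver is on the classpath; all data is constructed for the demo.
public class TicketRepository {
    private final Connection conn;

    TicketRepository(Connection conn) { this.conn = conn; }

    // Vulnerable: the passenger name becomes part of the SQL text, so quotes and operators
    // in the input change the statement's meaning.
    int countTicketsUnsafe(String passenger) throws SQLException {
        String sql = "SELECT COUNT(*) FROM tickets WHERE passenger = '" + passenger + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Fixed: the statement text is fixed at prepare time and the value travels separately,
    // so nothing in the input can alter the query structure.
    int countTicketsSafe(String passenger) throws SQLException {
        String sql = "SELECT COUNT(*) FROM tickets WHERE passenger = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, passenger);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:bus;DB_CLOSE_DELAY=-1")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE tickets(id INT PRIMARY KEY, passenger VARCHAR(64), route VARCHAR(64))");
                st.execute("INSERT INTO tickets VALUES "
                        + "(1, 'alice', 'Swansea-Cardiff'), (2, 'bob', 'Cardiff-Bristol'), (3, 'carol', 'Swansea-Bristol')");
            }
            TicketRepository repo = new TicketRepository(c);
            String payload = "nobody' OR '1'='1";                 // constructed attacker input
            System.out.println("unsafe count for payload: " + repo.countTicketsUnsafe(payload));
            System.out.println("safe count for payload:   " + repo.countTicketsSafe(payload));
            System.out.println("safe count for alice:     " + repo.countTicketsSafe("alice"));
        }
    }
}
```

The same discipline applies wherever the API builds SQL: identifiers and `ORDER BY` columns cannot be bound as parameters, so those must come from a server-side allowlist rather than from the request.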