Secure Java Web Application Development is a lab-intensive, hands-on Java / JEE security training course that provides 360-degree coverage of Java application security. In this course, students begin with penetration testing, hunting for bugs in Java web applications. They then thoroughly examine best practices for defensively coding web applications, covering all the OWASP Top Ten as well as several additional prominent vulnerabilities (such as file uploads, CSRF and direct object references). Students will repeatedly attack and then defend various assets associated with fully functional web applications and services. This hands-on approach drives home the mechanics of how to secure JEE web applications in the most practical of terms. Finally, students examine the controls (defenses) relative to the phases that attackers work through when exploiting web applications. The course focuses on three specific activities that are interrelated and move the security process farther to the left in the development process. The course ends with an extensive discussion of what a mature application security presence would provide to the developers within an organization.
Although this edition of the course is Java-specific, it may also be presented using .Net or other programming languages.
Students who attend Secure Java Web Application Development will leave the course armed with the skills required to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. This course begins by developing the skills required to fingerprint a web application and then scan it for vulnerabilities and bugs. Practical labs using current tools and techniques provide students with the experience needed to begin testing their own applications. Students also gain a deeper understanding of how attackers probe applications to understand the runtime environment as well as find potential weaknesses. This course the introduces developers to the most common security vulnerabilities faced by web applications today. Each vulnerability is examined from a Java/JEE perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. Next, the course introduces the skills required to begin the process of integrating security early in the software lifecycle. There are hands-on labs on several analysis and design activities: Identifying Security (and Privacy) Objectives, Risk Escalator Identification and Mitigation, and Asset Inventory and Prioritization.
Practical labs reinforce these concepts with real vulnerabilities and attacks. Students are then challenged to design and implement the layered defenses they will need in defending their own applications. There is an emphasis on the underlying vulnerability patterns since the technologies, use cases, and methods of attack as constantly changing. The patterns remain the same through all the change and flux.
Working in a dynamic, lab-intensive hands-on coding environment students will learn to:
- Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
- Identify defect/bug reporting mechanisms within their organizations
- Work with specific tools for targeted vulnerabilities
- Avoid common mistakes that are made in bug hunting and vulnerability testing
- Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
- Develop an appreciation for the need and value of a multilayered defense in depth
- Understand potential sources for untrusted data
- Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
- To test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with untrusted data
- Understand the vulnerabilities of associated with authentication and authorization
- Detect, attack, and implement defenses for authentication and authorization functionality and services
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Detect, attack, and implement defenses against XSS and Injection attacks
- Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or mitigate those risks
- Learn the strengths, limitations, and use for tools such as code scanners, dynamic scanners, and web application firewalls (WAFs)
- Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
- Recognize and characterize existing and planned defensive controls
- Relate controls and activities to the phases of a typical exploit
- Understand and implement the processes and measures associated with the security development lifecycle (SDL)
- Identify appropriate security objectives and regulations including evolving privacy considerations
- Develop a list of risk escalators as well as potential mitigations based on an understanding of vulnerabilities
- Recognize design features that can significantly increase an application’s attack surface
- Build an asset inventory and begin the process of prioritizing their value
- Work with a baseline asset inventory to develop an initial asset inventory for a software application
- Understand and apply defensive options to data assets
Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional Java / JEE programming, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.
This is an intermediate -level programming course, designed for experienced Java developers who wish to get up and running on developing well defended software applications. Familiarity with Java and JEE is required and real world programming experience is highly recommended. Ideally students should have approximately 6 months to a year of Java and JEE working knowledge.
Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.
Hands-on Setup Made Simple! All course materials, data sets, course software (limited version, for course use only), course notes and related resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. In most cases, we can also offer local (non-cloud) set up as an alternative. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants.
Every-Course Extras = High-Value & Long-Term Learning Support! Most courses also include our unique EveryCourse Extras package (Post-Course Resource Site access, Review Labs, Live Instructor Follow-on Support, Free *Live* Course Refresh Re-Takes, early access to Special Offers, Free Courses & more). Please ask for details.