Web Application Security Training: Secure Coding for Java

Dates

There are currently no dates scheduled.

Certified By

Espion

Venue

Espion Training Centre - Dublin - Ireland

Directions

http://www.espiongroup.com/contact

Aim

This is a 2-day course comprising:

Day 1 - Web Application Security: Fundamentals

Attendees will be introduced to the common security risks within web applications; this day is not specific to any programming language. Attendees will then complete a series of practical exercises that equip them with the knowledge required to identify and correct such exposures.

Day 2 - Web Application Security: Secure Coding for Java

Attendees will take what they have learnt on Day 1 and apply it to Java. This will be a hands-on course in which we go through each of the areas outlined on Day 1 and demonstrate how to address these issues in Java. It will primarily be a hands-on training session, with each developer getting a chance to implement all of the secure coding examples that we use to fix the issues within our Sample Vulnerable Web Application.

Price

€1,095

Objectives

With web applications becoming ubiquitous across every organisation, many are unaware of the risk to which they expose their organisation by deploying insecure applications. Insecure web applications can result in customer data exposure or downtime of critical systems, leading to significant financial and reputational damage to the organisation. As web applications bring with them new avenues for attack, so too must organisations be trained to understand and address these new risks.

Outline

Day 1 - Web Application Security: Fundamentals

Unit 1:  Web Application Security – As applications become increasingly complex, the risk of vulnerabilities within web applications increases dramatically unless they are securely designed and developed.

Unit 2:  Authentication – We will discuss common issues with authentication mechanisms.

Unit 3:  Session Management – Maintaining session state is essential in all web applications. However, attackers can exploit poor session management practices to gain access or escalate privileges within the application.

Unit 4:  Authorisation – Restricting access between users is increasingly important as web applications grow in complexity and functionality. Ensuring this segregation is critical in any web application.

Unit 5:  Data Validation – All user input should be treated as untrusted until it has been sanitised or validated as not containing malicious content. This is one of the key elements of web application security.

Unit 6:  Information Disclosure – Comments and debugging information used by developers when troubleshooting issues can be a mine of information to potential attackers looking to understand the application and identify vulnerabilities.

Unit 7:  Code Injection – Interpreters provide additional processing outside the application; when user input is involved in generating the query, an attacker may be able to manipulate its logic. This includes such topics as SQL injection, command injection and XPath injection.

Unit 8:  Cross-Site Scripting – By taking input from the user and sending it back to the browser without validation, the application is open to phishing and other scripting attacks that appear completely legitimate to the user.

Unit 9:  Path Traversal – Allowing user input to control which file is viewed, uploaded or deleted can compromise not just the application, but also the entire server.

Unit 10:  OWASP Top Ten – The OWASP Top Ten outlines the ten most common web application security vulnerabilities. Reviewing your applications against the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organisation into one that produces secure code.

Unit 11:  Threat Modelling – Threat modelling methods allow you to effectively find and address the threats and vulnerabilities to which your application is exposed.


Day 2 - Web Application Security: Secure Coding for Java

While Day 1 is primarily theory based, Day 2 allows attendees to put what they have learnt into practice. Attendees will build on the topics covered on Day 1 and will learn how to apply these best-practice principles to Java. This day will be more hands-on and practical than Day 1 and will require the use of laptops to carry out real-life practical exercises on our sample Web Application. All attendees will be required to address the security issues posed in our sample vulnerable Web Application to ensure they understand the practical implications of what they learnt on Day 1 of the course. Day 2 will focus on eight of the eleven modules covered on Day 1:

Unit 1 – Authentication
Unit 2 – Session Management
Unit 3 – Authorisation
Unit 4 – Data Validation
Unit 5 – Information Disclosure
Unit 6 – Code Injection
Unit 7 – Cross Site Scripting

Duration

2 Days

Training Approach

The attendees will be guided through a series of PowerPoint slides highlighting common mistakes and best practices with regard to Web Application Security. Our instructor will encourage and facilitate interaction among the class. The attendees will then get hands-on technical experience in dealing with the practical elements of Secure Coding in Java. Due to the small class size, attendees will have all queries and issues dealt with by our instructor to guarantee attendee satisfaction.

Assessment & Certification System

Upon completion of the course, attendees will be presented with a certificate of achievement by our instructor.

Participant Profile

This course is aimed at developers who code using Java.

Trainer Profile

Máirtín O’Sullivan – BSc, MSc, CISSP, CISM, CISA, PCIRM. Máirtín O’Sullivan is an information risk and compliance consultant with seven years’ experience in information security. Máirtín has extensive experience in performing information risk management, web application security reviews and penetration testing, and in assisting organisations in aligning their information security posture with their business objectives. Máirtín has created and taught courses on manual virus detection and disinfection and on end-user security awareness. Máirtín is also an approved Course Leader for Veridion’s ISO 27005 Certified Risk Manager course, delivered by Espion. Máirtín has recently delivered Secure Coding for Java training to a team of 1,200 software developers for a UK multinational.

Training Facilities

The training will take place in Espion's Headquarters.
