Free OWASP Top 10 CBT

Language agnostic. Complete at your own pace.
Real exploit concepts around web application threats, vulnerabilities & strategies to mitigate them.

3 Day Training

Intermediate Level

Java Developers

Instructor Led
CBT / Remote
Training Available

Course Overview

Students will gain valuable insight into developing secure Java applications.

The course will assist students in understanding web application attacks and how they occur due to insecure coding practices. Students will then see how we employ Java secure coding techniques to defend against these coding defects.

Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice.

Students completing this class will find their secure coding abilities materially sharpened and will be able to integrate these techniques in their organization.

Learning Objectives

  • Describe the vulnerabilities and exploits facing modern web applications, including common weaknesses when programming in Java
  • Learn and implement defensive coding methods in Java, along with the frameworks and tools that support secure coding
  • Gain hands-on experience writing secure code and adding security controls to vulnerable source code examples

Course Outline

1. Defending CSRF

  • Review of the problem
    • Non-tokenizer pattern
    • CSRF in Java
  • ESAPI Anti-CSRF Tokens
    • Generating an ESAPI CSRF token
    • Implementing Anti-CSRF
    • Solution

2. Defending Forced Browsing

  • Review of the problem
    • Downloading arbitrary files
    • Forced Browsing
  • Declarative authorization
    • Implementing web.xml
    • Solution

3. Defending Insecure Storage

  • Review of the problem
    • Storing information
    • Hashing
  • Salted Hash
    • Adding a salt
    • Solution
  • Cipher Block Chaining
    • ECB vs. CBC
    • Solution
  • AES Encryption
    • Encrypting files
    • Decrypting files
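
As an added illustration of the two storage controls this module covers (salted hashing and ECB vs. CBC), the following Java program is example code written for this page, not material from the Security Compass course. It uses only the standard JDK crypto APIs; the password, key, and plaintext are constructed samples.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class StorageDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // A fresh random salt for every stored password; 16 bytes is ample.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // Salted, iterated hash: PBKDF2 with HMAC-SHA256 and a 256-bit output.
    static byte[] hashPassword(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 310_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Constant-time comparison so timing does not reveal how many bytes matched.
    static boolean verifyPassword(char[] password, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hashPassword(password, salt), stored);
    }

    // Encrypt with the named transformation; ECB takes no IV, CBC needs a random one.
    static byte[] encrypt(String transformation, SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        if (iv == null) {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        }
        return cipher.doFinal(plaintext);
    }

    // CBC decryption needs the same IV that was used to encrypt; store it with the ciphertext.
    static byte[] decryptCbc(SecretKey key, byte[] iv, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ciphertext);
    }

    // True when the first two 16-byte ciphertext blocks are identical.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two accounts that chose the same password.
        char[] password = "correct horse battery".toCharArray();
        byte[] saltA = newSalt();
        byte[] saltB = newSalt();
        byte[] hashA = hashPassword(password, saltA);
        byte[] hashB = hashPassword(password, saltB);
        System.out.println("same password, different salts, different hashes: "
                + !Arrays.equals(hashA, hashB));
        System.out.println("verify with correct password: " + verifyPassword(password, saltA, hashA));

        // Constructed sample: a plaintext made of two identical blocks (32 zero bytes).
        byte[] keyBytes = new byte[16];
        RNG.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] repeated = new byte[32];

        byte[] ecb = encrypt("AES/ECB/PKCS5Padding", key, null, repeated);
        byte[] cbc = encrypt("AES/CBC/PKCS5Padding", key, iv, repeated);
        System.out.println("ECB leaks the repetition: " + firstTwoBlocksEqual(ecb));
        System.out.println("CBC hides the repetition: " + !firstTwoBlocksEqual(cbc));
        System.out.println("CBC round trip: " + Arrays.equals(repeated, decryptCbc(key, iv, cbc)));
    }
}
```

The hashing half shows why a per-user salt matters: the same password yields unrelated digests, so a precomputed table built for one user is useless against another. The cipher half shows the ECB weakness named in the outline: identical plaintext blocks produce identical ciphertext blocks, while CBC with a random IV does not. CBC on its own provides no integrity check, so ciphertext stored at rest should also be authenticated (for example with an HMAC over IV and ciphertext, or by using an authenticated mode such as AES/GCM).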

4. Defending Parameters

  • Review of the problem
    • Buying a cheap TV
  • HMACs
    • Implementing HMAC
    • Solution
  • Regular Expressions
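
The "cheap TV" scenario in this module is a hidden form field carrying a price that the browser can edit. As an added example, not code from the course, the Java class below binds the item and price to an HMAC tag when the form is rendered and verifies it when the form comes back, with a regular expression validating the parameter format before any cryptography runs. The item id, price, and key are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PriceParamHmac {
    private static final String ALG = "HmacSHA256";
    // Whitelist formats: an item id of letters, digits and dashes; a price in whole cents.
    private static final Pattern ITEM_ID = Pattern.compile("[A-Za-z0-9-]{1,32}");
    private static final Pattern PRICE = Pattern.compile("\\d{1,9}");

    // tag = HMAC(key, itemId "|" priceCents). The separator keeps the field boundary unambiguous,
    // and ITEM_ID excludes "|" so it cannot be smuggled into the id.
    static String sign(byte[] key, String itemId, String priceCents) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] tag = mac.doFinal((itemId + "|" + priceCents).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Validate format first, then recompute the tag and compare it in constant time.
    static boolean verify(byte[] key, String itemId, String priceCents, String tag) throws Exception {
        if (itemId == null || priceCents == null || tag == null) return false;
        if (!ITEM_ID.matcher(itemId).matches() || !PRICE.matcher(priceCents).matches()) return false;
        byte[] expected = sign(key, itemId, priceCents).getBytes(StandardCharsets.UTF_8);
        byte[] presented = tag.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws Exception {
        // Server-side secret; in a real deployment it comes from configuration, never from the client.
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);

        // Server renders the checkout form with the price and its tag (constructed sample).
        String itemId = "tv-55in";
        String price = "89900";
        String tag = sign(key, itemId, price);

        // Form submitted unchanged: accepted.
        System.out.println("untouched form accepted: " + verify(key, itemId, price, tag));
        // Price edited in the browser: the tag no longer matches, so it is rejected.
        System.out.println("edited price rejected: " + !verify(key, itemId, "100", tag));
        // Price that fails the regular expression: rejected before any HMAC is computed.
        System.out.println("malformed price rejected: " + !verify(key, itemId, "-1", tag));
    }
}
```

The tag does not hide the price; it only makes the server able to detect that the price it issued is not the price it got back. Keeping the authoritative price server-side (looking it up by item id) removes the parameter entirely and is the stronger design where it is possible; the HMAC pattern is for the cases where round-tripping state through the client is unavoidable.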

5. Defending Session Hijacking

  • Timeouts
    • Configuring web.xml
    • Solution
  • Issuing new SessionIDs
    • New session after login
    • Solution
  • Secure Cookies
    • Configuring web.xml
    • Solution

6. Defending SQL Injection

  • Review of the problem
    • Accessing Customers
    • SQL Injection
  • Parameterized Queries
    • Implementing bind parameters
    • Solution
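
The customer lookup in this module is the standard string-concatenation defect and its bind-parameter fix. The Java class below is an added example, not code from the course: it puts the vulnerable query beside the parameterized one so the difference is visible in a single file. The `main` method assumes an in-memory H2 database driver on the classpath (a hypothetical test setup; the two lookup methods themselves work with any JDBC `Connection`), and the table contents and tampered input are constructed samples.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class CustomerLookup {

    // Vulnerable: the caller's string becomes part of the SQL text the database parses.
    static List<String> findVulnerable(Connection conn, String lastName) throws SQLException {
        String sql = "SELECT first_name FROM customers WHERE last_name = '" + lastName + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Fixed: the SQL text is a constant; the value travels separately as a bind parameter
    // and is compared as data no matter which characters it contains.
    static List<String> findSafe(Connection conn, String lastName) throws SQLException {
        String sql = "SELECT first_name FROM customers WHERE last_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, lastName);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical test setup: H2 in-memory database, driver assumed to be on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE customers (first_name VARCHAR(40), last_name VARCHAR(40))");
                st.execute("INSERT INTO customers VALUES ('Ann', 'Lee'), ('Raj', 'Patel')");
            }
            // Constructed sample: input that closes the string literal and adds a condition.
            String tampered = "Lee' OR '1'='1";
            System.out.println("concatenated query: " + findVulnerable(conn, tampered));
            System.out.println("bound parameter:    " + findSafe(conn, tampered));
            System.out.println("bound, real name:   " + findSafe(conn, "Lee"));
        }
    }
}
```

With the tampered input the concatenated query matches every row, because the `OR '1'='1'` became part of the WHERE clause; the bound version returns nothing, because it looked for a customer whose last name is literally `Lee' OR '1'='1`. Bind parameters cover values only; table and column names cannot be bound and, if they must vary, should be chosen from a fixed allow-list.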

7. Defending Redirects

  • Review of the problem
    • Redirect Parameter
    • Unchecked Redirects
  • Random Access Maps
    • Using ESAPI Access Maps
    • Solution
  • Server side redirects
    • Solution

8. Defending XSS

  • Review of the problem
    • How XSS happens
    • XSS
  • ESAPI Escaping
    • The importance of context
    • Using ESAPI Escaping
    • Solution
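
This module's point is that escaping must match the output context. The Java class below is an added example, not code from the course, showing the same user-supplied string rendered into four different places in a page, each through the ESAPI encoder for that context. It assumes the OWASP ESAPI library and its `ESAPI.properties` configuration are on the classpath at runtime; the display name is a constructed sample.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class ProfileView {
    private static final Encoder ENC = ESAPI.encoder();

    // One input, four output contexts, four different encoders. Using encodeForHTML
    // everywhere would leave the attribute, URL and JavaScript positions exposed.
    static String render(String displayName) throws EncodingException {
        StringBuilder html = new StringBuilder();
        // HTML body context
        html.append("<h1>Welcome, ")
            .append(ENC.encodeForHTML(displayName))
            .append("</h1>\n");
        // Quoted HTML attribute context
        html.append("<input type=\"text\" name=\"name\" value=\"")
            .append(ENC.encodeForHTMLAttribute(displayName))
            .append("\">\n");
        // URL query parameter context
        html.append("<a href=\"/profile?user=")
            .append(ENC.encodeForURL(displayName))
            .append("\">profile</a>\n");
        // JavaScript string literal context
        html.append("<script>var user = '")
            .append(ENC.encodeForJavaScript(displayName))
            .append("';</script>\n");
        return html.toString();
    }

    public static void main(String[] args) throws EncodingException {
        // Constructed sample: a name containing markup and both quote characters.
        System.out.println(render("Bob \"the <b>Builder</b>\" O'Neil"));
    }
}
```

Run it and compare the four lines: the angle brackets and quotes come out differently in each position, which is exactly why a single "sanitize on input" pass cannot replace output encoding. Encoding belongs at the point where the value is written into the page, chosen by where it lands.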

Download Datasheet

Security Compass training courses are offered using a variety of delivery methods. Download the data sheet to learn more.

Public Classes

Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.