Certified Java and Web application security Training

This comprehensive three-day course equips Java developers with the skills to secure their web applications against common vulnerabilities and advanced threats. Participants will explore core IT security principles, secure coding practices, and specific Java security measures, focusing on vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication flaws, and race conditions.

The course also includes an in-depth analysis of the Java runtime environment, frameworks like Spring, and emerging security issues such as Log4Shell and Spring2Shell. Practical exercises are integrated throughout to ensure hands-on learning and the application of secure coding techniques.

• General Java development knowledge.
• Familiarity with web application concepts is beneficial but not mandatory.

Target Audience

• Java developers building or maintaining web applications.
• Software engineers seeking to enhance their knowledge of secure coding.
• IT professionals responsible for application security in Java-based systems.

By the end of this course, participants will be able to:

• Identify and mitigate common web vulnerabilities affecting Java applications, including OWASP Top Ten issues.
• Implement secure coding practices to prevent injection attacks, XSS, and race conditions.
• Utilise the security features of Java frameworks, such as Spring Security.
• Strengthen authentication, session management, and authorisation processes in web applications.
• Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
• Apply principles of secure coding and understand key security guidelines from standards like SEI CERT and OWASP.

Day 1: Introduction to IT security and secure coding

• Fundamentals of IT security and risk management.
• The nature of security flaws and their exploitation in cybercrime.
• Overview of SEI CERT Oracle Coding Standards and OWASP Top Ten vulnerabilities.
• Injections:
  • SQL Injection: Attack methods, blind SQL injection, and prevention using prepared statements.
  • OS Command Injection: Detection, prevention techniques, and practical exercises.
  • XML Injection: Understanding and addressing injection risks.
• Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.

Day 2: Advanced web vulnerabilities and secure coding

• Authentication and Session Management:
  • Best practices for implementing secure authentication.
  • Common vulnerabilities in session handling (cookies, JWT tokens).
  • Exercises focusing on securing authentication and sessions.
• Business Logic Vulnerabilities:
• Identification and prevention of issues like shopping cart manipulation and discount abuse.
• Exercises to spot and mitigate vulnerabilities.
• Techniques to secure forms and session tokens against CSRF attacks.
• Path traversal and file upload vulnerabilities with secure coding practices.
• Practical exercises on detecting and preventing these flaws.
• Understanding and mitigating race conditions in multi-threaded environments.
• Cross-Site Request Forgery (CSRF):
• File and Path Vulnerabilities:
• Race Conditions:

Day 3: Java platform and Spring security

• Java Security:
  • Core language security features, including type safety, memory management, and bytecode verification.
  • Addressing serialization and deserialization vulnerabilities.
  • Mitigation of issues like Log4Shell and improper error handling.
• Spring Security:
• Inversion of Control and Aspect-Oriented Programming for security.
• Addressing vulnerabilities like EL injection and Spring2Shell.
• Practical exercises on securing endpoints and managing authorisation.
• Tools and techniques for static code analysis, penetration testing, and vulnerability management.
• Exercises with tools like Burp Suite, OWASP ZAP, and SQLMap.
• Applying robust programming principles from Saltzer and Schroeder.
• Recommended resources and further reading for secure coding.
• Security Testing and Vulnerability Management:
• Principles of Secure Coding:

Exams and assessments

• Multiple-choice exam (60 questions, 50% pass mark).
• The APMG Proctor-U exam is taken online after course completion.
• Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).