About the course
This Secure Java Development course is designed for people involved in the production of Java software applications, and will give delegates useful tools and techniques to harden systems against attack.
All too often security is an afterthought, if it is considered at all, in the drive to keep shipping new iterations and products. Without adequate time to explore security in depth, few development team members will have considered the extent to which businesses are exposed to external, and internal, malicious actors.
This secure Java development course will give you the techniques and hands-on experience with relevant security tools to help protect your business systems from attackers, and help instil a security-first mindset. We also show how to implement security quickly, efficiently, at the right time and, most importantly, effectively.
This training uses hands-on technical examples, security tools and teamwork to thoroughly analyse and understand the modern security environment.
We will give delegates access to deliberately vulnerable virtual environments which reflect real-world scenarios in order to learn how to fortify against malicious intrusion. We're happy for delegates to choose their preferred Java IDE and can discuss other ways to make the course as relevant as possible to your tech stack.
Our secure Java development course also takes a good hard look at the Open Web Application Security Project (OWASP) Top Ten most critical web application security risks and how to guard against them.
Instructor-led online and in-house face-to-face options are available - as part of a wider customised training programme, or as a standalone workshop, on-site at your offices or at one of many flexible meeting spaces in the UK and around the world.
-
- Understand the business impact of insecurity and integrate security principles throughout the Software Development Lifecycle (SDLC).
- Explain the most critical web application security risks covered by the OWASP Top 10 and the specific threats targeting APIs in the OWASP API Security Top 10.
- Identify, detect, and implement effective mitigation techniques in Java for a wide range of common web vulnerabilities, including Cross-site Scripting (XSS), Log Injection, CSRF, Response Splitting, and Open Redirect.
- Identify, detect, and implement effective mitigation techniques in Java for file-related vulnerabilities such as Directory Traversal and Malicious File Upload.
- Identify, detect, and implement effective mitigation techniques in Java for SQL and NoSQL Injection vulnerabilities, including using ORMs and bind variables, and understand how to detect them in automated tests.
- Understand and implement defences for the risks in the OWASP API Security Top 10 that are relevant to Java API development.
- Explain and implement defence strategies for Unrestricted Resource Consumption and Unsafe Consumption of APIs.
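As an added illustration of the bind-variable outcome above (example code written for this page, not material from the course itself), the following Java shows a string-built query beside the parameterised version of the same lookup. The `users` table, the `UserLookup` class name and the JDBC `Connection` handed in by the caller are assumptions; any JDBC driver (H2, PostgreSQL, etc.) will do.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // VULNERABLE: the attacker-controlled value becomes part of the SQL text.
    // The input  ' OR '1'='1  turns the WHERE clause into a tautology and
    // returns every row; a UNION payload could read any other table.
    static String buildVulnerableQuery(String username) {
        return "SELECT id, username FROM users WHERE username = '" + username + "'";
    }

    static List<String> findUserVulnerable(Connection conn, String username) throws SQLException {
        List<String> found = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableQuery(username))) {
            while (rs.next()) {
                found.add(rs.getString("username"));
            }
        }
        return found;
    }

    // FIXED: the SQL text is a constant; the value travels as a bind variable,
    // so the driver treats the whole input as data and never as SQL syntax.
    static final String SAFE_SQL = "SELECT id, username FROM users WHERE username = ?";

    static List<String> findUserSafe(Connection conn, String username) throws SQLException {
        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_SQL)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString("username"));
                }
            }
        }
        return found;
    }

    // Runs without a database: shows what each variant actually sends to the server
    // for a classic tautology payload (the payload string is constructed for this demo).
    public static void main(String[] args) {
        String payload = "' OR '1'='1";
        System.out.println("Vulnerable SQL text sent to the database:");
        System.out.println("  " + buildVulnerableQuery(payload));
        System.out.println("Parameterised SQL text sent to the database (value bound separately):");
        System.out.println("  " + SAFE_SQL + "    with ? = " + payload);
    }
}
```

In an automated regression test, seed a test database with a few users, call `findUserSafe` with the `' OR '1'='1` payload and assert that it returns no rows; the same call through `findUserVulnerable` returning every user is the failure signature the test guards against. Note the caveat the bind-variable technique does not cover: placeholders can only carry values, so a table name, column name or `ORDER BY` direction taken from the request still needs an allow-list check before it is concatenated into the statement.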
-
This intensive hands-on training course is designed for IT professionals involved in building and securing applications and APIs using the Java platform. It is ideal for:
- Java Software Developers who want to write secure code and prevent common vulnerabilities.
- Java Architects and Technical Leads responsible for designing secure application architectures and guiding development teams.
- Quality Assurance (QA) Engineers and Testers involved in identifying and testing for security vulnerabilities in Java applications, including integrating security checks into automated tests.
- Anyone involved in building or maintaining web applications or APIs using Java frameworks (e.g., Spring, Jakarta EE).
-
Participants should have:
- Experience developing applications using the Java programming language.
- Familiarity with building web applications or APIs using Java frameworks (e.g., Spring, Jakarta EE) is highly recommended, as many examples and demos will focus on web and API vulnerabilities.
- A basic understanding of web technologies (HTTP, browsers, client-server, APIs).
We can customise the training to match your team's experience and needs - with more time and coverage of fundamentals for newer developers, for instance.
-
This secure Java coding course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
-
Building in Security First
The Cost of Insecurity
The Security Development Lifecycle
OWASP – The Big Picture
OWASP Top 10
OWASP API Security Top 10
Using the OWASP API Security Top 10
Metrics behind the Top 10 Risks
Preventing Cross-site Scripting Attacks
Detecting Cross-site Scripting in Automated Regression Tests
A Simple Cross-site Scripting Exploit
Mitigating Cross-site Scripting with Blacklisting
Mitigating Cross-site Scripting with Whitelisting
The Importance of Canonicalization
Mitigating Cross-site Scripting with HTTP Response Headers
Defense In-depth with Cross-site Scripting
Mitigating Cross-site Scripting with Spring Security
Detecting Persisted Cross-site Scripting in Automated Regression Tests
Mitigating Cross-site Scripting with Output Encoding
Preventing Log Injection and Log Forgery
Cross-site Scripting the Noc
Detecting Log Injection
Mitigating Log Injection Using Timestamps
Mitigating Log Injection Using GUIDs
Mitigating Log Injection Using Output Encoding
Preventing CSRF, Response Splitting, and Open Redirect
How to Smuggle in a Carriage Return
Detecting CRLF Injection in Automated Regression Tests
Mitigating CRLF Injection Using Output Encoding
A Perfectly Forged Check
Detecting CSRF in Automated Regression Tests
Mitigating CSRF Using a Custom Header
Mitigating CSRF by Verifying Source and Target Origins
Mitigating CSRF Using Synchronized Tokens
Storing CSRF Synchronized Tokens in a Cookie
Storing CSRF Synchronized Tokens in the Session
Storing CSRF Synchronized Tokens in a JWT
Mitigating CSRF Using Spring Security
Getting CSRF Defense Right
Redirect Dancing with Two Left Feet
Detecting Open Redirect in Automated Regression Tests
Mitigating Open Redirect with State
Mitigating Open Redirect with Whitelisting
Preventing Directory Traversal and Malicious File Upload
Spot-the-forgery
Running Terracotta in a Docker Container
Detecting Malicious File Upload in Automated Regression Tests
Mitigating Malicious File Upload Using File Extensions
Mitigating Malicious File Upload Using Apache Tika
Mitigating Malicious File Upload Using ClamAV
Mitigating Malicious File Upload Using MultipartConfig
Detecting Directory Traversal in Automated Regression Tests
Mitigating Directory Traversal
Preventing SQL and NoSQL Injection
How SQL Injection Makes a Database an Open Book
Detecting SQL Injection in Automated Regression Tests
Mitigating SQL Injection Using Bind Variables
Mitigating SQL Injection Using an ORM
An Infinite Loop in a Haystack
Detecting NoSQL Injection in Automated Regression Tests
Mitigating NoSQL Injection
Broken Object Level Authorization
Understanding Broken Object Level Authorization
Object Level Attacks
Demo: Broken Object Level Attacks
Examining Defenses
Broken Authentication
Understanding Broken Authentication
Password Based Attacks and Defenses
Other Attacks and Defenses
Demo: Common JWT Attacks
Broken Object Property Level Authorization
Understanding Broken Object Property Level Authorization
Object Property Attacks and Defenses
Demo: Exploiting Object Properties
Unrestricted Resource Consumption
Unrestricted Resource Consumption Attacks
Defenses for Resource Consumption
Broken Function Level Authorization
Attacking Broken Function Level Authorization
Demo: Exploiting Broken Function Level Authorization
Defenses
Unrestricted Access to Sensitive Business Flows
Sensitive Business Flows and Potential Attacks
Demo: Attacking an Unrestricted Business Flow
Business Flow Defenses
Server-side Request Forgery
Understanding Server-side Request Forgery
Demo: Forging Requests from the Server
SSRF Defenses
Security Misconfiguration
Misconfiguration and Patching
HTTP Request Chain Misconfigurations
Server Environment Misconfigurations
Misconfiguration in the API and Response Chain
Improper Inventory Management
Understanding Improper Inventory Management
Demo: Deprecated Functionality
Attacks and Defenses
Unsafe Consumption of APIs
Understanding Unsafe Consumption of APIs
API Consumption Attacks
API Consumption Defenses
Oracle – Secure Coding Guidelines for Java
Introduction
Fundamentals
Denial of Service
Confidential Information
Injection and Inclusion
Accessibility and Extensibility
Input Validation
Mutability
Object Construction
Serialization and Deserialization
Access Control
Conclusion
Course Review
Next Steps in Secure Java Development
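To make the "Mitigating Directory Traversal" item in the outline concrete, here is an added Java 11+ example (written for this page, not the course's own lab code) that confines a user-supplied file name to a base directory. It canonicalises the base once, normalises the candidate so `..` segments are collapsed before the containment check, and re-checks the real path of an existing target so a symlink planted inside the base cannot point back out. The `SafeFileAccess` class name, the temporary directory used in `main` and the sample inputs are constructed for the illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeFileAccess {

    private final Path baseDir;

    SafeFileAccess(Path baseDir) throws IOException {
        // Resolve symlinks and ".." in the base once, so every later comparison is canonical.
        this.baseDir = baseDir.toRealPath();
    }

    // Returns the resolved path for a user-supplied name, or throws if it escapes baseDir.
    // A NUL byte in the input makes Path construction throw InvalidPathException, which is
    // left to propagate: it is never a legitimate file name.
    Path resolveWithinBase(String userSupplied) throws IOException {
        // resolve() returns the argument unchanged if it is absolute ("/etc/passwd"),
        // and normalize() collapses ".." segments; the startsWith check catches both cases.
        Path candidate = baseDir.resolve(userSupplied).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + userSupplied);
        }
        // The lexical check cannot see symlinks. If the target already exists, canonicalise
        // it too and repeat the containment test on the real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new SecurityException("path resolves outside base directory via symlink: " + userSupplied);
        }
        return candidate;
    }

    // Constructed demo: a scratch directory with one file, then four representative inputs.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("uploads");
        Files.writeString(tmp.resolve("notes.txt"), "hello");
        SafeFileAccess access = new SafeFileAccess(tmp);

        String[] inputs = { "notes.txt", "sub/../notes.txt", "../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW  " + in + " -> " + access.resolveWithinBase(in));
            } catch (SecurityException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two inputs are accepted and both resolve to the same `notes.txt` under the base; the last two are rejected by the lexical check. The order matters: checking `startsWith` on the raw, un-normalised path would let `../../etc/passwd` through, because the string really does begin with the base directory.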
-
OWASP Official Website: The primary source for all OWASP projects, guides, and communities.
OWASP Top 10 (Latest Version): Detailed information on the most critical web application security risks.
OWASP API Security Top 10 (Latest Version): Focused risks and countermeasures specifically for APIs.
OWASP Cheat Sheet Series: Practical guidance on preventing specific vulnerabilities.
Oracle Secure Coding Guidelines for Java SE: Specific security recommendations for Java developers.
Java Security Documentation: Overview of Java platform security features and APIs (java.security package, etc.).
Spring Security Documentation: If using Spring, this is the essential resource for security features.
OWASP Dependency-Check: A tool to find known vulnerabilities in project dependencies (supports Java).