Certified Java and Web application security

• General Java development knowledge.
• Familiarity with web application concepts is beneficial but not mandatory.

Target Audience

• Java developers building or maintaining web applications.
• Software engineers seeking to enhance their knowledge of secure coding.
• IT professionals responsible for application security in Java-based systems.

By the end of this course, participants will be able to:

• Identify and mitigate common web vulnerabilities affecting Java applications, including OWASP Top Ten issues.
• Implement secure coding practices to prevent injection attacks, XSS, and race conditions.
• Utilise the security features of Java frameworks, such as Spring Security.
• Strengthen authentication, session management, and authorisation processes in web applications.
• Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
• Apply principles of secure coding and understand key security guidelines from standards like SEI CERT and OWASP.

Day 1: Introduction to IT security and secure coding

• Fundamentals of IT security and risk management.
• The nature of security flaws and their exploitation in cybercrime.
• Overview of SEI CERT Oracle Coding Standards and OWASP Top Ten vulnerabilities.
• Injections:
  • SQL Injection: Attack methods, blind SQL injection, and prevention using prepared statements.
  • OS Command Injection: Detection, prevention techniques, and practical exercises.
  • XML Injection: Understanding and addressing injection risks.
• Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.

Day 2: Advanced web vulnerabilities and secure coding

• Authentication and Session Management:
  • Best practices for implementing secure authentication.
  • Common vulnerabilities in session handling (cookies, JWT tokens).
  • Exercises focusing on securing authentication and sessions.
• Business Logic Vulnerabilities:
• Identification and prevention of issues like shopping cart manipulation and discount abuse.
• Exercises to spot and mitigate vulnerabilities.
• Techniques to secure forms and session tokens against CSRF attacks.
• Path traversal and file upload vulnerabilities with secure coding practices.
• Practical exercises on detecting and preventing these flaws.
• Understanding and mitigating race conditions in multi-threaded environments.
• Cross-Site Request Forgery (CSRF):
• File and Path Vulnerabilities:
• Race Conditions:

Day 3: Java platform and Spring security

• Java Security:
  • Core language security features, including type safety, memory management, and bytecode verification.
  • Addressing serialization and deserialization vulnerabilities.
  • Mitigation of issues like Log4Shell and improper error handling.
• Spring Security:
• Inversion of Control and Aspect-Oriented Programming for security.
• Addressing vulnerabilities like EL injection and Spring2Shell.
• Practical exercises on securing endpoints and managing authorisation.
• Tools and techniques for static code analysis, penetration testing, and vulnerability management.
• Exercises with tools like Burp Suite, OWASP ZAP, and SQLMap.
• Applying robust programming principles from Saltzer and Schroeder.
• Recommended resources and further reading for secure coding.
• Security Testing and Vulnerability Management:
• Principles of Secure Coding:

Exams and assessments

• Multiple-choice exam (60 questions, 50% pass mark).
• The APMG Proctor-U exam is taken online after course completion.
• Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).