Developing Secure Java Web Applications – Mitigating the OWASP Top 10 Security Vulnerabilities

Link to page: www.qa.com/QAOWASPJAVA


Overview

This course provides the skills and techniques needed to identify security risks in Java web applications and to mitigate those risks by writing secure code. The course aligns to the OWASP Top 10 (2013) most critical web application security risks and takes students through the exploitation of vulnerable code so that they experience each risk first hand. It then discusses mitigations in depth and gives students the opportunity to secure the risks they have just exploited.

The course is presented as a mixture of lectures and hands-on exercises. Students actively exercise the practices an attacker would employ so that they fully experience the risks and outcomes of a successful attack first hand. They also use a range of manual and automated tools to probe for vulnerabilities, consistent with the tooling many attackers use.

Prerequisites

  • Delegates should already have experience of using the Java programming language, which can be gained by attending one of our Java programming language courses
  • Delegates should be proficient in developing Java web applications within Eclipse
  • Delegates should have prior experience of delivering real-world websites, although this experience need not be extensive
  • Delegates should understand the basics of building Java web applications and have an understanding of general web technologies such as HTTP. No prior application security knowledge is assumed

Delegates will learn how to

  • Define and understand common website security risks
  • Remotely identify vulnerabilities in web applications
  • Employ practices to secure discrete units of code
  • Learn about native web browser security defences
  • Apply the principles of security in depth
  • Automate scanning and detection of risks

Course Outline

Module 1 : Introduction to Web Security

  • Who's being hacked and who's doing the hacking?
  • The prevalence of website vulnerabilities
  • Key web application security concepts

Module 2: OWASP #1: Injection

  • Exploiting SQL injection in a vulnerable website
  • Whitelist validation
  • Creating parameterised queries
  • ORMs and stored procedures
  • Database permissions and the principle of least privilege

Module 3: OWASP #2: Broken Authentication and Session Management

  • Exploiting broken authentication in a vulnerable website
  • The JAAS and ESAPI authentication mechanisms
  • Cookieless sessions
  • Increasing session security
  • Account management and password resets

Module 4: OWASP #3: Cross-Site Scripting (XSS)

  • Exploiting XSS in a vulnerable website
  • Output encoding for different contexts
  • Native browser defences
  • Reflected, persistent and DOM-based XSS

Module 5: OWASP #4: Insecure Direct Object References

  • Exploiting direct object references in a vulnerable website
  • Implementing access controls
  • Indirect reference maps
  • Obfuscated identifiers

Module 6: OWASP #5: Security Misconfiguration

  • Exploiting security misconfiguration in a vulnerable website
  • Correctly configuring custom errors, tracing and debugging
  • Encrypting configuration data

Module 7: OWASP #6: Sensitive Data Exposure

  • Exploiting cryptographic storage in a vulnerable website
  • Creating secure salted hashes
  • Implementing symmetric encryption
  • Exploiting insufficient transport layer security in a vulnerable website
  • Properly implementing SSL on forms authentication
  • Secure cookies and HSTS
  • The dangers of mixed content

Module 8: OWASP #7: Missing Function Level Access Control

  • Exploiting unrestricted URLs in a vulnerable website
  • Using authorisation and security trimming
  • Leveraging role-based authorisation
  • Employing principal permissions on classes and methods

Module 9: OWASP #8: Cross-Site Request Forgery (CSRF)

  • Exploiting CSRF in a vulnerable website
  • Leveraging the synchroniser token pattern
  • The anti-forgery token
  • Native browser defences against CSRF

Module 10: OWASP #9: Using Components with Known Vulnerabilities

  • Identifying vulnerable dependencies
  • Identifying vulnerable or old frameworks and libraries

Module 11: OWASP #10: Unvalidated Redirects and Forwards

  • Exploiting unvalidated redirects in a vulnerable website
  • Whitelisting URLs
  • Referrer checking

Module 12: Other risks and tools

  • Mass assignment and other risks beyond the Top 10
  • Employing automated tools to detect vulnerabilities

Module 13: Summary

  • Going beyond technical controls to ensure application security
  • Implementing people processes in the secure development lifecycle
