Overview

This comprehensive three-day course equips Java developers with the skills to secure their web applications against common vulnerabilities and advanced threats. Participants will explore core IT security principles, secure coding practices, and specific Java security measures, focusing on vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication flaws, and race conditions.

The course also includes an in-depth analysis of the Java runtime environment, frameworks like Spring, and emerging security issues such as Log4Shell and Spring2Shell. Practical exercises are integrated throughout to ensure hands-on learning and the application of secure coding techniques.

Read more +

Prerequisites

  • General Java development knowledge.
  • Familiarity with web application concepts is beneficial but not mandatory.

Target Audience

  • Java developers building or maintaining web applications.
  • Software engineers seeking to enhance their knowledge of secure coding.
  • IT professionals responsible for application security in Java-based systems.
Read more +

Learning Outcomes

By the end of this course, participants will be able to:

  • Identify and mitigate common web vulnerabilities affecting Java applications, including OWASP Top Ten issues.
  • Implement secure coding practices to prevent injection attacks, XSS, and race conditions.
  • Utilise the security features of Java frameworks, such as Spring Security.
  • Strengthen authentication, session management, and authorisation processes in web applications.
  • Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
  • Apply principles of secure coding and understand key security guidelines from standards like SEI CERT and OWASP.
Read more +

Course Outline

Day 1: Introduction to IT security and secure coding

  • Fundamentals of IT security and risk management.
  • The nature of security flaws and their exploitation in cybercrime.
  • Overview of SEI CERT Oracle Coding Standards and OWASP Top Ten vulnerabilities.
  • Injections:
    • SQL Injection: Attack methods, blind SQL injection, and prevention using prepared statements.
    • OS Command Injection: Detection, prevention techniques, and practical exercises.
    • XML Injection: Understanding and addressing injection risks.
  • Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.

Day 2: Advanced web vulnerabilities and secure coding

  • Authentication and Session Management:
    • Best practices for implementing secure authentication.
    • Common vulnerabilities in session handling (cookies, JWT tokens).
    • Exercises focusing on securing authentication and sessions.
  • Business Logic Vulnerabilities:
  • Identification and prevention of issues like shopping cart manipulation and discount abuse.
  • Exercises to spot and mitigate vulnerabilities.
  • Techniques to secure forms and session tokens against CSRF attacks.
  • Path traversal and file upload vulnerabilities with secure coding practices.
  • Practical exercises on detecting and preventing these flaws.
  • Understanding and mitigating race conditions in multi-threaded environments.
  • Cross-Site Request Forgery (CSRF):
  • File and Path Vulnerabilities:
  • Race Conditions:

Day 3: Java platform and Spring security

  • Java Security:
    • Core language security features, including type safety, memory management, and bytecode verification.
    • Addressing serialization and deserialization vulnerabilities.
    • Mitigation of issues like Log4Shell and improper error handling.
  • Spring Security:
  • Inversion of Control and Aspect-Oriented Programming for security.
  • Addressing vulnerabilities like EL injection and Spring2Shell.
  • Practical exercises on securing endpoints and managing authorisation.
  • Tools and techniques for static code analysis, penetration testing, and vulnerability management.
  • Exercises with tools like Burp Suite, OWASP ZAP, and SQLMap.
  • Applying robust programming principles from Saltzer and Schroeder.
  • Recommended resources and further reading for secure coding.
  • Security Testing and Vulnerability Management:
  • Principles of Secure Coding:

Exams and assessments

  • Multiple-choice exam (60 questions, 50% pass mark).
  • The APMG Proctor-U exam is taken online after course completion.
  • Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).

Read more +

Scademy

In partnership with our Secure Coding partner Scademy.

Click here to view all our Scademy courses.

ELCAS Enhanced Learning Credits Administration Service

 

 

 

 

 

QA is an approved training provider for ELCAS, proud to support service leavers in their transition into the tech industry. Learn more about Elcas approved training here.  

Why choose QA

  • Expert-led training: Learn from seasoned instructors with deep knowledge of Java and security.
  • Practical approach: Hands-on exercises ensure immediate application of secure coding principles.
  • Comprehensive curriculum: Covers the latest vulnerabilities and frameworks, including Log4Shell and Spring Security.
  • Industry recognition: QA is a trusted provider of professional IT and security training.

Cyber Security learning paths

Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.

= Required
= Certification
AI Security
Application Security
Cyber Blue Team
Cybersecurity Maturity Model Certification (CMMC)
Cloud Security
Continuity & Resilience
DFIR Digital Forensics & Incident Response
Industrial Controls & OT Security
Information Security Management
NIST Pathway
Offensive Security
Privacy Professional
Reverse Engineer
Secure Coding
Security Auditor
Security Architect
Security Risk
Security Tech Generalist
Vulnerability Assessment & Penetration Testing
Security Tech Generalist