Building Secure Web Apps in Java
This course teaches students how to develop secure web applications in today's complex internetworked environment. Students will receive a deep and thorough understanding of the most prevalent and dangerous security defects in today's applications. Additionally, they will learn practical and actionable guidelines on how to remediate these common defects in Java EE and how to test for them in their own applications.
This class starts with a description of the security problems faced by today's software developer, as well as a detailed description of the Open Web Application Security Project (OWASP) Top 10 security defects. These defects are studied in instructor-led sessions as well as in hands-on lab exercises in which each student learns how to actually exploit the defects to break into a real web application. (The labs are performed in safe test environments.)
Remediation techniques and strategies are then studied for each defect. Practical guidelines on how to integrate secure development practices into the software development process are then presented and discussed.
This course is only available on-site at your location.
- Preparation phase: understanding the problem
  - What are the issues that result in software that is susceptible to attack?
  - Why do software developers continue to develop weak software?
- Overview of available solutions
  - Top-level discussion of best practices for developing secure software
  - Security activities that can be integrated throughout a typical software development lifecycle
- Lab setup and demo
  - Students install and configure the software tools to be used in the upcoming exercises
  - The instructor demonstrates the tools and runs through a sample exercise to ensure all students can use the tools correctly
  - Review of web application basics: HTTP methods (e.g., GET, POST), identification and authentication, session management
- Exploiting web application weaknesses
  - Walk through numerous web app security defects, including the OWASP Top 10 (2013)
  - Injection flaws (including SQLi, XPath, LDAP)
  - Cross-site scripting (XSS)
- Exploiting web application weaknesses, continued
  - Additional hands-on walk-through of numerous web app security defects, including the OWASP Top 10 (2013)
  - Broken authentication and session management
  - Cross-site request forgery (CSRF)
- Processes: design activities
  - Architectural risk analysis using threat modeling: attack resistance, ambiguity analysis, weakness analysis
  - Compare and contrast common processes for reviewing designs
- Processes: security testing
  - Black-box vs. white-box security testing of software
  - Overview of common testing methodologies and tools: penetration testing, fuzz testing, dynamic validation
- Processes in depth: static code analysis
  - Description of static code review processes
  - Automated vs. peer review: comparison of benefits and weaknesses
  - Background of available automated static code review tool technology
  - Integrating a static code review tool into a software development process effectively
- Getting started
  - Key elements to succeeding with a software security initiative
  - Developing an action plan
  - First steps
- Contest: The Challenge!
  - Students are put to the test to see who can finish the contest first
  - The lessons taught in this class are used to solve a puzzle that is highly representative of attacking/testing a modern web application
- Questions and answers
- Closing remarks
The materials within this course focus on the Knowledge, Skills and Abilities (KSAs) identified within the Specialty Areas of the National Cybersecurity Workforce Framework.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.