Certified Java and Web application security
From £4,170 + VAT
- SFIA
Skills Framework for the Information Age (SFIA) identifies and describes over 100 skills and 7 levels of job roles. To find out more, read What is SFIA?
Book online today or, if you need help choosing the right course or would like to discuss business discounts, call us on 0113 220 7150.
Sorry, there are currently no dates available to book. Submit an enquiry to hear from one of our team about when dates might become available.
Overview
This comprehensive three-day course equips Java developers with the skills to secure their web applications against common vulnerabilities and advanced threats. Participants will explore core IT security principles, secure coding practices, and specific Java security measures, focusing on vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication flaws, and race conditions.
The course also includes an in-depth analysis of the Java runtime environment, frameworks like Spring, and emerging security issues such as Log4Shell and Spring2Shell. Practical exercises are integrated throughout to ensure hands-on learning and the application of secure coding techniques.
Prerequisites
- General Java development knowledge.
- Familiarity with web application concepts is beneficial but not mandatory.
Target Audience
- Java developers building or maintaining web applications.
- Software engineers seeking to enhance their knowledge of secure coding.
- IT professionals responsible for application security in Java-based systems.
Learning Outcomes
By the end of this course, participants will be able to:
- Identify and mitigate common web vulnerabilities affecting Java applications, including OWASP Top Ten issues.
- Implement secure coding practices to prevent injection attacks, XSS, and race conditions.
- Utilise the security features of Java frameworks, such as Spring Security.
- Strengthen authentication, session management, and authorisation processes in web applications.
- Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
- Apply principles of secure coding and understand key security guidelines from standards like SEI CERT and OWASP.
Course Outline
Day 1: Introduction to IT security and secure coding
- Fundamentals of IT security and risk management.
- The nature of security flaws and their exploitation in cybercrime.
- Overview of SEI CERT Oracle Coding Standards and OWASP Top Ten vulnerabilities.
- Injections:
- SQL Injection: Attack methods, blind SQL injection, and prevention using prepared statements.
- OS Command Injection: Detection, prevention techniques, and practical exercises.
- XML Injection: Understanding and addressing injection risks.
- Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.
Day 2: Advanced web vulnerabilities and secure coding
- Authentication and Session Management:
- Best practices for implementing secure authentication.
- Common vulnerabilities in session handling (cookies, JWT tokens).
- Exercises focusing on securing authentication and sessions.
- Business Logic Vulnerabilities:
- Identification and prevention of issues like shopping cart manipulation and discount abuse.
- Exercises to spot and mitigate vulnerabilities.
- Techniques to secure forms and session tokens against CSRF attacks.
- Path traversal and file upload vulnerabilities with secure coding practices.
- Practical exercises on detecting and preventing these flaws.
- Understanding and mitigating race conditions in multi-threaded environments.
- Cross-Site Request Forgery (CSRF):
- File and Path Vulnerabilities:
- Race Conditions:
Day 3: Java platform and Spring security
- Java Security:
- Core language security features, including type safety, memory management, and bytecode verification.
- Addressing serialization and deserialization vulnerabilities.
- Mitigation of issues like Log4Shell and improper error handling.
- Spring Security:
- Inversion of Control and Aspect-Oriented Programming for security.
- Addressing vulnerabilities like EL injection and Spring2Shell.
- Practical exercises on securing endpoints and managing authorisation.
- Tools and techniques for static code analysis, penetration testing, and vulnerability management.
- Exercises with tools like Burp Suite, OWASP ZAP, and SQLMap.
- Applying robust programming principles from Saltzer and Schroeder.
- Recommended resources and further reading for secure coding.
- Security Testing and Vulnerability Management:
- Principles of Secure Coding:
Exams and assessments
- Multiple-choice exam (60 questions, 50% pass mark).
- The APMG Proctor-U exam is taken online after course completion.
- Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).
QA is an approved training provider for ELCAS, proud to support service leavers in their transition into the tech industry. Learn more about Elcas approved training here.
NCSC Assured Training
Continuous Professional Development (CPD)
CPD points can be claimed for NCSC assured training courses at the rate of 1 point per hour of training for NCSC assured training courses (up to a maximum of 15 points).
Why choose QA
- Award-winning training, top NPS scores
- Nearly 300,000 learners in 2020
- Our training experts are industry leaders
- Read more about QA
Related courses
Cyber Security learning paths
Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.