Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Secure Web App Development Overview - Java / JEE
Secure Java Web Application Development Lifecycle is a lab-intensive, hands-on Java / JEE security training course that provides 360-degree coverage of Java application security. In this course, students begin with penetration testing, hunting for bugs in Java web applications. They then thoroughly examine best practices for defensively coding web applications, covering all the OWASP Top Ten as well as several additional prominent vulnerabilities (such as file uploads, CSRF and direct object references). Students will repeatedly attack and then defend various assets associated with fully functional web applications and services. This hands-on approach drives home the mechanics of how to secure JEE web applications in the most practical of terms.
Finally, students examine the controls (defenses) related to the phases that attackers work through when exploiting web applications. The course focuses on three specific activities that are interrelated and move the security process farther to the left in the development process. The course ends with an extensive discussion of what a mature application security presence would provide to the developers within an organization.
Course Overview
- Familiarity with Java and JEE is required.
- Real world programming experience is highly recommended.
- Ideally students should have approximately 6 months to a year of Java and JEE working knowledge.
8890 McGaw Road
Suite 200
Columbia, MD 21045
625 W Adams Street
Chicago, IL 60661
5908 Headquarters Drive
Suite 400
Plano, TX 75024
201 N Franklin St
Floor 37
Tampa, FL 33602
40 E. Rio Salado Parkway
Suite 200
Tempe, AZ 85281
- Providers
- Courses
- Course and Provider Quantity
Learning Objectives
- Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
- Identify defect/bug reporting mechanisms within their organizations
- Work with specific tools for targeted vulnerabilities
- Avoid common mistakes that are made in bug hunting and vulnerability testing
- Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
- Develop an appreciation for the need and value of a multilayered defense in depth
- Understand potential sources for untrusted data
- Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
- To test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with untrusted data
- Understand the vulnerabilities of associated with authentication and authorization
- Detect, attack, and implement defenses for authentication and authorization functionality and services
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Detect, attack, and implement defenses against XSS and Injection attacks
- Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or mitigate those risks
- Learn the strengths, limitations, and use for tools such as code scanners, dynamic scanners, and web application firewalls (WAFs)
- Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
- Recognize and characterize existing and planned defensive controls
- Relate controls and activities to the phases of a typical exploit
- Understand and implement the processes and measures associated with the security development lifecycle (SDL)
- Identify appropriate security objectives and regulations including evolving privacy considerations
- Develop a list of risk escalators as well as potential mitigations based on an understanding of vulnerabilities
- Recognize design features that can significantly increase an application’s attack surface
- Build an asset inventory and begin the process of prioritizing their value
- Work with a baseline asset inventory to develop an initial asset inventory for a software application
- Understand and apply defensive options to data assets
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
Competency Areas
Feedback
If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.