Advanced Java, JEE and Web Application Security Training Course

Android is an open platform designed for mobile devices like smartphones and tablets. It offers a wide range of security features to facilitate the development of secure software, although it lacks some security aspects found in other mobile platforms. This course provides a thorough overview of these features, highlighting the most critical shortcomings related to the underlying Linux system, file management, the general environment, and the use of permissions and other Android development components.

Common security pitfalls and vulnerabilities are discussed for both native code and Java applications, along with recommendations and best practices to avoid and mitigate them. Many issues are illustrated with real-life examples and case studies. Additionally, we provide a brief overview of how to use security testing tools to identify any programming errors that could impact security.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about the security solutions available on Android
• Discover how to use various security features of the Android platform
• Gain insights into recent vulnerabilities in Java on Android
• Understand typical coding mistakes and how to avoid them
• Learn about native code vulnerabilities on Android
• Realize the severe consequences of insecure buffer handling in native code
• Comprehend architectural protection techniques and their limitations
• Access sources and further readings on secure coding practices

Audience

Professionals

Implementing a secure networked application can be challenging, even for developers who have previously used various cryptographic tools like encryption and digital signatures. To help participants understand the role and usage of these cryptographic elements, the course starts by laying a solid foundation on the main requirements of secure communication—secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also highlights typical problems that can compromise these requirements and presents real-world solutions.

Since cryptography is a critical aspect of network security, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are covered. Instead of delving into complex mathematical theories, these elements are discussed from a developer's perspective, with practical use-case examples and considerations related to the implementation of cryptographic techniques, such as public key infrastructures. The course also introduces security protocols across various secure communication areas, focusing on widely-used protocol families like IPSEC and SSL/TLS.

The course addresses typical crypto vulnerabilities associated with certain algorithms and cryptographic protocols, including BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and similar issues, as well as the RSA timing attack. For each vulnerability, practical considerations and potential consequences are explained without delving into deep mathematical details.

Given that XML technology is central for data exchange in networked applications, the security aspects of XML are thoroughly covered. This includes the use of XML within web services and SOAP messages, along with protection measures like XML signature and XML encryption. The course also explores weaknesses in these protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand the basic concepts of security, IT security, and secure coding
• Grasp the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Gain a practical understanding of cryptography
• Comprehend essential security protocols
• Understand recent attacks against cryptosystems
• Receive information on recent related vulnerabilities
• Grasp the security concepts of Web services
• Access sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course provides an overview of securing C/C++ code to protect against malicious users who might exploit various vulnerabilities related to memory management and input handling. The course focuses on the principles of writing secure code.

Even experienced Java programmers often do not fully grasp the various security services provided by Java, nor are they always aware of the different vulnerabilities that can affect web applications written in Java.

This course covers more than just the security components of Standard Java Edition; it delves into the security challenges of Java Enterprise Edition (JEE) and web services. Before discussing specific services, the course lays a foundation in cryptography and secure communication. Practical exercises focus on declarative and programmatic security techniques in JEE, as well as transport-layer and end-to-end security for web services. Through hands-on exercises, participants can explore the discussed APIs and tools firsthand.

The course also examines and explains the most common and severe programming flaws in the Java language and platform, along with web-related vulnerabilities. It covers both language-specific issues and problems arising from the runtime environment. All vulnerabilities and associated attacks are demonstrated through straightforward exercises, followed by recommended coding guidelines and mitigation techniques.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Comprehend the security principles of web services
• Learn to utilize various security features in the Java development environment
• Gain a practical understanding of cryptography
• Understand the security solutions provided by Java EE
• Learn about typical coding mistakes and how to avoid them
• Receive information on recent vulnerabilities in the Java framework
• Acquire practical knowledge in using security testing tools
• Get resources and further readings on secure coding practices

Audience

Developers

Description

The Java language and the Runtime Environment (JRE) were designed to be free from the most problematic common security vulnerabilities often encountered in languages like C/C++. However, software developers and architects should not only know how to leverage the various security features of the Java environment for positive security but should also be aware of the numerous vulnerabilities that remain relevant for Java development, which pertain to negative security.

Before delving into security services, a brief overview of cryptography fundamentals is provided to establish a common understanding of their purpose and operation. The use of these components is explored through several practical exercises where participants can experiment with the discussed APIs firsthand.

The course also covers and explains the most frequent and severe programming flaws in the Java language and platform. This includes both typical bugs made by Java programmers and issues specific to the language and environment. All vulnerabilities and relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding
• Learn about Web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Gain proficiency in using various security features of the Java development environment
• Acquire a practical understanding of cryptography
• Identify typical coding mistakes and learn how to avoid them
• Receive information about recent vulnerabilities in the Java framework
• Access sources and further readings on secure coding practices

Audience

Developers

A variety of programming languages are available today for compiling code to the .NET and ASP.NET frameworks. The environment offers robust tools for security development, but developers must understand how to apply architectural and coding-level techniques to implement effective security measures and minimize vulnerabilities or their exploitation.

This course aims to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources with strong authentication and authorization, facilitate remote procedure calls, manage sessions, explore different implementations for specific functionalities, and more.

The discussion on various vulnerabilities begins by highlighting typical programming issues that arise when using .NET. The examination of ASP.NET vulnerabilities also covers a range of environment settings and their impacts. Additionally, the course delves into ASP.NET-specific vulnerabilities, addressing both general web application security challenges and unique issues like attacking the ViewState or string termination attacks.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about Web vulnerabilities beyond the OWASP Top Ten and how to mitigate them
• Gain knowledge in utilizing various security features of the .NET development environment
• Acquire practical skills in using security testing tools
• Identify common coding mistakes and learn how to avoid them
• Stay informed about recent vulnerabilities in .NET and ASP.NET
• Access resources and further readings on secure coding practices

Audience

Developers

This course provides an introduction to common security concepts, offering an overview of the nature of vulnerabilities that can affect software regardless of the programming languages or platforms used. It explains how to manage the risks associated with software security across different phases of the development lifecycle. While avoiding deep technical details, it highlights some of the most significant and pressing vulnerabilities in various software development technologies and discusses the challenges of security testing. Additionally, it introduces techniques and tools that can be applied to identify any existing issues in code.

Participants attending this course will

• Gain an understanding of fundamental concepts related to security, IT security, and secure coding practices.
• Learn about web vulnerabilities on both the server and client sides.
• Recognize the serious consequences of insecure buffer handling.
• Stay informed about recent vulnerabilities in development environments and frameworks.
• Discover typical coding mistakes and how to avoid them.
• Understand various approaches and methodologies for security testing.

Audience

Managers

This course equips PHP developers with the essential skills needed to protect their applications from modern internet-based attacks. It delves into web vulnerabilities using PHP-based examples, extending beyond the OWASP Top Ten to cover a wide range of injection attacks, script injections, session handling issues, insecure direct object references, file upload problems, and more. The course categorizes PHP-related vulnerabilities into standard types such as missing or improper input validation, incorrect error and exception handling, misuse of security features, and time- and state-related issues. Specific examples include open_basedir circumvention, denial-of-service through magic float, and hash table collision attacks. Participants will learn the most effective techniques and functions to mitigate these risks.

A significant focus is placed on client-side security, addressing JavaScript, Ajax, and HTML5 vulnerabilities. The course introduces several PHP extensions for cryptography (hash, mcrypt, OpenSSL) and input validation (Ctype, ext/filter, HTML Purifier). Best practices for hardening PHP configuration (php.ini), Apache, and the server in general are also covered. Additionally, an overview of various security testing tools and techniques is provided, including security scanners, penetration testing kits, sniffers, proxy servers, fuzzing tools, and static source code analyzers.

Both vulnerability introduction and configuration practices are reinforced with hands-on exercises that demonstrate the consequences of successful attacks, show how to apply mitigation techniques, and introduce the use of various extensions and tools.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to prevent them
• Gain knowledge on client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Learn to utilize various security features of PHP
• Become aware of common coding mistakes and how to avoid them
• Stay informed about recent vulnerabilities in the PHP framework
• Acquire practical knowledge in using security testing tools
• Receive sources and further readings on secure coding practices

Audience

Developers

The Combined SDL core training provides an in-depth look into secure software design, development, and testing through the Microsoft Secure Development Lifecycle (SDL). It offers a foundational overview of the key components of SDL, followed by design techniques to help identify and rectify vulnerabilities at the early stages of the development process.

During the development phase, the course covers common security-related programming errors found in both managed and native code. It presents various attack methods for these vulnerabilities, along with corresponding mitigation strategies. These concepts are reinforced through numerous hands-on exercises that offer participants a live hacking experience. The training also introduces different security testing methods and demonstrates the effectiveness of various testing tools. Participants will gain practical understanding by using these tools on previously discussed vulnerable code.

Participants attending this course will

Gain an understanding of basic concepts in security, IT security, and secure coding.

Become familiar with the essential steps of the Microsoft Secure Development Lifecycle.

Learn about secure design and development practices.

Understand secure implementation principles.

Grasp the methodology behind security testing.

• Receive sources and further readings on secure coding practices.

Audience

Developers, Managers

After gaining an understanding of vulnerabilities and attack methods, participants will explore the general approach and methodology for security testing, along with techniques to uncover specific vulnerabilities. Security testing should begin with gathering information about the system (ToC, i.e., Target of Evaluation), followed by comprehensive threat modeling to identify and assess all potential threats, leading to a risk analysis-driven test plan.

Security evaluations can occur at various stages of the Software Development Life Cycle (SDLC). Therefore, we cover design reviews, code reviews, reconnaissance and information gathering about the system, testing the implementation, and securing the environment for deployment. Detailed introductions to numerous security testing techniques are provided, such as taint analysis, heuristic-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing. Various tools are discussed that can automate the security evaluation of software products, supported by practical exercises where these tools are used to analyze previously discussed vulnerable code. Real-life case studies enhance the understanding of different vulnerabilities.

This course equips testers and QA staff with the necessary skills to effectively plan and execute security tests, choose and use appropriate tools and techniques to identify even hidden security flaws, providing essential practical knowledge that can be applied immediately in their work.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about Web vulnerabilities beyond the OWASP Top Ten and how to mitigate them
• Gain knowledge on client-side vulnerabilities and secure coding practices
• Comprehend different approaches and methodologies for security testing
• Acquire practical skills in using security testing techniques and tools
• Receive sources and further reading materials on secure coding practices

Audience

Developers, Testers

Ensuring the security of web applications requires well-prepared professionals who are constantly aware of current attack methods and trends. A wide range of technologies and environments exist that facilitate the development of web applications. It is essential not only to be familiar with the security issues relevant to these platforms but also to understand general vulnerabilities that apply regardless of the development tools used.

This course provides an overview of applicable security solutions in web applications, with a particular emphasis on understanding the most important cryptographic solutions to implement. Various web application vulnerabilities are discussed, both on the server side (following the OWASP Top Ten) and the client side, demonstrated through relevant attacks. The recommended coding techniques and mitigation methods to avoid these issues are also covered. The topic of secure coding is concluded by discussing typical security-related programming mistakes in areas such as input validation, improper use of security features, and code quality.

Testing plays a crucial role in ensuring the security and robustness of web applications. Different approaches—from high-level auditing to penetration testing and ethical hacking—can be used to identify various types of vulnerabilities. However, to go beyond the easily discoverable issues, security testing must be well-planned and properly executed. It is important to remember that while security testers should ideally find all bugs to protect a system, adversaries need only find one exploitable vulnerability to gain access.

Practical exercises will help participants understand web application vulnerabilities, programming mistakes, and most importantly, the mitigation techniques. Hands-on trials of various testing tools, from security scanners through sniffers, proxy servers, fuzzing tools, to static source code analyzers, will provide essential practical skills that can be applied immediately in the workplace.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Understand client-side vulnerabilities and secure coding practices
• Gain a practical understanding of cryptography
• Comprehend security testing approaches and methodologies
• Acquire practical knowledge in using security testing techniques and tools
• Stay informed about recent vulnerabilities in various platforms, frameworks, and libraries
• Receive sources and further readings on secure coding practices

Audience

Developers, Testers

In this instructor-led, live course in Uzbekistan, participants will learn how to formulate the proper security strategy to face the DevOps security challenge.

This Course in Uzbekistan aims to help in the following:

1. Help Developers to master the techniques of writing Secure Code
2. Help Software Testers to test the security of the application before publishing to the production environment
3. Help Software Architects to understand the risks surrounding the applications
4. Help Team Leaders to set the security base lines for the developers
5. Help Web Masters to configure the Servers to avoid miss-configurations

This course delves into secure coding concepts and principles using Java, following the Open Web Application Security Project (OWASP) methodology for testing. OWASP is an online community that develops freely available articles, methodologies, documentation, tools, and technologies focused on web application security.

This course delves into secure coding concepts and principles using ASP.NET, guided by the Open Web Application Security Project (OWASP) methodology for testing. OWASP is a vibrant online community that develops freely available articles, methodologies, documentation, tools, and technologies in the realm of web application security.

The course also examines the security features of the .NET Framework and how to implement them to secure web applications.