Advanced Security

Defending Java

Course Learning Objectives

  • Recognize insecure coding practices behind the web application vulnerabilities found in the OWASP Top 10
  • Implement defensive coding techniques in Java and learn about common frameworks and tools to help support secure coding in Java
  • Contrast between insecure and secure coding practices through examples taken from our vulnerable Java web application

Course Description

Understand J2EE vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect Java web applications. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge the effectiveness of secure coding practices. This course builds on the high-level concepts in the OWASP Top 10 by deep diving into each concept from a developer's perspective and demonstrating insecure vs. secure code.

Audience

Java developers / Java architects

Time Required

Tailored learning - 60 minutes total

Course Outline

  1. Defending cross-site request forgery
    • Review of CSRF
    • A CSRF vulnerability in Java
    • ESAPI Anti-CSRF Tokens
    • Generating a CSRF token
    • Implementing Anti-CSRF
    • Reviewing our solution
  2. Defending forced browsing
    • Review of forced browsing
    • Downloading arbitrary files
    • Declarative authorization
    • Reviewing our solution
  3. Defending insecure storage
    • Review of insecure storage
    • Storing information
    • Hashing
    • Salted Hash
    • Cipher Block Chaining
    • ECB vs. CBC
    • AES Encryption
    • Encrypting files
    • Decrypting files
  4. Defending parameter manipulation
    • Tampering parameters
    • Keep parameters on the backend
    • Validate all user-provided input
    • Reviewing our solution
  5. Defending session hijacking
    • Review of session hijacking
    • Configure session timeouts
    • Issuing new session IDs
    • Secure cookies
    • Reviewing our solution
  6. Defending SQL injection
    • Review of SQL Injection
    • SQL injection in Java
    • Query with Bind Parameters
    • Reviewing our solution
  7. Defending redirects
    • Review of unvalidated redirects
    • Random Access Maps
    • Using ESAPI Access Maps
    • Server side redirects
    • Reviewing our solution
  8. Defending cross-site scripting
    • Review of cross-site scripting in Java
    • Escaping
    • The importance of context
    • Using ESAPI Escaping
    • Reviewing our solution

Price: $200.00 (prices shown in USD)