Developing Secure Java Web Applications: Mitigating the OWASP Top 10 Security Vulnerabilities

4 Day Course
Code QAOWASPJAVA

This course has been retired. Please view currently available Javascript Training Courses.

Modules

Module 1: Introduction to Web Security (3 topics)

  • Who's being hacked and who's doing the hacking?
  • The prevalence of website vulnerabilities
  • Key web application security concepts

Module 2: OWASP #1: Injection (5 topics)

  • Exploiting SQL injection in a vulnerable website
  • Whitelist validation
  • Creating parameterised queries
  • ORMs and stored procedures
  • Database permissions and the principle of least privilege

Module 3: OWASP #2: Cross Site Scripting - XSS (5 topics)

  • Exploiting XSS in a vulnerable website
  • Implementing validation in Java by using filters and wrappers
  • Output encoding for different contexts
  • Native browser defences
  • Reflective, persistent and DOM XSS

Module 4: OWASP #3: Broken Authentication and Session Management (4 topics)

  • Exploiting broken authentication in a vulnerable website
  • Cookieless sessions
  • Increasing session security
  • Account management and password resets

Module 5: OWASP #4: Insecure Direct Object References (4 topics)

  • Exploiting direct object references in a vulnerable website
  • Implementing access controls
  • Indirect reference maps
  • Obfuscated identifiers

Module 6: OWASP #5: Cross-Site Request Forgery - CSRF (4 topics)

  • Exploiting CSRF in a vulnerable website
  • Leveraging the synchroniser token pattern
  • Using the OWASP CSRF Guard module for Java
  • Native browser defences against CSRF

Module 7: OWASP #6: Security Misconfiguration (4 topics)

  • Exploiting security misconfiguration in a vulnerable website
  • Using Maven to keep dependencies up to date
  • Correctly configuring custom errors, tracing and debugging
  • Encrypting configuration data

Module 8: OWASP #7: Insecure Cryptographic Storage (4 topics)

  • Exploiting cryptographic storage in a vulnerable website
  • Creating secure salted hashes
  • Secure password storage options in Java
  • Implementing symmetric encryption

Module 9: OWASP #8: Failure to Restrict URL Access (4 topics)

  • Exploiting unrestricted URLs in a vulnerable website
  • Using authorisation and security trimming
  • Leveraging the role provider
  • Employing principal permissions on classes and methods

Module 10: OWASP #9: Insufficient Transport Layer Protection (4 topics)

  • Exploiting insufficient transport layer security in a vulnerable website
  • Properly implementing SSL on forms authentication
  • Secure cookies and HSTS
  • The dangers of mixed content

Module 11: OWASP #10: Unvalidated Redirects and Forwards (3 topics)

  • Exploiting unvalidated redirects in a vulnerable website
  • Whitelisting URLs
  • Referrer checking

Module 12: Other risks and tools (2 topics)

  • Clickjacking and other risks beyond the Top 10
  • Employing automated tools to detect vulnerabilities

Module 13: Summary (2 topics)

  • Going beyond technical controls to ensure application security
  • Implementing people processes in the secure development lifecycle

Prerequisites

Delegates should already have experience of using the Java programming language, which can be gained by attending our Java programming language course. Delegates should be proficient in developing Java web applications. They should have prior experience of delivering real-world websites, although their experience is not expected to be extensive. Delegates should also already have experience of data access and data binding using APIs such as JDBC, JPA, and/or Hibernate.
