Friday 30 May 2014

I'm delivering the "Writing Secure Java EE Web Applications Training Course" (June 19 and 20 in London)

Next month I'm teaching a 2-day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course".

As the description mentions (see below), this is going to be a highly interactive course, which I will customise depending on the attendees' experience, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I can put you in touch with the right guys at JBI).

Here is the blurb I wrote for this delivery:
"This interactive, lab-focused, workshop-style course will provide delegates with a sound understanding of how to build secure Java Web applications (JEE). The course is designed to cover at least the OWASP Top 10 and the Secure Application Development part of PCI DSS (Payment Card Industry Data Security Standard). Usually (based on the delegates' current focus) a number of other areas are covered, for example: Unit/Integration Testing, Static Analysis tools, Penetration Testing, Code Reviews, Secure coding in Agile environments, Self-Defending applications, Spring MVC Security, Struts vulnerabilities, JSP security, AspectJ techniques, Eclipse Customisation, Java AST programming, and security as a key component of Continuous Deployment/Delivery.
This workshop will provide delegates with a solid understanding of the security implications of writing insecure code in applications exposed to malicious traffic (websites, web services, REST APIs and rich clients). The key objective of the course is to create a 'paradigm shift' in the delegates, where they learn which security properties the applications they are coding should have. Some aspects covered are generic to all web developers, while others are Java specific, but since the vast majority of flaws within applications are due to flawed design, implementation, or programmer errors, the most important outcome is to learn what questions to ask.
The workshop will simulate a real-world Threat Modeling session, with (ideally) the target being an application currently maintained by some (or all) of the attending delegates. A very common outcome is that new high-risk vulnerabilities are discovered during the course (the backup plan is to use vulnerable-by-design demo applications, but the learning impact is not the same as when the delegates see real-world vulnerabilities in their own applications). Although secure coding is a large part of the course, there will be the opportunity to learn and write exploits around multiple OWASP Top 10 vulnerabilities (like XSS, CSRF, SQL Injection or Indirect Object Reference)."
For the demos my plan is to either use a public site from one of the attendees, or exploit/fix a couple of vulnerable apps (for example: an app with multiple Spring MVC vulns, an app with XStream/XmlDecoder vulnerabilities, an app with most of the OWASP Top 10 vulns, etc.).

I'm also going to show how to get the most out of the Eclipse Groovy REPL Scripting Environment 1.6.0 and the OWASP O2 Platform, so if you want to get your head around these tools (and others I use) this is a good course to attend :)