Here is the course description:
This interactive, lab-focused, workshop-style course will provide delegates with a sound understanding of how to build secure Java and JavaScript web applications (with special focus on Spring, Spring MVC and AngularJS). The course is designed to cover at least the OWASP Top 10 and the Secure Application Development part of PCI DSS (Payment Card Industry Data Security Standard). Usually (based on the delegates' current focus) a number of other areas are covered, for example: Unit/Integration Testing, Static Analysis tools, Penetration Testing, Code Reviews, Secure coding in Agile environments, Self-Defending applications, Spring MVC Security, JSP security, AngularJS security, HTML5 security, JavaScript security, Eclipse Customisation, Java AST programming, and security as a key component of Continuous Deployment/Delivery.
This workshop will provide delegates with a solid understanding of the security implications of writing insecure code in applications exposed to malicious traffic (websites, web services, REST APIs, rich clients and JavaScript-driven web apps). The key objective of the course is to bring about a 'paradigm shift' in the delegates, so that they learn which security properties the applications they are coding should have. Some aspects covered are generic to all web developers, while others are Java and JavaScript specific, but since the vast majority of flaws within applications are due to flawed design, implementation, or programmer errors, the most important outcome is to learn what questions to ask.
The workshop will simulate a real-world Threat Modeling session, with (ideally) the target being an application currently maintained by some (or all) of the attending delegates. A very common outcome is that new high-risk vulnerabilities are discovered during the course (the backup plan is to use vulnerable-by-design demo applications, but the learning impact is not the same as when the delegates see real-world vulnerabilities in their own applications). Although secure coding is a large part of the course, there will be the opportunity to learn about and write exploits for multiple OWASP Top 10 vulnerabilities (such as XSS, CSRF, SQL Injection or Insecure Direct Object Reference).
Delegates should come in with an open mind regarding structure, as many of the topics below will be presented and discussed in the context of the sites and applications being analysed, rather than in the strict sequence below. As the time available is short, it may not be possible to cover all topics. Delegates are therefore encouraged to set priorities with the instructor at the start of the workshop.