Software Security Institute

Developer 534: Secure Code Review for Java Web Apps

Overview

All software development projects produce at least one artifact - CODE! Conducting security-focused code reviews is one of the most effective methods of finding severe application vulnerabilities and is becoming an integral part of many secure software development processes.

This course focuses on web application vulnerabilities and shows you how to conduct code reviews for security by examining open source web applications built with Java. You will learn how to manually spot security issues and how to use an automated static analysis tool to speed up the code review process. You will also learn some practical approaches to integrating security code review into your Software Development Life Cycle (SDLC). This hands-on class culminates in a Code Review Challenge where you test what you've learned to find security issues in a real-world application.

Sampling of Topics
  • Finding security issues such as
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • SQL Injection
    • HTTP Response Splitting
    • Parameter Manipulation
    • Authentication & Authorization
    • Session Management
    • Error Handling
  • Manual code review
  • Using static analysis tools
    • FindBugs
  • Integrating code review into the SDLC

Who Should Attend?

  • Anyone conducting code reviews on web applications built with Java
  • Enterprise web application developers
  • Professional software developers
  • Java EE programmers
  • Security professionals

Prerequisites

  • Students should have thorough knowledge of Java/JEE and web technology
  • Students should be comfortable reading code
  • SEC541 Secure Coding in Java/JEE is recommended preparation for this course

Laptop Requirements
  • Laptop with administrative level access
  • DVD drive (minimum 12x recommended)
  • 5 GB available hard drive space
  • 1 GB RAM or higher
  • x86-compatible CPU, 2 GHz minimum

VMware

You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system before coming to class:

  • VMware Player 2.0 or later
  • VMware Workstation 6.0 or later
  • VMware Fusion for Mac OS X

VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.

Java Documentation

It is recommended that students download the Java SE 6 and Java EE 5 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution, so it cannot be included on the course DVD). The documentation can be found at http://java.sun.com.

You will receive a DVD containing a Linux VMware image that contains all the course exercises.