Secure Coding for Java

The essential toolkit for developing secure web applications from the ground up
This training provides answers to the following questions
- What do realistic attacks look like and what are the consequences?
- How can errors be avoided in the design phase?
- How do I avoid common implementation errors?
- How do I identify vulnerabilities in existing code?
Description
Working individually or in small groups within our modern training environment, participants identify realistic vulnerabilities, correct them, verify solutions, and engage in discussions. The following questions are consistently addressed, specifically tailored to each scenario:
- What do realistic attacks look like and what are the consequences?
- How can errors be avoided or limited "theoretically" (e.g., in the design phase)?
- How do I avoid common implementation errors?
- How do I identify vulnerabilities in existing code?
During the training, dedicated code examples with built-in vulnerabilities, drawn primarily from the OWASP Top 10, are analyzed and then independently corrected, discussed and, where appropriate, verified statically or dynamically. Our training environment ensures efficient access to the exercise material. The participants' solutions and solution approaches are discussed and reviewed together.
All content can be adapted specifically to your needs in consultation with you.
Course content
- Comprehensive structuring
- Input and output handling
- Authentication and Password Management
- Session Management
- Access Control
- Cryptography
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- Selection of technologies covered (customizable):
  - Bean Validation
  - Bcrypt/Scrypt
  - JCE, JCA, JSSE
  - JPA / Prepared Statements
  - Servlet, JSP, JSTL, JSF, Facelets
  - JSoup
  - Coverity
  - JSON Web Token (JWT)
  - jQuery
  - DOMPurify
  - Xerces, JAXB, Jackson, Jersey, etc.
This training is aimed at companies and organizations. It is individually tailored to your requirements and the team's prior knowledge and can be delivered in-house or online. The training is economical from as few as three participants.
Target Group
- Architects
- Software developers
- Project managers
Duration & Format
- 3 to 5 days, individually tailored
- On-site or online training
- Working environment: NinjaDVA
Prerequisites
Best practices for secure web applications or equivalent knowledge
Additional module: Bring your own code
Provide us with any of your own code in advance.
We prepare the training content in such a way that your code can be used as a subject of investigation and illustrative material during the training. This makes the training more lively, and in addition to learning about the topic in a very practical way, participants benefit directly from the identification and discussion of real vulnerabilities in their own application.
Preliminary assessment procedure:
- Your delivered code is analyzed by our in-house scanners; none of your code leaves our network.
- A locally deployed, code-specialized LLM automatically evaluates the scanner findings, filters out false positives, and assigns a criticality level to the remaining findings.
- The trainer assesses the most critical findings and decides which of them are relevant for the training.
- The training addresses the vulnerabilities found, so the corresponding countermeasures can be discussed very practically in the group and deepened where necessary.
Our trainers
Our promise: from practice, for practice & always up to date. That's why all our trainers are active experts with many years of experience in the subject area they teach.
Your Benefit
Our training courses not only impart knowledge, they also change mindsets. Your developers will learn to identify security vulnerabilities early on and avoid them in a targeted manner. The result: more robust applications, more confidence - and a clear advantage in everyday project work.
All trainers are actively working Security Consultants. They contribute their experience with everyday problems, which often conflict with security requirements, and thus contribute to a pragmatic, realistic approach to security.
- Practical methods instead of theory to avoid typical security gaps in web applications and mobile apps.
- Content according to the latest standards by actively working, experienced Security Consultants.
- Secure coding for long-term maintainability and quality of the source code.
- Increased security awareness in the team prevents pitfalls at an early stage.
- Protection against liability risks & damage to reputation.