Extended web application security in Java

Day 1

• Cyber security basics
•        What is security?
•        Threat and risk
•        Cyber security threat types - the CIA triad
•        Consequences of insecure software
• The OWASP Top Ten 2021
•        The OWASP Top 10 2021
•        A01 - Broken Access Control
•                Access control basics
•                Confused deputy
•                File upload
•                Open redirects and forwards
•        A02 - Crytographic Failures
•                Information exposure
•                Cryptography for developers

Day 2

• A03 - Injection
•        Input validation
•        Injection
•        SQL injection
•        SQL injection best practices
•        Parameter manipulation
•        Code injection
•        Script injection
•        Dangerous file inclusion
•        HTML injection - Cross-site scripting (XSS)

Day 3

• A04 - Insecure Design
•        The STRIDE model of threats
•        Secure design principles of Saltzer and Schroeder
•        Client-side security
• A05 - Security Misconfiguration
•        Configuration principles
•        Server misconfiguration
•        Cookie security
•        XML entities
• A06 - Vulnerable and Outdated Components
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Vulnerability management
• A07 - Identification and Authentication Failures
•        Authentication
•        Session management

Day 4

• A07 - Identification and Authentication Failures (continued)
•        Password management
• A08 - Software and Data Integrity Failures
•        Integrity protection
•        Subresource integrity
•        Insecure deserialization
• A09 - Security Logging and Monitoring Failures
•        Logging and monitoring principles
•        Insufficient logging
•        Case study - Plaintext passwords at Facebook
•        Log forging
•        Logging best practices
• A10 - Server-Side Request Forgery (SSRF)
•        Server-side Request Forgery (SSRF)
•        Case study - SSRF and the Capital One Breach
• Web application security beyond the Top Ten
•        Denial of service
• Wrap up
•        Secure coding principles
•        And now what?