Web application security masterclass in Java

Day 1

• Cyber security basics
•        What is security?
•        Threat and risk
•        Cyber security threat types – the CIA triad
•        Consequences of insecure software
•        Constraints and the market
• The OWASP Top Ten 2021
•        The OWASP Top 10 2021
•        A01 - Broken Access Control
•                Access control basics
•                Failure to restrict URL access
•                Confused deputy
•                File upload
•                Open redirects and forwards
•                Cross-site Request Forgery (CSRF)
•        A02 - Cryptographic Failures
•                Information exposure
•                Cryptography for developers

Day 2

• A02 - Cryptographic Failures (continued)
•        Cryptography for developers
•        Certificates
• A03 - Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•        Code injection
•        HTML injection - Cross-site scripting (XSS)

Day 3

• A03 - Injection (continued)
•        Input validation
• A04 - Insecure Design
•        The STRIDE model of threats
•        Secure design principles of Saltzer and Schroeder
•        Client-side security

Day 4

• A05 - Security Misconfiguration
•        Configuration principles
•        Server misconfiguration
•        Cookie security
•        XML entities
• A06 - Vulnerable and Outdated Components
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Vulnerability management
• A07 - Identification and Authentication Failures
•        Authentication
•        Session management
•        Password management
• A08 - Software and Data Integrity Failures
•        Integrity protection

Day 5

• A08 - Software and Data Integrity Failures (continued)
•        Subresource integrity
•        Insecure deserialization
• A09 - Security Logging and Monitoring Failures
•        Logging and monitoring principles
•        Insufficient logging
•        Case study – Plaintext passwords at Facebook
•        Log forging
•        Log forging – best practices
•        Case study – Log interpolation in log4j
•        Case study – The Log4Shell vulnerability (CVE-2021-44228)
•        Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)
•        Lab – Log4Shell
•        Logging best practices
•        Monitoring best practices
• A10 - Server-side Request Forgery (SSRF)
•        Server-side Request Forgery (SSRF)
•        Case study – SSRF and the Capital One breach
• Web application security beyond the Top Ten
•        Code quality
•        Denial of service
• Security testing
•        Security testing techniques and tools
•                Code analysis
•                Dynamic analysis
• Wrap up
•        Secure coding principles
•        And now what?