Combined JAVA, PHP and Web Application Security Training Course

Android serves as an open platform for mobile devices, including smartphones and tablets. While it offers a broad array of security features designed to facilitate the development of secure software, it also lacks certain security aspects found in other handheld platforms. This course provides a comprehensive overview of these features and highlights critical shortcomings related to the underlying Linux architecture, the file system, and the general environment. It also addresses issues concerning permissions and other Android software development components.

Typical security pitfalls and vulnerabilities associated with both native code and Java applications are described, along with recommendations and best practices to prevent and mitigate them. Many of the discussed issues are illustrated with real-life examples and case studies. Finally, the course offers a brief overview of how to utilize security testing tools to uncover security-related programming bugs.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about security solutions available on Android
• Learn to utilize various security features of the Android platform
• Gain information about recent vulnerabilities in Java on Android
• Learn about common coding mistakes and how to avoid them
• Understand vulnerabilities in native code on Android
• Recognize the severe consequences of insecure buffer handling in native code
• Understand architectural protection techniques and their weaknesses
• Access resources and further readings on secure coding practices

Audience

Professionals

Implementing a secure networked application can be challenging, even for developers who have previously used various cryptographic building blocks like encryption and digital signatures. To help participants grasp the role and usage of these cryptographic primitives, the course first establishes a solid foundation on the main requirements of secure communication – including secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also presents typical problems that can undermine these requirements along with real-world solutions.

Since cryptography is a critical aspect of network security, the course discusses the most important algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than focusing on deep mathematical background, these concepts are explored from a developer's perspective, illustrating typical use-case examples and practical considerations related to cryptography, such as public key infrastructures. Various security protocols across different areas of secure communication are introduced, with a detailed discussion on widely-used protocol families like IPSEC and SSL/TLS.

Typical crypto vulnerabilities are discussed, covering both specific algorithms and protocols. This includes issues such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and others, as well as RSA timing attacks. For each issue, practical considerations and potential consequences are described, again without delving into complex mathematical details.

Finally, given that XML technology is central for data exchange by networked applications, the security aspects of XML are described. This includes the usage of XML within web services and SOAP messages alongside protection measures such as XML signature and XML encryption – as well as weaknesses in those protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Understand the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Have a practical understanding of cryptography
• Understand essential security protocols
• Understand some recent attacks against cryptosystems
• Get information about some recent related vulnerabilities
• Understand security concepts of Web services
• Get sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course introduces the fundamental principles of securing C/C++ code against malicious actors who might exploit vulnerabilities related to memory management and input handling. Participants will learn the key practices for writing secure software.

Even seasoned Java developers often do not fully grasp the array of security services provided by Java, nor are they always aware of the various vulnerabilities that affect web applications built with Java.

Aside from introducing the security components of the Standard Java Edition, this course addresses security concerns related to Java Enterprise Edition (JEE) and web services. The discussion of specific services begins with the fundamentals of cryptography and secure communication. A variety of exercises focus on declarative and programmatic security techniques in JEE, while both transport-layer and end-to-end security for web services are explored. All components are demonstrated through practical exercises, allowing participants to experiment with the APIs and tools covered.

The course also examines and explains the most common and critical programming flaws in the Java language and platform, as well as web-related vulnerabilities. In addition to typical errors made by Java programmers, the security vulnerabilities presented cover both language-specific issues and problems arising from the runtime environment. Each vulnerability and the corresponding attacks are illustrated through easy-to-understand exercises, followed by recommended coding guidelines and potential mitigation strategies.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to prevent them
• Understand the security concepts of Web services
• Learn to utilize various security features within the Java development environment
• Gain a practical understanding of cryptography
• Understand security solutions available in Java EE
• Learn about common coding mistakes and how to avoid them
• Receive information about recent vulnerabilities in the Java framework
• Acquire practical experience using security testing tools
• Access resources and further reading on secure coding practices

Audience

Developers

Description

The Java language and the Java Runtime Environment (JRE) were designed to be free from many of the common security vulnerabilities found in other languages, such as C and C++. However, software developers and architects must do more than just learn how to use the positive security features of the Java environment; they must also be aware of the numerous vulnerabilities that remain relevant to Java development (negative security).

Before introducing security services, the course provides a brief overview of cryptography fundamentals, establishing a common baseline for understanding the purpose and operation of the relevant components. Participants will explore the use of these components through practical exercises, allowing them to try out the discussed APIs firsthand.

The course also examines and explains the most frequent and severe programming flaws in the Java language and platform, covering both typical bugs made by Java programmers and issues specific to the language and environment. All vulnerabilities and corresponding attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand the basic concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Learn to use various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Get information about some recent vulnerabilities in the Java framework
• Access sources and further readings on secure coding practices

Audience

Developers

Today, various programming languages are available to compile code for the .NET and ASP.NET frameworks. While this environment offers robust tools for security development, it is essential for developers to master the architectural and coding-level techniques necessary to implement effective security measures, prevent vulnerabilities, or mitigate their impact.

This course is designed to equip developers with practical skills through numerous hands-on exercises. Participants will learn how to prevent untrusted code from executing privileged actions, safeguard resources via strong authentication and authorization mechanisms, implement remote procedure calls, manage sessions, explore diverse implementations for specific functionalities, and more.

The curriculum introduces various vulnerabilities by first highlighting typical programming issues encountered in .NET. It then examines ASP.NET vulnerabilities, focusing on how different environment settings influence security. Furthermore, the section on ASP.NET-specific vulnerabilities addresses both general web application security challenges and specialized attack vectors, such as ViewState attacks and string termination attacks.

Participants in this course will

• Grasp the fundamental concepts of security, IT security, and secure coding
• Explore web vulnerabilities beyond the OWASP Top Ten and learn how to avoid them
• Utilize various security features within the .NET development environment
• Gain practical expertise in using security testing tools
• Understand common coding mistakes and strategies to avoid them
• Learn about recent vulnerabilities affecting .NET and ASP.NET
• Access resources and further readings on secure coding practices

Audience

Developers

This course provides an introduction to fundamental security concepts and offers a broad overview of vulnerability types that exist independently of specific programming languages or platforms. It explains how to manage software security risks across the various stages of the software development lifecycle. Rather than delving into technical minutiae, the course highlights some of the most critical and prevalent vulnerabilities across different development technologies. It also outlines the challenges associated with security testing and introduces practical techniques and tools to help identify potential issues within your code.

Participants in this course will

• Grasp the core concepts of security, IT security, and secure coding practices
• Gain a comprehensive understanding of web vulnerabilities affecting both server and client sides
• Recognize the serious implications of improper buffer handling
• Stay informed about recent vulnerabilities found in development environments and frameworks
• Learn to identify typical coding errors and discover how to prevent them
• Understand the approaches and methodologies used in security testing

Target Audience

Managers

This course equips PHP developers with the essential skills needed to make their applications resilient against modern internet threats. It explores web vulnerabilities through PHP examples that go beyond the OWASP Top Ten, addressing various injection attacks, script injections, session handling issues, insecure direct object references, file upload vulnerabilities, and more. PHP-related vulnerabilities are categorized into standard types such as missing or improper input validation, incorrect error and exception handling, misuse of security features, and time- or state-related issues. For the latter, we examine attacks like open_basedir circumvention, denial-of-service via magic float, and hash table collision attacks. In each scenario, participants will learn the key techniques and functions required to mitigate these risks.

Particular emphasis is placed on client-side security, addressing issues related to JavaScript, Ajax, and HTML5. The course introduces various PHP extensions for cryptography (such as hash, mcrypt, and OpenSSL) and for input validation (including Ctype, ext/filter, and HTML Purifier). Best practices for hardening PHP configuration (php.ini settings), Apache, and the server environment are also covered. Additionally, participants will gain an overview of security testing tools and techniques available to developers and testers, including security scanners, penetration testing tools, exploit packs, sniffers, proxy servers, fuzzing tools, and static source code analyzers.

Both the introduction of vulnerabilities and configuration practices are reinforced through hands-on exercises. These activities demonstrate the consequences of successful attacks, show how to apply mitigation techniques, and guide participants in using various extensions and tools.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Learn to utilize various PHP security features
• Identify typical coding mistakes and learn how to avoid them
• Stay informed about recent PHP framework vulnerabilities
• Acquire practical experience with security testing tools
• Access resources and further reading on secure coding practices

Audience

Developers

This comprehensive SDL core training provides an in-depth look at secure software design, development, and testing, guided by the Microsoft Secure Development Lifecycle (SDL). It offers a foundational (level 100) overview of the essential components of SDL, followed by design techniques aimed at detecting and resolving flaws during the early stages of the development process.

Focusing on the development phase, the course covers typical security-relevant programming bugs in both managed and native code. It presents attack methods for discussed vulnerabilities alongside associated mitigation techniques. Participants engage in numerous hands-on exercises that offer practical, live hacking experiences. Additionally, the introduction of various security testing methods is reinforced by demonstrating the effectiveness of different testing tools. Through practical exercises applying these tools to previously discussed vulnerable code, participants gain a clear understanding of their operation.

Participants attending this course will

Understand basic concepts of security, IT security, and secure coding.

Become familiar with the essential steps of the Microsoft Secure Development Lifecycle.

Learn secure design and development practices.

Gain knowledge of secure implementation principles.

Understand security testing methodology.

• Access sources and further readings on secure coding practices.

Audience

Developers, Managers.

Once participants are familiar with vulnerabilities and attack methods, they will explore the general approach, methodology, and techniques used to uncover specific security flaws. Security testing begins with gathering information about the system (the Target of Evaluation, or ToC), followed by comprehensive threat modeling to identify and prioritize risks, ultimately leading to a risk-driven test plan.

Security assessments can occur at multiple stages of the Software Development Life Cycle (SDLC). This course covers design reviews, code reviews, reconnaissance, and information gathering, as well as testing implementation and hardening the environment for secure deployment. Detailed insights into techniques such as taint analysis, heuristics-based code review, static code analysis, dynamic web vulnerability testing, and fuzzing are provided. Various tools for automating the security evaluation of software products are introduced, supported by hands-on exercises where participants execute these tools to analyze previously discussed vulnerable code. Real-life case studies enhance the understanding of different vulnerabilities.

This course equips testers and QA professionals with the skills to effectively plan and execute security tests, select and utilize appropriate tools and techniques to uncover even concealed security flaws, and apply these essential practical skills immediately in their daily work.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and discover how to avoid them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Understand security testing approaches and methodologies
• Acquire practical experience in using security testing techniques and tools
• Find sources and further readings on secure coding practices

Audience

Developers, Testers

Protecting web-accessible applications demands security professionals who are consistently informed about the latest attack vectors and industry trends. While a vast array of technologies and environments facilitate the comfortable development of web applications, it is crucial to be aware not only of the specific security issues tied to these platforms but also of general vulnerabilities that apply regardless of the development tools used.

This course provides an overview of applicable security solutions for web applications, with a special emphasis on understanding key cryptographic mechanisms. Various web application vulnerabilities are presented on both the server side (following the OWASP Top Ten) and the client side. These are demonstrated through relevant attack scenarios, followed by recommended coding practices and mitigation methods to prevent associated issues. The topic of secure coding concludes with a discussion of typical security-related programming errors in the areas of input validation, improper use of security features, and code quality.

Testing plays a vital role in ensuring the security and robustness of web applications. Various approaches—ranging from high-level auditing and penetration testing to ethical hacking—can be employed to identify vulnerabilities of different types. However, to move beyond easily discoverable low-hanging fruit, security testing must be carefully planned and executed. Recall that while security testers ideally aim to find all bugs to protect a system, an adversary only needs to find one exploitable vulnerability to gain access.

Practical exercises will aid in understanding web application vulnerabilities, programming mistakes, and most importantly, mitigation techniques. Through hands-on trials of various testing tools—including security scanners, sniffers, proxy servers, fuzzing tools, and static source code analyzers—this course equips participants with essential practical skills that can be applied directly in the workplace the following day.

Participants attending this course will

• Grasp basic concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Understand client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Comprehend security testing approaches and methodologies
• Gain practical knowledge in using security testing techniques and tools
• Stay informed about recent vulnerabilities in various platforms, frameworks, and libraries
• Receive sources and further reading materials on secure coding practices

Audience

Developers, Testers

In this instructor-led live course in Mexico, participants will learn how to develop an appropriate security strategy to address the challenges of DevOps security.

The EC-Council Certified DevSecOps Engineer (ECDE) is a practical program designed to empower professionals with the capabilities to integrate security throughout the DevOps lifecycle, fostering secure software development from the initial planning phases through to deployment.

This instructor-led live training, available both online and onsite, targets intermediate-level software and DevOps professionals aiming to incorporate security protocols into CI/CD pipelines, thereby ensuring the delivery of code that is both secure and compliant.

Upon completing this training, participants will be equipped to:

• Grasp the core principles and practices of DevSecOps.
• Safeguard every phase of the CI/CD pipeline utilizing automated tools.
• Apply secure coding standards and conduct vulnerability scanning.
• Get ready for the ECDE certification through hands-on labs and comprehensive review.

Course Format

• Engaging lectures and group discussions.
• Practical application of DevSecOps tools within simulated pipelines.
• Supervised exercises centered on secure development and deployment strategies.

Customization Options

• For personalized training tailored to your team’s specific workflows or toolchains, please reach out to us to make arrangements.

This Course in Mexico aims to help in the following:

1. Enable developers to master secure coding techniques
2. Assist software testers in verifying application security before production deployment
3. Help software architects understand the risks associated with applications
4. Support team leaders in establishing security baselines for developers
5. Aid webmasters in configuring servers to prevent misconfigurations

This course explores secure coding concepts and principles for Java, utilizing the testing methodology of the Open Web Application Security Project (OWASP). OWASP is an online community that produces freely accessible articles, methodologies, documentation, tools, and technologies focused on web application security.