Course Summary

The Certified Application Security Engineer (CASE) credential is developed in partnership with large application and software development experts globally. The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.

The CASE certified training program is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.

Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post development phases of application development. This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, testers globally, and respected by hiring authorities.

This training covers:

Application Security, Threats and Attacks

What is a Secure Application
Need for Application Security
Most Common Application Level Attacks
Why Applications become Vulnerable to Attacks
What Constitutes Comprehensive Application Security
Insecure Application: A Software Development Problem
Software Security Standards, Models and Frameworks

Security Requirements Gathering

Importance of Gathering Security Requirements
Security Requirement Engineering (SRE)
Abuse Case and Security Use Case Modeling
Abuser and Security Stories
Security Quality Requirements Engineering (SQUARE)
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Secure Application Design and Architecture

Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
Secure Application Design and Architecture
Goal of Secure Design Process
Secure Design Actions
Secure Design Principles
Threat Modeling
Decompose Application
Secure Application Architecture

Secure Coding Practices for Input Validation

Input Validation Pattern
Validation and Security Issues
Impact of Invalid Data Input
Data Validation Techniques
Input Validation using Frameworks and APIs
Open Source Validation Framework for Java
Servlet Filters: Validation Filters for Servlets
Data Validation using OWASP ESAPI
Data Validation: Struts Framework
Data Validation: Spring Framework
Input Validation Errors
Common Secure Coding Practices

Secure Coding Practices for Authentication and Authorization

Introduction to Authentication
Types of Authentication
Authentication Weaknesses and Prevention
Introduction to Authorization
Access Control Model
EJB Authorization
Java Authentication and Authorization (JAAS)
Java EE Security
Authorization Common Mistakes and Countermeasures
Authentication and Authorization in Spring Security Framework
Defensive Coding Practices against Broken Authentication and Authorization
Secure Development Checklists: Broken Authentication and Session Management

Secure Coding Practices for Cryptography

Java Cryptography
Encryption and Secret Keys
Cipher Class
Digital Signatures
Secure Socket Layer (SSL)
Key Management
Digital Signatures
Signed Code Sources
Hashing
Java Card Cryptography
Spring Security: Crypto Module
Do’s and Don’ts in Java Cryptography
Best Practices for Java Cryptography

Secure Coding Practices for Session Management

Session Management
Session Tracking
Session Management in Spring Security
Session Vulnerabilities and their Mitigation Techniques
Best Practices and Guidelines for Secured Session Management
Checklist to Secure Credentials and Session IDs
Guidelines for Secured Session Management

Secure Coding Practices for Error Handling

Introduction to Exceptions
Erroneous Exceptional Behaviors
Dos and Don’ts in Error Handling
Spring MVC Error Handling
Exception Handling in Struts 2
Best Practices for Error Handling
Introduction to Logging
Logging using Log4j
Secure Coding in Logging

Static and Dynamic Application Security Testing (SAST and DAST)

Static Application Security Testing
Manual Secure Code Review for Most Common Vulnerabilities
Code Review: Checklist Approach
SAST Findings
SAST Report
Dynamic Application Security Testing
Automated Application Vulnerability Scanning Tools
Proxy-based Security Testing Tools
Choosing between SAST and DAST

Secure Deployment and Maintenance

Secure Deployment
Pre-Deployment Activities
Deployment Activities: Ensuring Security at Various Levels
Ensuring Security at Host Level
Ensuring Security at Network Level
Ensuring Security at Application Level
Ensuring Security at Web Container Level (Tomcat)
Ensuring Security in Oracle
Security Maintenance and Monitoring

No prerequisites

Certified Application Security Engineer exam
Number of Questions: 50
Duration: 2 Hours
Format: Multiple choice questions
Passing score: 70%

Following your booking, a confirmation message will be sent to all participants, ensuring you're well-informed of your successful enrollment. Calendar placeholders will also be dispatched to assist you in scheduling your commitments around the course. Rest assured, all course materials and access to necessary labs or platforms will be provided no later than one week before the course begins, allowing you ample time to prepare and engage fully with the learning experience ahead.

Our comprehensive training package includes all the necessary materials and resources to facilitate a full learning experience. Enrollees will be provided with detailed course content, encompassing a wide array of topics to ensure a thorough understanding of the subject matter. Additionally, participants will receive a certificate of completion to recognize their dedication and hard work. It's important to note that while the course fee covers all training materials and experiences, the examination fee for certification is not included but can be purchased separately.
