

Baltimore, MD | Sat, Jun 21 - Mon, Jun 30, 2014

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications

Mon, June 23 - Thu, June 26, 2014

This course provided a great review in Java development practices to ensure secure and defensible applications.

John Davis, Lockheed Martin Corporation

I have seen other webinars about secure coding but they don't even scratch the surface of what this first section even contains. I am so impressed. Way worth the value!

Oscar Frink, SC Department of Corrections

Take this course to learn how to build secure Java applications and gain the knowledge and skills to:

  • Keep your web site from getting hacked
  • Avoid becoming the next headline
  • Counter a wide range of application attacks
  • Prevent critical security vulnerabilities that can lead to data loss
  • Understand the attacker's mindset and how your applications can be hacked

This course teaches you the art of modern web defense for Java applications by focusing on foundational defensive techniques, cutting edge protections, and Java EE security features that you can use in your applications as soon as you return to work. This includes learning how to:

  • Identify security defects in your code
  • Fix security bugs using secure coding techniques
  • Utilize secure HTTP headers to prevent attacks
  • Secure your sensitive REST services
  • Incorporate security into your development process
  • Use freely available security tools to test your applications

Great developers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. This unique SANS course allows you to bone up on the skills and knowledge required to prevent your applications from getting hacked.

How the course works

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real, hands-on programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.

Rather than teaching students to use a set of tools, we're teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates in a Secure Development Challenge where you perform a security review of a real-world open source application. You will conduct a code review, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that you have learned in class, implement fixes for these issues.

PCI Compliance

Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify that processes exist that require training in secure coding techniques for developers. If your Java application processes cardholder data and you are required to meet PCI compliance then this course is for you.

Write once securely, run anywhere


Common Web Application Vulnerabilities

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • HTTP response splitting
  • Parameter manipulation

Data Validation

  • Input validation
  • Whitelisting vs blacklisting
  • Output encoding and escaping
  • Parameterized queries
  • Using frameworks and APIs


  • How to use encryption and certificates
  • Protecting session ids
  • JEE based authentication
  • Basic and Forms Based Authentication
  • Client certificate authentication

Session Management

  • Session hijacking
  • Session fixation

Access Control

  • JEE based authorization
  • Declarative and programmatic access control
  • Using annotations
  • Spring Security
  • Java Security Manager


  • JSSE
  • JCA
  • Client certificates
  • SSL

Java Programming and Language

  • Race conditions
  • Logging & error handling
  • Class security


Course Syllabus

Frank Kim
Mon Jun 23rd, 2014
9:00 AM - 5:00 PM


Improper data validation is the root cause of the most prevalent web application vulnerabilities today. You will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to find these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your Java code.

The course is full of hands-on exercises in which you apply practical data validation techniques to prevent common attacks, with defenses ranging from input validation and output encoding to newer techniques such as Content Security Policy.

CPE/CMU Credits: 6

  • Web Application Attacks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • HTTP Response Splitting
  • Parameter Manipulation
  • Directory Traversal
  • Web Application Proxies
  • Validation Concerns
  • Character Encoding
  • Input Validation
  • Output Encoding
  • Blacklisting & Whitelisting
  • Validation Techniques
  • Regular Expressions
  • Servlet Filters
  • Output Encoding
  • Content Security Policy
  • Prepared Statements
  • CSRF Defense

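As an added illustration of the Section 1 defenses listed above (example code written for this page, not course material), a servlet that combines whitelist input validation, a prepared statement, ESAPI output encoding, and the Content-Security-Policy and X-Frame-Options headers. It assumes a Java EE container with a DataSource bound at the JNDI name jdbc/app, the OWASP ESAPI library (with its ESAPI.properties) on the classpath, and an assumed users table and username policy.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;
import javax.annotation.Resource;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.owasp.esapi.ESAPI;

public class UserLookupServlet extends HttpServlet {
    // Whitelist validation: the assumed policy allows 3-32 letters, digits, dot or underscore.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._]{3,32}$");
    @Resource(name = "jdbc/app")   // container-managed DataSource (assumed JNDI name)
    private DataSource ds;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("user");
        if (name == null || !USERNAME.matcher(name).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid user parameter");
            return;
        }
        // Client-side security headers: CSP limits script sources, X-Frame-Options blocks framing.
        resp.setHeader("Content-Security-Policy", "default-src 'self'");
        resp.setHeader("X-Frame-Options", "DENY");
        resp.setContentType("text/html;charset=UTF-8");
        // Parameterized query: the value is bound by JDBC, never concatenated into the SQL string.
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE username = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                PrintWriter out = resp.getWriter();
                // Output encoding: every dynamic value is escaped for the HTML element context.
                out.print("<html><body><p>User: " + ESAPI.encoder().encodeForHTML(name) + "</p>");
                while (rs.next()) {
                    out.print("<p>Email: " + ESAPI.encoder().encodeForHTML(rs.getString("email")) + "</p>");
                }
                out.print("</body></html>");
            }
        } catch (SQLException e) {
            log("user lookup failed", e); // server-side log only; no stack trace sent to the client
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "lookup failed");
        }
    }
}
```
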
Frank Kim
Tue Jun 24th, 2014
9:00 AM - 5:00 PM


Broken authentication and session management are common issues that can compromise the integrity of your system. Weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start. You will learn how to use Java EE Container Based Authentication and set up Basic, Form Based and client certificate authentication.

You will also learn how to protect data in transit using SSL and how to securely store passwords at rest. Various authorization attacks will be discussed as well as unvalidated forwards and redirects. Session management attacks and defenses are covered in addition to Clickjacking and associated defenses.

CPE/CMU Credits: 6

  • Authentication Factors
  • Authentication Attacks
  • Java EE Authentication
  • Basic Authentication
  • Form Based Authentication
  • Client certificates
  • Using SSL
  • Secure password storage
  • Authorization
  • Web and EJB access control
  • Authorization Attacks
  • Access control bypass
  • Unvalidated forwards and redirects
  • State Management Attacks
  • Session hijacking
  • Session fixation
  • Clickjacking
  • Using X-Frame-Options

Megan Restuccia
Wed Jun 25th, 2014
9:00 AM - 5:00 PM


Java is the language of choice for the development of many mission critical applications. As such, it is vital to understand the security features and implications of using the Java language itself and the Java Runtime Environment (JRE). Through numerous hands-on exercises you will learn about the Security Manager, how code privileges are managed, and how to sign jar files. You will also learn about exception handling and the importance of logging. In further hands-on exercises you will write code that encrypts both data in transit and data at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA), and you will learn about integer and double overflows and about numerous Java language features that you should consider while writing secure code.

Organizations continue to expose critical REST based web services that can be consumed by Ajax and mobile applications. You will learn how vulnerabilities like Cross-Site Request Forgery (CSRF) can be used by attackers to hack your JSON services. You will also learn how to develop applications that are resistant to such attacks and about the OAuth protocol for authentication and authorization.

CPE/CMU Credits: 6

  • Java Security Manager
  • Permissions
  • Policy file
  • Jar signing
  • Class security
  • Error Handling
  • Exceptions
  • Using try/catch/finally
  • Logging
  • Logging frameworks
  • ESAPI logging
  • Encryption
  • Java Secure Sockets Extension (JSSE)
  • Java Cryptography Architecture (JCA)
  • Integer and Double Overflows
  • Thread safety
  • Race Conditions
  • Web Service (JAX-RS) Security
  • REST Security
  • OAuth

Megan Restuccia
Thu Jun 26th, 2014
9:00 AM - 5:00 PM


Using what you have learned about web application vulnerabilities, you will conduct a security review of a real-world open source application. You will see first-hand how to integrate security into your software development life cycle (SDLC) by first conducting a code review of a large, widely used open source application. Once you have identified various vulnerabilities in the code itself, you will then perform security testing and actually exploit these weaknesses. Once they have been exploited, you will then fix them using the secure coding techniques you have learned in class.

The Secure Development Challenge introduces you to what is needed in a Secure SDLC and shows you how to do it first-hand!

CPE/CMU Credits: 6


  • Security and the SDLC
  • Conducting a secure code review
  • Manual code review
  • Using a static analysis tool
  • Using FindBugs
  • Integrating code review into the SDLC
  • Security Testing
  • Exploiting XSS, CSRF, and SQL Injection
  • Secure Coding
  • Fixing weaknesses in a running application

Additional Information

System Requirements



To get the most value out of the course, students are required to bring their own laptop so that they can run the virtual machine that contains all the code and labs that will be used in class. Your laptop must meet the following requirements:

  • Laptop with administrative level access
  • 8 GB available hard drive space
  • 2 GB RAM minimum, with 4 GB or higher recommended
  • DVD drive (minimum 16x recommended)
  • x86-compatible 2 GHz CPU minimum or higher


You will use VMware to perform exercises in class. You must have a working copy of one of the following installed on your system prior to coming to class:

  • VMware Player 4.0 or later
  • VMware Workstation 8.0 or later
  • VMware Fusion 4.0 or later for Mac OS X

VMware Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial at their Web site. No serial number is required for VMware Player.

We will give you a DVD with a self-contained development environment (Eclipse, Tomcat, etc) that you will use in class and can take home for further study.

The class does not support VirtualPC or other non-VMware virtualization products.

Java Documentation

It is recommended that students download the Java SE 7 and Java EE 7 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution). The documentation can be found at java.oracle.com.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

This course is for:

  • Developers who want to build more secure applications
  • Java EE programmers
  • Software engineers
  • Software architects
  • Developers who need to be trained in secure coding techniques to meet PCI compliance

This class is focused specifically on software development but is accessible enough for anyone who is comfortable working with code and has an interest in understanding the developer's perspective, including:

  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Students should have at least one year of experience working with the Java EE platform and should have thorough knowledge of Java language and web technology.

Ubuntu Linux VMware virtual machine containing:

  • Pre-installed developer tools including Eclipse, Tomcat, MySQL, Paros, FindBugs, BeEF, sqlmap
  • Java projects and code for all hands on exercises

Course Books covering the following topics:

  • Section 1: Data Validation
  • Section 2: Authentication & Session Management
  • Section 3: Java Platform & API Security
  • Section 4: Secure Development Lifecycle

DEV541 Will Prepare You To:

  • Use a web application proxy to view and manipulate HTTP requests and responses.
  • Review and perform basic exploits of common web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • SQL Injection
    • Parameter Manipulation
    • Open Redirect
    • Session Hijacking
    • Clickjacking
    • Authentication & Access Control Bypass
  • Mitigate common web application vulnerabilities using secure coding practices and Java libraries, including the following:
    • Input Validation
    • Blacklist & Whitelist Validation
    • Regular Expressions
    • Output Encoding
    • Content Security Policy (CSP)
    • Client-Side Security Headers
  • Build applications using the following:
    • Java EE Authentication
    • Basic and Forms based authentication
    • Client certificates
    • SSL/TLS
    • Java Secure Sockets Extension (JSSE)
    • Secure password storage techniques
    • Java Cryptography Architecture (JCA)
    • SecurityManager
  • Implement a secure software development lifecycle (SDLC) including code review, static analysis, and dynamic analysis techniques.

"Provided a great review in Java development practices to ensure secure and defensible applications". - John Davis, Lockheed Martin Corporation

"Actually coding the examples from a 'find the weakness' & 'fix it' standpoint, as you do in DEV 541, is a big help." - Andrew Whitehead, Federal Reserve Bank - Richmond

"Dev 541 will help change the way the developers in my organization code. We haven't placed a high amount of emphasis on secure coding before." - Brett Hanson, Agrium

"The course gave me a whole new perspective about security." - Mohammed Ahmed, ACT

Author Statement

After having taught application security to hundreds of developers, I've learned what works in teaching this important subject. Developers need to be intellectually challenged with exercises; they need a variety of solutions they can apply to a single problem in different scenarios. By giving our students concrete examples of applications they can take back with them, class attendees will be armed with strong techniques that can be applied to both current and future projects. By knowing how various web application attacks work, how common programming errors are made, and how to prevent them, developers will have the tools necessary to prevent a large number of application attacks. Take part in this groundbreaking class and arm yourself with the knowledge to protect your Java applications.

Frank Kim