
Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Source Code Review – J2EE

Security Compass



Source code review is a highly effective method of detecting vulnerabilities in software. This course aims to give security analysts, and J2EE developers who want to write secure software, the skills to identify insecure code through manual analysis. Doing this well requires a more in-depth understanding of application security than black-box testing does, so the class pairs a deeper dive into each vulnerability class with hands-on analysis of real code.

Learning Objectives

Students who take this course will be able to:

  • Understand major application security vulnerabilities
  • Identify those areas in source code that are of particular concern to security
  • Walk through a real application and perform a manual source code review
  • Learn various source code review methodologies and approaches
  • Walk away with practical guidelines of what to look for when performing source code review
  • Be able to articulate the advantages and disadvantages of manual and automated source code review

Who Should Attend

The intended audience for this course is:

  • Information security analysts
  • Software security testers and code reviewers
  • Designated security experts
  • Architects with a desire to understand more about security


Prerequisites

This course explores the technical details of various application-layer vulnerabilities. Students should have knowledge of basic web application security as well as basic programming knowledge; Java-specific programming experience is very helpful.

Not sure if you meet the prerequisites? Take a short quiz to determine if this training is right for you.

Would you like a refresher on the prerequisites before taking the course? We have made available a few resources that we think you will find useful.

Course Syllabus

Part 1: Introduction

  • Introduction to the Application
  • Understanding of business case
  • Establishing review objectives

Part 2: Source Code Review Approaches

  • Point-of-entry approach
  • Relevant-component approach
  • Keyword approach
  • Framework-level threat analysis
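
As an added illustration of the keyword approach (example code written for this page, not Security Compass course material), the following scanner walks a J2EE source tree and reports every line that matches a source (where untrusted input enters) or sink (where it can do damage) keyword, so that each hit can be reviewed by hand. The keyword list is an assumption about what a reviewer would search for in a typical servlet/JSP application and should be extended for the frameworks the application actually uses; the `src` default directory is likewise assumed.

```java
// Keyword-approach scanner: grep a J2EE source tree for security-relevant
// sources and sinks and print each hit for manual review.
// Example code for illustration; the keyword list is an assumption.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class KeywordScan {
    // Patterns grouped by the class of finding they point at.
    private static final Map<String, Pattern> KEYWORDS = new LinkedHashMap<>();
    static {
        // Untrusted input entering the application (point-of-entry candidates)
        KEYWORDS.put("SOURCE: request parameter",
            Pattern.compile("\\.getParameter(Values|Map)?\\s*\\("));
        KEYWORDS.put("SOURCE: header/cookie",
            Pattern.compile("\\.get(Header|Headers|Cookies)\\s*\\("));
        // SQL built by string concatenation rather than bound parameters
        KEYWORDS.put("SINK: dynamic SQL",
            Pattern.compile("(createStatement|executeQuery|executeUpdate|execute)\\s*\\("));
        // Output written to the response without encoding (XSS candidates)
        KEYWORDS.put("SINK: raw response output",
            Pattern.compile("(getWriter\\(\\)|out)\\.(print|println|write)\\s*\\("));
        // OS command execution
        KEYWORDS.put("SINK: command execution",
            Pattern.compile("Runtime\\.getRuntime\\(\\)\\.exec|new ProcessBuilder"));
        // XML parsing: check DTD / external entity settings near each hit
        KEYWORDS.put("SINK: XML parser",
            Pattern.compile("(DocumentBuilderFactory|SAXParserFactory|XMLInputFactory)\\.newInstance"));
    }

    /** Returns one "file:line [category] source text" entry per keyword hit. */
    public static List<String> scanFile(Path file) throws IOException {
        List<String> hits = new ArrayList<>();
        List<String> lines = Files.readAllLines(file);
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            for (Map.Entry<String, Pattern> kw : KEYWORDS.entrySet()) {
                if (kw.getValue().matcher(line).find()) {
                    hits.add(String.format("%s:%d [%s] %s",
                        file, i + 1, kw.getKey(), line.trim()));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Directory to scan; "src" is an assumed default.
        Path root = Paths.get(args.length > 0 ? args[0] : "src");
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                String name = p.toString();
                if (!name.endsWith(".java") && !name.endsWith(".jsp")) {
                    continue;
                }
                try {
                    scanFile(p).forEach(System.out::println);
                } catch (IOException e) {
                    // Non-text or unreadable file: report and keep scanning.
                    System.err.println("skipped " + p + ": " + e.getMessage());
                }
            }
        }
    }
}
```

Run it as `java KeywordScan path/to/webapp/src`. The output is a worklist, not a finding list: a `SINK: dynamic SQL` hit next to a `PreparedStatement` with bound parameters is fine, while the same hit next to string concatenation of a `SOURCE` value is what the review is looking for. That pairing of source and sink is what the point-of-entry and relevant-component approaches then trace through the code.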

Part 3: Authentication

  • Overview
  • Review authentication
  • Realms, users, groups, and roles
  • Common authentication vulnerabilities

Part 4: Authorization

  • Overview
  • Access control: page, functional and data levels
  • Common authorization vulnerabilities

Part 5: Session Management

  • Container managed sessions
  • Session management vulnerabilities

Part 6: Input Validation

  • Identifying SQL injection in code
  • Identifying XSS in code
  • Identifying CSRF in code
  • Identifying XML vulnerabilities in code
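
The following side-by-side example was added for this page and is not course material from Security Compass or Black Hat. It shows the two shapes a Part 6 review looks for in a servlet: `LookupServlet` lets a request parameter flow into concatenated SQL and straight back into HTML, while `SafeLookupServlet` is the corrected form with allow-list validation, bound SQL parameters and HTML-encoded output. It assumes the `javax.servlet` API and a JDBC `DataSource` on the classpath; the `users` table, its `name` and `email` columns and the `user` parameter are invented for illustration.

```java
// Vulnerable and corrected servlet side by side. Example code for illustration;
// the table, column and parameter names are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Both servlets are package-private only so they fit in one file for
// side-by-side reading; a deployed servlet would be public and mapped in web.xml.

/** BEFORE: the request parameter flows into concatenated SQL and raw HTML output. */
class LookupServlet extends HttpServlet {
    private DataSource ds; // assumed to be set during init(); lookup code omitted

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");           // SOURCE: untrusted input
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement()) {        // SINK: dynamic SQL
            // user = x' OR '1'='1 returns every row of the table
            ResultSet rs = st.executeQuery(
                "SELECT email FROM users WHERE name = '" + user + "'");
            out.println("<p>Results for " + user + "</p>"); // SINK: reflected XSS
            while (rs.next()) {
                // Database content is also untrusted once an attacker can write it
                out.println("<p>" + rs.getString("email") + "</p>");
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}

/** AFTER: allow-list validation, bound SQL parameters, HTML-encoded output. */
class SafeLookupServlet extends HttpServlet {
    private DataSource ds;

    /** Minimal HTML encoder for element content; prefer a maintained library encoder. */
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        // Allow-list validation: reject anything outside the expected shape
        if (user == null || !user.matches("[A-Za-z0-9._-]{1,64}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, user);                        // bound value, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                out.println("<p>Results for " + htmlEncode(user) + "</p>");
                while (rs.next()) {
                    out.println("<p>" + htmlEncode(rs.getString("email")) + "</p>");
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

When reviewing, note that the fix is not the validation regex alone: the `PreparedStatement` is what removes the injection, and the output encoding is what removes the XSS, regardless of what the database returns. Validation narrows the attack surface but a review should flag any path where the concatenation or the raw `println` survives.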


Rohit Sethi joined Security Compass as its second full-time employee. Leveraging a combined background in information security and software engineering, Rohit is recognized internationally as an expert in the emerging field of application security. In his role as manager at Security Compass, Rohit is responsible for managing Security Compass’s internationally renowned consultants on cutting edge consulting and training engagements across North America and around the world. He is leading development and instruction of the SANS Institute class Secure Coding in Java.

Rohit has provided security consulting and training services to primarily Fortune 1000 clients in the financial services, healthcare, utilities, telecommunications, media, and software industries. He has led and delivered engagements for a variety of service offerings, including application security architecture, design, and code reviews; threat analysis; penetration testing; application security program enhancement; vendor security assessments; identity management strategy; customer data privacy assessment; security governance strategy; threat risk assessments; SOX, BS7799 and PCI audit and remediation; and segregation of duties analysis and remediation. Rohit has also developed and taught courses for a wide variety of topics, including web application security exploiting, secure coding in J2EE, exploiting web applications, application security awareness, application security for managers, and general information security awareness. Prior to joining Security Compass, Rohit Sethi was a security consultant at Deloitte and a developer/business analyst at Automatic Data Processing (ADP).

Rohit is a noted expert in application security and has delivered, or is scheduled to deliver, talks or training sessions at the RSA Conference in San Francisco; CSI National in Washington DC; CSI SX in Las Vegas; SANS conferences in Toronto, Orlando, and Washington DC; ShmooCon in Washington DC; SecTor in Toronto; Infosecurity Toronto and New York; ISC2's Secure Leadership series in Toronto and Calgary; and TASK and the Federation of Security Professionals in Toronto.

Rohit has written articles on aspect-oriented programming and security, application classification, and centralized logging for the Web Application Security Consortium and the security portal SecurityFocus. He has been interviewed and quoted by Computerworld and IT World Canada.

Rohit holds an Honors Bachelor of Science in Computer Science with Software Engineering Specialization from the University of Western Ontario in Canada. He is a Certified Information Systems Security Professional (CISSP) and a Sun Certified Java Programmer.

Dan Sinclair is a Security Consultant with a strong background in application development. He has over seven years of experience in application design and development.

Prior to joining Security Compass, Dan worked as a solutions architect, web developer, and, most recently, as a Solaris 10 migration specialist and instructor for TrekLogic Advanced Solutions. He also helped develop and teach “Solaris 10: An introduction to DTrace, SMF, ZFS and Zones” for Sun Microsystems.

Dan is a contributor to several Open Source projects including the Enlightenment project and OpenSolaris where his work has included design, development, testing and documentation. He serves as a lead developer for the Enlightened Widget Library (Ewl).

Dan holds a Bachelor of Mathematics in Honors Computer Science from the University of Waterloo.

Registration Fees

  • Ends May 1: USD 1800
  • Ends July 1: USD 2000
  • Ends July 31: USD 2200
  • August 1: USD 2500

1997-2009 Black Hat ™