Ximedes Security


Serious secure coding, based on the latest threats, regulations and best practices.


The need for secure coding


A time of serious challenges

The way we do business has always changed at the speed of technology, and in the past decades technological progress has been dominated by advancements in information technology. From the smallest service company to the largest multinational, software has become the dominating force behind innovation and competitive advantage.

Unfortunately, decades of rapid innovation have also exposed businesses worldwide to a new set of risks. Attackers are constantly searching for weaknesses in the software running at the very core of your organization. Protecting the integrity, confidentiality and availability of your digital information should be your top priority. Yet every day, new headlines inform you that yet another large organization has become the victim of a successful hack, leaking gigabytes of sensitive customer data and being subject to massive fines and penalties.

New laws and regulations

Governments and regulatory bodies are responding to this changing world by issuing increasingly demanding guidelines on how to protect your customers' sensitive data, and by levying ever larger fines for non-compliance. GDPR, PCI DSS, ISO 2700X: the list is long and ever-growing. On top of that, internal security and legal departments in large organizations create their own rules and regulations, adding to the already significant workload of product owners and development managers.

Luckily, you are not defenseless. Penetration testing, blue/red team exercises, intrusion detection software, web application firewalls - these and many more options are available for you to defend yourself against attackers. But the simplest and most cost-effective countermeasure you can take is to prevent creating insecure software in the first place.

What a secure coding training should offer.


OWASP Top 10

The top 10 list of vulnerability categories most frequently seen. Any developer should know these and how to avoid them by heart.

PCI DSS and GDPR

Secure coding is more than just avoiding common vulnerabilities. Having to build PCI DSS or GDPR compliant solutions requires knowledge of the right security controls and where to apply them properly.

Practice

Being familiar with compliance and security requirements does not yet mean you are able to avoid the vulnerabilities. You need hands-on experience, knowing how it should be done in real code.

Training


Building secure solutions

Ximedes Security can help you by training your developers and software architects in designing, creating and maintaining secure software. With a focus on server-side web applications on the JVM (in Java and Kotlin), we can help your development team to design secure solutions from the ground up, and prevent making those little mistakes that can lead to big damages.

The Ximedes Secure Coding training combines teaching theoretical knowledge with hands-on training, in which participants are tasked with finding and fixing vulnerabilities in a modern Java application based on Spring Boot, Apache H2, Thymeleaf, and React.

Highlights

Our two-day hands-on training teaches your team to:

  • View web application architectures from a security perspective
  • Understand the different types of vulnerabilities exploited by attackers
  • Prevent vulnerabilities by applying secure coding principles
  • Perform code reviews to find vulnerabilities in existing codebases
  • Implement secure coding processes at the team level

Standard Program Contents

The following topics are addressed during the standard program:

  • The Basics
    • Introducing our reference architecture
    • Knowing the treasures of your application
    • Security Principles
      • CIA
      • Defense in-depth
  • Cross-site Scripting (XSS)
    • Input normalization
    • Input validation
    • Output encoding
    • CSP
  • Injection Attacks
    • SQL Injection
    • XSS Injection
    • XML/JSON/LDAP Injection
    • Insecure Deserialization
  • Broken Authentication and Session Management
    • Insecure account creation
    • Insecure account password reset
    • Insecure login (brute force vulnerability)
    • Insecure passwords
    • Insecure cookies
    • Insecure JWTs
    • Insecure sessions
    • CSRF (unintended user requests)
    • Secure session cookies
    • Secure session JWTs
    • Secure passwords
    • Brute force login protection
    • Secure session management
  • Broken Access Control
    • Insecure direct object references
    • Unsecured URL/endpoints
    • Unsecured asset exposure
    • Predictable user/object identifiers
  • Sensitive Data Leakage
    • 3rd party resources and services
    • Missing HTTP headers
    • MITM
    • Data encryption at rest
    • Details in error messages to user
    • Logging sensitive data to backend
  • Vulnerable 3rd party libraries
    • In-browser
    • Java libraries
  • Regulatory Compliance
    • Audit logging requirements
    • PCI-DSS
    • GDPR
  • Exam

General Information

Duration Two days (9:00 to 17:00)
Location Either at your offices or off-site
Number of participants Minimum 5, maximum 20
Prerequisites Basic knowledge of web application development in Java. A laptop with an up-to-date Java development environment. We encourage the use of IntelliJ.
Price (ex. BTW) EUR 1500 per participant
Included Tea, coffee, snacks, lunch, training material, exam and certificate of attendance

Want to join our standard program course?

Our next course takes place on September 20 and 21, 2018 at our main office in Haarlem.





Customizable

Would you rather have a training that takes your specific compliance requirements into account?


We can tailor our standard training program to your security and compliance needs. Contact us for a cup of coffee.

Contact

Don't get caught in a compliance nightmare: avoid security issues from the start in your next project.


Trainers

Our trainers have years of actual secure development experience.


Joris Portegies Zwart PhD

After obtaining a PhD in machine learning, Joris has been developing software for 15 years, mainly in the financial and payments sector. He has extensive experience developing secure software on the JVM, with a focus on Spring-based web applications. As CTO of Ximedes, he is responsible for delivering secure, performant and maintainable software across teams to Dutch banks and financial institutions.


Gijs van den Broek MSc CEH CISSP

Gijs graduated with honours in Telematics and has extensive experience with IT security, ranging from privacy impact assessments, penetration testing, assisting large organizations in becoming ISO 27001 compliant and security testing new systems with respect to GDPR and PCI DSS compliance requirements.
