Application Security Training

Open any newspaper or news app and you face ominous news headlines that expose the many software risks. Organizations face digital threats such as data breaches, phishing and ransomware attacks. These threats generally arise from insufficient knowledge to minimize software risks. As a developer and software development team, you must know the latest developments and techniques to prevent your organization from becoming the next victim.

To make developers and other stakeholders more aware of, and armed against, these risks, we have developed two hands-on training courses:

• Application Security: Fundamentals
• Application Security: Deep Dive

The first covers the fundamentals of secure application development and should not be seen as just basic training. You will learn to understand and recognize the most common security risks.

In the Deep Dive training, we dive deep into the code and embed a security-first mindset into all software development processes.

This training covers the most common security risks identified by the Open Web Application Security Project in the OWASP Top 10 and API Security Top 10. You will learn to understand the unique vulnerabilities and security risks and how to apply security solutions and minimize risks.

We combine topics from both top 10s to give you the most relevant, up-to-date training. Supplemented with background info, knowledge and experience on OWASP and the hacker mindset.

We cover:

• OWASP
• Hacker mindset
• Hacker kill chain
• Broken Object Level Authorization
• Broken User Authentication
• Excessive Data Exposure
• Lack of Resources & Rate Limiting
• Broken Function Level Authorization
• Mass Assignment
• Cross-site scripting
• Broken Access Control
• Cross-site & Server-side Request Forgery
• Security Misconfiguration
• Injection
• Improper Assets Management
• Security Logging and Monitoring
• Post exploitation
• Reverse shells
• Hacker tools

Knowing and using the OWASP risks is perhaps the most effective first step in improving your organization's software development processes and culture.

Target audience: the training is suitable for all developers, architects and testers who have basic knowledge of request/response principles, and who would like to know more about software risks, application vulnerabilities and how hackers operate in practice.

If you want to take the next step, check out the training Application Security Deep Dive.

A one-day security training course aimed at developers and development teams who are aware of the various security risks and who want to act accordingly. You are familiar with the most common threats and possible solutions. We assume you can identify the vulnerabilities from the OWASP top 10 - if not, we recommend our Fundamentals training first. Now you want to dive deeper into the code to learn to think and act from a security perspective.

We do just that in this hands-on, dynamic training. The core of this training is finding and analyzing vulnerabilities in two applications:

• one with a C# backend with Vue.js frontend;
• and a Javascript Express.js application.

In addition to codebases, we also cover the Secure Development Life Cycle, threat modeling, and the STRIDE model, among other topics:

• Security code analysis:
  Analyzing multiple code bases (C#, Typescript, Infrastructure as Code) with dozens of security issues and errors. What is wrong? How do you prevent it? And how can you defend yourself against this?
• Secure Software Development Life Cycle:
  Which additional steps or features can you add to incorporate security into the daily software cycle?
• Security Testing:
  What types of security tests are there? When and how do you deploy them? We cover SAST, IAST and DAST.
• Security & AI:
  What are the risks of using AI tools like ChatGPT or GitHub Copilot?

In short, a deep dive training to embed a security-first mindset in all your software development processes.

Target audience: developers and software architects who (preferably) understand C# and/or Javascript/Typescript, and have basic knowledge of development tooling and security - ideally thanks to our Application Security Fundamentals training.