This course offers an in-depth understanding of secure software development.
- You'll start with key concepts and application security terms and then explore the OWASP Top 10 and SANS Top 25, covering vulnerabilities like broken access control, cryptographic failures, and injection.
- It includes practical demos using tools such as Fiddler and ZAP.
- Additionally, you'll learn about session management, risk rating, threat modeling, encryption, and hashing.
- Further modules cover frameworks and processes like HIPAA, PCI DSS, DevOps, and DevSecOps.
- The Security Scanning and Testing section introduces SAST, DAST, IAST, RASP, WAF, and penetration testing.
Ideal for developers and security professionals with basic R knowledge, this course blends theory with hands-on practice to enhance application security skills. By the end, you'll be able to identify key security concepts, explain OWASP Top 10 vulnerabilities, implement security measures, perform threat modeling, assess application security, and develop secure software.
Overview
Syllabus
- Introduction to the Course
- In this module, we will introduce you to the fundamentals of application security. You'll learn essential terms and definitions, understand the core objectives of application security, and get a practical demonstration of OWASP WebGoat, a tool designed to teach web security through hands-on exercises.
- Introduction to OWASP Top 10 and More Items
- In this module, we will delve into the OWASP Top 10 and additional security concerns. You'll learn about the most critical web application security risks, the SANS Top 25 software errors, and the various threat actors involved. We will also cover defense-in-depth strategies, introduce proxy tools for testing, demonstrate Fiddler with JuiceShop, and discuss the principles of API security.
- Dive into the OWASP Top 10
- In this module, we will explore each of the OWASP Top 10 security risks in depth. You'll gain an understanding of broken access control, cryptographic failures, injection, and insecure design. We will also cover security misconfigurations, the risks of vulnerable components, identification and authentication failures, software and data integrity issues, security logging and monitoring failures, and server-side request forgery.
- Defenses and Tools
- In this module, we will focus on defensive strategies and tools to enhance application security. You will learn how to install and configure OWASP ZAP, run security scans, and understand cross-site scripting. We'll cover implementing Content Security Policy, various security models, and using software composition analysis. Additionally, you'll explore the Security Knowledge Framework (SKF) through explanations and demos, and learn the essentials of performing secure code reviews.
- Session Management
- In this module, we will cover the essential aspects of session management. You'll learn about best practices in session management, the workings of web sessions, and the role of JSON Web Tokens. We'll provide a detailed example of JWT, explain the OAuth protocol, and discuss OpenID and OpenID Connect, highlighting their importance in secure authentication and authorization processes.
- Risk Rating and Threat Modeling
- In this module, we will explore risk rating and threat modeling methodologies. You'll gain an understanding of the importance of risk rating and learn how to perform it effectively. We'll introduce you to threat modeling, covering different types and techniques, including manual threat modeling. Additionally, we will prepare you for and demonstrate the use of the Microsoft Threat Model tool, providing a comprehensive approach to identifying and mitigating security threats.
- Encryption and Hashing
- In this module, we will delve into the core concepts of encryption and hashing. You'll learn about the importance and applications of encryption, explore different use cases, and gain an understanding of hashing principles. We'll also cover the Public Key Infrastructure (PKI) and its role in security, along with best practices for secure password management. Practical demonstrations will enhance your understanding of hashing and password management techniques.
- Frameworks and Process
- In this module, we will explore essential frameworks and processes critical to application security. You'll learn about the regulatory requirements of HIPAA and PCI DSS, understand the roles and methodologies of DevOps, and be introduced to DevSecOps for integrating security into the development process. Additionally, we will examine various use, abuse, and misuse cases to understand potential threats and their mitigation strategies.
- Security Scanning and Testing
- In this module, we will cover various security scanning and testing methodologies to ensure robust application security. You will learn about SAST and see a demonstration using Spot Bugs, understand the applications of DAST and IAST, and explore the benefits of RASP. We will also introduce Web Application Firewalls (WAF), explain the critical role of penetration testing, and discuss the importance of Software Composition Analysis (SCA) for securing open-source software components.
- Conclusion
- In this module, we will review the important concepts learned throughout the course. You'll get a recap of key application security practices and principles, reinforcing the importance of implementing these strategies in your work. This module will also encourage you to continue learning and staying updated on the latest in application security to ensure robust and effective protection for your applications.
Taught by
Packt - Course Instructors
