Fundamentals of Building Secure Software Online Course
Fundamentals of Building Secure Software Online Course
This online course provides a thorough understanding of securing software applications from start to finish. You’ll learn core concepts of application security, integrating security into the Software Development Life Cycle (SDLC). Key topics include threat modeling, vulnerability management, and using frameworks like OWASP and NIST for strong defenses. You'll explore advanced topics such as Defense in Depth and cloud security, with real-world case studies like the “PrintNightmare” vulnerability. Practical demos will teach you how to prevent common security flaws, such as SQL injection and XSS. The course also covers DevSecOps, secure CI/CD pipelines, and automating security checks, preparing you to create and maintain secure applications. By the end, you’ll be equipped with essential skills for a career in secure software development.
Key Benefits
- Gain expertise in embedding security throughout the entire software development lifecycle, from design to deployment.
- Master advanced techniques such as STRIDE and attack trees to establish strong, proactive defenses against potential threats.
- Learn to secure CI/CD pipelines by implementing automated security checks and testing to ensure continuous protection throughout the development process.
Target Audience
This course is for software developers, security engineers, and IT professionals seeking to enhance their expertise in application security. Whether you're new to cybersecurity or looking to advance your skills, the course offers valuable insights and hands-on knowledge. While basic programming experience is recommended, prior security knowledge is not required. It is also ideal for IT managers and business analysts who wish to gain a foundational understanding of security principles to effectively collaborate with development teams and make informed decisions regarding software security.
Learning Objectives
- Incorporate security measures throughout the software development lifecycle to ensure robust protection.
- Utilize OWASP tools to identify and mitigate common vulnerabilities in applications.
- Apply secure coding techniques and thorough testing practices to enhance application security.
- Integrate security into DevOps workflows and CI/CD pipelines for continuous protection.
- Conduct effective threat modeling and risk assessments to proactively identify potential security risks.
- Safeguard cloud environments and secure containerized deployments to prevent unauthorized access and vulnerabilities.
Course Outline
The Fundamentals of Building Secure Software Exam covers the following topics -
Module 1 - Course Introduction
- Overview of Application Security
- Key Terminologies in Application Security
- Core Goals of Application Security
- Demonstration: OWASP WebGoat
Module 2 - Understanding Secure SDLC
- Introduction to Application Security in SDLC
- Exploring the Top 10 Security Risks
- Key Definitions and Terminologies in Application Security
- Setting Application Security Goals
- Introduction to NIST (National Institute of Standards and Technology)
- Introduction to CSA (Cloud Security Alliance)
Module 3 - Defense in Depth
- Concepts of Defense in Depth
- Key Roles and Terminologies in Cybersecurity
- Securing APIs
- Implementing Content Security Policy (CSP)
- Understanding Server-Side Request Forgery (SSRF)
- Best Practices in Vulnerability Management
Module 4 - Exploring the OWASP Top 10
- Broken Access Control and Demo
- Cryptographic Failures
- Injection Vulnerabilities and Demo
- Insecure Design Practices
- Security Misconfigurations
- Managing Vulnerable and Outdated Components
- Addressing Authentication and Identification Failures
- Software and Data Integrity Failures
- Logging and Monitoring Security Failures
- Cross-Site Scripting (XSS) and Demo
Module 5 - Supply Chain Security
- Introduction to Supply Chain Security
- Defensive Measures in Supply Chain Security
- Software Composition Analysis (SCA)
- Overview of SLSA (Supply Chain Levels for Software Artifacts)
- Understanding Software Bill of Materials (SBOM)
- Tools: Dependency-Track and CycloneDX
Module 6 - Cloud and Container Security
- Cloud Security Overview
- Core Cloud Security Concepts
- AWS Security Pillars
- Identity and Access Management in AWS
- AWS Detection Controls
- AWS Infrastructure and Data Protection
- AWS Incident Response and Application Security
- Container Security Overview
- Security Measures for Azure and GCP
Module 7 - Session Management
- Overview of Session Management
- Managing Web Sessions
- Understanding JSON Web Token (JWT) and Example
- JSON Web Encryption (JWE)
- OAuth and OpenID / OpenID Connect Authentication
Module 8 - Risk Rating and Threat Modeling Basics
- Introduction to Risk Rating and Demo
- Identifying Security Controls
- Fundamentals of Threat Modeling
- Types of Threat Modeling Techniques
- Manual Threat Modeling Approach
- Preparing for Microsoft Threat Model Tool
- Demos: Microsoft Threat Model Tool and OWASP Threat Dragon
Module 9 - Advanced Threat Modeling
- Exploring Advanced Threat Modeling Methods
- Using DREAD Framework
- Leveraging MITRE ATT&CK Framework
- Other Techniques in Threat Modeling
- Attack Trees and Demo
- Continuous Threat Modeling and Threagile Demo
- Threat Modeling in Cloud Environments
Module 10 - Encryption and Hashing Techniques
- Overview of Encryption Practices
- Use Cases for Encryption
- Introduction to Hashing and Demo
- Public Key Infrastructure (PKI)
- Secure Password Management and Demo
Module 11 - DevSecOps and Secure CICD
- Understanding DevOps vs DevSecOps
- Design and Implementation of DevSecOps
- Securing the Development Pipeline: Code, Analysis, Build, and Operations
- Introduction to Secure CICD and Demo
Module 12 - Security Scanning and Testing
- Overview of Static Application Security Testing (SAST) and Demo
- Dynamic Application Security Testing (DAST) and Demo
- Interactive Application Security Testing (IAST)
- Application Security Posture Management (ASPM) and Demo
- Runtime Application Self-Protection (RASP)
- Web Application Firewalls (WAF)
- Penetration Testing Techniques
- Fuzz Testing for Vulnerabilities
