Training


Application Security for Software Engineers (2 days)

Day 1:

Introduction to Application Security for Developers

  • Impact of security on development
  • Developer’s role in application security

Secure Coding Fundamentals

  • Input validation and sanitization
  • Output encoding
  • Secure data handling and storage
  • Error handling and logging

Authentication and Authorization

  • Implementing secure authentication mechanisms
  • Session management
  • Role-based access control (RBAC)
  • Password hashing and salting

Hands-on Lab: Secure Coding Practices

  • Exercises in fixing common vulnerabilities
  • Code review techniques

Secure API Development

  • RESTful API security best practices
  • API authentication (OAuth 2.0, JWT)
  • Authentication and authorization features in common frameworks

Day 2:

Cryptography for Developers

  • Encryption basics
  • Secure use of cryptographic libraries
  • Key management

Secure Database Interactions

  • Preventing SQL injection
  • Database access controls
  • Secure configuration

Frontend Security

  • Cross-Site Scripting (XSS) prevention
  • Cross-Site Request Forgery (CSRF) mitigation
  • Content Security Policy (CSP)

Security Testing for Developers

  • Unit testing for security
  • Integrating security tools into the IDE
  • Understanding and using static application security testing (SAST) tools

Secure Development Workflow

  • Security in version control
  • Secure code review process
  • Managing dependencies and vulnerabilities

Hands-on Lab: Vulnerability Assessment and Fixing

  • Using developer-focused security tools
  • Identifying and fixing vulnerabilities in a sample application

Advanced Application Security for Software Engineers (3 days)

Day 1:

Introduction to Advanced Application Security

  • Overview of modern web application architectures
  • Common security challenges in complex applications

Single Page Applications (SPA) Security

  • Security considerations specific to SPAs
  • Cross-Site Scripting (XSS) in SPAs
  • Cross-Origin Resource Sharing (CORS) configuration
  • Content Security Policy (CSP) for SPAs
  • Secure state management
  • HTML5 local storage and its security implications

OAuth and JWT

  • OAuth 2.0 framework deep dive
  • OpenID Connect
  • JWT structure and security considerations
  • OAuth 2.0 attack vectors and mitigations
  • Secure implementation of OAuth flows

API Security

  • REST API security best practices
  • GraphQL security considerations
  • API authentication and authorization
  • Input validation and output encoding
  • API security in various frameworks

Day 2:

Security in Modern JavaScript Frameworks

  • Angular security features and best practices
  • React security considerations
  • Next.js security enhancements
  • Vue.js security best practices
  • Common vulnerabilities in framework-based applications

Key and Secret Management

  • Importance of secure key management
  • Key rotation and lifecycle management
  • Secure storage of secrets in CI/CD pipelines (Jenkins)
  • Credentials and secret management in AWS
  • Credentials and secret management in Azure
  • HashiCorp Vault overview

Cloud Provider Security Features

  • AWS security services overview
  • Azure security services overview
  • Best practices for secure cloud configuration

Day 3:

Hands-on Labs and Exercises

  • Implementing secure authentication in a SPA
  • Securing an API with OAuth and JWT
  • Identifying and fixing security issues in framework-based applications
  • Setting up secure key management in a CI/CD pipeline

Case Studies and Real-world Scenarios

  • Analysis of recent security breaches
  • Lessons learned and best practices

Wrap-up and Q&A

  • Recap of key takeaways
  • Resources for further learning
  • Open discussion and questions