Application Security for Software Engineers (2 days)
Day 1:
Introduction to Application Security for Developers
- Impact of security on development
- Developer’s role in application security
Secure Coding Fundamentals
- Input validation and sanitization
- Output encoding
- Secure data handling and storage
- Error handling and logging
Authentication and Authorization
- Implementing secure authentication mechanisms
- Session management
- Role-based access control (RBAC)
- Password hashing and salting
Hands-on Lab: Secure Coding Practices
- Exercises in fixing common vulnerabilities
- Code review techniques
Secure API Development
- RESTful API security best practices
- API authentication (OAuth 2.0, JWT)
- Authentication and Authorization features in various frameworks
Day 2:
Cryptography for Developers
- Encryption basics
- Secure use of cryptographic libraries
- Key management
Secure Database Interactions
- Preventing SQL injection
- Database access controls
- Secure configuration
Frontend Security
- Cross-Site Scripting (XSS) prevention
- Cross-Site Request Forgery (CSRF) mitigation
- Content Security Policy (CSP)
Security Testing for Developers
- Unit testing for security
- Integration of security tools in the IDE
- Understanding and using SAST tools
Secure Development Workflow
- Security in version control
- Secure code review process
- Managing dependencies and vulnerabilities
Hands-on Lab: Vulnerability Assessment and Fixing
- Using developer-focused security tools
- Identifying and fixing vulnerabilities in a sample application
Advanced Application Security for Software Engineers (3 days)
Day 1:
Introduction to Advanced Application Security
- Overview of modern web application architectures
- Common security challenges in complex applications
Single Page Applications (SPA) Security
- Security considerations specific to SPAs
- Cross-Site Scripting (XSS) in SPAs
- Cross-Origin Resource Sharing (CORS) configuration
- Content Security Policy (CSP) for SPAs
- Secure state management
- HTML5 local storage and security
OAuth and JWT
- OAuth 2.0 framework deep dive
- OpenID Connect
- JWT structure and security considerations
- OAuth 2.0 attack vectors and mitigations
- Secure implementation of OAuth flows
API Security
- REST API security best practices
- GraphQL security considerations
- API authentication and authorization
- Input validation and output encoding
- API security in various frameworks
Day 2:
Security in Modern JavaScript Frameworks
- Angular security features and best practices
- React security considerations
- Next.js security enhancements
- Vue.js security best practices
- Common vulnerabilities in framework-based applications
Key and Secret Management
- Importance of secure key management
- Key rotation and lifecycle management
- Secure storage of secrets in CI/CD pipelines (Jenkins)
- Credentials and secret management in AWS
- Credentials and secret management in Azure
- HashiCorp Vault overview
Cloud Provider Security Features
- AWS security services overview
- Azure security services overview
- Best practices for secure cloud configuration
Day 3:
Hands-on Labs and Exercises
- Implementing secure authentication in a SPA
- Securing an API with OAuth and JWT
- Identifying and fixing security issues in framework-based applications
- Setting up secure key management in a CI/CD pipeline
Case Studies and Real-world Scenarios
- Analysis of recent security breaches
- Lessons learned and best practices
Wrap-up and Q&A
- Recap of key takeaways
- Resources for further learning
- Open discussion and questions