A four-day course to help you understand and mitigate application security vulnerabilities, combining our DevSecOps and AppSec for Developers courses
AppSec for Developers
This class has been written in response to the increasing need for developers to code securely. It is critical to introduce security as a quality component of the development cycle. This class aims to educate developers about a range of security vulnerabilities.
DevSecOps extends DevOps by introducing security early into the SDLC process, thereby minimizing the security vulnerabilities and enhancing the software security posture.
- Pre-requisites & Audience
Outline of the course:
Application security testing carried out as an activity at the end of the SDLC tends to find vulnerabilities too late to influence fundamental changes in the way code is written.
If you are a developer who needs mitigation strategies for, or does not yet fully understand, issues such as Cross-Site Scripting, XML External Entity (XXE) attacks, deserialization flaws, Content Security Policy and many other application security vulnerabilities and their remediation, then this class is for you!
If you are a manager responsible for a development team and would like to give it a good dose of security knowledge so that application security bugs are avoided in your code, then you are in the right place!
If you are a DevOps engineer wondering how to automate security into your pipeline, this course will show you how to turn your DevOps practice into DevSecOps. If you would like to avoid breaches like that of Equifax, then sign up now!
Length of course:
A four-day course
The class covers the following modules:
- Application Security Basics
- Understanding HTTP protocol
- Security Misconfigurations
- Insufficient Logging and Monitoring
- Authentication Flaws
- Authorization Bypass
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- XML External Entity (XXE) Attacks
- Insecure File Uploads
- Deserialization Vulnerabilities
- Client-Side Security
- Source Code Review
- Introduction and overview of DevOps
- What and Why of DevSecOps?
- Integrating Security in CI/CD
- Vulnerability Management using ArcherySec
- Secret Management using Vault, Jenkins and Docker Secrets
- Security in Developer Workstations: Pre-Commit Hooks using Talisman
- Software Composition Analysis using OWASP Dependency-Check
- SAST – Static Application Security Testing using FindSecBugs
- DAST – Dynamic Application Security Testing using ZAP
- Security in Infrastructure as Code using Clair
- Automated Vulnerability Assessment using OpenVAS
- Compliance as Code using InSpec
- Monitoring and Feedback using ModSecurity WAF
- DevSecOps in AWS
- Challenges in DevSecOps
- DevSecOps Enablers
- Any person who wishes to learn about application security vulnerabilities and understand more about their impact
- Developers who create web applications in any language can attend
- Any technical person with a basic knowledge of how web applications work, or who is responsible for implementing, managing or protecting web applications
- Any DevOps engineer looking to automate security
The only requirement for this class is that you bring your own laptop with JDK 8 or later installed, administrator rights, and lots of caffeine!
Other courses to further your knowledge
Lab-based training - written by Black Hat trainers.
These classes are ideal for those preparing for CREST CCT (ICE), CREST CCT (ACE), CHECK (CTL), TIGER SST and other similar industry certifications, as well as those who perform penetration testing on infrastructure or web applications as a day job and wish to add to their existing skill set.
Enquire about your training
We provide training directly (remote or in person) and also work with a range of training partners in different locations around the globe for classroom or remote training. Please contact us with details of your requirement and we will recommend the best route to access our amazing training.