Application Security - The Complete Guide

Developing security in the Software Development Life Cycle (SDLC)

What you'll learn:

• Learn how to become an application security champion.
• What is the OWASP Top 10 and how to defend against those vulnerabilities.
• Use of threat modeling to identify threats and mitigation in development features.
• How to perform a threat model on an application.
• How to perform a vulnerability scan of an application.
• Rating security vulnerabilities using standard and open processes.
• How to correct common security vulnerabilities in code.
• How application security fits in an overall cyber security program
• Building security in to the software development life cycle.

Every company is a software company, and it' becoming more difficult to secure applications.

In an era where cyber threats are ever-evolving and increasingly sophisticated, securing applications from the ground up is more essential than ever. This course is a robust, all-encompassing course designed to equip software developers, and security professionals with the knowledge and tools necessary to protect their applications throughout the entire software development lifecycle (SDLC).

This course begins by introducing participants to foundational security concepts such as "Defense in Depth," where we explore the anatomy of attacks, including vulnerabilities, exploits, and payloads, using real-world examples like the "PrintNightmare" vulnerability. We will examine how to implement multiple layers of security to build a comprehensive defense strategy against these threats. As participants progress, they will gain a deep understanding of essential security principles, including confidentiality, integrity, and availability (CIA), alongside key practices for managing authentication, authorization, and session management.

A significant portion of the course is dedicated to modern challenges in application security, such as API security. Participants will learn how Application Programming Interfaces (APIs) function within web applications, the risks they pose, and the strategies to secure them effectively. This includes a deep dive into industry standards and frameworks like the OWASP Top 10, which highlight the most critical security risks to web applications today. We’ll explore the nuances of implementing robust security controls, risk rating methodologies such as those from NIST, FAIR, OWASP, and CIS RAM, and how to develop and enforce these controls to counteract various security threats.

Participants will also delve into advanced topics like software supply chain security, ensuring the integrity of software from development to deployment. The course covers the full spectrum of vulnerability management, from identification and evaluation to remediation and reporting, providing participants with the skills needed to maintain the security and integrity of IT systems continuously.

A thorough exploration of cryptographic techniques, including hashing, encryption (both symmetric and asymmetric), and the use of digital certificates and Public Key Infrastructure (PKI), will be provided to ensure that participants can protect sensitive data and secure communications effectively. We will cover JSON Web Tokens (JWTs), JSON Web Encryption (JWE), and JSON Web Signatures (JWS) to illustrate how these technologies are used to secure data transmissions in web applications.

As the course progresses, participants will explore the critical integration of security within the DevOps process, known as DevSecOps. Here, we emphasize the importance of embedding security practices early and continuously throughout the development lifecycle. We’ll examine the security of Continuous Integration and Continuous Deployment (CI/CD) pipelines, understanding how to secure these processes against unauthorized access, code tampering, and other threats. Participants will learn to implement security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP), Web Application Firewalls (WAF), and more!

Moreover, the course will cover emerging areas like Application Security Posture Management (ASPM), which offers a comprehensive view of the security health of software applications by integrating various security practices and tools. This holistic approach ensures that organizations can manage vulnerabilities, configuration weaknesses, and compliance with security policies across the entire application lifecycle.

Practical demonstrations and hands-on activities will allow participants to apply what they’ve learned in real-world scenarios. From exploring attack trees and threat modeling techniques to conducting penetration tests and leveraging tools like CodeQL for secure coding, participants will gain valuable experience in identifying, mitigating, and responding to security threats.

By the end of this course, participants will have developed a deep, nuanced understanding of application security. They will be able to integrate security practices seamlessly into the SDLC, ensuring their applications are not only functional but resilient and secure against the full spectrum of cyber threats. Whether you're a seasoned security professional or a developer new to application security, this course will empower you with the knowledge and skills to build and maintain secure, reliable software in today’s digital landscape.