Secure Programming Foundation course

2 days

Intensive hands on introduction to secure software development.

Secure Programming Foundation offers an intensive hands-on introduction to secure software development. You’ll learn what programming errors can lead to software vulnerabilities, how these errors are exploited by attackers, and how you can prevent software flaws that enable cyberattacks. The course benefits software developers as well as security professionals. To successfully participate in the hands on exercises, students should have coding skills as a minimum and preferably understand the principles of the most common software development models.

Authors & Lead Trainers

Bas van den Berg
Trainer

Developer, Ethical Hacker,
CTO at SkoposAI

Mikko Laaksonen
Trainer

Application security expert
CEO at Responsible Cyber

Steven Wierckx
Author & Trainer

Software security consultant
Co-leader OWASP threat model project

At a Glance

Entry level

Secure Programming Foundation

2 days

Developers looking for secure programming skills. Professionals that need to interact with secure programmers. Security professionals looking for application security from a development perspective.

The most important types of coding mistakes that lead to insecure software.

Development models impacting the work of a secure programmer (e.g. waterfall, Agile, DevOps).

Best practices and frameworks (SECO Application Testing Framework, OWASP SAMM), how to integrate them into the Software Development Life Cycle and how they relate to major vulnerability lists (OWASP top 10, SANS).

Hands on exercises in designing and producing secure software, threat modeling and verification of the security of software.

Syllabus

Day 1 – Introduction and creating secure software

The business case for software security

  • What can go wrong?
  • Why must software be secure?
  • Costs versus benefits

Information security principles

  • Confidentiality, integrity, availability
  • Non-repudiation, accountability
  • Privacy, data protection, personal data vs PII

Introduction to SDLC

  • What is it
  • Why is it important
  • Phases in the cycle
  • Pros versus cons

Common software development models and their impact on security

  • Waterfall → Agile → DevOps
  • Pros versus cons

Secure Software Development models

  • BSIMM
  • OWASP SAMM
  • DevOps CI/CD
  • DevSecOps as the next iteration

Principles of threat modelling

  • What is it?
  • How does it work?
  • Example using STRIDE

Mapping issues/controls in a CI/CD pipeline

SECO’s Secure Application Testing Framework (ASTF)

  • Overview of the components that make up the ASTF
  • Relevance to the security of software
  • ASTF adding value to other guidelines and frameworks

OWASP SAMM

  • Methodology to assess, formulate, and implement a strategy for software security
  • Can be integrated into their existing SDLC

What actually goes wrong (OWASP top 10 and others)

  • Mapping OWASP Top 10 to ASTF and OWASP SAMM
  • – Major Risks
  • – What goes wrong in the real world
  • – Why models can be useful, how to use them
  • Importance of proper cryptography

Common coding mistakes hands on

  • Application of ASTF and SAMM as a roadmap to show common coding mistakes: For each coding mistake, the security implications are illustrated. Problems are explained hands on, using real code and real-world examples; including mitigations by compilers/interpreters and improved coding practices.

Day 2 – Designing & Testing Secure Software, Threat Modeling

Common coding mistakes hands on (continuing from Day 1)

The mentality of secure software

  • Layering
  • Isolation
  • Defence in-depth
  • Zero Trust Plus
  • Minimising attack surfaces
  • Principle of least privilege

Principles of designing and implementing secure software

  • Threat modelling
  • Secure coding standards/practices
  • Code review
  • Testing
  • Secure deployment

Principles of threat modelling

  • Data Flow Diagrams (Sources, Sinks, Flows, Tainting, Trust Boundaries, …)
  • STRIDE
  • Discovery (interviewing, infrastructure analysis, dependency analysis, …)

Useful methods/tools that facilitate software security

  • Static/Dynamic testing
  • Fuzzing
  • Run-Time Application Self-Protection (RASP)
  • Web Application Firewall (WAF)
  • Vulnerability scanners
  • Dependency checkers

Next steps

  • Using frameworks like SAMM, ASVS, MASVS, …)
  • Embedding software security in your current development practices
  • Improving performance

Threat Modelling Exercise

Collect your badge of honor

Exam

  • Language: English
  • Delivered: Online via a certified proctor
  • Questions: 40 multiple choice
  • Time: 60 minutes

Dates & locations

Online Live

3 days

4 hours a day

Find a Local Training Partner

Organize a class dedicated for your team