What's in this course?

Course curriculum

  • 1
  • 2

    Secure SDLC & Application Security Program

    • Secure SDLC & Application Security Program

    • Threat Modeling

    • Third Party Components (SCA)

    • Security Testing

    • Code Review and Static Analysis

    • Secure SDLC - Quiz!

  • 3

    Secure Coding Basics

    • #1 Input Validation

    • Input Validation - More Advice From OWASP

    • Input Validation: Code Review

    • #2 Output Encoding

    • Output Encoding: Code Review

    • #3 Parameterized queries are required; dynamic queries are forbidden.

    • Parameterized queries: Code Review

    • #4 Use the Authorization and Authentication provided by your framework, do not write your own.

    • Authentication and Password Management – OWASP Advice

    • #5 Use the identity and session management features available in your framework, network, or cloud provider.

    • #6 Use all applicable security headers

    • #7 Do not cache sensitive page data

    • Caching Sensitive Data: Code Review

    • #8 Secure Cookies

    • Thoughts on securing your cookies

    • #9 Take every possible precaution when performing file uploads

    • File upload advice from OWASP

    • Scanning your uploaded files

    • #10 All errors should be caught, handled, logged, and, if appropriate, alerted upon.

    • OWASP guidance on login, alerting and monitoring

    • Error Handling and Logging Cheat Sheet!

    • #11 Sensitive or decision-making information should never be stored in URL parameters.

    • #12 Your application should be served over HTTPS only.

    • HTTPS Everywhere: Code Review

    • #13 All data must be encrypted in transit and at rest

    • #14 Allow users to cut and paste into the password field, to allow for use of password managers.

    • #15 All connection strings, hashes, passwords and other secrets must be kept in a secret store.

    • Reasons Secrets Need Management

    • Secret Management Best Practices

    • What are 'secrets'?

    • #16 Hash and salt all passwords.

    • #17 Keep your stuff up to date!

    • A special note on APIs

    • API Security Best Practices - Checklist

    • We did it!

    • 17 Commandments - PDF Checklist!

  • 4

    PCI DSS - for Devs!

    • What is PCI and why do we need to be compliant?

    • PCI Compliance - Jump Start!

    • PCI DSS #1 - Firewalls

    • PCI DSS #2 - Reset Default Passwords

    • PCI DSS #3 - Protect stored cardholder data

    • PCI DSS #4 - Encrypt transmission of cardholder data

    • PCI DSS #5 - Use Antivirus Software

    • PCI DSS #6 - Develop and Maintain Secure Systems and Applications

    • PCI DSS #7 - Restrict access to cardholder data

    • PCI DSS #8 - Assign a unique ID to each person

    • PCI DSS #9 - Restrict physical access to cardholder data

    • PCI DSS #10 - Track and monitor access to network and data

    • PCI DSS #11 - Regular Security Testing

    • PCI DSS #12 - Maintain a policy that addresses information security

    • PCI DSS - for Devs - The PDF!

  • 5

    The OWASP Top Ten and other Common Pitfalls

    • Common Vulnerabilities

    • What is 'OWASP'? What is the 'Top Ten'?

    • A1: Injection

    • A2: Broken Authentication

    • A3: Sensitive Data Exposure

    • A4: XML External Entities (XXE)

    • A5: Broken Access Control

    • A6: Security Misconfiguration

    • A7: Cross Site Scripting (XSS)

    • A8: Insecure Deserialization

    • A9: Using Components with Known Vulnerabilities

    • A10: Insufficient Logging and Monitoring

    • More! Important stuff that is not in the OWASP Top Ten

    • Buffer Overflows

    • Insecure Cryptographic Storage

    • Insecure Communications

    • Improper Error Handling

    • Cross Site Request Forgery (CSRF)

    • Quiz: Common Pitfalls

  • 6

    Conclusion and Resources

    • Key Takeaways

    • Awesome Books

    • Community Resources

    • Thank You!

    • Feedback to help us be better