How to Write Secure Code Training Course
In the wake of significant attacks on national infrastructures, security professionals have identified that the majority of these breaches stemmed from poor and vulnerable code written by developers.
Developers must now master the techniques for writing secure code, as we live in an era where anyone can use available tools to create scripts that effectively disable a large organisation's systems, often due to poorly written code.
This course aims to achieve the following:
- Help developers master the techniques of writing secure code.
- Assist software testers in evaluating application security before publishing to the production environment.
- Enable software architects to understand the risks associated with applications.
- Support team leaders in establishing security baselines for developers.
- Guide webmasters in configuring servers to avoid misconfigurations.
Throughout this course, you will also explore details of recent cyber attacks and the countermeasures employed to stop and prevent them.
You will witness firsthand how developer mistakes have led to catastrophic attacks. By participating in the labs during the course, you will have the opportunity to put security controls into practice, gaining the experience and knowledge required to produce secure code.
Who should attend this course?
This secure coding training is ideal for individuals working in positions such as, but not limited to:
- Web developers
- Mobile developers
- Java developers
- .NET developers
- Software architects
- Software testers
- Security professionals
- Webmasters
Course Outline
Module 1: Introduction to Secure Coding
- Overview of secure coding practices
- Common vulnerabilities in software
- Importance of secure development life cycle
Module 2: Web, Windows, and Mobile Application Basics
- Introduction to application platforms
- Security implications for each platform
- Best practices for secure development
Module 3: Application Attacks and Exploits
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (CSRF)
Module 4: Server Attacks and Exploits
- Denial of Service (DoS) attacks
- Buffer Overflow (BOF)
- Common server vulnerabilities
Module 5: Validation and Verification
- Input validation techniques
- Data sanitization and output encoding
- Verifying security measures
Module 6: Security Controls and Countermeasures
- Implementing access control
- Using encryption for data security
- Protecting against common threats
Module 7: Mobile Application Secure Coding
- Security concerns in mobile development
- Implementing secure mobile app architectures
- Handling mobile data securely
Module 8: Security Standards and Testing
- Overview of security standards (e.g., OWASP)
- Testing for security vulnerabilities
- Best practices for security testing
Requirements
- Basic knowledge of any programming language
- Basic knowledge of the software development life cycle
Audience
- Developers
- Software architects
- Security professionals
Testimonials (3)
The labs practice
Angel - Vodacom
Course - How to Write Secure Code
seeing the security threats in action
kesh - Vodacom
Course - How to Write Secure Code
Module 3 Application Attacks and Exploits, XSS, SQL injection; Module 4 Server Attacks and Exploits, DoS, BOF
Tshifhiwa - Vodacom
Course - How to Write Secure Code
Related Courses
ABAP Secure code
14 Hours
Upon completing this training, participants will be able to:
- Explain the principles of application security and common vulnerabilities
- Outline ABAP programming best practices and the management of SY-SUBRC
- Gain an understanding of injection vulnerabilities
- Describe various security testing tools
- Explain the functions of ATC and CVA
Course Format
- Interactive lectures and discussions.
- Extensive exercises and hands-on practice.
- Hands-on implementation within a live-lab environment.
Applications Security Foundation
21 Hours
This programme explores the core principles of secure coding that are vital for web application developers. Participants will learn secure programming concepts by examining code samples, identifying security vulnerabilities, and applying effective remediation strategies.
The course features demonstrations of real-world attacks and techniques to mitigate them, helping students build confidence in enhancing the security posture of their applications.
Duration: 3 days
Target Audience: Developers seeking to expand their expertise in secure coding practices.
Learning Outcomes
Participants will acquire knowledge in:
- Web Application Security
- Common Web Application Risks
- Penetration Testing of Demo Web Applications
- Data Validation
- Authentication
- Session Management
- Secure SDLC
Network Security and Secure Communication
21 Hours
Developing secure networked applications can be challenging, even for developers who have previously worked with cryptographic building blocks like encryption and digital signatures. To help participants grasp the role and application of these cryptographic primitives, the course first establishes a solid foundation on the core requirements of secure communication, namely secure acknowledgement, integrity, confidentiality, remote identification, and anonymity. It also addresses typical threats that can undermine these requirements alongside practical, real-world solutions.
Given that cryptography is a critical component of network security, the course examines essential algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than focusing on complex mathematical theory, these topics are approached from a developer's perspective, featuring typical use-case examples and practical considerations such as public key infrastructures. The course introduces security protocols used across various domains of secure communication, offering an in-depth look at widely adopted protocol families like IPSEC and SSL/TLS.
Common cryptographic vulnerabilities are discussed in the context of both specific algorithms and protocols. Topics include BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and the RSA timing attack. For each issue, the practical implications and potential consequences are explained without delving into deep mathematical details.
Finally, since XML technology is central to data exchange in networked applications, the course covers XML security aspects. This includes the use of XML in web services and SOAP messages, along with protective measures like XML signature and XML encryption. The course also examines weaknesses in these protections and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.
Participants attending this course will
- Understand basic concepts of security, IT security, and secure coding
- Understand the requirements of secure communication
- Learn about network attacks and defences at different OSI layers
- Have a practical understanding of cryptography
- Understand essential security protocols
- Understand some recent attacks against cryptosystems
- Get information about some recent related vulnerabilities
- Understand security concepts of Web services
- Get sources and further readings on secure coding practices
Audience
Developers, Professionals
C/C++ Secure Coding
21 Hours
This three-day course provides an introduction to safeguarding C/C++ code from malicious actors who might exploit vulnerabilities related to memory management and input handling. The curriculum focuses on the fundamental principles of writing secure code.
Advanced Java Security
21 Hours
Even seasoned Java developers do not necessarily master every security service offered by Java, nor are they always aware of the various vulnerabilities relevant to web applications written in Java.
The course, while introducing the security components of Standard Java Edition, also addresses security issues concerning Java Enterprise Edition (JEE) and web services. Before discussing specific services, the course covers the foundations of cryptography and secure communication. Various exercises focus on declarative and programmatic security techniques in JEE, alongside discussions on both transport-layer and end-to-end security for web services. Participants can apply these concepts through practical exercises, allowing them to test out the discussed APIs and tools themselves.
The course also examines and explains the most common and severe programming flaws in the Java language and platform, as well as web-related vulnerabilities. Beyond typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems arising from the runtime environment. All vulnerabilities and relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.
Participants attending this course will
- Understand basic concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
- Understand the security concepts of web services
- Learn to use various security features of the Java development environment
- Gain a practical understanding of cryptography
- Understand the security solutions of Java EE
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in the Java framework
- Acquire practical knowledge in using security testing tools
- Obtain sources and further readings on secure coding practices
Audience
Developers
Standard Java Security: Secure Coding & Development Practices
14 Hours
Description
The Java language and the Java Runtime Environment (JRE) were engineered to minimise exposure to the most prevalent and dangerous security vulnerabilities found in other languages such as C/C++. Nevertheless, software developers and architects must not only master the application of Java's security features (positive security) but also remain vigilant about the numerous vulnerabilities that continue to affect Java development (negative security).
The course introduces security services by first providing a concise overview of cryptographic foundations, establishing a shared understanding of the purpose and operation of relevant components. Participants will explore the practical application of these components through hands-on exercises, allowing them to experiment with the discussed APIs.
The course also examines and explains the most common and severe programming flaws associated with the Java language and platform. This includes both typical errors made by Java programmers and issues specific to the language and its environment. All vulnerabilities and associated attacks are demonstrated through accessible exercises, followed by recommended coding guidelines and mitigation strategies.
Participants attending this course will
- Grasp the fundamental concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them
- Gain proficiency in using various security features within the Java development environment
- Develop a practical understanding of cryptography
- Identify typical coding mistakes and learn how to prevent them
- Gain insight into recent vulnerabilities affecting the Java framework
- Access sources and further reading materials on secure coding practices
Audience
Developers
.NET, C# and ASP.NET Security Development
14 Hours
Today, a variety of programming languages are available to compile code for the .NET and ASP.NET frameworks. While this environment offers robust tools for security development, developers must understand how to apply architecture- and coding-level programming techniques to implement desired security functionalities, avoid vulnerabilities, or limit their exploitation.
The aim of this course is to equip developers with the ability to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, facilitate remote procedure calls, manage sessions, and introduce diverse implementations for specific functionalities, among other skills, through numerous hands-on exercises.
The introduction to various vulnerabilities begins by presenting typical programming problems encountered when using .NET. The discussion on ASP.NET vulnerabilities also covers various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities addresses not only general web application security challenges but also special issues and attack methods, such as attacking the ViewState or employing string termination attacks.
Participants attending this course will
- Understand fundamental concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them
- Learn to utilise various security features of the .NET development environment
- Gain practical knowledge in using security testing tools
- Learn about typical coding mistakes and how to avoid them
- Gain information about some recent vulnerabilities in .NET and ASP.NET
- Access sources and further readings on secure coding practices
Audience
Developers
Secure coding in PHP
21 Hours
The course provides the essential skills PHP developers need to make their applications resistant to contemporary attacks over the Internet. Web vulnerabilities are discussed through PHP-based examples going beyond the OWASP Top Ten, tackling various injection attacks, script injections, attacks against PHP session handling, insecure direct object references, issues with file upload, and many others. PHP-related vulnerabilities are introduced grouped into the standard vulnerability types of missing or improper input validation, incorrect error and exception handling, improper use of security features, and time- and state-related problems. For the latter we discuss attacks like the open_basedir circumvention, denial of service through the magic float, and the hash table collision attack. In all cases participants will become familiar with the most important techniques and functions used to mitigate the listed risks.
A special focus is given to client-side security, tackling security issues of JavaScript, Ajax and HTML5. A number of security-related extensions to PHP are introduced, like hash, mcrypt and OpenSSL for cryptography, or Ctype, ext/filter and HTML Purifier for input validation. Best hardening practices are given for PHP configuration (setting php.ini), Apache and the server in general. Finally, an overview is given of various security testing tools and techniques which developers and testers can use, including security scanners, penetration testing and exploit packs, sniffers, proxy servers, fuzzing tools and static source code analyzers.
Both the introduction of vulnerabilities and the configuration practices are supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to apply mitigation techniques and introducing the use of various extensions and tools.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn client-side vulnerabilities and secure coding practices
- Have a practical understanding of cryptography
- Learn to use various security features of PHP
- Learn about typical coding mistakes and how to avoid them
- Be informed about recent vulnerabilities of the PHP framework
- Get practical knowledge in using security testing tools
- Get sources and further readings on secure coding practices
Audience
Developers
Microsoft SDL Core
14 Hours
This comprehensive core training offers a deep dive into secure software design, development, and testing, guided by the Microsoft Secure Development Lifecycle (SDL). It provides a foundational overview of the SDL's essential building blocks, followed by design techniques aimed at detecting and rectifying flaws during the early stages of the development process.
Focusing on the development phase, the course outlines common security-related programming bugs found in both managed and native code. It presents attack methods for the discussed vulnerabilities alongside their corresponding mitigation techniques. Through numerous hands-on exercises, participants engage in live hacking scenarios, making the learning process interactive and practical. The training introduces various security testing methods and demonstrates the effectiveness of different testing tools. Participants will gain a clear understanding of how these tools operate by applying them to vulnerable code examples discussed throughout the course.
By the end of this course, participants will be able to
- Understand the fundamental concepts of security, IT security, and secure coding
- Familiarize themselves with the essential steps of the Microsoft Secure Development Lifecycle
- Adopt secure design and development practices
- Comprehend the principles of secure implementation
- Understand security testing methodologies
- Access resources and further reading materials on secure coding practices
Target Audience
Developers, Managers
Secure Web Application Development and Testing
21 Hours
Protecting web-accessible applications demands security professionals who are thoroughly prepared and constantly updated on current attack methods and trends. While numerous technologies and environments facilitate the comfortable development of web applications, developers must be aware not only of platform-specific security issues but also of general vulnerabilities that apply regardless of the development tools used.
This course provides an overview of applicable security solutions for web applications, with a special focus on understanding the most critical cryptographic techniques. Various web application vulnerabilities are presented, covering both server-side risks (following the OWASP Top Ten) and client-side issues, demonstrated through relevant attacks. These are followed by recommended coding techniques and mitigation methods to prevent associated problems. The topic of secure coding concludes with a discussion of typical security-relevant programming mistakes, including input validation errors, improper use of security features, and code quality issues.
Testing plays a pivotal role in ensuring the security and robustness of web applications. A variety of approaches—from high-level auditing and penetration testing to ethical hacking—can be employed to uncover different types of vulnerabilities. However, to look beyond easily exploitable weaknesses, security testing must be carefully planned and properly executed. Remember: while security testers ideally need to identify all bugs to fully protect a system, adversaries only need to find one exploitable vulnerability to breach it.
Practical exercises will help participants understand web application vulnerabilities, programming mistakes, and, most importantly, mitigation techniques. Through hands-on trials of various testing tools—ranging from security scanners and sniffers to proxy servers, fuzzing tools, and static source code analyzers—this course equips learners with essential practical skills they can apply immediately in the workplace.
Participants attending this course will
- Understand the basic concepts of security, IT security, and secure coding
- Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
- Gain knowledge of client-side vulnerabilities and secure coding practices
- Develop a practical understanding of cryptography
- Understand security testing approaches and methodologies
- Acquire practical knowledge in using security testing techniques and tools
- Stay informed about recent vulnerabilities in various platforms, frameworks, and libraries
- Receive resources and further readings on secure coding practices
Audience
Developers, Testers
CYBERSECURE CODER (CSC)
21 Hours
This course is designed for individuals such as software developers, testers, and architects involved in creating software using various programming languages and platforms, including desktop, web, cloud, and mobile environments. It aims to enhance their ability to produce high-quality software, with a special emphasis on security and privacy aspects.
DevOps Security: Creating a DevOps Security Strategy
7 Hours
In this instructor-led, live course in Botswana, participants will learn how to formulate an appropriate security strategy to address the DevOps security challenge.
EC-Council Certified DevSecOps Engineer (ECDE)
28 Hours
The EC-Council Certified DevSecOps Engineer (ECDE) is a practical course crafted to empower professionals with the capabilities to embed security throughout the DevOps lifecycle, facilitating secure software development from the planning phase through to deployment.
This instructor-led, live training (available online or onsite) is tailored for intermediate-level software and DevOps professionals who aim to integrate security practices into CI/CD pipelines, ensuring the delivery of secure and compliant code.
Upon completion of this training, participants will be able to:
- Grasp the principles and practices of DevSecOps.
- Secure every stage of the CI/CD pipeline using automated tools.
- Implement secure coding practices and vulnerability scanning.
- Prepare for the ECDE certification through practical labs and review.
Format of the Course
- Interactive lecture and discussion.
- Hands-on use of DevSecOps tools in simulated pipelines.
- Guided exercises focused on secure development and deployment.
Course Customization Options
- To request a customized training for this course based on your team’s workflows or toolchain, please contact us to arrange.
Secure Developer Java (Inc OWASP)
21 Hours
This course explores secure coding principles and practices in Java, utilizing the testing methodologies of the Open Web Application Security Project (OWASP). The Open Web Application Security Project is a global online community dedicated to producing freely accessible articles, methodologies, documentation, tools, and technologies aimed at enhancing web application security.
Secure Developer .NET (Inc OWASP)
21 Hours
This course delves into secure coding concepts and principles using ASP.NET, guided by the testing methodology of the Open Web Application Security Project (OWASP). OWASP is an online community that provides freely available articles, methodologies, documentation, tools, and technologies in the realm of web application security.
This course examines the .NET Framework's security features and demonstrates how to safeguard web applications.