Application Security for Developers

Participants should have:

• A working understanding of application development in any modern programming language.
• Basic familiarity with software development lifecycles and version control systems.
• Awareness of common web technologies such as HTTP, APIs, and client–server communication.

Target audience

This course is designed for:

• Software developers at junior, mid, or senior levels.
• Technical leads and software architects responsible for secure design.
• Development teams seeking to embed security within their software lifecycle.

The course is particularly relevant for teams that manage both legacy and modern applications, and who want to integrate secure practices into their Agile or DevOps workflows.

By the end of this course, learners will be able to:

• Understand key principles of application security and their relevance to the software lifecycle.
• Apply the STRIDE threat modelling methodology to assess risks at any stage of development.
• Identify, exploit, and remediate vulnerabilities in application code through hands-on exercises.
• Secure data in transit and at rest using appropriate cryptographic methods.
• Implement safe authentication, session management, and API security controls.
• Recognise and defend against client-side, server-side, and injection-based attacks.
• Integrate secure coding and vulnerability management practices into Agile development environments.
• Build a culture of security awareness across the development team.

Application security fundamentals

• Why secure development is essential in modern software environments.
• The cost of insecure code and lessons from real-world breaches.
• Understanding the OWASP Top 10 and common developer pitfalls.
• Core threat modelling concepts and the STRIDE framework.

Developer environment security

• Protecting code in repositories and managing secure commits.
• Securing third-party dependencies and libraries.
• Automated code scanning and continuous integration security.
• Simulated attacks: phishing and supply chain compromises.

Front-end security

• Understanding the HTTP/HTTPS protocol and browser request flows.
• Identifying attack surfaces in client-side code.
• Securing forms, input validation, and browser sessions.
• Applying and testing client-side security headers.
• Attacks and mitigations:
  • Cross-site scripting (XSS)
  • File upload vulnerabilities and client-side code injection
  • Session hijacking and cookie manipulation

Backend and API security

• Securing authentication and authorisation mechanisms.
• Applying secure design principles to APIs and backend logic.
• ORM and model-layer security to prevent injection and mass assignment.
• Integration security for third-party APIs and external services.
• Attacks and mitigations:
  • Brute force and login bypass
  • Parameter tampering
  • Server-side URL manipulation

Data security

• Principles of protecting data at rest and in transit.
• Implementing encryption, hashing, and key management securely.
• Understanding cryptographic vulnerabilities.
• Attacks and mitigations:
  • SQL injection
  • Insecure deserialisation

Secure file handling

• Validating file uploads and managing MIME types.
• Safely processing and storing user-uploaded documents.
• Attacks and mitigations:
  • Remote code execution via malicious uploads
  • XML external entity (XXE) attacks
  • Insecure direct object reference (IDOR)

Source code review and exploit chaining

• Conducting secure source code reviews.
• Analysing vulnerable code snippets to identify exploit chains.
• Capture the flag exercise: identifying flaws under timed conditions.

Threat modelling and agile security integration

• Applying threat modelling to full applications and incremental features.
• Building and maintaining threat lists within Agile workflows.
• Integrating security requirements into backlogs and sprints.
• Driving a team-wide security culture through process and awareness.

Exams and assessments

There are no formal exams in this course. Instead, learners complete interactive labs, practical challenges, and a competitive capture the flag activity to test their skills. Knowledge checks and guided discussions ensure participants can apply their learning to real-world projects.

Hands-on learning

This course includes extensive hands-on activities, including:

• Practical threat modelling of real application features.
• Exploiting and remediating more than ten common vulnerabilities using professional security tools.
• Reviewing and securing insecure code in sandboxed environments.
• Simulated red-team exercises led by experienced penetration testers.
• A final capture the flag challenge to reinforce and test learning outcomes.