Secure by Design

There are no specific pre-requisites for this course.

Note: This course does not cover hands-on coding. Additional courses can be found in our Application Security and Secure Coding learning pathways.

• Understand the main Secure Development Lifecycle (SDLC) Models, and their principal differences
• Be able to choose which SDLC model is most appropriate in a given situation.
• Learn how to apply secure development techniques from the initial design stage and throughout a development lifecycle
• Understand the latest (2021) OWASP vulnerabilities and how to counter/mitigate them
• Learn about useful system design tools
• Discover resources to help introduce and use secure design and development best practices
• Learn Threat Modelling methodologies and techniques
• Understand the benefits of code review
• Understand various testing strategies
• Learn about encryption, securing and compromising passwords and meta data
• Understand the challenges of AI generated software
• Discover the benefits and pitfalls of GitHub Co-pilot
• Understand the OWASP Top 10 for Large Language Models (LLM)
• Learn about the future AI security challenges for Secure by Design

Module 1 - Secure Development Lifecycle (SDLC)

• An overview of the main SDLC models
• Development models
  • DevOps
  • DevSecOps
• Configuration and source code management
  • Integrated teams
  • Securing the software environment
  • API security
• Risk analysis tools

Module 2 - Secure By Design

• Secure development processes
• Threat modelling
  • Identify Assets
  • Create Architecture Overview
  • Decomposing Applications
  • Identify, Document and Rate the Threats
• Practical Threat Modeling
  • STRIDE
  • Attack Trees
• Risk mitigation in the Supply Chain
  • Supply Chain Mapping
  • Trust boundaries
• Security best practice
  • Least Privilege
  • Reducing the Attack Surface
  • Input Validations
  • Defence in Depth
• Security Patterns & Models
  • System Design Tools
  • Secure design architecture

Module 3 – Introduction to Application Security (OWASP 2021)

• Vulnerabilities and mitigations available to any development environment
• Attack vectors and security controls
• OWASP Top Ten 2021
  • Broken Access Controls
    • What’s the risk?
    • Case study
    • Insecure direct objects
    • Authorisation issues
    • Indirect references
    • Function level access
    • Security trimming
    • Risky URL patterns – when not to secure by URL
    • Protecting static resources
  • Cryptographic Failures
    • What’s the risk?
    • Case study
    • Alternatives to holding data
    • Minimising the risk of encrypted data exposure data
    • Storing sensitive data
    • Machine in the middle attacks
    • Employing HSTS
  • Injection
    • What’s the risk?
    • Case study
    • Allow lists
    • Parameterisation
    • Object relational mapping (ORM)
    • Cross site scripting (XSS)
    • Payload obfuscation
    • Other injection risks
  • Insecure Design
    • What’s the risk?
    • Case study
    • Secure design
  • Security Misconfiguration
    • What’s the risk?
    • Case study
    • Insecure cloud buckets
    • Error messages
    • Handling error codes
    • Config files and sensitive data
    • Google dorks to find config files
  • Vulnerable and Outdated Components
    • What’s the risk?
    • Case study
    • Log4Shell
    • Components with known vulnerabilities
    • Identifying old frameworks and libraries
  • Identification and Authentication Failures
    • What’s the risk?
    • Case study
    • Stateless protocol
    • Persisting session state in HTTP
    • Session sates – secure by default
    • Minimising timeouts
  • Software and Data Integrity Failures
    • What’s the risk?
    • Case study
    • XML processing
    • Leveraging XXE to conduct intrusions and attacks
    • XXE prevention
    • Insecure deserialisation
    • Java object serialisation
    • Data integrity
    • Software integrity
    • Integrity controls
  • Security Logging and Monitoring Failures
    • What’s the risk?
    • Case study
    • Logging best practice
    • Security logging and monitoring failures
    • What should and shouldn’t be logged?
  • Server-Side Request Forgery (SSRF)
    • What’s the risk?
    • Case study
    • Payload injection
    • XPSA – port scanning on the server
    • Malicious attacks from the inside
    • Exploit chaining
• OWASP Top 10 Proactive Controls
• OWASP Application Security Verification Standard

Module 4 – Securing Modern Applications & AI

• Code Review
• Code Testing
  • Interface testing
  • Testing integration in CI/CD
• Encryption
  • Defending encryption
  • Hashes and passwords
• AI Security for Secure by Design
  • Challenges of AI generated software
    • Debugging and troubleshooting
    • Adaptability and customisation
  • GitHub Co-pilot
  • OWASP Top 10 for Large Language Models (LLM)
    • LLM01 – Prompt injections
    • LLM02 – Insecure output handling
    • LLM03 – Training data poisoning
    • LLM04 – Denial of service
    • LLM05 – Supply chain
    • LLN06 – Permissions issues
    • LLM07 – Data leakage
    • LLM08 – Excessive agency
    • LLM09 – Overreliance
    • LLM10 – Insecure plugins
• Future AI security challenges