Secure by Design

There are no prerequisites for this course.

This course does not include hands-on coding. Learners looking for implementation-focused skills can continue through QA’s Secure Engineering learning pathway.

Target audience

This course is designed for:

• Software developers, DevOps engineers, and architects integrating security into the system development lifecycle
• Security engineers and IT professionals responsible for secure design, testing, and operations
• Technical leaders and managers seeking to reduce software and AI system risk
• Professionals new to secure development who need a structured foundation

By the end of this course, learners will be able to:

• Integrate security throughout the entire system lifecycle rather than treating it as a final testing step
• Apply secure-by-design principles when planning, architecting, and building software systems
• Identify, assess, and prioritise cyber threats using structured threat modelling and risk assessment methods
• Embed automated security testing and vulnerability management into modern DevOps and CI/CD practices
• Design and implement strong identity, access control, and Zero Trust principles in applications and APIs
• Protect sensitive information using data security controls and applied cryptography
• Recognise and mitigate critical application security risks, including those in the OWASP Top 10
• Understand and manage software supply chain risks, including third-party dependencies
• Apply security principles to cloud-native and distributed architectures
• Explain how AI systems introduce new attack surfaces and risk categories
• Identify and mitigate vulnerabilities in LLMs, agentic systems, and AI-generated code
• Use emerging frameworks and standards to secure AI models, data, prompts, and infrastructure
• Adapt traditional security practices for AI-driven and autonomous systems
• Contribute to a culture of continuous security monitoring and improvement

Secure development lifecycle

• Overview of common SDLC models and their security implications
• Extending the SDLC to include operations and system retirement
• DevOps and DevSecOps development models
• Risks of treating security as an afterthought
• Embedding security controls into CI/CD pipelines
• Continuous security integration and feedback loops

Secure-by-design and threat modelling

• Software Security Code of Practice principles
• Secure-by-design concepts and risk-driven decision making
• Threat actors, motivations, and common targets
• Assets, threats, and risk categories
• Threat modelling purpose and benefits
• Threat modelling methodologies including STRIDE and PASTA
• Threat rating using DREAD
• Practical threat modelling process from asset identification to risk prioritisation

Security testing and vulnerability management

• Common vulnerabilities across modern development environments
• Vulnerability identification and management lifecycle
• Automated security testing in CI/CD pipelines
• Static, dynamic, and software composition analysis tools
• Pre-deployment scanning and quality gates
• Penetration testing purpose, value, and limitations
• Risk-based vulnerability prioritisation and remediation

Identity and access management

• Identity and access management concepts and attributes
• Identification, authentication, authorisation, and accountability
• Multi-factor authentication and federated identity
• Authorisation versus access control
• Least privilege and privileged access management
• API security considerations
• Applying Zero Trust principles in modern applications

Data security

• Core data security principles
• Protecting data in use, in transit, and at rest
• Data masking, tokenisation, and pseudonymisation
• Secure handling of sensitive data in applications and APIs

Cryptography fundamentals

• Cryptography and the confidentiality, integrity, and availability model
• Symmetric and asymmetric encryption
• Hybrid encryption approaches
• Certificates, public key infrastructure, and trust models
• Hardware security modules and key protection
• Introduction to post-quantum cryptography

Application security and OWASP Top 10

• Purpose and structure of the OWASP Top 10
• Overview of recent changes and emerging risk trends
• Coverage of the entire top ten, with case studies and modern mitigation
• Broken access control and authentication failures
• Security misconfiguration and insecure design
• Injection vulnerabilities and cryptographic failures
• Software and data integrity failures
• Logging, monitoring, and alerting weaknesses
• Software supply chain vulnerabilities and SBOM concepts
• Secure coding, configuration, and cloud audit readiness
• Learning from real-world vulnerability case studies

AI security foundations

• The AI system lifecycle and security considerations
• ETSI EN 304 233 principles for securing AI systems
• Identifying and protecting AI assets including models, data, and prompts
• Risks from AI-generated code and autonomous workflows
• LLM-specific threats such as prompt injection, overreliance, and model theft
• Agentic AI risks including excessive agency and cascading failures
• AI security frameworks including MITRE ATLAS and NIST AI risk models
• AI-focused threat modelling using STRIDE-AI and DREAD
• Security challenges in autonomous and NoOps environments

Exams and assessments

There are no formal exams or certifications associated with this course. Learners complete structured knowledge checks and scenario-based exercises throughout the course to reinforce key concepts and validate understanding.

Hands-on learning

The course includes practical threat modelling activities, secure design exercises, and guided case studies. Learners apply security concepts to realistic software and AI-enabled scenarios, focusing on risk identification, mitigation strategies, and decision making rather than hands-on coding.