Application Security for Developers Training

  • Learn via: Classroom / Virtual Classroom / Online
  • Duration: 2 Days
  • Level: Intermediate
  • Price: From €4,010+VAT

The future of secure software development depends on developers who understand how to design, build, and maintain secure applications. This intensive two-day course provides developers, architects, and tech leads with practical skills to identify and remediate vulnerabilities in their code. Through interactive labs and real-world scenarios, learners will explore modern application security practices and learn to apply threat modelling techniques using the STRIDE methodology. Participants will also gain insight into secure coding patterns, defensive programming, and common exploitation techniques used by attackers.

The course bridges theory with hands-on practice to help developers strengthen their security mindset, align development workflows with security principles, and confidently safeguard applications throughout their lifecycle.

We can organize this training at your preferred date and location. Contact Us!

What You Will Learn

By the end of this course, learners will be able to:

  • Understand key principles of application security and their relevance to the software lifecycle.
  • Apply the STRIDE threat modelling methodology to assess risks at any stage of development.
  • Identify, exploit, and remediate vulnerabilities in application code through hands-on exercises.
  • Secure data in transit and at rest using appropriate cryptographic methods.
  • Implement safe authentication, session management, and API security controls.
  • Recognise and defend against client-side, server-side, and injection-based attacks.
  • Integrate secure coding and vulnerability management practices into Agile development environments.
  • Build a culture of security awareness across the development team.

Training Outline

Application security fundamentals

  • Why secure development is essential in modern software environments.
  • The cost of insecure code and lessons from real-world breaches.
  • Understanding the OWASP Top 10 and common developer pitfalls.
  • Core threat modelling concepts and the STRIDE framework.

Developer environment security

  • Protecting code in repositories and managing secure commits.
  • Securing third-party dependencies and libraries.
  • Automated code scanning and continuous integration security.
  • Simulated attacks: phishing and supply chain compromises.

Front-end security

  • Understanding the HTTP/HTTPS protocol and browser request flows.
  • Identifying attack surfaces in client-side code.
  • Securing forms, input validation, and browser sessions.
  • Applying and testing client-side security headers.
  • Attacks and mitigations:
    • Cross-site scripting (XSS)
    • File upload vulnerabilities and client-side code injection
    • Session hijacking and cookie manipulation

Backend and API security

  • Securing authentication and authorisation mechanisms.
  • Applying secure design principles to APIs and backend logic.
  • ORM and model-layer security to prevent injection and mass assignment.
  • Integration security for third-party APIs and external services.
  • Attacks and mitigations:
    • Brute force and login bypass
    • Parameter tampering
    • Server-side URL manipulation

Data security

  • Principles of protecting data at rest and in transit.
  • Implementing encryption, hashing, and key management securely.
  • Understanding cryptographic vulnerabilities.
  • Attacks and mitigations:
    • SQL injection
    • Insecure deserialisation

Secure file handling

  • Validating file uploads and managing MIME types.
  • Safely processing and storing user-uploaded documents.
  • Attacks and mitigations:
    • Remote code execution via malicious uploads
    • XML external entity (XXE) attacks
    • Insecure direct object reference (IDOR)

Source code review and exploit chaining

  • Conducting secure source code reviews.
  • Analysing vulnerable code snippets to identify exploit chains.
  • Capture the flag exercise: identifying flaws under timed conditions.

Threat modelling and agile security integration

  • Applying threat modelling to full applications and incremental features.
  • Building and maintaining threat lists within Agile workflows.
  • Integrating security requirements into backlogs and sprints.
  • Driving a team-wide security culture through process and awareness.

Exams and assessments

There are no formal exams in this course. Instead, learners complete interactive labs, practical challenges, and a competitive capture the flag activity to test their skills. Knowledge checks and guided discussions ensure participants can apply their learning to real-world projects.

Hands-on learning

This course includes extensive hands-on activities, including:

  • Practical threat modelling of real application features.
  • Exploiting and remediating more than ten common vulnerabilities using professional security tools.
  • Reviewing and securing insecure code in sandboxed environments.
  • Simulated red-team exercises led by experienced penetration testers.
  • A final capture the flag challenge to reinforce and test learning outcomes.

Contact us for more detail about our trainings and for all other enquiries!

Available Training Dates

Join our public courses in our Istanbul, London and Ankara facilities. Private class trainings will be organized at the location of your preference, according to your schedule.

18 January 2026 (2 Days)
Istanbul, Ankara, London
€4,010 +VAT
08 March 2026 (2 Days)
Istanbul, Ankara, London
€4,010 +VAT
23 March 2026 (2 Days)
Istanbul, Ankara, London
€4,010 +VAT
03 April 2026 (2 Days)
Istanbul, Ankara, London
€4,010 +VAT
31 May 2026 (2 Days)
Istanbul, Ankara, London
€4,010 +VAT
