Introduction to AppSec training by Kodez

Build Secure Software

Empower your development teams to create secure solutions with comprehensive,
technology-agnostic AppSec training based on real-world issues and incidents

This course is designed to help development teams build secure and robust applications by providing comprehensive AppSec training across the entire development lifecycle, from early feature and architecture design through build and deployment.

What will attendees learn?

Understand how attackers think and exploit solutions

Discuss real world examples of security issues

How to review code for security issues

Emerging Security Issues

Introduction to Threat Modelling techniques

See the tools attackers use in action

Tools that help find and prevent issues

Learn identity and JWT best practices

About the course

In this technology-agnostic course, participants will gain invaluable insights into the various attacks and strategies employed by adversaries, equipping them with the knowledge and skills necessary to effectively defend against these threats.

The course incorporates real-world issues observed first-hand by Kodez and our security partners, as well as recent public incidents. By discussing and focusing on real-world scenarios, participants gain practical insights and up-to-date knowledge that directly address the security challenges relevant to their organisation.

By the end of the course attendees will

• Understand how to prevent and mitigate the main categories of web-based security issues
• Contribute to prioritization discussions by being able to assess a security issue's risk and impact
• Explain security issues and their risk to non-technical colleagues
• Review code for common security issues and understand automated tooling options available to assist with this
• Use threat-modelling techniques (STRIDE) to help identify issues in solution designs
• Secure build and deployment pipelines
• Avoid common OAuth/OpenID/token implementation mistakes
• Know where to find further security related information and learning options to further develop skills
• Contribute to a secure culture in your organisation

"The Kodez security training sessions have been great. The content has been relevant, relatable and presented in a flexible format that promotes discussion among the team. I've enjoyed the engaging approach to the modules and the ability to focus on the most applicable security concerns for our use cases"

Technical Specialist and Platform Lead

"Relatable, constructive and eye opening content - The program took us through system vulnerabilities from the eye of the attacker, which helped us get our hacker hats on before reviewing our own systems with our new knowledge of app sec. Great program!"

Software Engineer 

Your coaches

Alex Mackey, OSCP, OSWE

Experienced technologist, author and speaker with over 22 years' commercial experience working across a range of industries and organizations of various sizes.

Has held a range of roles including Practice Lead, Principal Consultant, Staff Engineer (AppSec) and Technical Lead. Holds the Offensive Security OSCP (Offensive Security Certified Professional) and OSWE (Offensive Security Web Expert) certifications and discovered CVE-2022-40407.

Regular conference and user group speaker (NDC, Web Directions, Remix) and has previously developed and published content for Apress, Pluralsight and A Cloud Guru. Led development of the AppSec training program.

Through comprehensive and engaging training sessions, Alex ensures that participants gain a deep understanding of current security vulnerabilities and best practices, enabling them to build secure and resilient solutions.

Tharindu Edirisinghe, CISSP

A Certified Information Systems Security Professional (CISSP) with 10+ years of experience in Enterprise Software Development, Digital Transformation, IAM and GRC. Specialized in IT Risk Management, Secure Software Engineering, Cloud Security and DevSecOps, Tharindu is also an ambassador for Auth0, an OWASP member and an open-source contributor to OWASP Java Encoder, SAMLRaider and WSO2 Identity Server.

Co-Founder of the Colombo White Hat Security Meetup, active member in the cybersecurity community and a speaker at Melbourne APIs & Microservices Meetup and Melbourne Identity & Security Meetup.

Through engaging and informative training sessions, Tharindu helps organizations adopt current security frameworks and industry best practices for continuous security compliance, and build a security culture that lets them navigate the complex cybersecurity landscape, implement robust security measures and safeguard critical assets.

Course contents

Foundational Concepts

• Phased Attack Models
• How attackers discover information (reconnaissance)
• Port scanning with Nmap
• Security issues, CVEs and the CVSS rating system
• Shells: Web, Bind and Reverse Shells
• Fictional end-to-end attack example
• Privilege Escalation and Lateral Movement
• Important concepts: Encoding, Hashing, Symmetric and Asymmetric Encryption

Account Based Attacks and Defences

• Identity, Authentication and Authorization
• Types of password attacks
• Importance of Two Factor Authentication (2FA)
• How 2FA is attacked
• Defending against password attacks

Common Security Issues

• Broken Access Control
• Business Logic Failures
• LFI/RFI (Local/Remote File Inclusion), XXE (XML External Entity Injection), Zip Slip and Path Traversal
• Cryptographic Failures
• Injection - XSS, SQLi, Command, Prompt
• Deserialization attacks
• Dangling Domains
• Emerging Issues - SSRF, Prototype Pollution
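The Zip Slip and path traversal item above is easiest to understand with the actual check side by side with the bug. The following is an added example written for this page, not code from the Kodez course materials or its reference application; the destination directory, the archive and its entry names are constructed for illustration. It builds a small archive in memory that contains a benign entry, a `../` entry and an absolute-path entry, then shows the naive join that lets the last two escape and the resolve-then-contain check that rejects them without writing anything to disk.

```python
"""Added example (not Kodez course code): Zip Slip / path traversal shown
as a pure path check, so it runs without touching the filesystem.
DEST, the archive contents and the entry names are all constructed."""
import io
import os
import zipfile

DEST = "/srv/app/uploads"  # assumption: where an upload handler unpacks archives


def target_path_vulnerable(dest: str, member: str) -> str:
    """MISTAKE: join the attacker-controlled entry name straight onto dest.
    '../' segments walk out of dest, and an absolute member name makes
    os.path.join discard dest entirely."""
    return os.path.join(dest, member)


def target_path_safe(dest: str, member: str) -> str:
    """Resolve the candidate, then require it to stay inside the resolved dest.
    commonpath (not startswith) is used so '/srv/app/uploads-old/x' is not
    mistaken for a child of '/srv/app/uploads'."""
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, member))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry escapes destination: {member!r}")
    return candidate


def escapes(dest: str, member: str) -> bool:
    """True when the naive join would land outside dest (the vulnerable behaviour)."""
    root = os.path.realpath(dest)
    naive = os.path.realpath(target_path_vulnerable(dest, member))
    return os.path.commonpath([root, naive]) != root


def rejected(dest: str, member: str) -> bool:
    """True when the hardened check refuses the entry."""
    try:
        target_path_safe(dest, member)
        return False
    except ValueError:
        return True


def build_demo_archive() -> bytes:
    """Constructed archive: one honest file plus two Zip Slip payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/cat.png", b"not really a png")
        zf.writestr("../../etc/cron.d/evil", b"* * * * * root /tmp/x\n")
        zf.writestr("/etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
    return buf.getvalue()


def plan_extraction(zip_bytes: bytes, dest: str) -> dict:
    """Decide, per entry, where it may be written; reject anything that escapes."""
    accepted, rejected_names = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                accepted[name] = target_path_safe(dest, name)
            except ValueError:
                rejected_names.append(name)
    return {"accepted": accepted, "rejected": rejected_names}


if __name__ == "__main__":
    plan = plan_extraction(build_demo_archive(), DEST)
    for name, path in plan["accepted"].items():
        print("OK     ", name, "->", path)
    for name in plan["rejected"]:
        print("REJECT ", name, "(naive join would write to", target_path_vulnerable(DEST, name) + ")")
```

Two caveats worth keeping in mind when applying this check in real code: CPython's `zipfile.extractall` already strips `..` segments, but hand-rolled extraction loops and many third-party archive libraries do not, which is where Zip Slip is usually found; and `realpath` only resolves symlinks that already exist, so entries must be checked in extraction order and symlink entries rejected, otherwise an archive can drop a symlink first and write through it.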

Secure Build and Deployment Pipelines

• What is DevSecOps?
• Security Chaos Engineering
• Organization Culture
• Automated Tooling
• Common Mistakes
• Reviewing Code for security issues
• OWASP Top 10 CI/CD Security Risks
• Build and Deployment Pipelines

Introduction to Threat Modelling

• What is Threat Modelling?
• Four main phases of Threat Modelling
• STRIDE Methodology
• Step-by-step Threat-Modelling Example

OAuth and Tokens

• What is OAuth and why do we need it?
• OAuth flows (Implicit, Authorization Code + PKCE, Client Credentials, Resource Owner Password)
• JWTs: structure and validation
• Common OAuth and JWT implementation mistakes


Like to learn more?

FAQ

How Long is the training?

We recommend the modules are run as three 4-hour sessions (with breaks) to minimize disruption and maximize learning.

Can the modules be run in any order?

We have a recommended order, but most modules can be run standalone. We recommend the Foundational Concepts module is run first, as it introduces concepts that may be new to some attendees.

Who should attend?

Aimed at development teams: developers, tech leads, QAs and architects from companies of all sizes and industries. The Introduction to Threat Modelling module is particularly relevant to Product and Design people, and we encourage their attendance.

What prior knowledge is needed?

No prior knowledge of security is assumed but basic software development skills will be required.

What requirements are there for the training?

No setup is needed. Content is currently delivered in a slide-based, discussion-led format, with reference to an open-source, deliberately vulnerable application.

What takeaways are available?

Attendees receive PDFs of the slides, and the code examples are available on GitHub.

Who we’re proud to partner with

Sound Interesting?

PeopleStreme