This training course introduces developers to Secure Software Development Life Cycle (S-SDLC) methodologies and practices and provides a clear strategy for recognizing insecure patterns across different technologies (mobile and web) and programming languages. Attendees will familiarize themselves with commonly used security tools, exploit vulnerabilities in real code, create a fix based on the OWASP ASVS, MASVS (for mobile) and SKF recommendations, and validate the effectiveness of their solution.

Topics outline

During the training we will explore the activities across the complete SDLC that are needed to build secure code, and learn to recognize insecure code using two different Java applications (Javula, WebGoat). Using the same security tools that security engineers use, we will exploit the vulnerabilities, create a fix based on the ASVS v4, MASVS (for mobile) and SKF recommendations, and validate the fix by re-running the earlier exploits against it.

The first day focuses on understanding the security standards (using ASVS and SKF), how to do threat modelling, and how to apply the security principles. After that, using security tools, we will start exploiting web application vulnerabilities in the WebGoat Java app. Each attendee will exploit, fix and retest the vulnerabilities.

The second day introduces some of the Spring Boot security features (like the Java Security Manager) and explores well-known issues that have affected Spring Boot. The second part keeps the focus on another batch of backend vulnerabilities and briefly covers how to detect them through source code review processes for mobile and web. Finally, an exciting and fun security quiz will take place in the last 30 minutes, and the winner will be awarded a defdeveu gadget.

Takeaway skills

On a base level students will: