How to Write Secure Code Training Course

Implementing a secure networked application can be challenging, even for developers who have previously used various cryptographic building blocks like encryption and digital signatures. To help participants grasp the role and usage of these cryptographic primitives, the course first establishes a solid foundation on the main requirements of secure communication – including secure acknowledgment, integrity, confidentiality, remote identification, and anonymity. It also presents typical problems that can undermine these requirements along with real-world solutions.

Since cryptography is a critical aspect of network security, the course discusses the most important algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement. Rather than focusing on deep mathematical background, these concepts are explored from a developer's perspective, illustrating typical use-case examples and practical considerations related to cryptography, such as public key infrastructures. Various security protocols across different areas of secure communication are introduced, with a detailed discussion on widely-used protocol families like IPSEC and SSL/TLS.

Typical crypto vulnerabilities are discussed, covering both specific algorithms and protocols. This includes issues such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE, and others, as well as RSA timing attacks. For each issue, practical considerations and potential consequences are described, again without delving into complex mathematical details.

Finally, given that XML technology is central for data exchange by networked applications, the security aspects of XML are described. This includes the usage of XML within web services and SOAP messages alongside protection measures such as XML signature and XML encryption – as well as weaknesses in those protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection.

Participants attending this course will

• Understand basic concepts of security, IT security and secure coding
• Understand the requirements of secure communication
• Learn about network attacks and defenses at different OSI layers
• Have a practical understanding of cryptography
• Understand essential security protocols
• Understand some recent attacks against cryptosystems
• Get information about some recent related vulnerabilities
• Understand security concepts of Web services
• Get sources and further readings on secure coding practices

Audience

Developers, Professionals

This three-day course introduces the fundamental principles of securing C/C++ code against malicious actors who might exploit vulnerabilities related to memory management and input handling. Participants will learn the key practices for writing secure software.

Even seasoned Java developers often do not fully master the array of security services provided by Java, nor are they always aware of the various vulnerabilities that impact web applications built with Java.

This course goes beyond introducing the security components of Standard Java Edition; it also addresses security concerns in Java Enterprise Edition (JEE) and web services. Discussions on specific services are grounded in the fundamentals of cryptography and secure communication. Through various exercises, participants will explore declarative and programmatic security techniques in JEE, as well as transport-layer and end-to-end security for web services. The use of all these components is demonstrated through practical exercises, allowing participants to experiment with the discussed APIs and tools firsthand.

The course also examines and explains the most common and severe programming flaws in the Java language and platform, as well as web-related vulnerabilities. In addition to typical bugs made by Java developers, the covered security vulnerabilities address both language-specific issues and problems arising from the runtime environment. All vulnerabilities and corresponding attacks are illustrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand the basic concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and how to avoid them
• Understand the security concepts of web services
• Learn how to use various security features of the Java development environment
• Gain a practical understanding of cryptography
• Understand security solutions in Java EE
• Learn about typical coding mistakes and how to avoid them
• Receive information about recent vulnerabilities in the Java framework
• Acquire practical knowledge in using security testing tools
• Obtain resources and further readings on secure coding practices

Audience

Developers

Description

The Java language and the Java Runtime Environment (JRE) were designed to minimize the most problematic common security vulnerabilities found in other languages, such as C/C++. However, software developers and architects must do more than just learn how to use the various security features available in the Java environment (positive security); they must also be aware of the numerous vulnerabilities that remain relevant to Java development (negative security).

The introduction to security services begins with a brief overview of cryptography fundamentals, providing a common baseline for understanding the purpose and operation of the applicable components. The use of these components is demonstrated through several practical exercises, allowing participants to experiment with the discussed APIs firsthand.

The course also reviews and explains the most frequent and severe programming flaws associated with the Java language and platform, covering both typical bugs committed by Java programmers and issues specific to the language and environment. All vulnerabilities and relevant attacks are demonstrated through easy-to-understand exercises, followed by recommended coding guidelines and possible mitigation techniques.

Participants attending this course will

• Understand basic concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Learn to use various security features of the Java development environment
• Gain a practical understanding of cryptography
• Learn about typical coding mistakes and how to avoid them
• Get information about some recent vulnerabilities in the Java framework
• Get sources and further readings on secure coding practices

Audience

Developers

Today, various programming languages allow developers to compile code for the .NET and ASP.NET frameworks. This environment offers robust tools for security development; however, developers must understand how to apply architectural and coding-level techniques to implement the desired security measures, prevent vulnerabilities, and limit potential exploitation.

This course aims to guide developers through numerous practical exercises to teach them how to prevent untrusted code from executing privileged actions, protect resources via strong authentication and authorization, manage remote procedure calls, handle sessions, and explore various implementation options for specific functionalities.

The introduction to different vulnerabilities begins by highlighting typical programming errors made when using .NET. The discussion on ASP.NET vulnerabilities also covers various environment settings and their impact. Furthermore, the topic of ASP.NET-specific vulnerabilities addresses general web application security challenges as well as special issues and attack vectors, such as ViewState attacks and string termination attacks.

Participants attending this course will

• Grasp the fundamental concepts of security, IT security, and secure coding.
• Learn about web vulnerabilities beyond the OWASP Top Ten and understand how to avoid them.
• Master the use of various security features within the .NET development environment.
• Gain practical experience with security testing tools.
• Identify common coding mistakes and learn how to prevent them.
• Stay informed about recent vulnerabilities in .NET and ASP.NET.
• Access resources and further reading materials on secure coding practices.

Audience

Developers

This course equips PHP developers with the essential skills needed to make their applications resilient against modern internet threats. It explores web vulnerabilities through PHP examples that go beyond the OWASP Top Ten, addressing various injection attacks, script injections, session handling issues, insecure direct object references, file upload vulnerabilities, and more. PHP-related vulnerabilities are categorized into standard types such as missing or improper input validation, incorrect error and exception handling, misuse of security features, and time- or state-related issues. For the latter, we examine attacks like open_basedir circumvention, denial-of-service via magic float, and hash table collision attacks. In each scenario, participants will learn the key techniques and functions required to mitigate these risks.

Particular emphasis is placed on client-side security, addressing issues related to JavaScript, Ajax, and HTML5. The course introduces various PHP extensions for cryptography (such as hash, mcrypt, and OpenSSL) and for input validation (including Ctype, ext/filter, and HTML Purifier). Best practices for hardening PHP configuration (php.ini settings), Apache, and the server environment are also covered. Additionally, participants will gain an overview of security testing tools and techniques available to developers and testers, including security scanners, penetration testing tools, exploit packs, sniffers, proxy servers, fuzzing tools, and static source code analyzers.

Both the introduction of vulnerabilities and configuration practices are reinforced through hands-on exercises. These activities demonstrate the consequences of successful attacks, show how to apply mitigation techniques, and guide participants in using various extensions and tools.

Participants attending this course will

• Understand fundamental concepts of security, IT security, and secure coding
• Learn about web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
• Gain knowledge of client-side vulnerabilities and secure coding practices
• Develop a practical understanding of cryptography
• Learn to utilize various PHP security features
• Identify typical coding mistakes and learn how to avoid them
• Stay informed about recent PHP framework vulnerabilities
• Acquire practical experience with security testing tools
• Access resources and further reading on secure coding practices

Audience

Developers

This comprehensive SDL core training provides an in-depth look at secure software design, development, and testing, guided by the Microsoft Secure Development Lifecycle (SDL). It offers a foundational (level 100) overview of the essential components of SDL, followed by design techniques aimed at detecting and resolving flaws during the early stages of the development process.

Focusing on the development phase, the course covers typical security-relevant programming bugs in both managed and native code. It presents attack methods for discussed vulnerabilities alongside associated mitigation techniques. Participants engage in numerous hands-on exercises that offer practical, live hacking experiences. Additionally, the introduction of various security testing methods is reinforced by demonstrating the effectiveness of different testing tools. Through practical exercises applying these tools to previously discussed vulnerable code, participants gain a clear understanding of their operation.

Participants attending this course will

Understand basic concepts of security, IT security, and secure coding.

Become familiar with the essential steps of the Microsoft Secure Development Lifecycle.

Learn secure design and development practices.

Gain knowledge of secure implementation principles.

Understand security testing methodology.

• Access sources and further readings on secure coding practices.

Audience

Developers, Managers.

In this instructor-led live course in Mexico, participants will learn how to develop an appropriate security strategy to address the challenges of DevOps security.

This world-class, cutting-edge, hands-on workshop immerses participants in the critical realities of modern CI/CD pipeline security. Designed for security professionals, DevOps engineers, and developers eager to master advanced pipeline breach defense, the training blends live attack simulations with industry-leading tools and practical defense techniques.

The EC-Council Certified DevSecOps Engineer (ECDE) is a practical program designed to empower professionals with the capabilities to integrate security throughout the DevOps lifecycle, fostering secure software development from the initial planning phases through to deployment.

This instructor-led live training, available both online and onsite, targets intermediate-level software and DevOps professionals aiming to incorporate security protocols into CI/CD pipelines, thereby ensuring the delivery of code that is both secure and compliant.

Upon completing this training, participants will be equipped to:

• Grasp the core principles and practices of DevSecOps.
• Safeguard every phase of the CI/CD pipeline utilizing automated tools.
• Apply secure coding standards and conduct vulnerability scanning.
• Get ready for the ECDE certification through hands-on labs and comprehensive review.

Course Format

• Engaging lectures and group discussions.
• Practical application of DevSecOps tools within simulated pipelines.
• Supervised exercises centered on secure development and deployment strategies.

Customization Options

• For personalized training tailored to your team’s specific workflows or toolchains, please reach out to us to make arrangements.

Based on the latest OWASP GenAI Security Project guidance, participants will learn to identify, assess, and mitigate AI-specific threats through hands-on exercises and real-world scenarios.

This instructor-led, live training in Mexico (online or onsite) is aimed at developers, engineers, and architects who wish to apply the MSTG testing principles, processes, techniques, and tools to secure their mobile applications and services.

By the end of this training, participants will be able to:

• Explore testing techniques to strategize an effective security testing implementation in the development lifecycle.
• Perform testing techniques to test general vulnerabilities and risks in mobile apps.
• Run various security testing processes to secure their Android and iOS mobile applications.

This instructor-led, live training in Mexico (online or on-site) is designed for web developers and leaders who wish to explore and apply the OWASP Top 10 reference standard to secure their web applications.

By the end of this training, participants will be able to strategize, implement, secure, and monitor their web applications and services using the OWASP Top 10 document.

This course explores secure coding concepts and principles for Java, utilizing the testing methodology of the Open Web Application Security Project (OWASP). OWASP is an online community that produces freely accessible articles, methodologies, documentation, tools, and technologies focused on web application security.

This course delves into secure coding concepts and principles using ASP.NET, guided by the Open Web Application Security Project (OWASP) testing methodology. OWASP is an online community dedicated to producing freely available articles, methodologies, documentation, tools, and technologies focused on web application security.

The course explores the security features of the .NET Framework and demonstrates how to secure web applications.