The goal of this program is to provide developers, architects, and security professionals with the practical knowledge to embed security into every stage of the Software Development Lifecycle (SDLC):

• Software Developers and Engineers.
• Application Security Specialists and Analysts.
• DevOps and DevSecOps Engineers.
• Solution and Enterprise Architects.
• Quality Assurance (QA) and Testing Teams.
• Product Owners and Managers.
• CISO and Security Managers overseeing development teams.

• Hands-on coding labs focused on fixing and exploiting OWASP Top 10 vulnerabilities.
• Group threat modeling exercises for a new application feature.
• Case studies on successful DevSecOps pipeline implementations.
• Practical exercises using simplified SAST/SCA tools to analyze code.
• Discussions on designing a developer security training program.

Unit 1: Fundamentals of Application Security

• Understanding the OWASP Top 10 and its relevance.
• Common application vulnerabilities (e.g., injection, broken access control).
• The cost and impact of application security breaches.
• The philosophy of "Shifting Left" in the SDLC.

• Principles of secure design (least privilege, secure defaults).
• The process of effective threat modeling (e.g., STRIDE, DREAD).
• Identifying trust boundaries and data flow in application architecture.
• Defining security requirements and acceptance criteria early in the design phase.

Unit 2: Integrating Security into the Development Process

• Best practices for preventing common web application vulnerabilities.
• Handling user input securely (validation, sanitization, encoding).
• Securely managing state and session information.
• Cryptographic best practices and key management within applications.

• Creating and socializing secure coding standards and guidelines.
• Embedding security requirements into Agile user stories and sprints.
• Effective security awareness and training for developers.
• The role of the Security Champion program.

Unit 3: Automated Security Testing

• Static Application Security Testing (SAST) and code analysis tools.
• Dynamic Application Security Testing (DAST) for runtime flaws.
• Interactive Application Security Testing (IAST) and its benefits.
• Selecting and tuning automated testing tools for accuracy.

• Software Composition Analysis (SCA) for third-party libraries.
• Managing known vulnerabilities in open-source components.
• Creating a Software Bill of Materials (SBOM) for transparency.
• Securing the CI/CD pipeline and code repository (DevSecOps).

Unit 4: Post-Deployment and Operational Security

• Implementing Web Application Firewalls (WAFs) and API Gateways.
• Runtime Application Self-Protection (RASP) and its deployment models.
• Secure configuration of application servers and containers.
• API security: authentication, authorization, and rate limiting.

• Establishing a bug bounty or coordinated vulnerability disclosure program.
• Prioritizing and tracking remediation of application vulnerabilities.
• Developing application-specific incident response playbooks.
• Secure logging, monitoring, and alerting for application-layer attacks.

Unit 5: Advanced Topics and DevSecOps Integration

• Integrating SAST/DAST/SCA into Continuous Integration (CI) tools.
• Automating security gates and "breaking the build" on severe findings.
• Using Infrastructure as Code (IaC) security scanning tools.
• Orchestrating security tools for end-to-end automation.

• Security for serverless and function-as-a-service architectures.
• Advanced container security and admission controllers (Kubernetes).
• The use of AI/ML in application security testing.
• Security for mobile applications (storage, communication, and APIs).