
Explore secure software development life cycle concepts, junior-to-mid roles, and hands-on labs covering OWASP Top Ten, threat modeling, and security architecture, with job-hunt guidance and certifications.
Explore threat modeling before coding and secure code review, SAST, SCA, container security, dynamic and interactive testing throughout the secure SDLC to protect applications.
Map security job roles to every phase of the secure SDLC, from threat modeling by architects and engineers to secure code review, devsecops tooling, container security, and pentest activities.
Find application security jobs on platforms like LinkedIn using keywords such as security analyst and security engineer. Distinguish roles with sast, dast, and cloud security from infrastructure security.
Understand the technical requirements for senior security engineers and security architects, including threat modeling, architecture reviews, security controls, and expertise in OWASP top ten, SANS 25, and relevant certifications.
Explore the roles of a devsecops engineer, from implementing static and dynamic security testing in ci/cd to integrating sast, dast, container and iac scanners, with shift-left practices and compliance guidance.
Develop expertise in static and dynamic application security testing, software composition analysis, and false positive analysis; use Fortify, Veracode, Sonar, ZAP, and OWASP guidance to report findings and advise controls.
Discover the common technical requirements across entry, mid, and senior application security roles, from mastering OWASP top ten or top 25 to analyzing tool outputs and false positive analysis.
Learn static application security testing (sast), tools, and how they scan code during development to detect vulnerabilities like cross-site scripting, missing csrf tokens, and broken access control, with ci/cd integration.
Learn to perform a manual static application security test with Fortify on Demand by uploading a zip, running a scan, and analyzing results for vulnerabilities.
Learn how to perform a software composition analysis using Snyk to identify and fix security vulnerabilities in third-party libraries within a Maven project.
Master dynamic application security testing by interacting with web apps and APIs to identify vulnerabilities like cross-site scripting, missing CSRF tokens, and SQL injection using Burp and OWASP ZAP.
Demonstrates a hosted DAST workflow with OWASP ZAP scanning http example.com, revealing medium and low severity issues like missing anti clickjacking header and x content type options header.
Explore how containers package applications and dependencies with a container runtime like Docker engine, and learn about container security and scanning tools, including Aqua, Prisma Cloud, Snake, and Trevor.
Execute a container security scan with Snyk on a Python 3.4-alpine image using Docker, reveal vulnerabilities including OpenSSL and SQLite, and discuss remediation via base image upgrades.
Discover how infrastructure as code enables automated provisioning and security scans to detect misconfigurations, using tools like Chekov, Sneak, Checkov, and Snyk in CI/CD pipelines.
Demonstrate iac security scanning with chekov by running a scan on a terraform main.tf to identify security misconfigurations and learn how to interpret pass and fail test cases.
Install Node.js for the OWASP Juice Shop on your local system, verify Node version, then git clone the project and prepare for the next steps in this hands on session.
Install OWASP juice shop on your local system by cloning the repo with depth, running npm install, and starting the server on port 3000 for hands-on OWASP top ten learning.
Install Burpsuite Community Edition on a Windows 64-bit system by downloading the installer, running it, and launching Burpsuite with a temporary project using defaults.
Explore broken access control within the owasp top ten using the owasp juice shop demo, identify vulnerabilities, and apply remediation steps like deny-by-default, minimal cross-origin resource sharing, and rate limiting.
Identify cryptographic failures rooted in weak algorithms and default keys. Encrypt data at rest and in transit using strong algorithms, TLS, and proper key management.
Explore injection threats such as SQL injection and cross-site scripting, see how unsanitized input and non parameterized queries enable breaches, and learn mitigations like parameterized queries and validation.
Learn about insecure design, a top OWASP risk, where missing best practices enable sensitive data exposure. Explore prevention through secure sdlc, threat modeling, security user stories, and proper testing.
Learn how security misconfiguration arises from incorrect or missing controls, and how to remediate with server hardening, patch management, containerization, and security headers like HSTS.
Identify and prevent authentication failures by enforcing multi-factor authentication, strong passwords, and high-entropy session IDs, while mitigating brute-force risks and insecure password workflows.
Explore software and data integrity failures caused by untrusted dependencies and insecure pipelines, and learn prevention via official repos, code reviews, digital signatures, and software bill of materials.
Understand how server side request forgery lets an attacker force the app to access localhost or internal IPs, and apply input sanitization, allow lists, and disable redirects to prevent it.
Implement a four-step security architecture and design review for real-life apps, including stakeholder walkthroughs, a secure design checklist, threat modeling, and final reporting for e-commerce projects.
Sign up for Iris Risk community edition, activate your account, and log in to start creating a threat modeling project with exports, diagrams, and preconfigured reports; explore enterprise options.
Perform threat modeling on the data flow diagram with Iris Risk, identify threats and countermeasures, and generate downloadable risk, technical threat, technical countermeasure, and compliance reports.
Discover enterprise devsecops tooling, from git secrets and shift-left ide plugins to sast, dast, iac and container security, plus build pipelines, cspm, and native cloud tools.
Explain a case study on understanding project requirements before workflow implementation in a Java devsecops pipeline using GitLab, SonarCloud sast, Snyk sca, owasp zap dast, and Jira.
Execute an end-to-end devsecops pipeline for a Java project in GitLab, including committing to master and running three stages: sast with sonar cloud, sca with snyk, and zap.
Who shall take this course?
This "Application Security Fundamentals - Including Hands On Demo" course is designed for beginners looking to switch to application security. It will also help SOC engineers, DevOps Engineers, SRE, QA Professionals and Freshers looking to find a job in the field of application security. This course will teach you about various job roles in application security and the technical requirements for each job roles. It will explain the difference between application security and infrastructure security.
This course is for:
SOC engineers
DevOps
Security Engineers
Aspiring professionals in the Security domain
Quality Assurance Engineers
InfoSec/AppSec Professional
Why purchase this course?
This is only practical hands-on application security course available on the internet till now.
Application security enables secure application development with agility, at the same time it secures your application with automated security checks integrated within the pipeline. It helps to increase productivity and security by integrating security at each phase in the software development.
Also, we have included practical examples to learn about the basic building blocks of application security
By the end of the course, you will be able to successfully explain the various job roles in application security, technical expertise required for a job role and choose the best career option for you.
No Action required before taking this course. For any question or concerns, Please post your comments in discussions tab
Disclaimer: English subtitles are auto-generated so please ignore any grammar mistakes