
This course includes our updated coding exercises so you can practice your skills as you learn.
See a demo
Participants will be able to understand the overall content and structure of the course.
Participants will be aware of some of the technical and non-technical terms used through-out the course.
Participants will be introduced the idea of software security anti-patterns.
The participants will learn about confirmation bias as a software security anti-pattern.
The participants will understand Wason's 2-4-6 problem and its relevance to secure coding.
The participants will experience an audio illusion that explains how our brain works.
The participants will be introduced about a devastating software security bug called HeartBleed found in 2014.
The participants will understand the details of the HeartBleed security bug and its reflections to software security in general.
The participants will be introduced about the details of a file upload.
Please follow the instructions in the Demo Setup and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing confirmation bias as an anti-pattern.
The participants will shortly review the confirmation bias anti-pattern.
The participants will learn about copy-paste insecure code as a software security anti-pattern.
The participants will understand that StackOverflow has many popular but insecure answers.
The participants will be introduced a security vulnerability called XXE.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will shortly see what SSL certificate validation items are.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing copy-paste insecure code as an anti-pattern.
The participants will shortly review the copy-paste insecure code anti-pattern.
The participants will learn about lack of authorization as a software security anti-pattern.
The participants will understand a simple but hideous security bug called Insecure Direct Object Reference.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand missing authorization controls on data post-backs creates serious security weaknesses.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing lack of authorization as an anti-pattern.
The participants will shortly review the lack of authorization anti-pattern.
The participants will learn about mixing code and data as a software security anti-pattern.
The participants will review maybe the most popular security bug; SQL Injection.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will some background information about XML and XPath to easily understand a serious security vulnerability called XPath Injection.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing mixing code and data as an anti-pattern.
The participants will realize that neutralization can be used as an effective strategy to prevent weaknesses that stem from mixing code and data anti-pattern.
The participants will shortly review the mixing code and data anti-pattern.
The participants will learn about using blacklists as a software security anti-pattern.
The participants will review an old but a sticky web application security bug called Cross Site Scripting.
The participants will understand why we tend to use blacklisting for security requirements and why it is not a good idea.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will see the story of .NET's request validation technology and why Microsoft quit using it in new framework versions by default.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing using blacklists as an anti-pattern.
The participants will shortly review the using blacklists anti-pattern.
The participants will learn about pardon the malintent as a software security anti-pattern.
Participants will see that some regular expressions may result in security bugs in certain situations.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will be introduced directory traversal as a serious security bug.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing pardon the malintent as an anti-pattern.
The participants will shortly review the pardon the malintent anti-pattern.
The participants will learn about secure library ignorance as a software security anti-pattern.
The participants will be introduced a JavaScript library called jsTree and some of its details.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand that deserialization may cause devastating security bugs when handled insecurely.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will review a really short information on React framework and single page applications in general.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand the mitigation venues on preventing secure library ignorance as an anti-pattern.
The participants will shortly review the secure library ignorance anti-pattern.
The participants will learn about insufficient WWW knowledge as a software security anti-pattern.
The participants will see an HTTP header called X-Forwarded-For and its possible usages.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will review the basic details and a regular flow of CAPTCHAs as a security solution.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will be introduced the details of a weakness called session puzzling.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will understand that client side controls are ineffective from security perspective and it stems from insufficient web knowledge.
The participants will understand the mitigation venues on preventing insufficient WWW knowledge as an anti-pattern.
The participants will shortly review the insufficient WWW knowledge anti-pattern.
The participants will learn about increasing the attack surface as a software security anti-pattern.
The participants will be introduced a weakness called Mass Assignment.
Please follow the instructions in the Demo Setup document and the Git Repository links in the Resources section in order to setup your environment and run this demo by yourself.
The participants will see a sophisticated security bug in Twitter and it relevance to increasing the attack surface anti-pattern.
The participants will understand the mitigation venues on preventing increasing the attack surface as an anti-pattern.
The participants will shortly review the increasing the attack surface anti-pattern.
This training is about writing secure software. We chose to deliver secure coding practices using a perspective where widespread coding security mistakes are classified into understandable chunks. We hope that this will make more sense and be more helpful to hardcore developers and analysts.
Security should be an intrinsic part of any software production methodology and its implementation. That being said, development is a complex process and it is extremely hard to keep a software secure as it ages. Although there are numerous security tools (LLMs included), methodologies and knowledge to produce a secure software, still vast number of applications include critical security bugs. Most of these bugs stem from bad coding patterns that we call software security anti-patterns or in simpler term, mistakes.
An anti-pattern is a common response to a recurring problem that is usually ineffective or worse carry risks. In other words, anti-patterns are commonly reinvented bad solutions to problems.
For example, one of the most famous anti-patterns in software development is the Spaghetti Code. In early phases of being a developer, we are usually not familiar with the importance of modularity or find little time to design first. So, we tend to produce extremely complicated, hard to understand unstructured software. This way of coding produces Spaghetti Code which is hard to maintain and write test code, however, the end product may still run perfectly and serve well in production. But then it is extremely hard to adapt to any possible new changes and add new features.
Similarly, there are bad design or coding choices that repeatedly lead to security bugs. It is important to be aware of these software security anti-patterns in order not to fall prey to hackers. This course will try to explain eight core mistakes. Some are more prevalent than the others, however, all of them produce deadly results. In each lesson, we will first try to explain what the specific anti-pattern is all about. Then, we will move on giving one or more demos on what can go wrong when that mistake is made. At the end of each lesson, we will look at different sound and widely acknowledged solutions against insecure design or coding choices. You will also have the opportunity to apply what you have learned by solving hands-on coding exercises prepared for various programming languages.
Note: Unfortunately, in udemy, all coding exercises should be completed before getting a certificate of completion. Due to negative feedbacks, semantically same coding exercises using different programming languages are barred down by keeping only one exercise per section.