Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Master Application Security: Threat Modeling & Testing

Name: Master Application Security: Threat Modeling & Testing
Rating: 4.6 (14 reviews)

Explore application security best practices with threat modeling, security testing, and DevSecOps integration strategies

Role Play

Created byStarweaver Experts, Derek Fisher, Paul Siegel

Last updated 4/2026

English

What you'll learn

Apply secure coding practices and the OWASP top 10 prevention techniques to eliminate vulnerabilities during development phases.
Analyze application architectures to identify critical security threats and design threat models to mitigate risks and ensure the security of applications.
Evaluate software supply chains and implement security controls for open-source components, dependencies, and vendor relationships.
Design secure cloud-native and container architectures with automated monitoring and compliance validation to maintain cloud application security.
Gain expertise in application security testing approaches to identify and mitigate vulnerabilities in both development and production.
Explore the best practices for securing web applications, including secure coding, threat modeling, and continuous monitoring.

Course content

14 sections • 52 lectures • 3h 58m total length

Intro Video to Course3:25
Introduction to the course, key topics to be covered, and call to action.

Section Introduction3:10
Hook + Key topics covered + Call to action
Secure by Design Principles4:37
What if security was built into your applications from day one instead of bolted on as an afterthought? This lesson explores CISA's Secure by Design principles that are transforming how leading organizations approach application security, covering fundamental design patterns that make applications secure by default.
Secure Coding Practices4:59
Are coding habits creating vulnerabilities that hackers are actively exploiting right now? Discover essential secure coding techniques that prevent common attack vectors, including input validation your, output encoding, and defensive programming strategies that stop vulnerabilities before they reach production.
Secure Configuration and Defaults6:28
Did you know that many successful attacks exploit default configurations that developers never changed? Learn how to implement secure defaults and configuration management practices that eliminate common attack vectors through proper system hardening and baseline security controls.

Prevention of OWASP Top 106:18
The OWASP Top 10 represents the most critical security risks that are actively destroying organizations worldwide. Are you prepared to defend against them? This comprehensive lesson covers the first tier of OWASP Top 10 vulnerabilities including broken access control, cryptographic failures, and injection attacks with practical prevention strategies.
Stopping Insecure Design and Misconfiguration Failures5:39
Insecure design and security misconfiguration are silently undermining applications across the globe. Learn how to spot and stop these threats before they compromise your systems. Explore advanced prevention techniques for design-level security flaws and configuration vulnerabilities that attackers exploit to gain unauthorized access.
Defending Against Supply Chain Attacks and Logging Failures10:19
Supply chain attacks and logging failures are the hidden vulnerabilities that enable attackers to persist undetected in your environment. Discover how to secure your software supply chain, implement comprehensive security logging, and detect attacks before they cause irreversible damage.

Code Testing for Vulnerabilities4:54
This conceptual demo shows how to install Semgrep and perform a quick scan to detect a single SQL injection vulnerability. It focuses on the basics of setup and running manual scans, offering a straightforward introduction for beginners. The video does not cover advanced strategies, false positive handling, workflow integration, or comprehensive application security testing.
Testing an Application for Run-Time Vulnerabilities6:41
What if vulnerabilities only surface when your application is under real-world attack conditions that static testing can't simulate? Discover how to implement Dynamic Application Security Testing (DAST) and interactive testing techniques that evaluate your application's security posture during actual execution. Learn to identify runtime-specific vulnerabilities like authentication bypasses, session management flaws, and business logic errors that emerge only when applications interact with live data and user inputs.
Run-Time Protection7:01
Even the most secure code can be compromised at runtime. Discover how to implement dynamic protection mechanisms that defend against attacks in real-time. Explore runtime application self-protection (RASP), behavioral monitoring, and adaptive security controls that respond to threats as they emerge. Implement these advanced defenses to create applications that actively protect themselves against evolving attack techniques.
Foundations Section of the OWASP Developer Guide0:15
Hands-On-Learning: Secure Coding: Fixing Vulnerabilities in GitHub Codespaces0:13
Application Security Testing and Protection

Section Introduction2:12
Threats vs Risks5:14
Are you confusing threats with risks and making critical security decisions based on incomplete understanding? This foundational lesson clarifies the essential distinction between threats (what could happen), vulnerabilities (weaknesses that enable threats), and risks (the actual business impact), using real-world examples that demonstrate why this matters for effective security strategy.
Intro to Threat Modelling4:36
What if you could systematically anticipate every way attacker might compromise your application before they do? Discover the fundamentals of threat modeling, the proactive security practice that leading organizations use to identify and mitigate security risks during the design phase when fixes are cheapest and most effective. Start your journey toward building inherently secure applications by understanding why threat modeling is the cornerstone of modern application security.
Utilizing STRIDE For Threat Modelling5:52
How do security professionals systematically uncover threats across complex application architectures without missing critical attack vectors? Learn the STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) that provides a structured framework for comprehensive threat identification.

Threat Modelling with OWASP Threat Dragon8:20
What if you could identify and eliminate security threats before writing a single line of code? This hands-on lesson demonstrates how to use OWASP Threat Dragon, the industry-standard free tool, to create comprehensive threat models that systematically uncover attack vectors and design effective countermeasures. Master this essential skill to shift security left and prevent costly vulnerabilities from reaching production.
Using Attack Trees in Threat Modelling6:00
Are you missing critical attack paths that sophisticated hackers are already exploiting? Discover how attack trees provide a structured approach to mapping complex, multi-step attack scenarios that traditional threat modeling might overlook. Apply this powerful technique to visualize how attackers' chain together vulnerabilities and design defenses that break the attack chain.
Completing a Rapid Threat Modeling Prototyping (RTMP)5:40
Do you need to perform effective threat modeling when time and resources are limited? Learn the Rapid Threat Modeling Prototyping (RTMP) methodology that delivers actionable security insights in compressed timeframes without sacrificing quality or coverage. Implement this streamlined approach to integrate threat modeling into fast-paced development cycles and agile workflows.

Risk Rating Using OWASP Risk Rating6:57
How do you communicate the business impact of a SQL injection vulnerability to executives who need to prioritize security investments across dozens of competing initiatives? Learn to implement the OWASP Risk Rating methodology that systematically evaluates threat likelihood and business impact to produce actionable risk scores that resonate with both technical teams and business stakeholders.
CVSS Scoring for Vulnerability Management7:20
Are you struggling to prioritize vulnerability remediation when your security scanners report thousands of findings with inconsistent severity ratings? Explore the Common Vulnerability Scoring System (CVSS) that provides standardized, industry-accepted vulnerability severity metrics used by security teams worldwide for consistent risk assessment. Learn to interpret CVSS base scores, temporal metrics, and environmental factors that help enterprise security teams prioritize patching efforts, allocate resources effectively, and communicate vulnerability risk to stakeholders using universally understood severity classifications.
Transforming Threats into Secure Designs6:56
You've identified the threats. But how do you translate those findings into actionable security controls that actually protect your application? This critical lesson demonstrates how to convert threat modeling results into specific design decisions, security requirements, and architectural patterns that eliminate or mitigate identified risks.
NIST Threat Modeling Guidelines0:17
Hands-On-Learning: Attack Path Modeling: Creating Attack Trees with Deciduous0:18
Threat Modeling Best Practices
Persuading a Development Team to Implement Secure Design Patterns Based on Threat Modeling Results

Section Introduction2:09
Software Supply Chain Threat Landscape5:45
Are you unknowingly building applications on a foundation of compromised components that attackers are already exploiting? This comprehensive overview explores the modern supply chain attack ecosystem, from dependency confusion and malicious packages to nation-state campaigns like SolarWinds that compromised over 30,000 organizations.
Software Bill of Materials (SBOM) Fundamentals5:24
What if you could instantly identify every vulnerable component in your software when the next Log4j-style crisis hits the industry? This essential lesson demonstrates how to create and manage Software Bills of Materials using industry-standard formats like SPDX and CycloneDX, transforming invisible dependencies into manageable assets with complete visibility and traceability.
Dependency Management and Open-Source Risk Assessment6:56
With 1 in 8 open-source downloads having known risks and approximately 245,000 malicious packages detected in 2023, are you confident your dependency management strategy can protect against the 742% annual increase in supply chain attacks? Learn systematic approaches to evaluate open-source components, implement dependency pinning, and establish update policies that balance security with stability.

SLSA Framework and Build Provenance5:41
How can you prove that your software artifacts haven't been tampered with during the build process when attackers are increasingly targeting CI/CD pipelines? Discover the Supply-chain Levels for Software Artifacts (SLSA) framework that provides graduated security levels and automated build provenance generation to create verifiable evidence of how your software was built.
Artifact Integrity and Code Signing8:44
What if the container images and binaries powering your critical applications have been silently modified by attackers after they left your secure build environment? Explore digital signing techniques and cryptographic verification methods that ensure software artifacts maintain their integrity from build to deployment.
Vendor Risk Assessment and Third-Party Security7:46
Third-party weaknesses can expose entire supply chains, with 84% of codebases including at least one known open-source vulnerability. Discover frameworks for evaluating vendor security practices, implementing security requirements in contracts, and establishing ongoing monitoring processes.

Continuous Supply Chain Monitoring5:55
Are you flying blind when new vulnerabilities emerge in your software dependencies, leaving your organization exposed until the next scheduled security scan? Learn to implement continuous supply chain monitoring that provides real-time visibility into emerging threats, vulnerability disclosures, and security events across your entire software ecosystem. Deploy automated alerting, threat intelligence integration, and rapid response protocols that transform reactive vulnerability management into proactive supply chain defense, ensuring you can respond to threats like Log4j within hours instead of weeks.
Compliance and Regulatory Requirements5:28
With the EU Cyber Resilience Act mandating SBOMs and the US Executive Order 14028 enforcing secure development, regulatory compliance is no longer optional - are you prepared for the new reality? Learn to navigate CISA attestation requirements, implement compliance automation, and align with international standards.
Supply Chain Incident Response and Recovery6:33
When the next major supply chain attack hits your ecosystem, will you be able to respond effectively or become another casualty statistic? Discover how to develop supply chain-specific incident response plans, implement rapid vulnerability response procedures, and establish recovery protocols that minimize business impact. Build the resilience capabilities that separate industry leaders from those who struggle to recover from supply chain compromises.
Securing the Software Supply Chain0:16
Hands-On-Learning: Software Supply Chain Security: SBOM & Vulnerability Analysis0:15
Managing and Monitoring the Supply Chain

Requirements

To get the most from this course, learners should have a foundation in software development processes, particularly SDLC and Agile/DevOps methodologies. Familiarity with common web application vulnerabilities (such as the OWASP Top 10) and some hands-on experience with modern programming languages are also recommended. A working knowledge of network security and common attack vectors will further enhance your understanding of the advanced application security practices covered in this course.

Description

In today’s digital landscape, software powers everything from cloud workloads to mobile applications and IoT devices. However, traditional security measures that are added as an afterthought in the development process no longer provide adequate protection against increasingly sophisticated cyber threats. As the frequency and complexity of cyberattacks rise, the demand for application security throughout the development lifecycle has become paramount.

This course is designed for cybersecurity professionals, software developers, and DevSecOps teams who want to integrate robust security measures throughout the software development lifecycle (SDLC). You will gain hands-on experience with the latest application security tools, frameworks, and industry best practices to ensure your applications are secure, scalable, and compliant with modern security standards.

Master Industry-Leading Security Frameworks

What if the application security frameworks you learned last year are already outdated? In 2025, the application security landscape has fundamentally shifted. Over 100 major software manufacturers have joined CISA's Secure by Design pledge, and federal agencies now require secure software development attestations with real deadlines already in effect. Recent analysis of cloud security breaches reveals that many organisations continue to fall victim to recurring vulnerabilities that could have been avoided with up-to-date best practices.

This course is built around the most current guidance from industry-leading organisations such as NIST, CISA, OWASP, and CSA. You’ll work with NIST’s Secure Software Development Framework (SSDF), which is the standard for secure software development practices used by U.S. federal agencies and beyond.

The course also integrates CISA’s Secure by Design principles, which prioritise security as a core business requirement, ensuring products are secure from the outset—without relying on afterthought security measures like multi-factor authentication (MFA), logging, and single sign-on. As more organisations adopt this mindset, the way application security is approached is shifting.

Additionally, you'll gain expertise in how OWASP frameworks help define the necessary security controls for developing and testing modern web applications, and how CSA’s Cloud Controls Matrix serves as the standard for cloud security assurance and compliance. These frameworks lay the foundation for world-class application security practices.

High-Impact Security Practices

This course focuses on practical, high-impact practices to protect software today. You’ll learn the core principles of secure development and how to apply them across the entire application lifecycle. CISA’s Secure by Design goals will guide you in implementing proven security practices, ensuring security is embedded from the start.

Secure Development and Code Security: Master the fundamental practices for building secure applications from the ground up. Learn secure coding techniques, including proper input validation, authentication mechanisms, and cryptographic implementation. Focus on preventing the most critical vulnerabilities outlined in the OWASP Top 10 and industry standards. You’ll gain hands-on experience using static analysis tools, security-focused code reviews, and test-driven security development, enabling you to identify and resolve vulnerabilities before they reach production. This module also covers secure design principles, runtime protection mechanisms, and the integration of automated security testing into the development process.

Incorporating Threat Modelling: Learn to identify potential security threats early in the design phase. Using structured methodologies aligned with NIST SSDF, you’ll create comprehensive threat models to identify attack vectors before they can be exploited. This module covers STRIDE methodology, attack trees, and data flow diagrams to help you prioritise security risks and protect complex application architectures.

Supply Chain and Open-Source Software Security: With increasing reliance on open-source software and third-party dependencies, securing the software supply chain has become crucial. This course emphasises monitoring leaked secrets, ensuring code integrity, and evaluating software supply chains. You’ll learn to use Software Bill of Materials (SBOM), dependency scanning, and vendor risk assessment tools to detect vulnerabilities in open-source components and establish secure procurement practices.

Cloud and Container Security: Cloud security is a growing concern for modern enterprises. This section teaches you how to implement robust security controls for cloud-native applications and containerised environments using CSA best practices. You’ll explore container image scanning, runtime protection, secrets management, and cloud-specific security architectures that safeguard applications across multi-cloud and hybrid environments.

Learn Through a Comprehensive Fictional Case Study

Throughout the course, you’ll apply these techniques to a fictional case study that mirrors the challenges faced by real-world enterprises. This immersive approach helps you understand how security principles can be implemented across various business contexts, compliance requirements, and technological architectures. The case study includes a multi-tier web application with cloud infrastructure, mobile components, third-party integrations, and regulatory compliance needs, providing a comprehensive view of modern application security challenges.

The scenarios reflect industry realities such as budget constraints, technical debt, legacy system integration, and competing business priorities, ensuring you gain practical experience with the kinds of issues your organisation may face.

What You Will Learn in This Course

Practical Threat Modelling: Use structured techniques to create actionable security requirements for applications.

Security Control Implementation: Develop security controls for different environments, including cloud-native applications and legacy systems.

Pipeline Security: Learn how to create secure CI/CD pipelines with integrated security testing and automated compliance validation.

Comprehensive Security Assessment: Practice security assessments through scenario-based questions and practical exercises.

Learning Outcomes

By completing this course, you will demonstrate competency in:

Strategic Threat Analysis: Implementing comprehensive threat models that identify critical security risks before they become vulnerabilities.

Supply Chain Risk Management: Securing complex software supply chains, including open-source components, third-party dependencies, and vendor relationships.

Cloud-Native Security Architecture: Understanding security controls that protect applications in scalable cloud environments, including container security and serverless protection.

Continuous Security Monitoring: Utilising automated security monitoring systems for real-time visibility into application security posture and response capabilities.

DevSecOps Integration: Integrating security throughout CI/CD pipelines without disrupting development velocity, including automated testing, compliance validation, and security gate implementation.

Why This Course Matters Now More Than Ever

As cybersecurity threats continue to evolve, the need for secure development practices becomes even more urgent. Federal agencies now require software developers to submit attestations demonstrating compliance with NIST SSDF standards, with deadlines already in effect. This regulatory pressure is driving the widespread adoption of secure software development practices across the industry.

Organisations that fail to adapt risk compliance penalties, security breaches, and damage to their reputation. This course places you at the forefront of application security, equipping you with the knowledge and practical skills needed to build secure, resilient applications that protect your organisation and customers.

Start your journey towards mastering application security today!

Who this course is for:

This course is designed for experienced professionals in software development, security, and operations.
Security Engineers and Architects implementing DevSecOps practices.
Senior Developers focusing on secure coding for applications.
DevOps Engineers integrating security into CI/CD workflows.
IT Managers, Directors, Compliance Specialists, and Security Consultants who need practical frameworks and approaches to oversee and strengthen organizational software security initiatives.
This course provides the tools and methodologies to assess, manage, and enhance software security across modern organizations.

Master Application Security: Threat Modeling & Testing

What you'll learn

Explore related topics

Course content

Introduction1 lecture • 3min

Building Security from the Ground Up4 lectures • 19min

OWASP Top 10 Prevention3 lectures • 22min

Application Security Testing and Protection5 lectures • 19min

Threat Modeling4 lectures • 18min

Utilizing Threat Modeling Tools3 lectures • 20min

Managing Findings from Threat Modeling6 lectures • 22min

Understanding the Software Supply Chain4 lectures • 20min

Collecting Artifacts and Understanding Risk3 lectures • 22min

Managing and Monitoring the Supply Chain5 lectures • 18min

Requirements

Description

Who this course is for: