Secure development and coding training

Online course with own lab environment for practical exercises


Chapter overview: Secure Development / Secure Coding for developers

The content has been created by Secure Development experts and has been successfully used and refined in classroom training courses for years. All scenarios are based on typical OWASP Top 10 vulnerabilities in applications and are therefore highly relevant.

Intro & Let’s hack

Introduction & Basics: How does the training work? Why is security so important throughout the software development lifecycle?

Plus some hacking to warm up: LAB exercise on bad exception handling and password cracking. The exercise shows what effects even inconspicuous security holes can have.


Security Basics

Clarification of the most important basic terms:

  • The protection goals in the CIA Triad: Confidentiality, Integrity and Availability.
  • The security principles used to achieve these CIA goals: don't trust any input, keep security simple, minimize the attack surface, implement 'Defense in Depth', grant only minimal rights, be 'Secure by Default' and always solve security problems properly rather than working around them.


Implementation phase

  • Authentication: What mistakes are often made during authentication, and which simple methods significantly increase security?
  • Authorization (access control): How does it differ from authentication? LAB exercise: accessing data via Direct Object Reference. How to prevent such vulnerabilities and how to implement appropriate access control.
  • Session Management: What threats exist around session management? LAB exercise: session takeover via Session Fixation. How to make session management secure.
  • Input Validation, Output Sanitization and Injection: What is an injection and what types are there? LAB exercise: data manipulation and deletion by SQL injection. How can injections be prevented?
  • Cross Site Scripting: What types of Cross Site Scripting exist? LAB exercise on persistent cross site scripting. Which defense measures are effective?
  • Cryptography & Secrets Management: What types of secrets exist and what forms do they take ("at rest", "in transit" and "in memory")? LAB exercise: system access via File Inclusion. What is the difference between encryption and encoding? LAB exercise: decoding a password in a config file. Tips for handling secrets.
  • Remote Code Execution: LAB exercise: web shell upload. Why do RCE vulnerabilities have such catastrophic effects? How can the 'Defense in Depth' approach limit such effects?
  • Exceptions & Error Handling: How do hackers exploit error messages and error routines? What should secure error handling look like?
  • Application Logging: Why is a good logging strategy fundamental, and what should not be logged? LAB exercise on confidential data in log files. Tips on how to achieve good logging.
  • Secure Networking and Infrastructure: Hackers attack systems, not software. What are the weaknesses in transmission protocols, and why are hardening and patching not just the job of administrators?


Validation phase

  • Code Reviews: Which security best practices exist, and when should a source code review be performed?
  • Automated Code Analysis: What are the benefits of automated code analysis, and which modules can be analyzed?
  • Vulnerability scans: What are the benefits of automated vulnerability scans, and where are their limits?
  • Penetration tests: Why are penetration tests sometimes indispensable?


Operation phase

  • Code Changes: What effects do code changes have on security? Which measures should be taken?
  • Configuration: How does the configuration influence security?
  • Patch Management: Who is responsible for patching systems, and where does that responsibility end? LAB exercise: exploitation of another RCE vulnerability through an outdated library.
  • Decommissioning: What steps to take when a system is 'End of Life'.


Test

Final test with multiple choice questions

If you pass, you can download a certificate.


Demo access? Further Information?

Get in contact with us!

A lot of good reasons

Highly efficient training
With the combination of e-learning and LAB you can reach developers all over the world, especially in near-shoring or off-shoring centers. This is essential for risk reduction, because many development teams were previously hard to reach with training of this quality.
The best of two worlds
Learning success guaranteed
The main problem in the security awareness of developers is the lack of understanding and involvement. In the LAB e-learning your developers take the view of an attacker and hack through an application in various ways. This results in a very high level of personal involvement and an understanding of why security principles must be followed. This is the foundation for behavioral change.
Internationally applicable
The online course 'Cyber Security for Developers' is available in German and English. It is SCORM compatible and can be delivered as a cloud service or in your own learning management system (LMS). The English-language Security LAB for developers contains a web application with numerous vulnerabilities. Each participant receives their own individual LAB and a time quota of 15 hours of usage.
Policies can be integrated
The Secure Coding training works without any customization. However, you can integrate your relevant documents and policies (secure coding checklists, cryptosystems used, code analysis, etc.) at specific positions. Of course, we also integrate your company logo and name your security contact persons.
Fair pricing model
The Cyber Security LAB e-learning for developers is licensed per training participant. The price per participant (including e-learning course, LAB infrastructure, operation, licenses, etc.) is between 80,- and 250,- EUR net plus VAT, depending on the number of participants. It therefore costs a fraction of a comparable classroom training course, but delivers practically the same learning success.