Learning Outcomes

Course delegates will complete the course having gained the following knowledge.

• Design patterns that lead to more secure code
• Architectural patterns that more secure systems
• How to test your system from a security perspective
• Anti-patterns

Course Outline

Throughout the duration of the two-day course, delegates will be armed with the ability to identify security issues much earlier in the development cycle, thus saving cost and removing business critical bugs before they appear in the wild.

Modules

Delegates will complete training in the following modules.

1. Code Patterns

• Data structures: Immutability and managing state, avoiding shared mutable state, domain primitives, and avoiding collections that can grow infinitely.
• Contracts and validation: Escaping inputs, and validation options built into commonly used frameworks.
• Failure handling: Avoid logging sensitive info in logs and information exposure (system internals, passwords, exception safety, etc.).
• Preventing common vulnerabilities: SQL & noSQL injection.

2. Architectural Patterns

• Managing user data and logs
• Avoid logging PII
• Secrets management / vaults
• Circuit breakers, retries and timeouts
• Using Caches to enable graceful degradation
• Principle of least privilege
• Zero trust security
• CSRF tokens
• Protocols (REST, HTTPS, Binary)
• Avoiding defaults e.g. commonly used headers that expose server information

3. Testing your Design

• How to validate that software is secure.
• Boundary testing
• Input and validation testing
• Load testing
• Exploratory testing
• Automated security testing (Pipelines, security policy as code, SAST, DAST)
  Benefits of penetration testing

Prerequisites

Delegates should be comfortable writing code in any high-level language e.g. Java, Kotlin, C# and should also have a good understanding of engineering best practices.

Further Learning

Looking to continue on your learning path? The following courses are ideal as follow-on courses to Security by Design.