Secure Programming Foundation

Location: on site
Provider: Info Support (average rating 8.3, based on 15 reviews)

Start dates and locations

Veenendaal, 23 March 2026 to 24 March 2026
  23 March 2026, 09:00-16:00, Veenendaal
  24 March 2026, 09:00-16:00, Veenendaal

Veenendaal, 14 April 2026 to 15 April 2026
  14 April 2026, 09:00-16:00, Veenendaal
  15 April 2026, 09:00-16:00, Veenendaal

Utrecht, 26 May 2026 to 27 May 2026
  26 May 2026, 09:00-16:00, Utrecht
  27 May 2026, 09:00-16:00, Utrecht

Veenendaal, 27 July 2026 to 28 July 2026
  27 July 2026, 09:00-16:00, Veenendaal
  28 July 2026, 09:00-16:00, Veenendaal

Master the fundamentals of secure programming and start building software that's secure by design.

Description

Security is no longer optional — it's a core developer skill. In this course, the latest OWASP Top 10 serves as your practical roadmap to understanding and preventing today's most critical web application risks. Not theory for auditors, but knowledge you can immediately apply in your own code.

You'll go beyond the checklist and truly understand why vulnerabilities happen. We take focused deep dives into essential topics like SOP, CORS, cookies, STRIDE (a lightweight threat modeling method), input handling, and cryptography. Every concept is translated into concrete coding and design decisions you can implement the next day.

Expect live demos and hands-on labs in simple JavaScript so you don't just hear about security — you practice it. While many examples are web-based, the principles you'll learn apply to any language or framework. Secure thinking is universal.

Target audience: This course is designed for developers who want to:

  • strengthen and update their secure programming skills
  • recognize and prevent common vulnerabilities
  • grow from "it works" to "it's secure and works"

Learning Goals

  • Recognize security risks in common contexts and demonstrate awareness. [Remember]
  • Cite 5 categories of vulnerabilities from the OWASP Top 10. [Remember]
  • Recall the STRIDE threat model and how it can be used to identify security threats. [Remember]
  • Adapt secure web application development practices to mitigate common security risks. [Apply]
  • Describe common injection attacks and mitigation strategies. [Understand]
  • Understand the principles and practices of authorization. [Understand]
  • Paraphrase common cryptography use cases, like hashing, encryption, and digital signatures. [Understand]
  • Understand common security practices surrounding authentication. [Understand]
  • Describe common security misconfigurations and how to prevent them. [Understand]

Subjects

  1. Secure Programming Awareness
  2. STRIDE
  3. OWASP Top 10 latest edition:
    • 10 most critical web application security risks
    • related weaknesses (CWE)
    • best practices to mitigate them
  4. SOP, CORS, Security-related Headers
  5. Input Handling
  6. Authentication & Authorization
  7. Configuration, Error Handling and Logging
  8. Cryptography

Introduction to Secure Programming
  • Identify OWASP as a leading authority in secure programming and application security.
  • Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
  • Familiarize with the OWASP Top 10 list of the most critical web application security risks.
  • In the news: what happened this week?

Security Awareness
  • Recognize the historical underfunding of security and understand its implications for organizations.
  • Define and explain technical terms commonly used in the context of security.
  • Know the STRIDE model to identify and understand different types of threats to security.
  • Recognize and understand the role of "man in the middle" proxies in security contexts.
  • Understand the HTTP protocol and its relevance as an attack vector in web security.
  • Comprehend the Browser Security Model and its significance in ensuring secure web browsing.

Authentication and Session Management
  • Differentiate between authentication and authorization and understand their respective best practices.
  • Implement secure password policies and understand hashing and salting using Bcrypt.
  • Know the importance of Multi-Factor Authentication (MFA) as a critical defense against credential theft and weak passwords.
  • Differentiate between session-based and token-based authentication, understanding their trade-offs and security implications.
  • Implement and manage JWT-based authentication securely, including proper token storage, expiration, and revocation strategies.
  • Understand and apply appropriate cookie attributes for secure session management.
  • Recognize session fixation and user enumeration attacks and implement appropriate countermeasures.

Input Handling
  • Recognize common areas where injection attacks can occur like command injection, XSS, and path traversal.
  • Understand the difference between input validation and sanitization, and when to apply each technique.
  • Implement measures to harden applications against SQL injection attacks and understand the risks associated with blind SQL injection attacks.
  • Differentiate between allowlist and blocklist input validation methods.
  • Recognize three types of Cross-Site Scripting (XSS) attacks.
  • Implement context-aware encoding to prevent XSS attacks across different contexts.
  • Understand how modern frameworks provide automatic escaping and sanitization, and when manual intervention is still required.
  • Recognize regular expression pitfalls including ReDoS attacks and greedy quantifiers.
  • Understand encoding standards and the importance of decoding.

Authorization
  • Understand the rationale for using indirect object references and preventing Insecure Direct Object Reference (IDOR) vulnerabilities.
  • Apply the principle of least privilege when designing access control mechanisms.
  • Understand the difference between Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
  • Enforce record ownership in access controls to prevent unauthorized CRUD operations on other users' data.
  • Design and maintain a two-dimensional access control matrix documenting subjects, objects, and allowed actions for each role.
  • Understand the basics of OAuth 2.0.
  • Recognize Server-Side Request Forgery (SSRF) attacks and understand mitigation.
  • Recognize Cross-Site Request Forgery (CSRF) attacks and implement mitigation.
  • Identify and mitigate clickjacking attacks.

Configuration, Error Handling, and Logging
  • Recognize that frameworks, servers, and cloud platforms are rarely secure by default and require hardening.
  • Implement secure configuration practices like disabling directory listing.
  • Prevent accidental information disclosure through detailed error messages, stack traces, and response headers.
  • Understand best practices around security logging and alerting.
  • Configure security-related HTTP response headers like Content-Security-Policy.
  • Understand the security implications of missing or misconfigured security-related cookie attributes.
  • Recognize the importance of applying the principle of "secure by default" across all configurations.
  • Implement proper exception handling that fails securely.

Cryptography
  • Differentiate between symmetric and asymmetric encryption methods and understand their appropriate use cases in secure communication.
  • Understand the role of digital signatures in ensuring data integrity, authenticity, and non-repudiation.
  • Explain the basics of Public Key Infrastructure (PKI) including certificate authorities, certificate chains, and the risks of CA compromise.
  • Recognize that modern, proven cryptographic algorithms (AES-GCM, ChaCha20-Poly1305, SHA-256/512, Argon2) must be used instead of broken algorithms like MD5, SHA-1, or DES.
  • Understand the critical difference between standard PRNGs and Cryptographically Secure PRNGs (CSPRNGs) when generating secrets.
  • Understand some best practices around cryptographic key management.
  • Verify integrity of third-party resources (CDN scripts, libraries).