Foundations of Application Security

Overview

Got digital assets that need protecting? With technology at the heart of every business, secure coding, app security testing, and vulnerability management are the essential pillars that safeguard your data. The Foundations of Application Security Course is your ticket to mastering these crucial skills.

But this isn’t just another course—it’s a hands-on experience led by Cole Cornford, the Founder and CEO of Galah Cyber, and a globally recognised AppSec evangelist. Cole’s approach goes beyond theory; he brings real-world scenarios and practical exercises that you can apply straight away. You’ll walk away with the tools and confidence to tackle security challenges head-on.

Price: $1,800 + GST.

Delivery Modality

This course is delivered over four half-day sessions to minimise interruptions to your work.

Upcoming Dates

Sessions      Dates                        Time
Session #1    Tuesday, 29 October 2024     1:30 PM - 5:00 PM
Session #2    Tuesday, 5 November 2024     1:30 PM - 5:00 PM
Session #3    Tuesday, 12 November 2024    1:30 PM - 5:00 PM
Session #4    Tuesday, 19 November 2024    1:30 PM - 5:00 PM

Course Outline

Day 1

  • About the course
  • About the trainer
  • Promise Statement
  • Professional and personal benefits and drivers
  • About Galah
  • About Birdhouse + Access
  • Course Schedule
  • Resources
  • Feedback
  • Define what AppSec is
  • Define why we need it
  • Evolution of AppSec and how we got here
  • Transition from Dev to DevOps to DevSecOps
  • Reducing workload pressure and friction
  • Delivering at speed
  • Delivering for scale
  • Industry trends and current observations
  • Case Studies (3 examples)
  • Injection Vulnerabilities
  • Types of Injection Vectors
  • Handling Files Safely
  • Authentication and Authorisation Vulnerabilities
  • Types of Authentication and Authorisation Vectors
  • Introduction to OAuth and OIDC
  • Overview of SSO and IdPs
  • Multi-Factor Authentication
  • Misconfiguration Vulnerabilities
  • Types of Misconfiguration Vectors
  • Secrets Management and Cryptographic Configuration
  • Security Headers and Frameworks

Coffee Break

  • Identifying Injection Vulnerabilities in Birdhouse
  • Identifying Misconfiguration Vulnerabilities in Birdhouse
  • Identifying Authentication and Authorisation Vulnerabilities in Birdhouse
  • Remediation of Injection Vulnerabilities in Birdhouse
  • Remediation of Misconfiguration Vulnerabilities in Birdhouse
  • Remediation of Authentication and Authorisation Vulnerabilities in Birdhouse

Lunch Break

  • Secure Code Review
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bill of Materials (SBOM)
  • Secrets Scanning
  • Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Infrastructure as Code (IaC) Testing
  • Penetration Testing
  • Bug Bounty Programs

Coffee Break

  • Usage of SAST, SCA, and Secrets Scanning
  • Implementation in DevOps Pipelines
  • Assurance with SAST, SCA, and Secrets Scanning
  • Day 1 Feedback
  • Day 1 Promise Statement
  • Overview of Day 2 Schedule
  • Reflection on current state and opportunities for improvement
  • We’ll discuss those tomorrow morning
  • See you here at XYZ

Day 2

  • Day 1 Recap
  • Reflection on applying Day 1 content at your workplace
  • Day 2 Promise Statement
  • Day 2 Schedule
  • Resources
  • Principle of Least Privilege
  • Attack Surface Reduction
  • Blast Radius Reduction
  • Zero Trust / Trust Boundaries
  • Environment Parity
  • Redundancy and Fault Tolerance
  • Reproducibility
  • Supply Chain Management
  • Observability and Monitoring
  • Why
  • What
  • Four Questions Framework
  • STRIDE
  • Making threat modelling scalable and repeatable
  • Common Anti-patterns in threat modelling
  • STRIDE Model of Birdhouse
  • 4 Questions Model of Birdhouse

Coffee Break

  • Why
  • Delivery Modes: In-person / remote / hybrid
  • Running a Security Champions Program
  • The role and accountabilities of a security champion
  • Incentives for improving security
  • Collaboration between InfoSec and Developers
  • Using metrics to demonstrate the value of the program
  • Analysis of 5 Case Studies
  • Participants present on what they think makes an effective program

Lunch Break

  • Steps
    1. Identify
    2. Triage
    3. Remediate
    4. Audit / Metrics
  • Risk calculation / risk matrix
  • CVSS – standardised rating
  • Mapping standard rating to internal contextual risk rating through vulnerability triage
  • Discussion on the importance of context
  • 60 Security Lessons in 60 Minutes
  • Day 2 Feedback
  • Reflection on applying Day 2 content at your workplace
  • Day 2 Promise Statement
  • Galah Marketing > Podcast / Conferences / Meetups / Webinars
  • Galah Seek Testimonials
  • Thank you for coming

Instructor Bio

Cole Cornford

Founder & CEO
Galah Cyber

Cole is a renowned figure in the Australian Application Security scene. An active OWASP contributor and sought-after speaker, Cole has spearheaded significant AppSec programs globally. In addition to leading Galah, he hosts the Secured podcast and authors influential security-focused articles.