Foundations of Application Security

Overview

Got digital assets that need protecting? With technology at the heart of every business, secure coding, app security testing, and vulnerability management are the essential pillars that safeguard your data. The Foundations of Application Security Course is your ticket to mastering these crucial skills.

But this isn’t just another course—it’s a hands-on experience led by Cole Cornford, the Founder and CEO of Galah Cyber, and a globally recognised AppSec evangelist. Cole’s approach goes beyond theory; he brings real-world scenarios and practical exercises that you can apply straight away. You’ll walk away with the tools and confidence to tackle security challenges head-on.

Price: $1,800 + GST.

Delivery Modality

This course is delivered over four half-day sessions to minimise interruptions to your work.

Upcoming Dates

Course Dates for 2025 Coming Soon

We’re excited to announce that the 2025 course schedule will be available shortly. Stay tuned for updates!

SessionsDatesTime
Session #1Tuesday, 29 October 20241:30 PM - 5:00 PM
Session #2Tuesday, 5 November 20241:30 PM - 5:00 PM
Session #3Tuesday, 12 November 20241:30 PM - 5:00 PM
Session #4Tuesday, 19 November 20241:30 PM - 5:00 PM

Course Outline

Session #1

  • About the course
  • About the trainer
  • What you will learn
  • Professional and personal benefits and drivers
  • About Galah Cyber
  • Introducing Birdhouse, our teaching aid
  • Course Schedule
  • Additional Resources
  • Feedback
  • What is Application Security
  • Why do we need Application Security
  • How Application Security has evolved
  • Transition from Dev to DevOps to DevSecOps
  • Reducing workload pressure and friction
  • Delivering at speed
  • Delivering for scale
  • Industry trends and current observations
  • Challenges
  • Successful Application Security Case Studies
  • Injection Vulnerabilities
  • Types of Injection Vectors
  • Handling Files Safely
  • Authentication and
  • Authorisation Vulnerabilities
  • Types of Authentication and
  • Authorisation Vectors
  • Introduction to OAuth and OIDC
  • Overview of SSO and IDP’s
  • Multi-Factor Authentication
  • Misconfiguration Vulnerabilities
  • Types of Misconfiguration Vectors
  • Secrets Management and Cryptographic Configuration
  • Security Headers and Frameworks

Coffee Break

  • Identifying Injection Vulnerabilities in Birdhouse
  • Identifying Misconfiguration Vulnerabilities in Birdhouse
  • Identifying Authentication and Authorisation Vulnerabilities in Birdhouse
  • Remediation of Injection Vulnerabilities in Birdhouse
  • Remediation of Misconfiguration Vulnerabilities in Birdhouse
  • Remediation of Authentication and Authorisation Vulnerabilities in Birdhouse

Session #2

  • Secure Code Review
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bill of Materials (SBOM)
  • Secrets Scanning
  • DAST, IAST, and IaC Testing for comprehensive security analysis
  • Penetration Testing
  • Bug Bounty Programs

Coffee Break

  • SAST, SCA, and Secrets Scanning for Software Engineers
  • Implementation in DevOps Pipelines
  • Performing Assurance with SAST, SCA, and Secrets Scanning

Session #3

  • Principle of Least Privilege
  • Attack Surface Reduction
  • Blast Radius Reduction
  • Zero Trust / Trust
  • Boundaries
  • Environment Parity
  • Redundancy and Fault Tolerance
  • Software Reproducibility
  • Supply Chain Management
  • Observability and Monitoring
  • Large Telecommunication Firm
  • Federal Government Agency
  • SAAS Technology Firm
  • Financial Services Institution
  • Startup Business

Coffee Break

  • What is Threat Modeling
  • Why do we perform Threat Modeling
  • The Four Questions Framework
  • The STRIDE Framework
  • The Attack Trees Framework
  • Making threat modeling scalable and repeatable
  • Common Anti-patterns in threat modeling
  • 4 Questions Model
  • STRIDE Threat Model
  • Attack Trees Model

Session #4

  • Why do we train software engineers in security?
  • Choosing effective delivery modes: In-person / remote / hybrid
  • Training the trainers
  • Running a Security
  • Champions program
  • The role and accountabilities of a security champion
  • Incentives for improving security
  • Collaboration between InfoSec and Developers
  • Using metrics to demonstrate the value of the program
  • Analysis of 5 Case Studies
  • Present on what they think is an effective program

Coffee Break

  • 4-step approach to vulnerability management
  • Risk calculation/risk matrix
  • CVSS – standardised rating
  • Mapping standard ratings to internal risk via vulnerability triage.
  • Discussion on the importance of context
  • Kahoot Quiz
  • 60 sharp lessons in 60 minutes

Who will benefit from this course

Software Engineer

Programmer/Developer

AppSec Engineer

DevSecOps Engineer

DevOps Professional

Cloud Engineer

Register Your Interest

Instructor Bio

Cole Cornford

Founder & CEO
Galah Cyber

Cole is a renowned figure in the Australian Application Security scene. An active OWASP contributor and sought-after speaker, Cole has spearheaded significant AppSec programs globally. In addition to leading Galah, he hosts the Secured podcast and authors influential security-focused articles.