Security by Design Course

Overview

The threats faced by software today have never been greater. The proliferation of tools that can be used to break into software systems, mixed with the longtail of legacy infrastructure that was never designed with security in mind, has resulted in a tsunami of exploits and ransomware attacks. Consequently, security has become a primary concern for every software organisation, not some sticking plaster applied after the fact.

One of the most fundamental best practices in helping ensure our software applications stay safe is the concept of secure by design, where software is designed in such a way that it is inherently secure. This course provides engineers with that understanding, focusing on the patterns, idioms and practices that result in better more secure code.

Objectives

Understand how to design software systems to protect against common attacks
Build a catalogue of 'secure by design' architectural patterns and idioms
Create a security-first mindset in your teams
Learn how to 'security test' your software applications
Recognise anti-patterns or approaches

Outline

Code Patterns

Data Structures: immutability and managing state, avoiding shared mutable state, domain primitives, avoiding collections that can grow infinitely
Contracts and Validation: escaping inputs, validation options built into commonly used frameworks
Failure handling: avoid broadcasting sensitive info in logs, information exposure of system internals, passwords, exception safety, etc.
Preventing common vulnerabilities: SQL / noSQL injection

Architectural Patterns

Managing user data and logs
Avoid logging PII
Secrets management / vaults
Circuit breakers, retries and timeouts
Using Caches to enable graceful degradation
Principle of least privilege
Zero trust security
CSRF tokens
Protocols (REST, HTTPS, Binary)
Avoiding defaults, e.g. commonly used headers that expose server information

Testing your Design

How to validate that software is secure
Boundary testing
Input and validation testing
Load testing
Exploratory testing
Automated security testing (Pipelines, security policy as code, SAST, DAST)
Benefits of penetration testing

Requirements

This is a hands-on, 2-day course, attendees must be comfortable writing code in any high-level language such as Java, TypeScript, Kotlin, C#, etc. They should also have a good understanding of engineering best practices.

COURSE

Security by Design

A comprehensive, hands-on workshop that covers the patterns, idioms and best practices that help keep software systems safe from attack.

2 Days
All Levels
In-person / Online
£ On Request

Book for my team

“I'm motivated to learn more”

I enjoyed this course a lot! The trainer is very knowledgeable on security and all development processes. They explain things very clearly with good examples. Every topic is very interesting and I'm motivated to learn more with the links. Thanks a lot!

“Very informative”

Overall very informative, especially the threat modelling and data flow. Lots of good resources provided.

“A good insight into how”

I enjoyed learning about the Design Patterns, and different (weird) ways of testing. A good insight into how to analyse the architecture and security of an application. Thanks for this, really enjoyed it.

Related Courses

Intermediate

Capture the Flag

Intermediate

Modern Testing Workshop

Intermediate

Threat Modelling Workshop

View All Courses