Security by Design

  • 2 Days
  • Intermediate
  • Virtual | Classroom
  • £ On Request

Learn how to create software that is inherently secure by design from the ground up. A comprehensive, hands-on workshop that covers the patterns, idioms and best practices that help keep software systems safe from attack.

Book For My Team

Overview

The threats faced by software today have never been greater. The proliferation of tools that can be used to break into software systems mixed with the longtail of legacy infrastructure that was never designed with security in mind has resulted in a tsunami of exploits and ransomware attacks. Consequently, security has become a primary concern for every software organisation, not some Band Aid applied after the fact.

One of the most fundamental best-practices in helping ensure our software applications stay safe is the concept of secure by design, where software is designed in such a way that it is inherently secure. This course provides engineers with that understanding, focusing on the patterns, idioms and pratices that result in better more secure code.

Objectives

  • Understand how to design software systems to protect against common attacks
  • Build a catalogue of 'secure by design' architectural patterns and idioms
  • Create a security-first mindset in your teams
  • Learn how to 'security test' your software applications
  • Recognise anti-patterns or approaches

Outline

Code Patterns

  • Data Structures: immutability and managing state, avoiding shared mutable state, domain primitives, avoiding collections that can grow infinitely
  • Contracts and Validation: escaping inputs, validation options built into commonly used frameworks
  • Failure handling: avoid broadcasting sensitive info in logs, information exposure of system internals, passwords, exception safety, etc.
  • Preventing common vulnerabilities: SQL / noSQL injection

Architectural Patterns

  • Managing user data and logs
  • Avoid logging PII
  • Secrets management / vaults
  • Circuit breakers, retries and timeouts
  • Using Caches to enable graceful degradation
  • Principle of least privilege
  • Zero trust security
  • CSRF tokens
  • Protocols (REST, HTTPS, Binary)
  • Avoiding defaults e.g. commonly used headers that expose server information

Testing your Design

  • How to validate that software is security.
  • Boundary testing
  • Input and validation testing
  • Load testing
  • Exploratory testing
  • Automated security testing (Pipelines, security policy as code, SAST, DAST)
  • Benefits of penetration testing

Requirements

This is a hands-on 2-day course, attendees must be comfortable writing code in any high-level language such as Java, TypeScript, Kotlin, C#, etc. They should also have a good understanding of engineering best practices.

Ryan Adams

Used to make software for learning as a developer, now helping software makers learn.

Follow Ryan
Andrew Paul

Was a teacher, then a lecturer and now a trainer at Instil. Has been completed the circle.

For a breakdown of what to expect in our training, check out our training overview page.

This course has massively grown my knowledge of best practice design principles and will change the way I program in the future. It will be immediately beneficial for me in my current project.

A very well put together course with a lot of practical coding and examples. I really enjoyed the challenge the katas presented and coding the solution to them. Really good amount of actual practical work.

Best course I have attended so far at Instil. Learnt a lot about how powerful your IDE can be, how to go about writing tests before writing any production code(TDD) and how refactoring really improves your end product. Great instructor who knows his stuff and was very willing to help when needed.

Deloitte logo
Atlassian logo
Workday logo
BMW logo
Amex logo
McAfee logo
PWC logo