Developer Application Security Awareness Training
Application Security Awareness Training is a crucial first step in building an effective Secure Development Lifecycle in a software development company.
The Application Security Awareness Training covers the material recommended by OWASP SAMM 2.0 and goes far beyond. The program spans over six sessions. Each session is about three hours long. We hold training sessions on-site or remotely two or three times per week.
Day 1: Intro to Application Security
- World Biggest Data Breaches and Application Security.
- Threat actors, attack vectors, and vulnerability classes.
- HaveIBeenPwned’s secure protocol for password verification.
- The state of the Application Security industry.
- AppSec resources and communities.
- Burp Suite basic configuration.
- Web Security Academy introduction.
Day 2: Application Security Basics
- Software vulnerability types, National Vulnerability Database, CVE. Vulnerability risk level. Using the CVSS calculator.
- Vulnerability taxonomies and examples: OWASP Top 10, Mitre CWE, and Bugcrowd VRT.
- Attack narrative and Attack Kill Chain. Mitre ATT&CK matrix of common tactics, techniques, and procedures. Using ATT&CK Navigator.
- OWASP Testing project and OWASP Web Security Testing Guide (WSTG).
- Secure development and OWASP Application Security Verification Standard (ASVS).
Day 3. Security Architecture Fundamentals
- Fundamental security engineering principles.
- Secure SDLC and common Application Security practices.
- OWASP Software Assurance Maturity Model (SAMM).
- Threat Modeling. Using OWASP Threat Dragon.
- Security requirements and security testing.
- Installing and configuring DVWA and OWASP Juice Shop.
- Web Security Academy labs (SQLi).
Day 4. Secure Development and Security Testing
- Secure supply chain and dependencies security.
- Code security review basics, techniques, and tools.
- SAST basics, working with Sonar.
- DWVA testing and code review exercises (CI, XSS, SQLi).
- Web Security Academy labs (XSS, CSRF).
Day 5. Deep Dive in Security Testing Part 1
- Requirements-based testing.
- Design and architecture review.
- Web Security Academy labs (XXE, SSRF, SSTI).
- Cloud security testing basics. Using ScoutSuite.
Day 6. Deep Dive in Security Testing Part 2
- Mobile app security testing lab setup.
- API web-service security and testing specifics.
- Web Security Academy labs (Broken Access Control, HTTP Request Smuggling).
We offer the training to the software development teams, so there is no specific set of requirements to meet. To fully grasp the content of the training, the students should already have experience in software development and related skills.
The Application Security Awareness Training price for one group of 16 students is 5,000 EUR (VAT excluded). As always, returning customers get 15% discount off this price starting from the second learning group.
The Application Security Awareness Training is taught by our lead experts that have vast practical experience in application security as well as the project management and business consulting background in this area.
The trainers have excellent presentation skills and can deliver the training material in both English and Ukrainian.
As active contributors to the profession and the chapter leaders of OWASP Kyiv, they always have fully up-to-date knowledge of current best practices in the Application Security industry.
Now, internal development teams are successfully implementing the skills they learned from Berezha Security. The specialists maintained an excellent communication style throughout the sessions.
Berezha Security conducted effective training sessions. They demonstrated various penetration testing tools to great success, so the client’s team is now familiar with new frameworks. The Berezha team was responsive and communicative; it’s comprised of professional experts who know their field well.
+380 (44) 364 7336 +1 (315) 303 2323
6 Nimanska St., 41, Kyiv, Ukraine 01103
77 Sichovykh Striltsiv St., Kyiv, Ukraine