Application Security for Developers

Application Security for Web Developers: a two-day, highly practical course aimed at web developers, security auditors, penetration testers, security managers and anyone else who wants to learn how to write secure code or to audit code for security flaws. The course covers each vulnerability class in depth and discusses a range of security best practices and the defence-in-depth approach that developers should keep in mind while building applications.

Attendees are given access to lab infrastructure on which they practise identifying vulnerable code and then discuss patching approaches. While the course covers industry standards such as the OWASP Top 10 and the CWE/SANS Top 25, it also addresses real-world issues that do not appear in these lists. The course does not focus on any particular web development language or technology; it focuses on the underlying principles and includes examples from PHP, .NET, classic ASP and Java.

  • Covers the latest industry standards, such as the OWASP Top 10 (2013)
  • Insight into recent vulnerability classes (such as mass assignment bugs in MVC frameworks)
  • Thorough guidance on security best practices (such as the HTTP security headers Content-Security-Policy and Strict-Transport-Security)
  • A real-world analogy for each vulnerability
  • Hands-on labs



Introduction to Web Applications

  • Design Flaws
  • Authentication
  • Authorization
  • Session Management
  • Logical Flaws
  • Web Server Misconfiguration
  • Application Server Misconfiguration
  • HTTP Methods
  • SSL/TLS and Man-in-the-Middle (MITM) Attacks

Cross Site Issues

  • Cross Site Scripting
  • Cross Site Request Forgery
  • Session Fixation
  • CRLF Injection
  • Flash and Cross-Domain Issues

Server Side Issues

  • SQL Injection
  • File Uploads
  • Server Side Includes
  • File Inclusion
  • Insecure Direct Object Reference
  • OS Command Injection

Best Security Practices

  • HTTP Strict Transport Security (HSTS)
  • Content Security Policy (CSP)
  • Defence in Depth
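The outline above lists HSTS and Content Security Policy as the headers the course covers. As an added example (not course material and not code from the course provider), the following checker parses both headers from a response and reports the weaknesses a developer would be expected to fix. The thresholds (one-year `max-age`, `includeSubDomains`, no `'unsafe-inline'` or `*` in the script source list) are the example's own recommendations, and the two sample header sets are constructed for illustration.

```python
"""Audit a response's HSTS and CSP headers (added example, not course material).

The directive checks and thresholds below are this example's own assumptions;
the sample header sets at the bottom are constructed, not captured from a site.
"""

from typing import Dict, List

# Assumption for this example: treat anything under one year as too short.
MIN_HSTS_MAX_AGE = 31536000  # seconds


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directive -> value/True."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Valueless directives such as includeSubDomains are recorded as True.
        directives[name.strip().lower()] = val.strip() if val else True
    return directives


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; an empty list means no issues."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(str(d.get("max-age", 0)))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        p = parse_csp(csp)
        if "default-src" not in p:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent, as browsers do.
        script_src = p.get("script-src", p.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "*" in script_src:
            findings.append("CSP allows scripts from any origin (*)")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Running the script prints five findings for the weak header set and none for the hardened one; the same function can be pointed at the headers returned by any HTTP client to audit a live deployment.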



Prerequisites:

Delegates will have attended the Introduction to Digital Investigations course (QAIDIGINV) or have sufficient practical experience of evidential capture.

Intended Audience:

  • Software/Web developers
  • PL/SQL developers
  • Penetration Testers
  • Security Auditors
  • Administrators and DBAs
  • Security Managers