Application Development & Programming Training Icon
Information Security Training Icon

Fundamentals of Secure Application Development

2 Days Classroom Session   |  
2 Days Live Online
Classroom Registration
Group Rate:
(per registrant, 2 or more)
GSA Individual:
Live Online Registration
Live Online:
Private Onsite Package

This course can be tailored to your needs for private, onsite delivery at your location.

Request a Private Onsite Price Quote

Professional Credits


ASPE is an IIBA Endorsed Education Provider of business analysis training. Select Project Delivery courses offer IIBA continuing development units (CDU) in accordance with IIBA standards.


Select courses offer Leadership (PDU-L), Strategic (PDU-S) and Technical PMI professional development units that vary according to certification. Technical PDUs are available in the following types: ACP, PBA, PfMP, PMP/PgMP, RMP, and SP.

This course offers:
    14.00 PMP/PgMP Technical PDUs
    1.00 PMI-RMP Technical PDUs


The rules of information security aren’t what they used to be. Hackers aren’t kids in basements–they’re state-sponsored professionals and organized criminal groups all around the world. They break into systems and steal data in any way they can.

Unfortunately, the vast majority of hacks are not due to insecure networks or misconfigured firewalls; they are a result of common software flaws that get coded into applications. Even with good information security policy and staff, the reality is that software developers are often underserved when it comes to security strategy. If their applications get built without attention to good software security practices, risk gets passed downstream and by the time an incident occurs, it’s too late to be proactive.

From proactive requirements to coding and testing, this information security training course covers the best practices any software developer needs to avoid opening up their users, customers, and organization to attack at the application layer. We teach only constantly updated best practices, and our experts answer your questions live in class. Return to work ready to build higher quality, more robustly protected applications.

In this Information Security Training Course, You Will Learn How To:

  • Understand assets, threats, vulnerabilities, and risks
  • Gather and understand security requirements
  • Design secure software
  • Write secure code
  • How to test your software
  • Release & Operate secure software
Upcoming Dates and Locations
All Live Online times are listed in Eastern Time Guaranteed To Run
Request a quote for private onsite training Request
Aug 20, 2020 – Aug 21, 2020    10:30am – 6:30pm Live Online Register
Sep 17, 2020 – Sep 18, 2020    8:30am – 5:30pm Live Online Register
Oct 15, 2020 – Oct 16, 2020    8:30am – 4:30pm Live Online Register
Oct 15, 2020 – Oct 16, 2020    8:30am – 4:30pm Cincinnati, Ohio

MAX Technical Training
4900 Parkway Drive
Suite 160
Mason, OH 45040
United States

Nov 12, 2020 – Nov 13, 2020    8:30am – 4:30pm San Francisco, California

Learn IT
33 New Montgomery St.
Suite 300
San Francisco, CA 94105
United States

Nov 12, 2020 – Nov 13, 2020    11:30am – 7:30pm Live Online Register
Dec 17, 2020 – Dec 18, 2020    8:30am – 4:30pm Phoenix, Arizona

Dynamic Worldwide
4500 S. Lakeshore Dr
Suite 600
Tempe, AZ 85282
United States

Dec 17, 2020 – Dec 18, 2020    10:30am – 6:30pm Live Online Register
Course Outline

Information Security Training Outline

Part 1: Secure Software Development

  1. Assets, Threats & Vulnerabilities
  2. Security Risk Analysis (Bus & Tech)
  3. Secure Dev Processes (MS, BSI…)
  4. Defense in Depth
  5. Approach for this course

Introductory Case Study

Part 2: The Context for Secure Development

  1. Assets to be protected
  2. Threats Expected
  3. Security Imperatives (int&external)
  4. Organization's Risk Appetite
  5. Security Terminology
  6. Organizational Security Policy
  7. Security Roles and Responsibilities
  8. Security Training for Roles
  9. Generic Security Goals & Requirements

Exercise: Our Own Security Context

Part 3: Security Requirements

  1. Project-Specific Security Terms
  2. Project-Related Assets & Security Goals
  3. Product Architecture Analysis
  4. Use Cases & MisUse/Abuse Cases
  5. Dataflows with Trust Boundaries
  6. Product Security Risk Analysis
  7. Elicit, Categorize, Prioritize SecRqts
  8. Validate Security Requirements

Exercise: Managing Security Requirements

Part 4: Designing Secure Software

  1. High-Level Design
    • Architectural Risk Analysis
    • Design Requirements
    • Analyze Attack Surface
    • Threat Modeling
    • Trust Boundaries
    • Eliminate Race Objects
  2. Detail-Level Design
    • Secure Design Principles
    • Use of Security Wrappers
    • Input Validation
    • Design Pitfalls
    • Validating Design Security
    • Pairing Mem Mgmt Functions
    • Exclude User Input from format strings
    • Canonicalization
    • TOCTOU
    • Close Race Windows
    • Taint Analysis

Exercise: A Secure Software Design, Instructor Q and A

Part 5: Writing Secure Code

  1. Coding
    • Developer guidelines & checklists
    • Compiler Security Settings (per)
    • Tools to use
    • Coding Standards (per language)
    • Common pitfalls (per language)
    • Secure/Safe functions/methods
      • Stack Canaries
      • Encrypted Pointers
      • Memory Initialization
      • Function Return Checking (e.e. malloc)
      • Dereferencing Pointers
    • Integer type selection
      • Range Checking
      • Pre/post checking
    • Synchronization Primitives
  2. Early Verification
    • Static Analysis (Code Review w/tools)
    • Unit & Dev Team Testing
    • Risk-Based Security Testing
    • Taint Analysis

Exercise: Secure Coding Q and A

Part 6: Testing for Software Security

  1. Assets to be protected
  2. Threats Expected
  3. Security Imperatives (int&external)
  4. Organization's Risk Appetite
  5. Static Analysis
  6. Dynamic Analysis
  7. Risk-Based Security testing
  8. Fuzz Testing (Whitebox vs Blackbox)
  9. Penetration Testing (Whitebox vs Blackbox)
  10. Attack Surface Review
  11. Code audits
  12. Independent Security Review

Exercise: Testing Software for Security

Part 7: Releasing & Operating Secure Software

  1. Incident Response Planning
  2. Final Security Review
  3. Release Archive
  4. OS Protections:
    • Address Space Layout Randomization
    • Non-Executable Stacks
    • W^X
    • Data Execution Prevention
  5. Monitoring
  6. Incident Response
  7. Penetration Testing

Exercise: A Secure Software Release

Part 8: Making Software Development More Secure

  1. Process Review
  2. Getting Started
  3. Priorities

Exercise: Your Secure Software Plan

Who should attend
  • Application Development Managers
  • Software Engineers and Developers
  • CISOs, CISAs and Security Professionals
  • Software Testers
  • QA Managers, Directors and Staff
  • Test Management
  • Business Analysts
  • Project Managers
  • IT Specialists (Security, Capacity Management, Networking…)