Secure Web Application Security & Secure SDLC

Course Description

Duration 5 days – 35 hours

Overview

This hands-on bootcamp equips developers, QA, security, and DevOps professionals to find, exploit, and fix common web and API vulnerabilities using OWASP Top 10 (2021) and OWASP API Top 10 as anchors. Beyond discovery, the course integrates Secure Development Lifecycle (SDL) practices—specifically shift-left security testing (SAST/DAST/SCA/secrets scanning) and secure code review + release readiness—so teams can prevent issues earlier, automate security checks in CI/CD, and ship with confidence.

Objectives

Explain web security threats, vulnerability vs risk, and attacker mindset.
Identify and validate OWASP Top 10 vulnerabilities using manual + tooling techniques.
Produce actionable vulnerability reports with severity, evidence, and remediation guidance.
Apply secure coding patterns for input validation, output encoding, auth/session controls, and CSRF defense.
Threat model key app flows and translate threats into security requirements/tests.
Test REST APIs for common security flaws (authz, authn, injection, misconfig).
Implement shift-left security testing: SAST, DAST, SCA/dependency scanning, secrets scanning, and define test coverage.
Conduct secure code reviews and use a release readiness checklist (hardening baselines, traceability, documentation).
Integrate security into Agile/Scrum workflows and CI/CD pipelines (e.g., GitHub Actions + ZAP CLI).

Target Audience

Web developers (front-end, back-end, full-stack)
QA / Test engineers doing security validation
DevOps / Platform engineers supporting CI/CD
AppSec / Security engineers and SOC members supporting product teams
Tech leads, architects, engineering managers who approve releases

Prerequisites

Comfortable with HTTP/HTTPS basics, cookies/sessions, REST concepts

Basic programming knowledge (any of: JavaScript / PHP / Python / Java)

Familiarity with Git and command line is helpful (not required)

Authorization requirement: participants must only test systems they own or are explicitly permitted to test (labs provided)

Course Outline

Day 1 — Foundations + OWASP Top 10 (A01–A03) + Lab Setup

Module 1: Web Application Security Basics

Web security fundamentals, CIA triad, attack surface
Threats vs vulnerabilities vs risk, common attacker paths

Module 2: OWASP Top 10 Overview (2021)

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection (SQLi, XSS, Command Injection)

Lab setup

DVWA / OWASP Juice Shop, browser tooling, proxy concepts

Hands-on labs

Baseline recon + initial vulnerability discovery using OWASP ZAP

Day 2 — Practical Discovery & Exploitation (A04–A07) + Reporting

Module 3: OWASP Top 10 (continued)

A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures

Manual testing techniques

Parameter tampering, auth checks, session weaknesses, basic fuzzing

Open-source tools

OWASP ZAP (advanced usage)
Nikto (web server scanner)

Hands-on labs

Exploit selected issues in DVWA/Juice Shop
Write a structured finding: steps, evidence, impact, fix, retest steps

Day 3 — Defensive Coding + Threat Modeling

Module 4: Secure Coding Essentials

Input validation strategies, output encoding, canonicalization basics
Session management, secure cookies, token/session pitfalls
Authentication & authorization best practices (least privilege, RBAC/ABAC concepts)
Defense for XSS and CSRF (patterns + common mistakes)

Hands-on secure coding labs

Fix vulnerable snippets (Python/PHP/JavaScript samples)
Add security controls + regression tests (where applicable)

Module 5: Threat Modeling Basics

Identify assets, entry points, trust boundaries
Create basic models using OWASP Threat Dragon
Translate threats to requirements + tests

Day 4 — API Security + Shift-Left Security Testing in the SDL (Module 7)

Module 6: API Security

OWASP API Top 10 overview (common patterns)
Testing REST APIs: authn/authz, BOLA, injection, rate limits, data exposure
Practical API testing workflow

Hands-on labs

API testing with Postman / Insomnia
Optional load/security checks with k6 (basic)

✅ Inserted: Module 7 — Security Testing in the SDL (Shift Left Testing)

SAST: what it finds, how to tune rules, reduce false positives
- Examples: Semgrep, CodeQL (where applicable)
DAST: what it finds, authenticated scans, coverage planning
- Example: OWASP ZAP baseline/full scan
SCA / dependency scanning: vulnerable libraries + license awareness
- Examples: OWASP Dependency-Check, Syft/Grype
Secrets scanning & config validation: preventing key leaks and risky settings
- Examples: Gitleaks, TruffleHog
Pen testing vs vulnerability scanning (when to use each)
Defining security test coverage and “security gates” per SDLC stage

CI/CD automation lab

Implement automated security checks in GitHub Actions
- Run SAST + SCA + secrets scan
- Run ZAP CLI scan for a test environment
- Generate artifacts/reports and define pass/fail criteria

Day 5 — Secure Code Review & Release Readiness (Module 8) + SDL + CTF

✅ Inserted: Module 8 — Secure Code Review & Release Readiness

How to review code with a security lens (data flow, trust boundaries, authz points)
Common red flags (unsafe deserialization, injection sinks, missing authz checks, weak crypto usage)
Pre-release security checklist (must-pass items + evidence)
Secure configuration baselines & hardening (headers, cookies, TLS basics, env separation)
Security documentation & traceability (requirements → tests → findings → fixes)

Module 9: Secure Development Lifecycle (SDL) + Agile/Scrum Integration