Catalog
Introduction to Security Journey
White Belt | 12 minutes | Season 1 | Lessons with Experiments
In this first lesson, we introduce you to security levels and the path from Security White to Black Belt. We provide a short demo of all the Security Dojo's excellent features and review tips for success with the Security Journey platform.
Introduction to Security
White Belt | 9 minutes | Season 1 | Lessons with Experiments
We begin with a basic but important idea: defining security. We expand into the three supporting tiers of security and visualize how to implement application security. We also explain the difference between builders, breakers, and defenders.
Core Security Concepts
White Belt | 12 minutes | Season 1 | Lessons with Experiments
After introducing Security and Security Journey, now we dive into core security concepts. To succeed as a security person, you need to know the vocabulary. You'll learn the three foundational building blocks of security, the differences between a vulnerability, exploit, and attack, the stages of a security framework, and the distinctions between the red, blue, and purple teams.
Security Business Case
White Belt | 9 minutes | Season 1 | Lessons with Experiments
Your customers trust you with their data, and they expect you to protect their data. We'll discover the impact of a security breach or privacy violation in the eyes of your customer and explain the business case for security.
Attacks
White Belt | 14 minutes | Season 1 | Lessons with Experiments
There are many different types of attacks. We lay the foundation for some of the basic types. To recognize and mitigate an attack, you must understand attack methods. We'll walk through the steps attackers go through as they attempt to compromise a product or system. We'll uncover four basic classes of attacks, and we'll talk about the negative results of a successful attack.
Attackers
White Belt | 13 minutes | Season 1 | Lessons with Experiments
A small amount of knowledge about common adversaries can allow you to shut the door on them. We'll explore five primary types of cyber adversaries and their attack motivation. We'll explain the various layers of the Internet and how attackers use them and uncover an Advanced Persistent Threat group's common traits.
Secure Development Lifecycle
White Belt | 14 minutes | Season 1 | Lessons with Experiments
The foundation of an application security program is a Secure Development Lifecycle (SDL). Explore the benefits of SDL and the commonalities of world-renowned SDLs. The standard SDL phases and goals for each stage are exposed. A secure development lifecycle standardizes an organization's approach to product and application security.
Privacy & Customer Data Protection
White Belt | 10 minutes | Season 1 | Lessons with Experiments
The protection and privacy of customer data is the top-line principle of application security. Analyze the differences between security and privacy, the types of data that must be protected, and the relevant legislation impacting privacy. If you do not protect your customers' data, those customers will go elsewhere.
Myths
White Belt | 12 minutes | Season 1 | Lessons with Experiments
We're busting the security myths that most people believe and adding a dose of reality. Analyze common security myths and learn to counter security objections. Myths are a misdirection of fact; many will argue against security by claiming these myths are the truth.
Data Breaches
White Belt | 15 minutes | Season 1 | Lessons with Experiments
The front page is a terrible place to see your organization's security breach or failure. We want to teach your people to avoid the front page. We'll unpack the business impacts of a data breach and then dive deeply into three historical, damaging security events and the lessons to be learned from each one. We study past breaches to prevent issues in the future.
Threat Landscape
White Belt | 18 minutes | Season 1 | Lessons with Experiments
The Threat Landscape is Threats x Devices x Attackers and is always expanding. New attackers are waking up every day and targeting new devices using various threats. We'll consider the significant threats on technology's bleeding edge, including cloud, mobile, and IoT.
Threat Landscape: Cloud
White Belt | 11 minutes | Season 1 | Lessons with Experiments
Cloud computing has become a mainstay of all organizations, and with the cloud comes a unique set of security threats. We'll identify the specific security issues of cloud computing, list the categories of threats to cloud computing, and unpack each one.
Software Supply Chain
White Belt | 12 minutes | Season 1 | Lessons with Experiments
Understand the threats posed by third-party/open source software and how to deal with this type of risk in your product correctly. Open source and third-party software contain security vulnerabilities, and everyone in your organization needs to understand the depth of the problem. Securing third-party software is your responsibility.
Culture and Mindset
White Belt | 12 minutes | Season 1 | Lessons with Experiments
There is a direct correlation between your security culture's strength and the security of your applications and products. We'll consider the reality of security culture and its impact on all job roles, examine the security mindset and describe how you can apply it to your career, and understand what a security champion is and why you need to become one.
Prioritizing Security
White Belt | 15 minutes | Season 1 | Lessons with Experiments
Prioritization of security is crucial. See how to give your people time to "do security." Examine the security behaviors and activities that a developer, tester, and manager must perform. Application and product security begin with a resource management decision.
Translating Security
White Belt | 10 minutes | Season 1 | Lessons with Experiments
The business and the security team appear to have different priorities, but through translating security, we find that we all have the same goal. We'll review the various terms that are specific to Executives, Program/Product Managers, and the Developer/Tester, and translate business language into security language.
Dealing with Vulnerabilities
White Belt | 15 minutes | Season 1 | Lessons with Experiments
Vulnerabilities exist in all products and applications, and new ones are discovered daily. Examine the need for a response process, why researchers hunt for vulnerabilities, and the PSIRT process. The security incident response process cleans up vulnerabilities.
Knowledge Sources
White Belt | 12 minutes | Season 1 | Lessons with Experiments
Learn where to find security knowledge on the Internet, from CWE, CAPEC, ATT&CK, NVD, OWASP, and NIST. The basic building blocks of security knowledge are available and accessible and seamlessly integrate into the security personnel's life.
OWASP Universe
White Belt | 12 minutes | Season 1 | Lessons with Experiments
OWASP is THE open-source resource for awareness documents, processes, measurement, tools, conferences, and local meetups. We'll explain what OWASP is and the services it provides, identify the most popular OWASP projects and the function of each, and identify the primary purposes of OWASP projects.
Security at Home
White Belt | 11 minutes | Season 1 | Lessons with Experiments
Our homes are our castles, and castles need physical and cybersecurity. We'll explore the physical and cybersecurity threats impacting our families, provide preventative and reactive physical strategies, and share six tips for protecting your cyber home.
Trends in Application Security: 2020-2021
White Belt | 19 minutes | Season 1 | Lessons with Experiments
The world of application and product security changes every year, and practitioners must stay updated on trends and new attacks, tools, and projects. We'll explore recent application security trends and look at modern standards, tools, and projects worth testing and implementing.
Six Foundational Truths of Application Security
Yellow Belt | 12 minutes | Season 1 | Lessons with Experiments
The six foundational truths of application security are do not trust user input, shift left, avoid hardcoded credentials, third-party software care and feeding, threat modeling, and knowledge. Applying the foundational truths of application security will save you pain.
Secure Design Principles Part 1
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
In this module, we explore secure design principles such as defense in depth, avoid security by obscurity, keep security simple, and usable security. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Secure Design Principles Part 2
Yellow Belt | 11 minutes | Season 1 | Lessons with Experiments
In this module, we explore secure design principles such as minimizing the attack surface, failing securely, least privilege, separation of duties, do not trust services/infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Input Validation
Yellow Belt | 16 minutes | Season 1 | Lessons with Experiments
This module explores input validation, which is checking data sent to your application before putting it to use. We explore the different types of input validation, how to determine if input validation is implemented correctly, and the implementation steps for correct input validation. Input validation protects what comes into your application, and attackers will send bad data inbound to see what happens.
Output Encoding
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
This module explores output encoding, which is translating special characters into some equivalent form that is no longer dangerous in the target interpreter. We examine encoding, escaping, and contextual output encoding, various language approaches to encoding, and review examples. Output encoding protects what comes out of the application, and sometimes input. Improper encoding or escaping allows an attacker to change the commands that are sent to another component, inserting malicious commands instead. Encoding is a safety issue. The safety of the users of your application is at stake.
Authentication Theory
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
In this module, we define authentication as it relates to proving identity and multiple factors. We will uncover how authentication works and the issues for consideration. Authentication is an essential security feature of all applications. If authentication is flawed, the door into your application is open.
Authorization Theory
Yellow Belt | 12 minutes | Season 1 | Lessons with Experiments
This module explains why permissions must be checked, privileges must be limited, and access control is mandatory to prevent unauthorized access. We uncover how authorization works and the issues for consideration. Authorization is an essential security feature of all applications. If access control is flawed, users may access any information they want within your application.
Logging and Exception Handling
Yellow Belt | 18 minutes | Season 1 | Lessons with Experiments
This module examines how audit records track both legitimate user and attacker activity. We explore the threats and weaknesses of logging, events to log, data to exclude from logs, and design principles to improve logging. Without proper logging, it is impossible to investigate an application compromise or data breach. Without stable exception handling, applications behave in unknown and unspecified ways.
Cryptography
Yellow Belt | 18 minutes | Season 1 | Lessons with Experiments
In this module, we explore the basic building blocks of cryptography: encryption, decryption, keys, and algorithms. A small mistake in configuration or coding will remove the protection and render a crypto implementation useless. Your application must use cryptography well to protect data in transit and at rest.
Risk Management for AppSec
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
In this module, we explain the principles of risk management and how they apply to your world. Software contains risk, and risk management principles help with risk reduction. Technical people must understand the risk.
The Hacker Mindset
Yellow Belt | 10 minutes | Season 1 | Lessons with Experiments
In this module, we examine how hackers think differently; learn how their brains work. The term "hacker" is thrown around in the media with reckless abandon and is synonymous with cyber-criminal. The hacker mindset is adaptable and applicable to anyone, with no life of crime required.
OWASP Top 10: Part 1
Yellow Belt | 12 minutes | Season 1 | Lessons with Experiments
In this module, we review Injection, Broken Authentication, and Sensitive Data Exposure. We examine a description of each item, the risk to products and applications, applicable languages, and how to mitigate each risk. The OWASP Top 10 is the most popular application security document and contains the definitive industry list of security risks.
OWASP Top 10: Part 2
Yellow Belt | 11 minutes | Season 1 | Lessons with Experiments
In this module, we review XML External Entity, Broken Access Control, Security Misconfiguration, and Cross-Site Scripting. We examine a description of each item, the risk to products and applications, applicable languages, and how to mitigate each risk. The OWASP Top 10 is the most popular application security document and contains the definitive industry list of security risks.
OWASP Top 10: Part 3
Yellow Belt | 10 minutes | Season 1 | Lessons with Experiments
In this module, we review Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging & Monitoring. We examine a description of each item, the risk to products and applications, applicable languages, and how to mitigate each risk. The OWASP Top 10 is the most popular application security document and contains the definitive industry list of security risks.
Buffer Overflows and Remote Code Execution
Yellow Belt | 11 minutes | Season 1 | Lessons with Experiments
In this module, we define overflows as what happens when too much data is placed into a data structure and data transforms into code. We explain how a buffer overflow works, differentiate between stack-based, heap-based, and integer overflows, and devise a plan to mitigate buffer overflows in your applications. A buffer overflow results in an attacker controlling the flow of a program on your computer. With control flow comes the ability to drop to a shell.
Denial of Service
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
This module reviews denial of service, an attack against the availability of a product or system. We examine denial of service-based threats, differentiate between the different flavors of denial of service, and realize how denial of service attacks are mitigated. We also explore real-life examples. Denial of service takes your product or application offline and renders it unusable by your customers.
XSS, Part One
Yellow Belt | 8 minutes | Season 1 | Lessons with Experiments
This module reviews XSS ("Cross Site Scripting"), attacker-controlled JavaScript executing in a user's browser. We explore stored or persistent XSS and devise a plan to mitigate XSS in your applications. We also review real-life XSS examples.
XSS, Part Two
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
This module reviews XSS ("Cross Site Scripting"), attacker-controlled JavaScript executing in a user's browser. We explore reflected and DOM-based XSS and devise a plan to mitigate XSS in your applications. We also review real-life XSS examples.
Injection: SQL and Command
Yellow Belt | 11 minutes | Season 1 | Lessons with Experiments
This module reviews injection, an attack that allows an attacker to execute commands within your application or product, outside of your control. SQL and command injection attacks insert structured commands from an attacker directly inside an application. We review the critical types of injection attacks and devise a plan to mitigate injection in your applications.
Cross-Site Request Forgery
Yellow Belt | 9 minutes | Season 1 | Lessons with Experiments
This module examines CSRF, an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. A successful CSRF attack can force the user to transfer funds, change their email address, and so forth. If the victim is an admin, CSRF can compromise the entire web application. We review examples and how to mitigate this type of attack.
Insecure Communications
Yellow Belt | 9 minutes | Season 1 | Lessons with Experiments
This module examines how insecure communications could result in the COMPLETE disclosure of all your customer data. We explore how to determine if a conversation is adequately authenticated and encrypted. We also review best practices for securing network communications.
Social Engineering
Yellow Belt | 15 minutes | Season 1 | Lessons with Experiments
This module explores attacks against the human element. We examine the influence of the human factor in tech-based attacks, the tactics that social engineers utilize, a general social engineering process, and various social engineering scenarios that technical people might deal with. Social engineering attacks target engineers and professional people every day.
AppSec in an Agile World, Part One
Yellow Belt | 16 minutes | Season 1 | Lessons with Experiments
This module outlines how to incorporate application security into the Agile development methodology. We differentiate between the security activities of a standard sprint and a security sprint. Agile is the way of the future for software development, and building security in is the only avenue for true security success.
AppSec in an Agile World, Part Two
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
This module outlines how to incorporate application security into the Agile development methodology. We differentiate between the security activities of a standard sprint and a security sprint. Agile is the way of the future for software development, and building security in is the only avenue for true security success.
AppSec in a DevOps World
Yellow Belt | 16 minutes | Season 1 | Lessons with Experiments
This module examines how to integrate application security into a DevOps pipeline. We review the DevOps methodology and all things continuous, the security activities to go fast, and the security activities specific to the DevOps methodology. DevOps is changing the velocity of software delivery and must have security built in.
Security Behaviors for DevOps
Yellow Belt | 16 minutes | Season 1 | Lessons with Experiments
This module examines the seven security behaviors that drive security into DevOps. DevOps is changing the velocity of software delivery and must have security built in.
Security Requirements
Yellow Belt | 10 minutes | Season 1 | Lessons with Experiments
This module explains why writing security requirements must be a part of every SDL. We explore how security requirements are used to positively impact a product's or application's development, trusted sources, and how to apply and work with specific, basic security requirements. Implementation of security requirements forms the foundation of your product or application's security posture.
Threat Modeling Basics
Yellow Belt | 11 minutes | Season 1 | Lessons with Experiments
This module explains the importance of threat modeling, the purpose and advantages of threat modeling, and how threat modeling can be implemented. Threat modeling is basic application security hygiene, just like brushing your teeth. Do it early and often.
Threat Modeling Process
Yellow Belt | 17 minutes | Season 1 | Lessons with Experiments
This module examines the process of performing threat modeling and the application of the threat modeling process. Threat modeling results in fewer security bugs to fix up to and after release, reduces possible avenues of attack (which customers like), and drives the focus of security testing.
Threat Modeling Examples
Yellow Belt | 12 minutes | Season 1 | Lessons with Experiments
In this module, we review why engineers and testers need threat modeling, analyze example threat models, and watch as experts perform threat modeling using examples.
Static Application Security Testing (SAST)
Yellow Belt | 12 minutes | Season 1 | Lessons with Experiments
In this module, we review tools and processes for discovering vulnerabilities in source code. We explore the uses of a SAST tool, the SAST tool workflow for a developer, and survey the available SAST offerings. SAST is a spell checker for security problems. You may have these tools, but not understand how they work or what they do.
Dynamic Application Security Testing (DAST)
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
In this module, we review tools and processes for discovering vulnerabilities in runtime web applications. DAST is a run-time checker for security problems. Fuzzers find implementation flaws you have not considered. Explore the uses of DAST tools, the DAST tool workflow for a developer, and the available DAST/Fuzz offerings. You may have these tools, but not understand how they work or what they do.
Next Generation AppSec Tools
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
In this module, we discuss how IAST/RASP/SCA/CWPP are set to replace SAST/DAST/WAF over time. We review Interactive Application Security Testing (IAST), Runtime Application Self Protection (RASP), Software Composition Analysis (SCA), and Cloud Workload Protection Platform (CWPP). We also discuss the uses of these new tools and survey the available tool offerings.
Vulnerability Scanning
Yellow Belt | 17 minutes | Season 1 | Lessons with Experiments
In this module, we discuss tools and processes for discovering vulnerabilities in system-level components and operating systems. Vulnerability scanning identifies issues in the infrastructure beneath your application or product. You'll receive the output from vulnerability scans and need to make changes to fix what they find. We explain how a vulnerability scanner works, the uses of a vulnerability scanning tool, the vulnerability tool workflow for a developer, and survey the available vulnerability scanning offerings.
Penetration Testing and Bug Bounty
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
In this module, we explore penetration testing (attacking applications and products using human expertise) and bug bounty (a marketplace for the use of penetration testing skills). We examine the benefits of pen testing and bug bounty, the process for pen testing and bug bounty, and survey available pen testing and bug bounty offerings.
Secure Code Review Part 1
Yellow Belt | 10 minutes | Season 1 | Lessons with Experiments
In this module, we explain the process and checklists for performing security code review. We examine how to do code review for input validation, server-side validation, output encoding, and default/hardcoded credentials. Secure code review discovers potential vulnerabilities that manifest in code and design and mitigates those issues by modifying the code.
Secure Code Review Part 2
Yellow Belt | 17 minutes | Season 1 | Lessons with Experiments
The process and checklists for performing security code review. Examine how to do code review for parameterized SQL queries, user management/authentication, session management, authorization, cryptography, logging/error handling, and security configuration. Secure code review discovers potential vulnerabilities that manifest in code and design and mitigates those issues by modifying the code.
LINDDUN Privacy Threat Modeling
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
In this module, we explain the difference between contextual and transactional data, the growing value of privacy threat modeling, and the essential elements of the LINDDUN methodology.
LINDDUN Privacy Threat Modeling Process
Yellow Belt | 15 minutes | Season 1 | Lessons with Experiments
In this module, we dive into the steps of applying LINDDUN by demonstrating how to create DFD diagrams, apply threat trees to DFD elements, prioritize threats, and plan mitigations.
LINDDUN Threat Mitigations
Yellow Belt | 13 minutes | Season 1 | Lessons with Experiments
In this module, we reveal the high-level goals of privacy threat mitigation, the four interrogative questions to apply to stored data, basic mitigation strategies, and privacy-enhancing technologies.
CWE Top 25 Part 1
Yellow Belt | 15 minutes | Season 1 | Lessons with Experiments
In this module, we review the CWE Top 25, a list of the 25 most dangerous software security weaknesses. We examine Cross-Site Scripting, Out-Of-Bounds Write and Read, Improper Restrictions of Operations within Memory Buffers, Improper Input Validation, and SQL Injection. We go over the consequences and mitigations of each of these weaknesses, as well as some common mitigations that can be used with most weaknesses.
CWE Top 25 Part 2
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
In this module, we review the CWE Top 25, a list of the 25 most dangerous software security weaknesses. We examine Information Exposure, Use After Free, Cross-Site Request Forgery, OS Command Injection, Integer Overflow or Wraparound, and Path Traversal. We go over the consequences and mitigations of each of these weaknesses.
CWE Top 25 Part 3
Yellow Belt | 14 minutes | Season 1 | Lessons with Experiments
In this module, we review the CWE Top 25, a list of the 25 most dangerous software security weaknesses. We examine NULL Pointer Dereference, Improper Authentication, Unrestricted Upload of File with Dangerous Type, Incorrect Permission Assignment for Critical Resource, Code Injection, and Insufficiently Protected Credentials. We go over the consequences and mitigations of each of these weaknesses.
CWE Top 25 Part 4
Yellow Belt | 16 minutes | Season 1 | Lessons with Experiments
In this module, we review the CWE Top 25, a list of the 25 most dangerous software security weaknesses. We examine Improper Restriction of XML External Entity Reference, Use of Hard-coded Credentials, Deserialization of Untrusted Data, Improper Privilege Management, Uncontrolled Resource Consumption, Missing Authentication for Critical Function, and Missing Authentication. We go over the consequences and mitigations of each of these weaknesses.
Server-Side Request Forgery
Yellow Belt | 15 minutes | Season 1 | Lessons with Experiments
In this module, we define Server-Side Request Forgery, describe the different kinds of Server-Side Request Forgery attacks, and explain mitigations to prevent SSRF attacks.
Intro to Secure Development
The definition of secure development and its pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
Intro to Secure Coding
The need for secure coding, what secure coding standards are and how a developer uses them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Secure Coding Best Practices: Part 1
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Secure Coding Best Practices: Part 2
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
Language Typing
In this module, we explain how a language's type system is categorized and what the main categories are. We discuss the difference between static and dynamic languages as well as weakly and strongly typed languages.
Securing the Development Environment
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real, and following simple tips to secure your development environment can significantly reduce your exposure.
Protecting your Code Repository
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials, and separating secrets from the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
Producing a Clean, Maintainable, & Secure Code Culture
The sources of complexity in software that lead to security vulnerabilities and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Secure the Release
The potential security threats impacting your release and deployment process, and ways to improve the security of your release and deployment process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
Designing a Secure App or Product
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
Thinking Like A Penetration Tester
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
Secure Design Principles in Action: Part 1
The economy of mechanism, secure the weakest link, establish trust boundaries, defense in depth, don't reinvent the wheel, usable security, and default deny. Secure design principles require action to achieve "secure by design."
Secure Design Principles in Action: Part 2
In this module, we explore secure design principles such as minimizing the attack surface, fail securely, least privilege, separation of duties, do not trust services/infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Syntactic & Semantic Input Validation
Green Belt
C#/.NET
12
minutes
Season 1
Lessons with Experiments
Input validation focuses on preventing improperly formed data from entering the system. Input validation is one of the defenses against the injection class of attacks. Syntactic and semantic input validation explores the basic types of input validation and how to perform them in the .NET context. Review the three primary rules of input validation and code examples for performing syntactic and semantic input validation. A review of whitelisting with a code example is also covered.
Input Validation with Range Checks, Regex, & Enums
Green Belt
C#/.NET
12
minutes
Season 1
Lessons with Experiments
Input validation is a multi-faceted toolbox, and this module adds intermediate-level input validation techniques for .NET, including range checks to evaluate minimum and maximum values for numbers and dates, use of regular expressions as input validation techniques, validation of e-mail addresses, and using enums to validate all types of data.
Web Input Validation: MVC
Green Belt
C#/.NET
11
minutes
Season 1
Lessons with Experiments
Model-based validation is the first line of defense against malicious web input. Learn how to implement web input validation performed in a Model-View-Controller or MVC context for ASP.NET Core MVC and API. Explore the difference between client and server-side input validation and realize the depth of different web technologies that exist within .NET.
Web Input Validation: MVC client-side
Green Belt
C#/.NET
8
minutes
Season 1
Lessons with Experiments
Input validation is available on both the server and client side. Learn how to implement web input validation for MVC client-side using input and validation tag helpers and HTML helpers.
Web Input Validation: Webforms and Webpages
Green Belt
C#/.NET
9
minutes
Season 1
Lessons with Experiments
While Web Forms and Pages are not the latest and greatest, they still require the same level of input validation as any new code. Developers work with new applications but must also support the maintenance of existing applications. Input validation is essential in new and existing apps. Learn input validation strategies for ASP.NET Web Forms and Web Pages and how to validate input for ASP.NET Web Pages 2 and 3 and ASP.NET Web Forms.
Parameterization with SQL
Green Belt
C#/.NET
11
minutes
Season 1
Lessons with Experiments
SQL is foundational within web applications, and improperly validating input to SQL results in a data breach. SQL injection can have a devastating impact on a web application. Recognize the flaw in using string concatenation to build SQL queries and learn the secure approach to executing SQL queries using parameterized queries.
Securely Working with SQL
Green Belt
C#/.NET
17
minutes
Season 1
Lessons with Experiments
Secure SQL is more than just parameterized queries. SQL injection can sneak in through stored procedures, LINQ, and Entity Framework. Excessive privilege on SQL Server can provide an attacker unbridled access if they exploit an underlying vulnerability. Error information from your application can assist an attacker in fine-tuning an attack. Learn how to mitigate all of these issues.
Safely Working with XML
Green Belt
C#/.NET
13
minutes
Season 1
Lessons with Experiments
Insecure use of XML can result in an XML External Entity (XXE) attack, which may lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning from the parser’s machine. Explore how to create and parse XML using safe methods and learn to construct XXE-free XML.
Avoiding Insecure Serialization & Deserialization
Green Belt
C#/.NET
17
minutes
Season 1
Lessons with Experiments
.NET has many ways of serializing and deserializing data. Deserializing untrusted data with an insecure deserializer can lead to remote code execution and complete system compromise. Serializing types without proper attributes can expose sensitive data. Describe the risk of exposing sensitive data via serialization and explore unsafe and safe methods for serialization with .NET. Investigate risky and secure ways for deserialization with JSON.NET and BinaryFormatter with a custom SerializationBinder and review tips for preventing serialization/deserialization vulnerabilities.
Encode Output
Green Belt
C#/.NET
17
minutes
Season 1
Lessons with Experiments
Encoding and escaping are defensive techniques meant to stop an injection or cross-site scripting attack. Review the concept of cross-site scripting (XSS), consider why XSS is such a big problem, and explore the different methods to defend against XSS in ASP.NET, including the AntiXssEncoder. Learn how to spot XSS and fix the associated problem in your code.
Authentication: Basic and Windows
Green Belt
C#/.NET
12
minutes
Season 1
Lessons with Experiments
Basic and Windows authentication are widespread in corporate internal environments and may exist in legacy code. Developers must know how to implement and fix them properly. Explore the steps to perform Basic authentication and Windows Integrated Authentication securely.
Authentication: Forms
Green Belt
C#/.NET
9
minutes
Season 1
Lessons with Experiments
Forms authentication is the modern approach for authentication with web applications. Examine how server-side stateful sessions with client-side IDs and stateless bearer tokens for authentication work. Learn which authentication type is best for specific scenarios and explore examples of how to implement forms-based authentication in C#.
Authentication: Token
Green Belt
C#/.NET
12
minutes
Season 1
Lessons with Experiments
Token authentication is primarily used for API and third-party external provider integration. Learn how to unpack an original token request and response, and how a token gets used from the endpoint to the server side. Explore code examples of token-based authentication in action.
Authentication: JWT
Green Belt
C#/.NET
7
minutes
Season 1
Lessons with Experiments
JSON Web Tokens are an alternative for authentication. Understand how JSON Web Token (JWT) based authentication works and weigh the pros and cons to determine if JWT is right for your application. Explore examples of how to implement JWT securely.
Authentication: External authentication
Green Belt
C#/.NET
9
minutes
Season 1
Lessons with Experiments
External authentication protocols provide single sign-on (SSO) capabilities, allowing users to have a single username and password that gives access to multiple web applications. Learn the different types of external authentication, including OAuth, OpenID Connect, and WS-Fed. Explore library-based solutions to implement external authentication and code examples of how to use OAuth, OpenID Connect, and WS-Fed with ASP.NET.
Authentication: .NET Core Identity
Green Belt
C#/.NET
10
minutes
Season 1
Lessons with Experiments
.NET Core Identity provides many robust security features for authentication directly in the framework. Explore general guidance for authentication in a .NET Core Identity context. Consider how to implement different authentication-related security features such as enforcing strong passwords, email confirmation, and account lockout.
CSRF & Open Redirects
Green Belt
C#/.NET
16
minutes
Season 1
Lessons with Experiments
CSRF results in any allowed logged-in user action being performed without the user’s knowledge or consent (e.g., transfer of funds, change of account password, purchase and shipment of merchandise). An open redirect results in a user being forwarded to an attacker’s site even though the link they clicked on appeared to go to a legitimate site; the attacker spoofs the official website and tricks the user into believing that they are still working with or interacting with the official site. Walk through an example of CSRF and open redirect and explore the .NET Framework-specific solutions to address CSRF and open redirect.
Authorization: Simple, Role-Based, & View-Based
Green Belt
C#/.NET
16
minutes
Season 1
Lessons with Experiments
Authorization enforces access control within your application, both for users and administrators. .NET has multiple solutions for access control. Compare simple, role-based, and view-based authorization. Explore code examples of implementing the various authorization types.
Authorization: Claims & Policy
Green Belt
C#/.NET
13
minutes
Season 1
Lessons with Experiments
Authorization enforces access control within your application, both for users and administrators. Understand how claims and policy authorization work and explore the steps to implement claims and policy authorization.
Authorization: Legacy
Green Belt
C#/.NET
16
minutes
Season 1
Lessons with Experiments
.NET has older styles of performing authorization. While you would not want to use these as a starting point, developers may have to fix bugs in legacy applications that use IIS URL Authz, ASP.NET Authz, Web Forms role-based, or WCF authorization. If a developer finds an implementation with permission challenges or bugs, they will be prepared to fix the issues.
Sessions and Cookies
Green Belt
C#/.NET
18
minutes
Season 1
Lessons with Experiments
Sessions and cookies track the results of the previous authentication and improve user experience. Explore session and cookie basics and warnings. Review the session state implementation in ASP.NET (Core) and the importance of data protection for the session cache. Learn how to implement sessions and cookies for models and Razor pages and consider all the available cookie options and their most secure settings.