Introduction to AppSec training by Kodez

Build Secure Software

Empower your development teams to create secure solutions with comprehensive,
technology-agnostic AppSec Training based on real world issues and incidents

This course is designed to assist development teams create secure and robust applications by offering comprehensive AppSec training throughout the entire development lifecycle, spanning from the early stages of feature and architecture design to build and deployment.

What will attendees learn?

Understand how attackers think and exploit solutions

Discuss real world examples of security issues

How to review code for security issues

Emerging Security Issues

Introduction Threat Modelling techniques

Learn and see in action tools attackers use

Tools to assist finding and preventing issues

Learn identity and JWT best practices

About the course

In this technology-agnostic course, participants will gain invaluable insights into the various attacks and strategies employed by adversaries, equipping them with the knowledge and skills necessary to effectively defend against these threats.

The course incorporates real-world issues observed either first hand by Kodez and our security partners or recent public incidents. By discussing and focusing on real-world scenarios, participants are provided with practical insights and up-to-date knowledge that directly address current security challenges relevant to their organisation.

By the end of the course attendees will

• Understand how to prevent and mitigate the main categories of web-based security issues
• Contribute to prioritization discussions by being able to assess a security issues risk and impact
• Explain security issues and their risk to non-technical colleagues
• Review code for common security issues and understand automated tooling options available to assist with this
• Use threat-modelling techniques (STRIDE) to help identify issues in solution designs
• Secure build and deployment pipelines
• Avoid common OAuth/OpenID/token implementation mistakes
• Know where to find further security related information and learning options to further develop skills
• Contribute to a secure culture in your organisation

"The Kodez security training sessions have been great. The content has been relevant, relatable and presented in flexible format that promotes discussion among the team. I’ve enjoyed the engaging approach to the modules and the ability to focus on the most applicable security concerns for our use cases"

Technical Specialist and Platform Lead

"Relatable, constructive and eye opening content - The program took us through system vulnerabilities from the eye of the attacker, which helped us get our hacker hats on before reviewing our own systems with our new knowledge of app sec. Great program!"

Software Engineer 

Your coaches

Alex Mackey, OSCP, OWSE

Experienced technologist, author and speaker with over 22 years commercial experience working with a range of industries and organizations of various sizes.

Held range of roles including Practice Lead, Principal Consultant, Staff Engineer and Technical Lead. Previously Staff Engineer (AppSec), Holds Offensive Security OSCP (Offensive Security Certified Professional), OSWE (Offensive Security Web Expert) and found CVE-2022-40407.

Regular conference and user group speaker (NDC, Web Directions, Remix) and previously developed and published contents for Apress, PluralSight, ACloudGuru. Led development of AppSec training program.

Through his comprehensive and engaging training sessions Alex ensures that participants gain a deep understanding of the latest security vulnerabilities and current best practices enabling them to build secure and resilient solutions.    

Tharindu Edirisinghe, CISSP

A Certified Information Systems Security Professional (CISSP) with 10+ years of experience in Enterprise Software Development, Digital Transformation, IAM and GRC. Specialized in IT Risk Management, Secure Software Engineering, Cloud Security and DevSecOps, Tharindu is also an ambassador for Auth0, an OWASP member and an open-source contributor to OWASP Java Encoder, SAMLRaider and WSO2 Identity Server.

Co-Founder of the Colombo White Hat Security Meetup, active member in the cybersecurity community and a speaker at Melbourne APIs & Microservices Meetup and Melbourne Identity & Security Meetup.

Through engaging and informative training sessions, Tharindu supports organizations adopt latest security frameworks, industry best practices for continuous security compliance and build a security culture to effectively navigate the complex landscape of cybersecurity, implementing robust security measures, and safeguarding critical assets.

Course contents

Foundational Concepts

• Phased Attack Models
• How attackers discover information (reconnaissance)
• Port scanning with Nmap
• Security Issues/CVE's and CVSS rating system
• Shells: Web, Bind and Reverse Shells
• Fictional end-to-end attack example
• Privilege Escalation and Lateral Movement
• Important concepts: Encoding, Hashing, Symmetric and Asymmetric Encryption

Account Based Attacks and Defences

• Identity, Authentication and Authorization
• Types of password attacks
• Importance of Two Factor Authentication (2FA)
• How 2FA is attacked
• Defending against password attacks

Common Security Issues

• Broken Access Control
• Business Logic Failures
• LFI/RFI (Local/Remote file inclusion), XXE (XML External Entity Injection), ZipSlip and Path Transversal
• Cryptographic Failures
• Injection - XSS, SQLi, Command, Prompt
• Deserialization attacks
• Dangling Domains
• Emerging Issues - SSRF, Prototype Pollution

Secure Build and Deployment Pipelines

• What is DevSecOps?
• Security Chaos Engineering
• Organization Culture
• Automated Tooling
• Common Mistakes
• Reviewing Code for security issues
• OWASP Top 10 CI
• Build and Deployment Pipelines

Introduction to Threat Modelling

• What is Threat Modelling?
• Four main phases of Threat Modelling
• STRIDE Methodology
• Step-by-step Threat-Modelling Example

OAuth and Tokens

• What is OAuth and why do we need it?
• OAuth Flows (Implicit, Authorization + PKCE, Client Credentials Flow, Resource Owner)
• JWT’s, JWT structure and validation
• Common OAuth and JWT implementation mistakes

Like to learn more ?


How Long is the training?

We recommend modules are run as 3x 4hr sessions (with breaks) to minimize disruption and maximize learning.

Can the modules be run in any order?

We have a recommended order however most modules can be run standalone. We recommend the foundation module is run first as this introduces concepts that may be new for some attendees.

Who should attend?

Aimed at development teams - developers, tech leads, QA's and architects from companies of all sizes and industries.  Introduction to Threat-Modelling module is particularly relevant to Product and Design folks and we encourage their attendance.  

What prior knowledge is needed?

No prior knowledge of security is assumed but basic software development skills will be required.

What requirements are there for the training?

No setup is needed. Currently content takes a slide based and discussion format with reference to an open source and deliberately vulnerable application.

What takeaways are available?

Attendees will receive PDFs of slides and code examples are available on GitHub.

Who we’re proud to partner with

Sound Interesting?

PeopleStreme Logo
PeopleStreme Logo