Course Outline
Module 1: Introduction to Software Security in the Software Development Life Cycle (Secure SDLC)
• Principles of Secure SDLC
• Relationship with ISO 27001 and PCI DSS (Req. 6)
• Roles and responsibilities in security management
• Security from design to production
Module 2: Software Security by Function and Languages
• Specific risks in financial environments
• Common vulnerabilities in Java/Spring Boot
• Security risks in PL/SQL and databases
• Designing secure software
  • Layer separation
  • Dependency control
  • Principle of least privilege
• Secure coding techniques
  • Input validation
  • Secure error and exception handling
  • Proper use of encryption
Module 3: The 3 A's – Authentication, Authorization, and Approval
• Concepts and differences
• Secure implementation in transactional environments
• Use of mTLS
• OAuth2, JWT, JWE, and JWS
• Pros and cons of each approach in financial ecosystems
Module 4: Cryptography and Key Management
• Basic principles of applied cryptography
• Encryption standards
  • AES (GCM vs CBC)
• Secure key management
  • Rotation
  • Storage
  • Protection at rest and in transit
• Common errors and how to avoid them
Module 5: OWASP Top 10 and OWASP API Security Top 10
• Introduction to the expanded OWASP approach
• Injection:
  • SQL
  • LDAP
  • XPath
• XSS and CSRF
• Broken access control
• Broken authentication
• Specific risks in APIs:
  • BOLA
  • Excessive data exposure
  • SSRF
• Applied examples to APIs and microservices
Module 6: Security Incident Management
• Basic incident response cycle
  • Detection
  • Containment
  • Recovery
  • Reporting
• Use of logs and traceability
• Monitoring in APIs and microservices
• Lessons learned and continuous improvement
Module 7: PCI DSS and ISO 27001 Compliance from Development
• Impact of secure development on certifications
• Required evidence:
  • Security testing
  • Vulnerability analysis
  • Change control
• Relationship between development, audits, and compliance
Module 8: Security Testing Tools
• Introduction to:
  • SAST
  • DAST
  • SCA
• Use of tools:
  • OWASP ZAP
  • SonarQube
  • OWASP Dependency-Check
• Integration of security in CI/CD pipelines
• Best practices for production environments
Requirements
• Basic knowledge of software development
• Previous experience in at least one of the following: Java, PL/SQL, APIs, or transactional systems
• Advanced security knowledge is not required
Target Audience
• Software developers
• Software architects
• Integration and API engineers
• Development teams in financial environments
• Technical personnel involved in Secure SDLC and regulatory compliance
Testimonials (2)
I really enjoyed learning about AI attacks and the tools out there to begin practicing and actively using for security testing. I took a lot of knowledge away which I didn't have at the beginning, and the course met what I hoped it would be. My favorite part shown from the training was Comet Browser, and I was amazed at what it could do. Definitely something I will be looking into more. Overall it was a great course and I enjoyed learning all of the OWASP GenAI Top 10.
Patrick Collins - Optum
Course - OWASP GenAI Security
That every technical lesson came with multiple practical exercises to nail down the concepts.