In this intensive two-day hands-on training, participants will master the fundamentals and advanced techniques of secure application development and API hardening.

Using a “Bad, Better, Best” methodology, students will analyze vulnerable code, iteratively improve it, and implement robust security controls. The course blends secure coding, API security, secure design concepts, threat modeling, and a tiny bit of incident response to provide a comprehensive foundation for building and maintaining secure software systems. Key tools include VS Code, GitHub, OWASP DevSlop Pixi, Semgrep Community, and 42Crunch IDE plugins.

Who Should Take this Class:

Application Developers
Backend and Frontend Engineers
API Developers
DevSecOps and Security Engineers
Software Architects

Audience Skill Level:

Beginner to Intermediate. Basic coding experience is expected. Some familiarity with web technologies, APIs, and development tools (e.g., Git, VS Code) is helpful but not mandatory.

Syllabus

Day 1: Secure Coding & Design Foundations

Welcome
Secure Coding Fundamentals with “Bad, Better, Best”
Break
Advanced Secure Coding Practices
Lunch Break
Live Threat Modeling Workshop
Break
Secure Design Concepts – Interactive Ideation
Incident Response for Developers

Day 2: Hands-On Secure API Design & Hardening

Recap
API Threats & OWASP API Top 10 (1–5)
Break
Advanced API Threats & OWASP API Top 10 (6–10)
Lunch Break
API Best Practices & Tools Overview
Break
Hands-On API Hardening Workshop
Final Q&A & Course Wrap-Up

FAQs:

Q: Do I need to be a security expert to take this class?
A: No. This course is designed for developers and engineers with some experience in software development, but not necessarily in security.

Q: What languages and frameworks will be used?
A: Primarily JavaScript, Python, and REST APIs (openAPI/swagger), though principles are transferable across languages.

Q: Will we write code or is this lecture-only?
A: We will review code and discuss code constantly. We will fix API vulnerabilities together on day two. We will use the 42Crunch free plugin with VS Code to analyze the security of an API. You can fix the issues with me, or just watch. If you are not comfortable reading or writing code, you can just follow along. Many students choose to follow along, and that is perfectly ok.

Q: Will I get a copy of the course materials?
A: Yes. You will receive the code, cheat sheets, and slide decks during the class.

System Requirements:

Ability to install VS Code extensions
Laptop with administrative privileges
Visual Studio Code installed
Git installed
Internet access for GitHub, Semgrep Community, 42Crunch plugin setup

Student Requirements / Prerequisites:

Ability to read and write basic JavaScript or another programming language
Working knowledge of the system development lifecycle (SDLC)
Laptop with the IDE VS Code (preferred) or Eclipse installed before the class
Free GitHub account
Optional but helpful: basic understanding of HTTP, APIs, and common web vulnerabilities

There are no scheduled live dates for this course at this time.