Foundations of Application Security with Cole Cornford

• What is Application Security
• Why do we need Application Security
• How Application Security has evolved
• Transition from Dev to DevOps to DevSecOps
• AIM: Reducing workload pressure and friction
• AIM: Delivering at speed
• AIM: Delivering for scale
• Current industry trends and observations
• Current and future challenges
• Successful Application Security Case Studies

Theory

• Injection Vulnerabilities
• Types of Injection Vectors
• Handling Files Safely
• Authentication and Authorisation Vulnerabilities
• Types of Authentication and Authorisation Vectors
• Introduction to OAuth and OIDC
• Overview of SSO and IDP’s
• Multi-Factor Authentication
• Misconfiguration Vulnerabilities
• Types of Misconfiguration Vectors
• Secrets Management and Cryptographic Configuration
• Security Headers and Frameworks

Practical Exercises

• Identifying Injection Vulnerabilities in Birdhouse
• Identifying Misconfiguration Vulnerabilities in Birdhouse
• Identifying Authentication and Authorisation Vulnerabilities in Birdhouse
• Remediation of Injection Vulnerabilities in Birdhouse
• Remediation of Misconfiguration Vulnerabilities in Birdhouse
• Remediation of Authentication and Authorisation Vulnerabilities in Birdhouse

Theory

• Static Application Security Testing (SAST)
• Software Composition Analysis (SCA)
• Software Bill of Materials (SBOM)
• Secrets Scanning
• DAST, IAST, and IaC Testing for comprehensive security analysis
• Penetration Testing
• Bug Bounty Programs
• AI-enhanced AST (AI-AST)

Practical Exercises

• SAST, SCA, and Secrets Scanning for Software Engineers
• Implementation in DevOps Pipelines
• Performing Assurance with SAST, SCA, and Secrets Scanning

• Principle of Least Privilege
• Attack Surface Reduction
• Blast Radius Reduction
• Zero Trust / Trust Boundaries
• Environment Parity
• Redundancy and Fault Tolerance
• Software Reproducibility
• Supply Chain Management
• Observability and Monitoring

• What is Threat Modeling
• Why do we perform Threat Modeling
• The Four Questions Framework
• The STRIDE Framework
• The Attack Trees Framework
• Making threat modeling scalable and repeatable
• Common anti-patterns in threat modeling
• Using AI to improve threat modelling adoption or contextualisation

Practical Exercises

• Four Questions Threat Model
• STRIDE Threat Model

• Why do we train software engineers in security?
• Choosing effective delivery modes: In-person / remote / hybrid
• Running a Security Champions program
• The role and accountabilities of a security champion
• Incentives for improving security
• Collaboration between InfoSec and Developers
• Training the trainers
• Using metrics to demonstrate the value of the program
• Common anti-patterns and mistakes

• Large Telecommunication Firm
• Federal Government Agency
• SAAS Technology Firm
• Financial Services Institution
• Startup Business

Yes. Secure coding principles map to OWASP Top 10 as well as OWASP ASVS. The AppSec Governance content maps to OWASP SAMM. OpenSSF’s SLSA and VEX / CVSS / KEV are referenced throughout the course as well.

Yes. The course has a mix of practical technical activities performed on your personal devices such as reviewing source code for issues as well as running application security tools. These are balanced with group activities for threat modelling and classroom discussions and debates around provided case studies.

Public courses do not offer remote attendance. Private courses can cater for some remote attendance but are designed for in-person cohorts. Remote participants may have a degraded experience for group activities, discussions, and practical exercises.

A public course must have at least six enrolments to run. If your location does not get the minimum number of enrolments we can offer to transfer your enrolment to a different city, or provide you with a refund.

Yes. We cap the attendance at twenty (20) students. Further enrolments will degrade the experience as our instructors will not be able to give enough attention to each student and classroom activities do not scale well beyond this amount.

Contact us at course@galahcyber.com.au. If a cohort of at least six enrolled students is available in your location, we can arrange for an instructor to run the course from that location at a later date. Alternatively, you may attend courses at other locations.

Yes. Contact us at course@galahcyber.com.au with any questions that you may have about the course. We can introduce prior students or managers to discuss their experiences with you.

Yes. The certification will be made available in January 2026 and will cover broad technical and non-technical application security concepts, largely covered in the course.

Yes. The course will require students to review a custom-built software application through static and dynamic techniques, as well as run application security products. Students who are unable to bring a device may find the first day highly theoretical or may need to share with another student to learn.

Devices should be able to run docker, python, shell/cmd, view pdf files, and view source code in an IDE.

No. This course assumes that students only have access to free or open-source appsec products. Many students do not have the budget or exposure to enterprise appsec tooling, and we believe good appsec practices can be implemented independently of product choices. While we cover a variety of product categories, we aim to remain agnostic towards or against any specific product or business.

No. Each company has a unique technology stack. Because of this, we aim to teach principles and practices that can be applied agnostically. Our custom-built software application is written in Typescript with Express + NodeJS as the backend. React is the frontend language. We use Docker for distribution. C# and Laravel versions of this have been requested previously. With enough interest we can port to these technologies in the future.

Yes. If you cannot attend the course, we are happy to give you a placement at a different location or subsequent running of the course in the second semester. We offer refunds in full up until four weeks before the course running date as at that time we would have paid for venue, travel, and delivery expenses.

Yes, but generally for private course offerings. Private courses that are run at customer premises, or that are in excess of 20 students will have discounting applied. Contact us at course@galahcyber.com.au to discuss your options.

Over two days, we give you broad exposure across most application security disciplines. This way you can see what areas interest you most, build additional capability, and make yourself attractive to hiring managers without being limited to niche skills.

All graduates get access to our Galah community, with ongoing discussions about application security, plus early access to blogs, videos, and other content from Cole Cornford. It’s a space to keep building on what you’ve learned.

Yes. Our training aid Birdhouse is available for you to take home and keep learning with. You’ll also get access to the course slides after the training.

This course is taught in person by Cole Cornford, founder of Galah Cyber and one of Australia’s leading software security specialists. With 11 years of experience delivering AppSec services and programs for global customers, Cole makes the content practical, engaging, and fun. You’ll also have the chance to ask questions and get real context, which is something you don’t get from cheaper, generic courses.

You’ll have access to the course slides and Birdhouse after the training, so you can continue to learn and revisit the material in your own time.