Stop fixing security after you ship

Build Secure Software That Holds Up In Production

Foundations of Application Security

Two hands-on days exploring live code, real vulnerabilities, and secure delivery workflows.

  • 80% Hands-On
  • Melbourne
  • 16-17 June 2026

Apply Real Application Security Capability

Not Theory. Real Workflows. Real Outcomes.

The outcomes this course delivers:

Gain clear visibility of risk before it reaches production

Build secure coding into your day-to-day development workflow

Apply threat modelling to real design decisions

Reduce recurring vulnerabilities across your codebase

Module 1: Foundations and threat modelling

Spot risk before it becomes rework

  • Understand what Application Security actually looks like in real engineering workflows.
  • Learn how to identify risk early — before it hits production or slows delivery.
  • How AppSec has evolved: Dev → DevOps → DevSecOps.
  • Reducing friction while still delivering at speed and scale.
  • Threat modelling frameworks you’ll actually use:
    • Four Questions Framework
    • STRIDE
    • Attack Trees
  • How to make threat modelling scalable and repeatable.
  • Common anti-patterns in threat modelling.
  • Using AI to improve threat modelling adoption and contextualisation.

Hands-on labs:

  • Build and run your own threat models using real scenarios

Module 2: Secure coding (hands-on)

Write secure code without slowing down

  • Learn how vulnerabilities actually get introduced — and how to avoid them from the start
  • Apply secure coding practices directly into your day-to-day development workflow
  • Injection vulnerabilities and how they actually happen in production
  • Handling files safely in real-world applications
  • Authentication and authorisation vulnerabilities (and how they’re exploited)
  • OAuth, OIDC, SSO, MFA — what matters in practice
  • Misconfigurations, secrets management, and cryptographic configuration
  • Security headers and modern frameworks

Hands-on in Birdhouse:

  • Identify injection vulnerabilities
  • Identify misconfiguration vulnerabilities
  • Identify authentication and authorisation vulnerabilities
  • Remediate vulnerabilities step-by-step in a live environment

Module 3: Application security testing

Test what matters, not just what tools tell you

  • Cut through the noise and learn which security testing actually catches real issues
  • Integrate testing into your workflow without slowing your team down
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA) and SBOM
  • Secrets scanning and dependency risk management
  • DAST, IAST, and IaC testing for broader coverage
  • Penetration testing and bug bounty programs
  • AI-enhanced application security testing (AI-AST)

Hands-on labs:

  • Run SAST, SCA, and secrets scanning
  • Implement testing in DevOps pipelines
  • Perform real assurance workflows as a software engineer

Module 4: Secure by design and scaling AppSec

Design systems that are secure by default

  • Build systems that reduce risk before a single line of code is written
  • Learn how to scale security across your team — not just one engineer
  • Designing systems that reduce risk before code is written
  • Principle of least privilege
  • Attack surface reduction and blast radius control
  • Zero Trust and trust boundaries
  • Environment parity, redundancy, and fault tolerance
  • Software reproducibility and supply chain management
  • Observability and monitoring

Scaling across teams:

  • Building developer security training programs
  • Running a Security Champions program
  • Roles and responsibilities of a security champion
  • Incentives for improving security
  • Collaboration between InfoSec and developers
  • Using metrics to demonstrate program value
  • Common anti-patterns and mistakes

Real-world program design case studies:

  • Large telecommunication firm
  • Federal government agency
  • SaaS technology firm
  • Financial services institution
  • Startup business

“Galah’s application security workshop was practical and engaging. It gave our engineers real clarity on secure coding and how to apply it day-to-day. It lifted our security maturity and improved how we build our products. I’d recommend it to any leader looking to uplift their team’s capability and build security into the way they work.”

Learn From One Of Australia’s Leading Application Security Practitioners

Real systems. Real environments. Real application security.

Trained 1,000+ engineers across Australia

Works hands-on with teams to improve software delivery

Practical, engineering-first approach to application security

Focused on what works in production.

Trusted by telco, SaaS, government, and startup teams

Is this right for you?

This 2-day course is built for engineers who want to apply security in real workflows, not just understand it.

This course is perfect for:

Software engineers shipping production code

Security engineers working alongside dev teams

DevOps and platform engineers owning secure delivery

Engineering leaders improving how teams build software

Anyone who wants to build security into their workflow from the start, not fix it later

Not suited to non-technical or purely executive roles

Individual enrolment

For engineers ready to apply security in real workflows.

Individual: $1,800

Students: $1,600

+ Per person, cost excludes GST

Course inclusions:

12 months access to course materials

Full access to hands-on lab environments

Hands-on labs you can revisit after the course

Catering and networking lunch

Upskill your engineering team

For teams improving how they develop and deliver secure software.

For 3+ students

$1,620 + GST per person

+ Per person, cost excludes GST

Course inclusions:

All of the individual enrolment inclusions +

Unlock a private 2-hour AppSec session with Cole and walk away with:

Clear visibility into where security is breaking down.

Gaps across your workflows and tooling.

Actions your team can apply immediately.

Melbourne

16 - 17 June 2026

Limited Seats Available

Ready To Apply Security In Your Workflow?

FAQs

Who should take Foundations of Application Security?

Developers, DevOps Engineers, Infrastructure Engineers, Software Engineers, Product Security, Application Security, Penetration Testers, Security Consultants, QA Engineers, and technical leadership (Head of X / CTO / CISO / CIO).

Does your course content align with any application security standards?

Yes. Secure coding principles map to OWASP Top 10 as well as OWASP ASVS. The AppSec Governance content maps to OWASP SAMM. OpenSSF’s SLSA and VEX / CVSS / KEV are referenced throughout the course as well.

Are there hands-on activities in the course?

Yes. The course has a mix of practical technical activities performed on your personal devices such as reviewing source code for issues as well as running application security tools. These are balanced with group activities for threat modelling and classroom discussions and debates around provided case studies.

Are remote arrangements available if I cannot make the course in-person?

Public courses do not offer remote attendance. Private courses can cater for some remote attendance but are designed for in-person cohorts. Remote participants may have a degraded experience for group activities, discussions, and practical exercises.

How many students are necessary for a public course to run?

A public course must have at least six enrolments to run. If your location does not get the minimum number of enrolments we can offer to transfer your enrolment to a different city, or provide you with a refund.

Is there a limit on the number of students who can attend a public course?

Yes. We cap the attendance at twenty (20) students. Further enrolments will degrade the experience as our instructors will not be able to give enough attention to each student and classroom activities do not scale well beyond this amount.

My location isn’t listed for public courses, what options do I have?

Contact us at course@galahcyber.com.au. If a cohort of at least six enrolled students is available in your location, we can arrange for an instructor to run the course from that location at a later date. Alternatively, you may attend courses at other locations.

Are there references from prior students / clients I can speak to?

Yes. Contact us at course@galahcyber.com.au with any questions that you may have about the course. We can introduce prior students or managers to discuss their experiences with you.

Do I need to bring a device for this course?

Yes. The course will require students to review a custom-built software application through static and dynamic techniques, as well as run application security products. Students who are unable to bring a device may find the first day highly theoretical or may need to share with another student to learn.

What should I have installed in advance for this course?

Devices should be able to run Docker, Python, and a shell/cmd prompt, view PDF files, and view source code in an IDE.

I use specific DevSecOps products. Can I have the course tailored for those?

No. This course assumes that students only have access to free or open-source AppSec products. Many students do not have the budget or exposure to enterprise AppSec tooling, and we believe good AppSec practices can be implemented independently of product choices. While we cover a variety of product categories, we aim to remain agnostic towards or against any specific product or business.

I use ABC technologies at my company. Can the practical component be done in these technologies?

No. Each company has a unique technology stack. Because of this, we aim to teach principles and practices that can be applied agnostically. Our custom-built software application is written in TypeScript with Express + Node.js as the backend and React for the frontend. We use Docker for distribution. C# and Laravel versions of this have been requested previously. With enough interest we can port to these technologies in the future.

I’m not able to attend due to illness / carer responsibilities. Do I have options for make-up or refunds?

Yes. If you cannot attend the course, we are happy to give you a placement at a different location or subsequent running of the course in the second semester. We offer refunds in full up until four weeks before the course running date as at that time we would have paid for venue, travel, and delivery expenses.

Do you offer bulk discounts?

Yes, but generally for private course offerings. Private courses that are run at customer premises, or that are in excess of 20 students will have discounting applied. Contact us at course@galahcyber.com.au to discuss your options.

How much AppSec training can we cover in 2 days?

Over two days, we give you broad exposure across most application security disciplines. This way you can see what areas interest you most, build additional capability, and make yourself attractive to hiring managers without being limited to niche skills.

What happens after the AppSec course - is there ongoing learning?

All graduates get access to our Galah community, with ongoing discussions about application security, plus early access to blogs, videos, and other content from Cole Cornford. It’s a space to keep building on what you’ve learned.

Do you provide resources to continue learning at home?

Yes. Our training aid Birdhouse is available for you to take home and keep learning with. You’ll also get access to the course slides after the training.

How is this AppSec course different to cheaper options like OWASP training?

This course is taught in person by Cole Cornford, founder of Galah Cyber and one of Australia’s leading software security specialists. With 11 years of experience delivering AppSec services and programs for global customers, Cole makes the content practical, engaging, and fun. You’ll also have the chance to ask questions and get real context, which is something you don’t get from cheaper, generic courses.

Do we get recordings of the course or access to the slide decks?

You’ll have access to the course slides and Birdhouse after the training, so you can continue to learn and revisit the material in your own time.