Foundations of Application Security with Cole Cornford

Practical training for secure-by-design software development

From $1,800 per person (ex GST)

Discount pricing for students. Please see the terms of booking below!

How this course will transform the way you build software

In just two days, you’ll gain the foundational skills every software and security engineer needs to create secure, resilient applications and the confidence to apply them immediately.

Through a mix of hands-on practical exercises, engaging group activities, and real-world case studies, you’ll learn how to spot security flaws in your code, choose the right DevSecOps capabilities for your stack, and apply secure-by-design principles from day one.

We don’t stop at technical know-how. You’ll also master the program management skills that make security stick, including getting stakeholder buy-in, running impactful training programs, and measuring success to drive lasting change.

And when you graduate? You’ll join The Flock, our alumni network of the most skilled product security professionals in Asia Pacific.

Course Outline

Introduction
  • About the course and trainer
  • Professional and personal benefits and drivers
  • About Galah Cyber
  • Introducing Birdhouse, our teaching aid
  • Course Schedule
  • Additional Resources
  • Feedback
  • What is Application Security
  • Why do we need Application Security
  • How Application Security has evolved
  • Transition from Dev to DevOps to DevSecOps
  • AIM: Reducing workload pressure and friction
  • AIM: Delivering at speed
  • AIM: Delivering for scale
  • Current industry trends and observations
  • Current and future challenges
  • Successful Application Security Case Studies

Theory

  • Injection Vulnerabilities
  • Types of Injection Vectors
  • Handling Files Safely
  • Authentication and Authorisation Vulnerabilities
  • Types of Authentication and Authorisation Vectors
  • Introduction to OAuth and OIDC
  • Overview of SSO and IdPs
  • Multi-Factor Authentication
  • Misconfiguration Vulnerabilities
  • Types of Misconfiguration Vectors
  • Secrets Management and Cryptographic Configuration
  • Security Headers and Frameworks

Practical Exercises

  • Identifying Injection Vulnerabilities in Birdhouse
  • Identifying Misconfiguration Vulnerabilities in Birdhouse
  • Identifying Authentication and Authorisation Vulnerabilities in Birdhouse
  • Remediation of Injection Vulnerabilities in Birdhouse
  • Remediation of Misconfiguration Vulnerabilities in Birdhouse
  • Remediation of Authentication and Authorisation Vulnerabilities in Birdhouse

Theory

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bill of Materials (SBOM)
  • Secrets Scanning
  • DAST, IAST, and IaC Testing for comprehensive security analysis
  • Penetration Testing
  • Bug Bounty Programs
  • AI-enhanced AST (AI-AST)

Practical Exercises

  • SAST, SCA, and Secrets Scanning for Software Engineers
  • Implementation in DevOps Pipelines
  • Performing Assurance with SAST, SCA, and Secrets Scanning
  • Principle of Least Privilege
  • Attack Surface Reduction
  • Blast Radius Reduction
  • Zero Trust / Trust Boundaries
  • Environment Parity
  • Redundancy and Fault Tolerance
  • Software Reproducibility
  • Supply Chain Management
  • Observability and Monitoring

Theory

  • What is Threat Modeling
  • Why do we perform Threat Modeling
  • The Four Questions Framework
  • The STRIDE Framework
  • The Attack Trees Framework
  • Making threat modeling scalable and repeatable
  • Common anti-patterns in threat modeling
  • Using AI to improve threat modelling adoption or contextualisation

Practical Exercises

  • Four Questions Threat Model
  • STRIDE Threat Model
  • Why do we train software engineers in security?
  • Choosing effective delivery modes: In-person / remote / hybrid
  • Running a Security Champions program
  • The role and accountabilities of a security champion
  • Incentives for improving security
  • Collaboration between InfoSec and Developers
  • Training the trainers
  • Using metrics to demonstrate the value of the program
  • Common anti-patterns and mistakes
  • Risk calculation / risk matrices
  • CVSS, EPSS, KEV, VEX, and other rating systems
  • Mapping standard ratings to internal risk via vulnerability triage
  • The importance of introducing context into the evaluation approach
  • Where vulnerability management programs fail
  • Leveraging AI to enhance triage or remediation approaches
  • Large Telecommunication Firm
  • Federal Government Agency
  • SaaS Technology Firm
  • Financial Services Institution
  • Startup Business

Your Investment

The Foundations of Application Security course is available at:

  • $1,800 per person (excluding GST)
  • $900 for students

To qualify for the student discount, you’ll need to provide proof of current student status and a short video testimonial after completing the course.

All prices are in AUD.

Upcoming Locations

  • Newcastle
    Oct 2nd – 3rd
    Rydges Newcastle
  • Melbourne
    Oct 6th – 7th
    Cliftons Melbourne, Collins St
  • Sydney
    Nov 10th – 11th
    Novotel Sydney Darling Square
  • Canberra
    Nov 17th – 18th
    Crowne Plaza Canberra


Skills you’ll walk away with

  • Explain the business case and objectives of building an application security program.
  • Apply secure coding techniques to improve the quality and reliability of your code.
  • Analyse unfamiliar source code repositories for security vulnerabilities.
  • Design appropriate security controls to manage vulnerabilities, considering cost and effort.
  • Evaluate DevSecOps capabilities and select appropriate tooling for your business scale and security needs.
  • Implement DevSecOps capabilities locally and within a DevOps workflow to scale your security program.
  • Architect applications with inherent security mechanisms.
  • Perform practical threat modelling exercises using established industry frameworks like the Four Questions (4Qs) and STRIDE.
  • Build effective vulnerability management processes for different business scales.
  • Design and operate effective, relevant developer training programs for the future.

Meet your Instructor

Cole Cornford

Founder & CEO Galah Cyber

Cole Cornford is a recognised leader in Australia’s application security scene. As Founder of Galah Cyber, he’s led major security programs across global teams and brings a strong engineering mindset to everything he does.

An active OWASP contributor, sought-after speaker, and host of the Secured podcast, Cole is known for cutting through complexity and speaking the language of developers.

Who is this course for?

This course is best suited for mid-level software engineers, security engineers, and professionals in related disciplines such as DevOps, IT, Cloud, Infrastructure, and Data. Managers with a technical background will also benefit from the practical, hands-on learning.

It is not recommended for non-technical or executive-level staff.

Engineers in startups or scaleups will find this training especially valuable, as it equips you to build security capability in-house without relying on external consultants or dedicated security hires.

Prerequisites

This course requires students to have;

  • Practical experience in software development and an understanding of computer science concepts.
  • Able to read and run unfamiliar codebases, work with package managers and containers, use Git and Git flow, and understand programming concepts such as memoisation, instantiation, control flow, and compilation.
  • You will be required to run DevSecOps tools locally on your workstation as well.

Students without a software engineering background may struggle to comprehend many of the technical concepts being taught and find the hands-on exercises difficult and frustrating. Students without formal computer science education will be able to follow, but may need to take note of unfamiliar concepts to research at a later time or during breaks.

Class Requirements

Students will need:

  • To bring their own personal computer. We do not recommend using work devices, as we train using vulnerable software applications and need the capability to download and run software applications during the course.
  • Checkov, Snyk, and Semgrep, which are used for the practical exercises.
  • Docker or Python 3 installed on the computer.
  • Network connectivity available for use at the venue.

The course is designed explicitly for in-person instruction, and remote attendees may struggle to participate in practical exercises or otherwise feel excluded.

Frequently Asked Questions

Who should take Foundations of Application Security?

Developers, DevOps Engineers, Infrastructure Engineers, Software Engineers, Product Security, Application Security, Penetration Testers, Security Consultants, QA Engineers, and technical leadership (Head of X / CTO / CISO / CIO).

Yes. Secure coding principles map to OWASP Top 10 as well as OWASP ASVS. The AppSec Governance content maps to OWASP SAMM. OpenSSF’s SLSA and VEX / CVSS / KEV are referenced throughout the course as well.

Yes. The course has a mix of practical technical activities performed on your personal devices such as reviewing source code for issues as well as running application security tools. These are balanced with group activities for threat modelling and classroom discussions and debates around provided case studies.

Public courses do not offer remote attendance. Private courses can cater for some remote attendance but are designed for in-person cohorts. Remote participants may have a degraded experience for group activities, discussions, and practical exercises.

A public course must have at least six enrolments to run. If your location does not get the minimum number of enrolments we can offer to transfer your enrolment to a different city, or provide you with a refund.

Yes. We cap the attendance at twenty (20) students. Further enrolments would degrade the experience, as our instructors would not be able to give enough attention to each student, and classroom activities do not scale well beyond this number.

Contact us at course@galahcyber.com.au. If a cohort of at least six enrolled students is available in your location, we can arrange for an instructor to run the course from that location at a later date. Alternatively, you may attend courses at other locations.

Yes. Contact us at course@galahcyber.com.au with any questions that you may have about the course. We can introduce prior students or managers to discuss their experiences with you.

Yes. The certification will be made available in January 2026 and will cover broad technical and non-technical application security concepts, largely covered in the course.

Yes. The course will require students to review a custom-built software application through static and dynamic techniques, as well as run application security products. Students who are unable to bring a device may find the first day highly theoretical or may need to share with another student to learn.

Devices should be able to run Docker, Python, and a shell or cmd prompt, view PDF files, and view source code in an IDE.

No. This course assumes that students only have access to free or open-source appsec products. Many students do not have the budget or exposure to enterprise appsec tooling, and we believe good appsec practices can be implemented independently of product choices. While we cover a variety of product categories, we aim to remain agnostic towards or against any specific product or business.

No. Each company has a unique technology stack. Because of this, we aim to teach principles and practices that can be applied agnostically. Our custom-built software application is written in TypeScript, with Express on Node.js as the backend and React for the frontend. We use Docker for distribution. C# and Laravel versions of this have been requested previously. With enough interest we can port to these technologies in the future.

Yes. If you cannot attend the course, we are happy to give you a placement at a different location or subsequent running of the course in the second semester. We offer refunds in full up until four weeks before the course running date as at that time we would have paid for venue, travel, and delivery expenses.

Yes, but generally for private course offerings. Private courses that are run at customer premises, or that are in excess of 20 students will have discounting applied. Contact us at course@galahcyber.com.au to discuss your options.