Foundations of Application Security with Cole Cornford

Practical training for secure-by-design software development

From $1,800 per person (ex GST)

Discount pricing for students. Please see the terms of booking below!

Overview

This two-day course gives software and security engineers the foundational skills for building secure and resilient software.

This course will give you the practical skills and current knowledge needed to secure software applications. Combining hands-on practical exercises, engaging group activities, and discussions of real-world case studies, this course covers all bases. Attendees will walk away confident in their ability to interrogate source code for security flaws and empowered to select the right DevSecOps capabilities for their technology stack. We go further and teach not only technical skills but also the critical program management skills: achieving buy-in from stakeholders, running successful training programs, and measuring success.

But the best part? You can join ‘The Flock’, alumni who are the best product security professionals in Asia Pacific.

Course Outline

Introduction
  • About the course and trainer
  • Professional and personal benefits and drivers
  • About Galah Cyber
  • Introducing Birdhouse, our teaching aid
  • Course Schedule
  • Additional Resources
  • Feedback
  • What is Application Security
  • Why do we need Application Security
  • How Application Security has evolved
  • Transition from Dev to DevOps to DevSecOps
  • AIM: Reducing workload pressure and friction
  • AIM: Delivering at speed
  • AIM: Delivering for scale
  • Current industry trends and observations
  • Current and future challenges
  • Successful Application Security Case Studies

Theory

  • Injection Vulnerabilities
  • Types of Injection Vectors
  • Handling Files Safely
  • Authentication and Authorisation Vulnerabilities
  • Types of Authentication and Authorisation Vectors
  • Introduction to OAuth and OIDC
  • Overview of SSO and IdPs
  • Multi-Factor Authentication
  • Misconfiguration Vulnerabilities
  • Types of Misconfiguration Vectors
  • Secrets Management and Cryptographic Configuration
  • Security Headers and Frameworks

Practical Exercises

  • Identifying Injection Vulnerabilities in Birdhouse
  • Identifying Misconfiguration Vulnerabilities in Birdhouse
  • Identifying Authentication and Authorisation Vulnerabilities in Birdhouse
  • Remediation of Injection Vulnerabilities in Birdhouse
  • Remediation of Misconfiguration Vulnerabilities in Birdhouse
  • Remediation of Authentication and Authorisation Vulnerabilities in Birdhouse

Theory

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Software Bill of Materials (SBOM)
  • Secrets Scanning
  • DAST, IAST, and IaC Testing for comprehensive security analysis
  • Penetration Testing
  • Bug Bounty Programs
  • AI-enhanced AST (AI-AST)

Practical Exercises

  • SAST, SCA, and Secrets Scanning for Software Engineers
  • Implementation in DevOps Pipelines
  • Performing Assurance with SAST, SCA, and Secrets Scanning
  • Principle of Least Privilege
  • Attack Surface Reduction
  • Blast Radius Reduction
  • Zero Trust / Trust Boundaries
  • Environment Parity
  • Redundancy and Fault Tolerance
  • Software Reproducibility
  • Supply Chain Management
  • Observability and Monitoring

Theory

  • What is Threat Modeling
  • Why do we perform Threat Modeling
  • The Four Questions Framework
  • The STRIDE Framework
  • The Attack Trees Framework
  • Making threat modeling scalable and repeatable
  • Common anti-patterns in threat modeling
  • Using AI to improve threat modelling adoption or contextualisation

Practical Exercises

  • Four Questions Threat Model
  • STRIDE Threat Model
  • Why do we train software engineers in security?
  • Choosing effective delivery modes: In-person / remote / hybrid
  • Running a Security Champions program
  • The role and accountabilities of a security champion
  • Incentives for improving security
  • Collaboration between InfoSec and Developers
  • Training the trainers
  • Using metrics to demonstrate the value of the program
  • Common anti-patterns and mistakes
  • Risk calculation / risk matrices
  • CVSS, EPSS, KEV, VEX, and other rating systems
  • Mapping standard ratings to internal risk via vulnerability triage
  • The importance of introducing context into the evaluation approach
  • Where vulnerability management programs fail
  • Leveraging AI to enhance triage or remediation approaches
  • Large Telecommunication Firm
  • Federal Government Agency
  • SaaS Technology Firm
  • Financial Services Institution
  • Startup Business

Your Investment

The Foundations of Application Security course is available at:

  • $1,800 per person (excluding GST)
  • $900 for students

To qualify for the student discount, you’ll need to provide proof of current student status and a short video testimonial after completing the course.

All prices are in AUD.

Upcoming Locations

  • Sydney – Sep 17th – 18th
  • Newcastle – Oct 2nd – 3rd
  • Melbourne – Oct 6th – 7th
  • Canberra – Nov 17th – 18th

Learning Objectives

  • Explain the business case and objectives of building an application security program
  • Practice secure coding techniques to improve the quality and reliability of your code
  • Interrogate unfamiliar source code repositories for security vulnerabilities
  • Design appropriate security controls to manage these vulnerabilities, being considerate of cost and effort
  • Evaluate DevSecOps capabilities and select appropriate tooling for your business scale and security needs
  • Implement DevSecOps capabilities locally and within a DevOps workflow to scale your security program
  • Design and architect applications with inherent security mechanisms
  • Perform practical threat modelling exercises using established industry frameworks like 4Q’s and STRIDE
  • Build effective vulnerability management processes for different business scales
  • Design and operate effective and relevant developer training programs in the future

Target Audience

This course is best suited for mid-level software engineers, security engineers, and related disciplines such as DevOps, IT, Cloud, Infrastructure, and Data. Managers with technical backgrounds will find value in it, but it is not recommended for non-technical or executive-level staff.

Startup or scaleup engineers find the course particularly valuable because it helps introduce security capability without the need to engage external consultants or dedicated staff members.

Prerequisites

This course requires students to have:

  • Practical experience in software development and an understanding of computer science concepts.
  • The ability to read and run unfamiliar codebases, use package managers and containers, use git, and understand the git flow. Many vulnerability classes require an understanding of programming concepts such as memoisation, instantiation, control flow, compilation, and more.
  • The ability to run DevSecOps tools locally on their own workstation.

Students without a software engineering background may struggle to comprehend many of the technical concepts being taught and find the hands-on exercises difficult and frustrating. Students without formal computer science education will be able to follow, but may need to take note of unfamiliar concepts to research at a later time or during breaks.

Class Requirements

Students will need to:

  • Bring their own personal computer. We do not recommend using work devices, as we train using vulnerable software applications and need the capability to download and run software during the course.
  • Install Checkov, Snyk, and Semgrep, which are used for practical exercises.
  • Have Docker or Python 3 installed on the computer.
  • Have network connectivity available for use at the venue.

The course is designed explicitly for in-person instruction, and remote attendees may struggle to participate in practical exercises or otherwise feel excluded.

Instructor Bio

Cole Cornford

Founder & CEO
Galah Cyber

Cole Cornford is a recognised leader in Australia’s application security scene. As Founder of Galah Cyber, he’s led major security programs across global teams and brings a strong engineering mindset to everything he does.

An active OWASP contributor, sought-after speaker, and host of the Secured podcast, Cole is known for cutting through complexity and speaking the language of developers.