# Course Introduction  

This course is about application security for developers and DevOps professionals.
* We're not going to discuss securing infrastructure, that's what security teams and the operations or SRE teams do.
* This course is specifically focused on software engineers and what you need to know to truly embrace the Secure DevOps.

Did you know that the most significant security risks and concerns developers faced over two decades ago are almost the same concerns they face today?
* Many of the most recent concerns included in the **Open Web Application Security Project (OWASP) top 10 list** were the same as in 2007.
* With ever-changing technology and almost incredible computer science and software engineering advancements, software engineers still fail to take the most basic security safety measures to safeguard their applications and close the door to threats and attacks. This is mostly due to poorly implemented security features that could have alerted the team to malicious attempts to break into the system.

We need to **start practicing security by design**.

This course will help you **understand the common risks and vulnerabilities** that threaten your applications and systems.

In this course, 
* You'll learn about **DevSecOps**, an essential part of development and operations.
* You'll learn about proactively **integrating security into your software development process**.
* You'll also gain insights into the role of network security, using modern TLS and OpenSSL.
* You'll learn how mapping security into your development plan will increase your ability to recover from attacks and even secure your systems before an attack occurs.
* You'll also learn about **vulnerability scanning and threat modeling** and gain a deeper understanding of threat monitoring.
* You'll also **explore security testing and the different tools** and procedures you can use to mitigate the risks and impacts of security threats and vulnerabilities.
* In the hands-on labs, you'll practice **analyzing code using static and dynamic analysis tools** and running tests to help you understand the process. 
* You'll dive into the **OWASP top 10 list which identifies current security vulnerabilities and concerns**.
* You'll discover how hackers are exploiting common vulnerabilities in applications and systems.
* Then in the labs, you'll get hands-on practice once again, **setting up tools like the vault secrets manager** via both a user interface and programmatically by reading and writing secrets to the vault.
* You'll also learn tools that will help you **check and test the security of your code, dependencies, and development environments**.

By the end of this course, 
* You'll be familiar with many of the key security terms and concepts commonly used by security teams.
* You'll understand how security risks and vulnerabilities threaten your applications and systems.
* You'll learn how to start coding defensively and make sure that your applications are secure by design.
* You'll be prepared to handle these security nightmares so that you can sleep soundly at night.

# Module 1: Introduction to Security for Application Development

In this module, 
* You will identify how security fits into your workflow and gain a working knowledge of security concepts and terminology.
* You’ll discover how to design for security in the Software Development Lifecycle (SDLC) and find out about a set of practices known as DevSecOps.
* You will also discover the OSI model, identify the necessary OSI layers for developers, and implement security measures on the four layers of application development.
* You will gain insights into security patterns and learn how to organize them.
* You will describe TLS (Transport Layer Security) and SSL (Secure Sockets Layer), identify how to keep TLS secure in the SDLC, and explore OpenSSL and its purpose.
* You will learn the strategies, best practices, and methodologies for getting security early into your code to protect applications against threats and vulnerabilities.
* Further, you’ll find out how you can use tools like vulnerability scanners and threat models to mitigate security vulnerabilities.
* You’ll also get the opportunity to add key terms like authentication, encryption, and integrity to your security vocabulary.
* Finally, you will also perform hands-on labs to encrypt and decrypt files using OpenSSL and scan a network environment with Nmap.

## Learning Objectives

* Describe security by design and secure software development lifecycle (SDLC)
* Define DevSecOps and list the differences between DevSecOps and DevOps
* Explain the OSI Model and identify seven OSI layers
* Implement security measures on the four layers of application development
* Describe security patterns and steps to organize them
* Define TLS and SSL and describe the working of modern TLS
* Explain OpenSSL, its purpose, and public key cryptography
* Create special and secret keys to encrypt your files and perform decryption of the encrypted files
* Assess security in application development, including vulnerability scanning, threat modeling, and threat monitoring
* Perform a network scan based on the IP address or domain name

# Module 2: Security Testing and Mitigation Strategies 

In this module, 
* You will learn the key mitigation strategies to secure your application throughout development and production.
* You will also discover a range of security testing methods like static analysis, dynamic analysis, vulnerability analysis, software component analysis, and continuous security analysis.
* You will explore ways to perform code review and ensure runtime protection for application development.
* You will also perform hands-on labs based on static analysis, dynamic analysis, vulnerability scanning, and vulnerability detection.

## Learning Objectives

* Explain security testing and mitigation strategies and identify the five key strategies for mitigation
* Interpret security reports from SonarQube after running a static analysis scan
* Perform dynamic analysis of your project code using OWASP ZAP and interpret the security report
* Implement key analysis in applications, including code review, vulnerability analysis, software component analysis, continuous security analysis, and runtime protection
* Demonstrate the use of OWASP’s ZAP to scan a vulnerable website
* Perform a vulnerability scan using the Jake tool on a sample web application and evaluate the results
* Use the SCA tool to detect vulnerabilities in a project’s components and analyze the tool’s output

# Module 3: OWASP Application Security Risks

In this module,
* You will learn about the Open Web Application Security Project (OWASP) and its Top 10 security concerns.
* You’ll learn about application vulnerabilities and discover the top vulnerabilities concerning security experts and professionals.
* You will explore SQL injection, cross-site scripting, and storing secrets securely.
* You will also investigate software and data integrity failures, discover how to detect these types of vulnerabilities, and examine ways to mitigate their impact.
* You will also perform hands-on labs to analyze your code repository using Snyk and use the Vault Python API (hvac) to read, write, and delete key-value secrets in Vault.

## Learning Objectives

* Describe OWASP and explain the five major steps in developing the OWASP Top 10
* Perform a scan and analysis of your code repository using Snyk
* Identify four types of SQL injections and how to prevent them
* Compare an SQL statement and an SQL injection statement
* Use Bandit to scan for vulnerabilities in the Python source code and resolve SQL injection vulnerabilities by correcting the source code
* Examine how cross-site scripting (XSS) works in the real world and how to prevent it
* Use the Vault Python API (hvac) to read, write, and delete key-value secrets in Vault

# Module 4: Security Best Practices

In this module,
* You will learn about coding best practices and software dependencies.
* You’ll also explore how to secure a development environment by deciding what to store in a centralized repository and what not to store in GitHub.
* You will also perform hands-on labs to create HTTP security headers using flask-talisman and safely store and retrieve secrets using the pass CLI (command-line interface).
* As your final project, you will check your code on GitHub for vulnerabilities in order of severity and fix the vulnerabilities.
* You’ll apply the best practices for reducing the risk of vulnerability.

## Learning Objectives

* Describe defensive methods of code practices
* Create HTTP security headers using flask-talisman
* Establish cross-origin resource sharing (CORS) policies using flask-Cors
* Explain how to determine software dependencies
* Secure your development environment by encrypting secrets like credentials and API keys
* Perform secure storage and retrieval of secrets using the pass CLI (command-line interface)
* Perform a vulnerability scan on your code
* Internalize best practices for reducing the risk of vulnerability
* Fix the vulnerabilities in the code