Secure development and coding training

Online course with own lab environment for practical exercises


Customers who strengthen their security with Cyber LABs


Amadeus
Audi
Munich Airport
Lufthansa
Osram
RS

Better to have trained developers than software with RCE vulnerabilities

50% quicker learning success
With the Cyber LABs, we cut the training time by 50% compared to comparable live events without compromising the learning success. Previously, face-to-face trainers needed 8 hours for the same content. Why? Because of the regular breaks and the waiting time until every participant had started the LABs and typed the commands correctly. In the Cyber LAB, two virtual trainers guide you through the programme in a varied way, and each participant completes the LABs at their own pace.
Visualization of efficient training
By professionals for professionals
The content is provided by security specialists, pentesters, incident responders and developers from HvS-Consulting. The learning content is prepared by the IS-FOX learning specialists. The result is a developer training course that teaches secure development in an understandable and varied way, not just “writing secure code”, but understanding security as a concept. Delivered in such a way that security beginners can follow along easily, but even professionals won't be bored. That's why we often read “Best training course ever” in participant feedback.
Visualization of learning success
Secure behaviour guaranteed
There is often a lack of knowledge and/or understanding of security in development. Secure development changes day-to-day work, makes it more complicated in some cases and extends development cycles. Without an understanding of “why” and the interrelationships, there is a lack of acceptance among developers and product owners. The Developer LABs create this understanding and convey secure development as a concept, not as a collection of scanners and tools. This creates significantly more security - sustainably.

Chapter overview Module 1: Secure Development Lifecycle

The content was created by secure development experts and has been successfully delivered and refined in classroom training courses over many years. All scenarios are based on typical OWASP Top 10 vulnerabilities in applications and are therefore highly relevant.

Intro & Let’s hack

Introduction & Basics: How the training works, and why security matters throughout the software development lifecycle.

Plus some hacking to warm up: LAB exercise on bad exception handling and password cracking. The exercise shows what effects even inconspicuous security holes can have.


Security Basics

Clarification of the most important basic terms

  • The protection goals in the CIA Triad: Confidentiality, Integrity and Availability.
  • The security principles to achieve these CIA security goals: Don't trust any input, keep security simple, minimize the attack surface, implement 'Defense in Depth', use minimal rights, be 'Secure by Default' and always solve security problems properly.

Implementation phase

  • Authentication: What mistakes are often made during authentication and what simple methods can be used to significantly increase security.
  • Authorization (access control): how it differs from authentication. LAB exercise Accessing data via Direct Object Reference. How to prevent such vulnerabilities and how to implement appropriate access control.
  • Session Management: What threats exist around session management. LAB exercise Taking over a session via session fixation. How to make session management secure.
  • Input Validation, Output Sanitization and Injection: What is an injection and what types are there? LAB exercise Data manipulation and deletion by SQL injection. How can injections be prevented?
  • Cross Site Scripting: What types of Cross Site Scripting exist. LAB exercise on persistent cross site scripting. Which defense measures are effective.
  • Cryptography & Secrets Management: What types of secrets exist and what forms do they take ("at rest", "in transit" and "in memory"). LAB exercise System Access via File Inclusion. What is the difference between encryption and encoding? LAB exercise Decoding a password in a config file. Tips for handling secrets.
  • Remote Code Execution: LAB exercise web shell upload. Why do RCE vulnerabilities have such catastrophic effects? How can the "Defence in Depth" approach limit those effects?
  • Exceptions & Error Handling: How do hackers exploit error messages and error routines? What secure error handling looks like.
  • Application Logging: Why a good logging strategy is essential and what should better not be logged. LAB exercise on confidential data in log files. Tips on how to achieve good logging.
  • Secure Networking and Infrastructure: Hackers attack systems, not software. What are the weaknesses in transmission protocols, and why are hardening and patching not just the job of administrators?
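The course's own LAB application is not published on this page, so the following is an added illustration (not course material) of the "Data manipulation and deletion by SQL injection" scenario above, combined with the ownership check from the access-control item. It uses an in-memory SQLite table with constructed sample notes; the table, the `id` request parameter and the payload are assumptions made for the example. The vulnerable function pastes the parameter into the SQL text, so an `OR '1'='1'` payload widens the `DELETE` to every row; the hardened version binds the value as a parameter and keeps the `owner` predicate as the authorization check.

```python
import sqlite3

# Constructed sample data: a small notes table, as in a typical LAB web app
SEED_NOTES = [
    ("alice", "alice's shopping list"),
    ("alice", "alice's draft report"),
    ("bob", "bob's confidential memo"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with three notes owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SEED_NOTES)
    conn.commit()
    return conn


def count_notes(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]


def delete_note_vulnerable(conn: sqlite3.Connection, owner: str, note_id: str) -> int:
    """Vulnerable: the request parameter is pasted into the SQL text.
    Returns the number of rows actually deleted."""
    sql = f"DELETE FROM notes WHERE owner = '{owner}' AND id = '{note_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_note_safe(conn: sqlite3.Connection, owner: str, note_id: str) -> int:
    """Hardened: bound parameters, so the value can never become SQL syntax.
    The owner predicate doubles as the access-control check (no deleting
    other users' notes by guessing their ids)."""
    cur = conn.execute(
        "DELETE FROM notes WHERE owner = ? AND id = ?", (owner, note_id)
    )
    conn.commit()
    return cur.rowcount


# Attacker-supplied value for the "id" parameter (constructed payload).
# Pasted into the vulnerable statement it yields
#   ... WHERE owner = 'alice' AND id = '1' OR '1'='1'
# and, because AND binds tighter than OR, the OR branch is true for every row.
PAYLOAD = "1' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", delete_note_vulnerable(conn, "alice", PAYLOAD), "rows deleted")
    conn = make_db()
    print("safe:", delete_note_safe(conn, "alice", PAYLOAD), "rows deleted")
    print("safe, own note:", delete_note_safe(conn, "alice", "1"), "row deleted")
    print("safe, bob's note as alice:", delete_note_safe(conn, "alice", "3"), "rows deleted")
```

With the bound parameter the payload is compared as a plain string against an integer column and matches nothing; a legitimate id such as `"1"` still works because SQLite applies the column's numeric affinity to the bound value.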

Validation phase

  • Code Reviews: what security best practices exist and when should a source code review be performed.
  • Automated Code Analysis: what are the benefits of automated code analysis and which modules can be analyzed.
  • Vulnerability scans: What are the benefits of automated vulnerability scans and where do their limits lie?
  • Penetration tests: why are penetration tests sometimes indispensable.

Operation phase

  • Code Changes: what effects do code changes have on security. Which measures should be taken.
  • Configuration: how does the configuration influence the security.
  • Patch Management: Who is responsible for patching systems, and how far does that responsibility reach? LAB exercise Exploitation of another RCE vulnerability through an outdated library.
  • Decommissioning: What steps to take when a system is 'End of Life'.

Test

Final test with multiple choice questions

If you pass, you will receive a certificate for download


Screenshot from the LAB on Threat Modeling
Screenshot of an exercise
Screenshot from the LAB on SQL
Extract from the LAB
Screenshot from the LAB on Threat Modeling
Screenshot of a test question from the LAB

Chapter overview Module 2: Cloud Security & DevSecOps

The second Developer LAB module “Cloud and DevSecOps” focuses on current security topics such as cloud security, 3rd party libraries, single sign-on or infrastructure as code. With the combination of a real trainer and an AI avatar, it offers a unique learning experience.

Cloud Security

Cloud security: The operating models in the cloud

Shared responsibility: Role of the admin and the cloud provider

Tips for the cloud:

  • Clean account separation
  • Securing privileged accounts, jump server concept
  • Various multi-factor methods
  • Private networks and IP restrictions

LAB exercise: Access to poorly configured cloud database through OSINT research


3rd Party Libraries

Risks associated with the use of 3rd party libraries.

Practical tips for risk reduction, for example

  • through reputation checks of the maintainers and repositories behind a library
  • continuous use of dependency check tools

LAB exercise: Attack on software via unpatched 3rd party library


Single Sign On

  • Benefits and advantages of central identity providers.
  • Explanation of SSO with OAuth, OpenID Connect and SAML.
  • Risks of SSO use with weak validation of tokens.
    LAB exercise: abusing single sign-on with manipulated OAuth tokens.
  • Practical tips for secure token signing
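The LAB token-manipulation exercise itself is not reproduced on this page. As an added example (not course material), the block below shows one classic form of "weak validation of tokens" for JWT-based SSO: a verifier that lets the token's own `alg` header decide whether a signature is needed, so an attacker can rewrite the claims, declare `alg: none` and drop the signature. The strict verifier pins the algorithm, compares the signature in constant time and enforces `iss`, `aud` and `exp`. Everything here is built on the standard library; the issuer, audience and shared key are assumed values, and HS256 with a shared secret is used only so the example runs without key generation (real identity providers normally sign with RS256/ES256 and publish their public keys via JWKS, but the validation rules are the same).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the example (not from the course material)
ISSUER = "https://idp.example"        # hypothetical identity provider
AUDIENCE = "notes-app"                # hypothetical relying party
KEY = b"shared-secret-for-the-demo"   # HS256 key known to IdP and app


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes) -> str:
    """What the identity provider does: sign the claims with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = _hs256(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{b64url(sig)}"


def forge_unsigned(token: str, **changes) -> str:
    """Attacker: rewrite claims, declare alg=none, drop the signature."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def tamper_signed(token: str, **changes) -> str:
    """Attacker variant that keeps the original signature; fails any real check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"


def verify_weak(token: str, key: bytes) -> dict:
    """Weak validation: the token's own header decides whether a signature is required."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return claims                       # unsigned token accepted as-is
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), key)
    if b64url_decode(sig_b64) != expected:  # plain != also leaks timing
        raise ValueError("bad signature")
    return claims


def verify_strict(token: str, key: bytes, issuer: str, audience: str,
                  now: Optional[float] = None) -> dict:
    """Strict validation: pinned algorithm, constant-time signature check,
    iss/aud/exp enforced. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never trust the token's alg choice
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), key)
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def accepts(verifier, *args, **kwargs) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = time.time()
    good = issue_token({"sub": "alice", "role": "user", "iss": ISSUER,
                        "aud": AUDIENCE, "exp": now + 600}, KEY)
    forged = forge_unsigned(good, role="admin")
    print("weak verifier accepts forged admin token:", accepts(verify_weak, forged, KEY))
    print("strict verifier accepts forged token:", accepts(verify_strict, forged, KEY, ISSUER, AUDIENCE))
```

Note that the weak verifier does check HS256 signatures, so tampering with a signed token fails there too; the bug is only that it lets the unauthenticated header switch the check off. Pinning the expected algorithm and key in the application, not reading them from the token, is the practical tip this item refers to.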

DevSecOps

  • The concept behind DevSecOps: a win-win-win situation.
  • Automated security checks: How to permanently eliminate vulnerabilities with functional tests, code scanners and the like.
  • Infrastructure as code: Code is code - and therefore susceptible to vulnerabilities. Tips for secret handling and security checks in IaC.

Lab exercise: Reading secrets from the state of an IaC project.
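The LAB project behind this exercise is not shown on the page, so the block below is an added example (not course material) of why the state of an IaC project is a secret store in disguise: Terraform writes resource attributes such as database passwords into the state file in plaintext, even when the provider marks them sensitive. The state document here is constructed in the Terraform state format (version 4) with made-up AWS-style resources and values; the scanner walks every attribute and flags those whose name looks secret-like or whose value looks random. This is a screening aid for pipelines or code review, not a substitute for keeping secrets out of state (remote state with encryption and tight access control, secret managers referenced at runtime).

```python
import json
import math
import re

# Constructed Terraform state (format version 4), standing in for the LAB project.
# Resource types and attribute names follow the AWS provider; all values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {
            "mode": "managed", "type": "aws_db_instance", "name": "app",
            "instances": [{"attributes": {
                "identifier": "app-db",
                "username": "appuser",
                "password": "Sup3r-S3cret-Db-Pw!",   # stored in clear, even if marked sensitive
                "engine": "postgres",
            }}],
        },
        {
            "mode": "managed", "type": "aws_lambda_function", "name": "worker",
            "instances": [{"attributes": {
                "function_name": "worker",
                "environment": [{"variables": {
                    "LOG_LEVEL": "info",
                    "API_TOKEN": "tok_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c",
                }}],
            }}],
        },
        {
            "mode": "managed", "type": "random_password", "name": "db",
            "instances": [{"attributes": {"length": 24, "result": "q8Zr2vL0mXe7TbN4kWs9HaYc"}}],
        },
        {
            "mode": "managed", "type": "aws_s3_bucket", "name": "assets",
            "instances": [{"attributes": {"bucket": "assets-prod", "region": "eu-central-1"}}],
        },
    ],
})

SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking strings score high, words score low."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def _walk(node, path):
    """Yield (path, value) for every string scalar inside nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + [str(key)])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + [str(index)])
    elif isinstance(node, str):
        yield path, node


def find_state_secrets(state_json: str, min_entropy: float = 3.5) -> list:
    """Flag attributes whose name looks secret-like, or whose value looks random
    (length >= 20 and entropy above the threshold). Returns one dict per finding."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for path, value in _walk(inst.get("attributes", {}), []):
                by_name = bool(SECRET_KEY_RE.search(path[-1]))
                by_entropy = len(value) >= 20 and shannon_entropy(value) >= min_entropy
                if by_name or by_entropy:
                    findings.append({
                        "resource": address,
                        "attribute": ".".join(path),
                        "reason": "name" if by_name else "entropy",
                        "preview": value[:4] + "...",   # never log the full value
                    })
    return findings


if __name__ == "__main__":
    for f in find_state_secrets(SAMPLE_STATE):
        print(f"{f['resource']}: {f['attribute']} ({f['reason']}) {f['preview']}")
```

The `random_password` result is caught only by the entropy heuristic, which is why the name check alone is not enough; conversely, the entropy threshold is a tunable assumption and short or low-entropy secrets will slip past it, so treat the output as a starting point for review.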


IP and AI

  • Strictly Confidential: Why source code can be very sensitive and how a business secret should be guarded.
  • Strict separation: Why business code should not be edited with private accounts.
  • Healthy skepticism: When is the use of AI in development a benefit, and when does it pose a risk?

Test

Final Secure Development test with multiple-choice questions:

If you pass, you can download a certificate.


Secure Developer Training e-learning course
Secure Developer Training LAB portal, LAB start
Secure Development Training LAB exercise with API
Secure Developer Training cloud operating models

Customer feedback

Graphical illustration of an evaluation

The next steps: How to get the most out of your Cyber LAB

Our Secure Development training for developers lays the right foundation for secure application development: Product managers, application owners, software architects and developers understand why secure development is fundamentally important and which components are essential prerequisites.

However, this enthusiasm for security must then be properly channelled so that secure development actually becomes a sustainable part of everyday development.

How do you do that? Here you will find our proven best-practice approach for firmly embedding security into your development process.

Demo access? Further Information?

Get in contact with us!
Contact

Many good reasons

Visualization of efficient training
Highly efficient training
With the combination of e-learning and LAB you can reach developers all over the world, especially in near-shoring or off-shoring centers. This is essential for risk reduction, because many development teams were previously hardly accessible for training at this quality level.
The best of both worlds
Visualization of learning success
Learning success guaranteed
The main problem in the security awareness of developers is a lack of understanding and involvement. In the LAB e-learning your developers take the attacker's point of view and hack through an application in various ways. This creates a very high level of personal involvement and an understanding of why security principles must be followed. That is the foundation for behavioural change.
Visualization of internationality
Internationally applicable
The online course 'Cyber Security for Developers' is available in German and English. It is SCORM compatible and can be delivered as a cloud service or in your own learning management system (LMS). The English-language Security LAB for developers contains a web application with numerous vulnerabilities. Each participant receives their own LAB and a time quota of 15 hours of usage.
Visualization of integrated policies
Policies can be integrated
Basically, the Secure Coding training does not require any customisation. However, you can integrate your relevant documents and policies (secure coding checklists, cryptosystems used, code analysis, etc.) at specific positions. Of course, we also integrate your company logo and name your security contact persons.
Visualization of a fair pricing model
Fair pricing model
The Cyber Security LAB e-learning for developers is licensed per training participant. The price per participant (including the e-learning course, LAB infrastructure, operation, licenses, etc.) is between EUR 80 and EUR 250 net plus VAT, depending on the number of participants, and thus costs a fraction of a comparable classroom training while delivering practically the same learning success.