Static Application Security Testing
3h 41mIntermediate2023-05-08
Authors

Jerod Brennen
Security Architect, Advisor, Speaker, Teacher
Course details
Building security testing into the software development life cycle is the best way to protect your app and your end users. This course identifies tools and techniques that developers can use to minimize the cost and impact of security testing—while maximizing its impact and effectiveness. In this course, instructor Jerod Brennen focuses on offline testing activities: preparing test plans, policies, and other documentation and conducting offline source code reviews. He also explains how to conduct offline testing for the OWASP Top Ten vulnerabilities. Along the way, you can become familiar with best practices around security in the SDLC. The hands-on sections—with demos of popular tools such as Codacy and SonarQube—prepare you to apply the lessons in the real world.
Skills covered
SonarQubeSecurity TestingProgramming FoundationsCybersecuritySoftware DevelopmentDeep Dive (X:Y)
Concepts
0. Introduction
- 01 - The importance of static testing
- 02 - What you should know
1. Leading Practices
- 03 - Security in the SDLC
- 04 - Development methodologies
- 05 - Programming languages
- 06 - Security frameworks
- 07 - The OWASP Top 10
- 08 - Other notable projects
- 09 - Top 25 software errors
- 10 - BSIMM
- 11 - Building your test lab
- 12 - Preparing your checklist
2. Security Documentation
- 13 - Internal project plans
- 14 - Communication planning
- 15 - Change control policy
- 16 - Security incident response policy
- 17 - Logging and monitoring policy
- 18 - Third-party agreements
- 19 - OWASP ASVS
3. Source Code Security Reviews
- 20 - Challenges of assessing source code
- 21 - OWASP Code Review Guide
- 22 - Static code analysis
- 23 - Code review models
- 24 - Application threat modeling - STRIDE
- 25 - Application threat modeling - DREAD
- 26 - Code review metrics
- 27 - Demo - Codacy
- 28 - Demo - SonarQube
4. Static Testing for the OWASP Top 10 (2021)
- 29 - The OWASP Top 10
- 30 - A1 - Broken access controls
- 31 - A2 - Cryptographic failures
- 32 - A3 - Injection
- 33 - A4 - Insecure design
- 34 - A5 - Security misconfiguration
- 35 - A6 - Vulnerable and outdated components
- 36 - A7 - Identification and authentication failures
- 37 - A8 - Software and data integrity failures
- 38 - A9 - Security logging and monitoring failures
- 39 - A10 - Server-Side Request Forgery
Conclusion
- 40 - Static application security testing next steps
Related courses
- Static Application Security Testing (SAST) (2019)
- Building an Application Security Program
- Application Security in DevSecOps (2019)
- Android App Security: A Structured Approach to Pen Testing
- Amazon Simple Storage Service (Amazon S3) with Free Playground
- MongoDB Java Developer Associate Cert Prep
- Kubernetes: Your First Project
- Introducing Caching to a Serverless Application with CloudFront