Topic

Recommended Lesson(s)

Race Condition

Secure Coding Techniques for Embedded Systems | Part 1

Risky Cryptographic Algorithm

Cryptography, Encryption

Integer Overflow or Wraparound

CWE-190 Integer Overflow or Wraparound

Path Traversal

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Path Traversal (CWE-22)

Improper Authentication

CWE-287 Improper Authentication, Broken Authentication

Improper Access Control

CWE-862 Missing Authorization, Broken Access Control | Improper Access Control

Code Injection

CWE-94 Improper Control of Generation of Code ('Code Injection'), Command Injection (CWE-78 -- OS Command Injection)

SQL Injection

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), SQL Injection: Part 1, SQL Injection: Part 2, SQL Injection: Part 3

Logging and Monitoring Failures

Logging and Exception Handling, Security Logging and Monitoring Failures | Insufficient Logging

Server-Side Request Forgery

CWE-918 Server-Side Request Forgery (SSRF), Server-Side Request Forgery (SSRF)

Software and Data Integrity Failure

CWE-502 Deserialization of Untrusted Data, Software and Data Integrity Failures | Overreliance on Cookies

Vulnerable and Outdated Compononetns

Software Supply Chain, Vulnerable and Outdated Components | Using Components with Known Vulnerabilities

Use of Hard-coded Credentials

CWE-798 Use of Hard-coded Credentials, Cryptographic Failures | Use of Hard-coded Password (Part 1), Cryptographic Failures | Use of Hard-coded Password (Part 2)

Insecure Design

Insecure Design

Security Misconfiguration

Security Misconfigurations | Error Message Containing Sensitive Information

Topic

Recommended Lesson(s)

Attack Terminology

Introduction to Security, Data Breaches, Attacks, Knowledge Sources

Application and Product Security

Core Security Concepts, Six Foundational Truths of Application Security, Software Supply Chain

Data Privacy

Privacy and Customer Data Protection, LINDDUN Privacy Threat Modeling

CIA Security Triad

Core Security Concepts

Threat Actors

Attackers, Social Engineering

Security Organization and Community

Prioritizing Security, Translating Security, Security Myths, OWASP Universe, Knowledge Sources

Risk Terminology

Risk Management for AppSec

Threat Terminology

Threat Landscape, Threat Landscape: Cloud

Security Champions

Security Culture and Mindset

Proactive Security

Security Business Case

Security Threats and Impact

Threat Landscape, Denial of Service (DoS), Social Engineering, Data Breaches

Topic

Recommended Lesson(s)

DevSecOps - Build and Deployment

DevSecOps Maturity Model Build - Deployment

DevSecOps - Culture and Organization

DevSecOps Maturity Model Build - Culture - Organization

DevSecOps - Implementation

DevSecOps Maturity Model Implementation - Information Gathering part 1

DevSecOps - Information Gathering

DevSecOps Maturity Model Implementation - Information Gathering part 2

DevSecOps - Test and Verification

DevSecOps Maturity Model Test - Verification part 1, DevSecOps Maturity Model Test Verification part 2

SDLC - Metrics and Reporting

Secure Development Lifecycle, DevSecOps Maturity Model Implementation - Information Gathering part 2

SDLC - PSIRT

Secure Development Lifecycle, Dealing with Vulnerabilities

SDLC - Security Best Practices

Secure Coding Best Practices: Part 1, Secure Coding Best Practices: Part 2

SDLC - Security Requirements

Secure Development Lifecycle, Security Requirements

SDLC - Security Testing

Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Next Generation AppSec Tools

SDLC - Third-Party Testing

Secure Development Lifecycle, Penetration Testing and Bug Bounty

STRIDE Methodology

Threat Modeling Process

Threat Modeling Process

Threat Modeling Basics