The course blends secure coding, API security, secure design concepts, threat modeling, and a tiny bit of incident response to provide a comprehensive foundation for building and maintaining secure software systems. Key tools include VS Code, GitHub, OWASP DevSlop Pixi, Semgrep Community, and 42Crunch IDE plugins.

Syllabus

Day 1: Secure Coding & Design Foundations

• 8:30 – 9:00 AM: Registration & Welcome Coffee
• 9:00 – 10:30 AM: Secure Coding Fundamentals with “Bad, Better, Best”
• 10:30 – 10:45 AM: Coffee Break
• 10:45 – 12:15 PM: Advanced Secure Coding Practices
• 12:15 – 1:15 PM: Lunch Break
• 1:15 – 2:30 PM: Live Threat Modeling Workshop
• 2:30 – 2:45 PM: Afternoon Coffee Break
• 2:45 – 4:00 PM: Secure Design Concepts – Interactive Ideation
• 4:00 – 5:00 PM: Incident Response for Developers

Day 2: Hands-On Secure API Design & Hardening

• 8:30 – 9:00 AM: Morning Coffee & Recap
• 9:00 – 10:30 AM: API Threats & OWASP API Top 10 (1–5)
• 10:30 – 10:45 AM: Coffee Break
• 10:45 – 12:15 PM: Advanced API Threats & OWASP API Top 10 (6–10)
• 12:15 – 1:15 PM: Lunch Break
• 1:15 – 2:30 PM: API Best Practices & Tools Overview
• 2:30 – 2:45 PM: Afternoon Coffee Break
• 2:45 – 4:30 PM: Hands-On API Hardening Workshop
• 4:30 – 5:00 PM: Final Q&A & Course Wrap-Up

System Requirements

• Laptop with administrative privileges
• Visual Studio Code installed
• Git installed
• Internet access for GitHub, Semgrep Community, 42Crunch plugin setup
• Ability to install VS Code extensions

Who Should Take this Class

• Application Developers
• Backend and Frontend Engineers
• API Developers
• DevSecOps and Security Engineers
• Software Architects

Audience Skill Level

Beginner to Intermediate. Basic coding experience is expected. Some familiarity with web technologies, APIs, and development tools (e.g., Git, VS Code) is helpful but not mandatory.

FAQs

Q: Do I need to be a security expert to take this class?
A: No. This course is designed for developers and engineers with some experience in software development, but not necessarily in security.

Q: What languages and frameworks will be used?
A: Primarily JavaScript, Python, and REST APIs (openAPI/swagger), though principles are transferable across languages.

Q: Will we write code or is this lecture-only?
A: We will review code and discuss code constantly. We will fix API vulnerabilities together on day two. We will use the 42Crunch free plugin with VS Code to analyze the security of an API. You can fix the issues with me, or just watch. If you are not comfortable reading or writing code, you can just follow along. Many students choose to follow along, and that is perfectly ok.

Q: Will I get a copy of the course materials?
A: Yes. You will receive the code, cheat sheets, and slide decks during the class.

Student Requirements / Prerequisites

• Ability to read and write basic JavaScript or another programming language
• Working knowledge of the system development lifecycle (SDLC)
• Laptop with the IDE VS Code (preferred) or Eclipse installed before the class
• Free GitHub account
• Optional but helpful: basic understanding of HTTP, APIs, and common web vulnerabilities