Briefly about Cyber Security for Application Developers

This course is aimed at software developers and tech teams, focusing on fundamental cybersecurity concepts essential for protecting sensitive information and ensuring robust security in software systems. This course integrates theoretical knowledge with practical exercises, providing hands-on experience in implementing security measures to your infrastructure, application, and organization. The purpose of the course is to raise security awareness and introduce a coherent framework for addressing security concerns.

Content:

The course is structured around the CIA triad: Confidentiality, Integrity, and Availability.

Confidentiality – how do we keep our secrets

• Encrypt & Decrypt Files (Symmetric & Asymmetric): Learn the principles of basic file encryption using symmetric and asymmetric algorithms. Practical exercises include file, encryption and decryption. This is a simple and often overlooked tool to mitigate data leaks
• What is sensitive information? Categorization of data
• Basic Access Control: Implement and test file system permissions and database roles to understand how access controls safeguard data. Get familiar with authentication and authorization. Apply the Principle of Least Privilege
• Encrypting Sensitive Data: Explore techniques for encrypting sensitive data on a database using Transparent Data Encryption (TDE) or column-level encryption

Integrity – prevent and discover tampering of data and code

• Logs Management: Understand the importance of application, audit, access, and error logs. The importance of fine-grained logging. Learn about the principle of write-once-read-many (WORM) and centralized logging
• Version Control & Code Reviews: Emphasize the necessity of version control and code reviews in maintaining code integrity
• Continuous Deployment. Your build and deploy pipeline matters. Learn why build, release, and run should be strictly separated stages
• Redundancy and Fault Tolerance: Engage in exercises to horizontally scale applications

Availability – make sure users can access your systems

• Securing APIs from DoS Attacks: Identify potential DoS (Denial of Service) attack vectors
• Caching: Integrate a caching system to mitigate overload, ensure resilience, and lower latency
• Message Queuing: Improve system availability by adding message queuing mechanisms to ensure reliability, scalability, and resilience
• Request limiter: Practical implementation of request limiting by applying a request limiter for a vulnerable public endpoint
• Web Application Firewall (WAF) and Content Delivery Network (CDN): Conduct vulnerability scans and enhance security with a WAF proxy. Enable a Content Delivery Network to mitigate most DDoS attacks

Prerequisites:

In the course, an API is the centerpiece in many of the exercises. The infrastructure is often containerized using docker and docker-compose. The examples can have application code in Java, Python, Ruby, C# and use miscellaneous libraries. It is not a prerequisite to have specific programming experience in all those languages. The examples have been chosen to illustrate principles. The course can be held in Danish or English, the courseware is in English.

Target Audience:

This course is ideal for software developers, system administrators, devops, and tech teams who develop or manage applications.

After the course, the participant can:

After the course, the participant will have a solid understanding of the key principles of cybersecurity—confidentiality, integrity, and availability. They will have seen practical examples on how to implement security measures, ensuring their systems and applications are more secure, resilient, and reliable.