Secure Coding Fundamentals Learning Path

Learn about common development mistakes, how they can be exploited, and how they can be mitigated.

16 hours, 34 minutes

Quick facts

About this learning path

  • Courses: 100% online
  • Duration: 16 hours, 34 minutes
  • Assessment: questions

About Secure Coding Fundamentals

Most software vulnerabilities are caused by the same few development mistakes. This path describes these vulnerabilities and how to recognize them in code, demonstrates how they are exploited by attackers (including real-world case studies of vulnerable applications in production), and describes ways by which the vulnerabilities can be mitigated.


Syllabus

Secure Coding Fundamentals Skill Assessment

Assessment - 84 questions

Introduction to Secure Coding Fundamentals

Course - 00:08:00

This learning path starts with a discussion of the secure coding landscape and the tools that will be used. This course discusses why knowledge of secure coding techniques is so necessary for modern development and introduces the deliberately vulnerable applications that will be used to demonstrate the impact of different vulnerabilities.

Buffer Overflows

Course - 00:51:00

Buffer overflow vulnerabilities are some of the simplest vulnerabilities that can exist in an application. This course discusses how poor memory management can leave an application open to attack, how the vulnerability can be exploited and potential mitigations to reduce the probability and impact of vulnerable code.

Integer Overflows and Underflows

Course - 00:54:00

Integer overflow and underflow vulnerabilities are caused by misuse of the various types of variables available in most programming languages. Understanding how to identify these vulnerabilities and how they can be exploited can prevent an attacker from bypassing checks or triggering other vulnerabilities (like buffer overflows).

Race Conditions

Course - 01:18:00

The advent of parallel processing has made computers more efficient but also created new classes of vulnerabilities. This course describes the theory and practice of race condition vulnerabilities by describing what makes code vulnerable, how it can be exploited and ways to mitigate the vulnerability.

Format String Vulnerabilities

Course - 00:32:00

Print statements are a deceptively simple aspect of programming. By exploiting format string vulnerabilities, an attacker can read from or write to arbitrary memory within a program. This course describes how to identify format string vulnerabilities and how to write code that is not vulnerable to attack.

Command Injection

Course - 00:40:00

Command injection vulnerabilities take advantage of the fact that instructions and data are often mixed within programs. This course demonstrates how command injection vulnerabilities can be exploited by an attacker, what to look out for and how to write code that is immune to this type of attack.

Least Privilege

Course - 01:03:00

Least privilege is not so much a vulnerability as a vulnerability multiplier. Any error that allows an attacker to gain control of a program only grows worse when that application is running with high-level permissions. This course suggests how to implement applications in a way that minimizes the permissions needed.

Credential Management

Course - 01:01:00

The concept of using passwords for authentication is widespread and probably not going away anytime soon. This course demonstrates what to do and what not to do when managing user credentials, including case studies, samples of vulnerable code and suggestions for managing user credentials in a secure fashion.

Cryptography

Course - 00:40:00

Cryptography is a very useful tool. However, it can also be very fragile. A small error in design or implementation can destroy any benefits of using encryption in an application. This course describes some of the common errors that developers make when using cryptography and how to remediate them.

SQL Injection

Course - 01:33:00

SQL injection vulnerabilities are some of the most well-known and common vulnerabilities in existence. This course describes what they are, how they work, how they can be exploited and steps that can be taken to fix them. The case study featuring Starbucks demonstrates how a small mistake can have big consequences.

Cross-Site Scripting

Course - 00:31:00

Cross-site scripting (XSS) vulnerabilities are commonly underrated despite being the most common source of bug bounty payouts. This course describes the different types of XSS vulnerabilities, how to identify and mitigate them, and how they can be exploited to create big-name breaches like the ones pulled off by the Magecart Group.

Cross-Site Request Forgery

Course - 00:53:00

Cross-site request forgery (CSRF) vulnerabilities can force a user to take undesired actions on their account. These vulnerabilities can be easy to identify but harder to fix, since some seemingly logical solutions simply don’t work. This course discusses how the vulnerability works and the best ways to develop resilient code.

Poor HTTP Usage

Course - 00:43:00

In most scenarios, developing a “clever hack” to achieve some goal is applauded in programming. However, this isn’t the case when abusing HTTP or HTML to simplify some aspects of web design. This course demonstrates some of the numerous ways in which poor use of HTTP and HTML makes a web application vulnerable to attack.

Error Handling

Course - 00:58:00

Handling potential errors in code is essential to protecting against many of the attacks described in this learning path. However, developers need to maintain a careful balance between providing too much and too little information in error messages. This course describes how going too far in one direction or another can leave an application vulnerable to attack.

Meet the author

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • All-Source Analyst
  • Mission Assessment Specialist
  • Exploitation Analyst

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Plans & pricing

Infosec Skills Personal

$299 / year

  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Learn about scholarships and financing with Affirm.