Secure Coding Fundamentals Learning Path
16 hours, 34 minutes
Quick facts
About this learning path
-
courses
100% online
-
Duration
16 hours, 34 minutes
-
Assessment
questions
About Secure Coding Fundamentals
Most software vulnerabilities are caused by the same few development mistakes. This path describes these vulnerabilities and how to recognize them in code, demonstrates how they are exploited by attackers (including real-world case studies of vulnerable applications in production), and describes ways by which the vulnerabilities can be mitigated.
Syllabus
Secure Coding Fundamentals Skill Assessment
Assessment - 84 questions
Introduction to Secure Coding Fundamentals
Course - 00:08:00
This learning path starts with a discussion of the secure coding landscape and the tools that will be used. This course discusses why knowledge of secure coding techniques is so necessary for modern development and introduces the deliberately vulnerable applications that will be used to demonstrate the impact of different vulnerabilities.
Buffer Overflows
Course - 00:51:00
Buffer overflow vulnerabilities are some of the simplest vulnerabilities that can exist in an application. This course discusses how poor memory management can leave an application open to attack, how the vulnerability can be exploited and potential mitigations to reduce the probability and impact of vulnerable code.
Integer Overflows and Underflows
Course - 00:54:00
Integer overflow and underflow vulnerabilities are caused by misuse of the various types of variables available in most programming languages. Understanding how to identify these vulnerabilities and how they can be exploited can prevent an attacker from bypassing checks or triggering other vulnerabilities (like buffer overflows).
Race Conditions
Course - 01:18:00
The advent of parallel processing has made computers more efficient but also created new classes of vulnerabilities. This course describes the theory and practice of race condition vulnerabilities by describing what makes a code vulnerable, how it can be exploited and ways to mitigate the vulnerability.
Format String Vulnerabilities
Course - 00:32:00
Print statements are a deceptively simple aspect of programming. By exploiting format string vulnerabilities, an attacker can read from or write to arbitrary memory within a program. This course describes how to identify format string vulnerabilities and how to write code that is not vulnerable to attack.
Command Injection
Course - 00:40:00
Command injection vulnerabilities take advantage of the fact that instructions and data are often mixed within programs. This course demonstrates how command injection vulnerabilities can be exploited by an attacker, what to look out for and how to write code that is immune to this type of attack.
Least Privilege
Course - 01:03:00
Least privilege is not so much a vulnerability as a vulnerability multiplier. Any error that allows an attacker to gain control of a program only grows worse when that application is running with high-level permissions. This course suggests how to implement applications in a way that minimizes the permissions needed.
Credential Management
Course - 01:01:00
The concept of using passwords for authentication is widespread and probably not going away anytime soon. This course demonstrates what to do and what not to do when managing user credentials, including case studies, samples of vulnerable code and suggestions for managing user credentials in a secure fashion.
Cryptography
Course - 00:40:00
Cryptography is a very useful tool. However, it can also be very fragile. A small error in design or implementation can destroy any benefits of using encryption in an application. This course describes some of the common errors that developers make when using cryptography and how to remediate them.
SQL Injection
Course - 01:33:00
SQL injection vulnerabilities are some of the most well-known and common vulnerabilities in existence. This course describes what they are, how they work, how they can be exploited and steps that can be taken to fix them. The case study featuring Starbucks demonstrates how a small mistake can have big consequences.
Cross-Site Scripting
Course - 00:31:00
Cross-site scripting (XSS) vulnerabilities are commonly underrated despite being the most common source of bug bounty payouts. This course describes the different types of XSS vulnerabilities, how to identify and mitigate them, and how they can be exploited to create big-name breaches like the ones pulled off by the Magecart Group.
Cross-Site Request Forgery
Course - 00:53:00
Cross-site request forgery (CSRF) vulnerabilities can force a user to take undesired actions on their account. These vulnerabilities can be easy to identify but harder to fix, since some seemingly logical solutions simply don’t work. This course discusses how the vulnerability works and the best ways to develop resilient code.
Poor HTTP Usage
Course - 00:43:00
In most scenarios, developing a “clever hack” to achieve some goal is applauded in programming. However, this isn’t the case when abusing HTTP or HTML to simplify some aspects of web design. This course demonstrates some of the numerous ways in which poor use of HTTP and HTML makes a web application vulnerable to attack.
Error Handling
Course - 00:58:00
Handling potential errors in code is essential to protecting against many of the attacks described in this learning path. However, developers need to maintain a careful balance between providing too much and too little information in error messages. This course describes how going too far in one direction or another can leave an application vulnerable to attack.
Meet the author
Howard Poston
The details
Learning path insights
How to claim CPEs
Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.
Associated NICE Work Roles
All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.
- All-Source Analyst
- Mission Assessment Specialist
- Exploitation Analyst
No software. No set up. Unlimited access.
Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.
Unlock 7 days of free training
- 1,400+ hands-on courses and labs
- Certification practice exams
- Skill assessments
Plans & pricing
Infosec Skills Personal
$299 / year
- 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Custom certification practice exams (e.g., CISSP, Security+)
- Skill assessments
- Infosec peer community support
Infosec Skills Teams
$799 per license / year
- Team administration and reporting
- Dedicated client success manager
-
Single sign-on (SSO)
Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
-
Integrations via API
Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
- 190+ role-guided learning paths and assessments (e.g., Incident Response)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Create and assign custom learning paths
- Custom certification practice exams (e.g., CISSP, CISA)
- Optional upgrade: Guarantee team certification with live boot camps
Learn about scholarships and financing with
