🚀 Early Adopter Price: $39/mo for lifeClaim Your Price →
Application Security Fundamentals
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

Notify me
SecurityFoundationalFreeComing Soon

Application Security Fundamentals

The Application Security Fundamentals course teaches how applications are attacked and defended, organized around the OWASP Top 10. Learners study injection, broken access control, cryptographic failures, insecure design, security misconfiguration, vulnerable components, authentication failures, integrity failures, logging failures, and SSRF — with concrete remediation guidance and secure coding patterns.

Who Should Take This

Software developers, junior security engineers, and code reviewers who write or review web applications and APIs. Assumes basic familiarity with HTTP and at least one server-side programming language. Learners finish able to recognize the OWASP Top 10 in source code, apply standard mitigations, and reason about secure-by-design patterns.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
13 Activity Formats

Course Outline

1Broken Access Control
3 topics

Authorization Fundamentals

  • Define authentication versus authorization and identify which one access control concerns.
  • Identify the access-control models RBAC, ABAC, and ReBAC and describe a use case for each.

Vertical and Horizontal Escalation

  • Distinguish vertical privilege escalation (user → admin) from horizontal (user A → user B's data) and identify both in scenario descriptions.
  • Apply server-side authorization checks at every privileged endpoint and explain why client-side hiding of UI is not a security control.

IDOR and Force Browsing

  • Define Insecure Direct Object References (IDOR) and recognize a vulnerable endpoint pattern (e.g., GET /api/orders/{id} with no ownership check).
  • Apply object-level authorization (ownership or scope check on every request) and contrast with relying on UUIDs as 'security through obscurity'.
  • Analyze a code review scenario containing IDOR and explain the minimal correct fix.
2Cryptographic Failures
3 topics

Data In Transit

  • Identify the requirement to use TLS 1.2+ for sensitive data in transit and recognize plain-HTTP login forms as a critical issue.
  • Apply HSTS, secure-cookie flags, and full-site HTTPS enforcement to a web application.

Data At Rest

  • Identify when application data requires encryption at rest (PII, secrets, financial records) and identify field-level vs disk-level options.
  • Apply envelope encryption with a KMS to protect sensitive columns, and contrast with full-database TDE for compliance-only encryption.

Password Storage and Secrets

  • Identify Argon2id and bcrypt as appropriate password-hashing functions and identify SHA-256 (without KDF) and unsalted hashes as inappropriate.
  • Apply secret-management practices: secrets in a vault (AWS Secrets Manager, Vault), short-lived rotated credentials, never in source control.
  • Analyze a leaked credentials database scenario and evaluate cracking economics under different password storage choices.
3Injection and Insecure Design
3 topics

SQL and NoSQL Injection

  • Define SQL injection and identify a vulnerable string-concatenation pattern in real code.
  • Apply parameterized queries (prepared statements / ORM placeholders) and explain why they prevent SQL injection.
  • Analyze a stored procedure or NoSQL query that suffers from injection and propose the correct fix grounded in the underlying data layer's API.

Cross-Site Scripting (XSS)

  • Distinguish stored, reflected, and DOM-based XSS and identify a representative payload for each.
  • Apply context-aware output encoding (HTML body, attribute, JavaScript, URL) and CSP nonces as XSS defenses.

Insecure Design and Business Logic

  • Define insecure design and identify common business-logic flaws (negative-quantity orders, race conditions in coupon redemption, missing rate limits).
  • Apply threat modeling early in design (STRIDE on a DFD) and explain how it surfaces design-level flaws missed by code review.
  • Analyze a checkout-flow scenario with a missing server-side total recomputation and explain the resulting price-tampering vulnerability.
4Configuration, Components, and Authentication
3 topics

Security Misconfiguration

  • Identify common misconfigurations: default credentials, verbose error pages, exposed admin endpoints, unnecessary HTTP methods, debug mode in production.
  • Apply secure baseline configurations and use IaC + linters (cfn-nag, tfsec, kube-bench) to enforce them.

Vulnerable and Outdated Components

  • Identify SBOM and SCA (Software Composition Analysis) as core supply-chain practices and identify GitHub Dependabot, Snyk, and OSV as common SCA tools.
  • Apply a dependency hygiene policy: pin versions, monitor advisories, patch on published CVE, and remove unused dependencies.
  • Analyze a Log4Shell-style scenario where a transitive dependency is vulnerable and evaluate the response (immediate mitigation vs full upgrade).

Identification and Authentication Failures

  • Identify weak authentication patterns: passwords-only, no MFA, predictable session IDs, session fixation, missing rate limit on login.
  • Apply baseline authentication hardening: MFA, secure session cookies (Secure, HttpOnly, SameSite), session rotation on privilege change, rate limit + lockout.
5Integrity, Logging, and SSRF
3 topics

Software and Data Integrity Failures

  • Define insecure deserialization and identify pickle, YAML.load, and Java deserialization as historically dangerous interfaces.
  • Apply integrity controls: signature verification on artifacts, pinned package hashes, and avoiding native deserialization of untrusted input.
  • Analyze a CI/CD pipeline scenario where a build step pulls an unpinned action and propose a hardening plan grounded in SLSA-level controls.

Security Logging and Monitoring Failures

  • Identify the minimum security-relevant events to log: authentication outcomes, authorization denials, privileged actions, integrity-check failures.
  • Apply structured logging with correlation IDs and forward to a SIEM with retention sufficient for incident investigation.

Server-Side Request Forgery (SSRF)

  • Define SSRF and identify common targets: cloud metadata endpoints (169.254.169.254), internal admin services, and link-local addresses.
  • Apply SSRF mitigations: allowlist outbound destinations, block link-local/private ranges at egress, use IMDSv2 in AWS.
  • Analyze a server-side image fetcher that accepts user URLs and explain how a chained DNS rebinding attack defeats naive IP-blocklist defenses.
6Secure SDLC
3 topics

Static and Dynamic Analysis

  • Distinguish SAST, DAST, IAST, and SCA in terms of when in the SDLC each runs and what classes of bugs each finds.
  • Apply a baseline security CI pipeline: SAST + SCA on every PR, DAST on staging, secret scanning on every commit.

Code Review and Threat Modeling

  • Apply a security-focused code review checklist (input handling, authz, secrets, crypto, error handling, logging) to an unfamiliar PR.
  • Analyze a feature design proposal using STRIDE and produce a prioritized list of mitigations.

Vulnerability Management

  • Define CVE, CWE, and CVSS and describe how each is used in vulnerability triage.
  • Apply a triage workflow that prioritizes by exploitability, exposure, and business impact rather than by raw CVSS alone.
  • Identify EPSS (Exploit Prediction Scoring System) and KEV (CISA Known Exploited Vulnerabilities) and describe how they refine CVSS-only prioritization.
7API and Service Security
3 topics

REST API Security

  • Identify the OWASP API Security Top 10 and identify Broken Object Level Authorization (BOLA) as the most common API vulnerability.
  • Apply object-level and field-level authorization on every API endpoint, and avoid relying on opaque IDs as access control.
  • Analyze a 'mass assignment' API vulnerability where an unfiltered body parameter elevates a user role and propose the correct fix.

GraphQL Security

  • Identify GraphQL-specific concerns: query depth/complexity attacks, batch attacks, introspection in production, missing authz at the resolver level.
  • Apply GraphQL hardening: query depth limits, complexity scoring, persisted queries in prod, disabled introspection, per-resolver authorization.

API Authentication and Rate Limiting

  • Identify common API auth patterns: OAuth bearer tokens, mTLS for service-to-service, signed requests (AWS SigV4), and API keys (lowest assurance).
  • Apply per-client rate limiting and quota enforcement to mitigate scraping, brute force, and resource exhaustion.
8Mobile and DevSecOps
4 topics

Mobile App Security

  • Identify the OWASP Mobile Top 10 categories at a recall level, including improper credential usage, insecure communication, and insecure storage.
  • Apply mobile app secret-storage guidance: Keychain (iOS) / Keystore (Android), avoid hard-coded API keys, certificate pinning where appropriate.

CI/CD and Pipeline Security

  • Identify common CI/CD risks: leaked secrets in logs, unpinned third-party actions, malicious PRs running in privileged contexts, and post-build artifact tampering.
  • Apply pipeline hardening: short-lived OIDC-federated cloud creds, pinned action SHAs, secret scanning, branch protection, and signed artifacts (Sigstore/cosign).
  • Analyze the SolarWinds-style supply-chain compromise pattern and trace which CI/CD controls would have detected or prevented each step.

Container Image Security

  • Identify image scanning tools (Trivy, Grype, Snyk) and identify minimal-base-image strategies (distroless, scratch, Alpine considerations).
  • Apply baseline image hygiene: pin base image digests, run as non-root, drop capabilities, scan in CI, sign images, and pull from a private registry.

Secure Defaults and Frameworks

  • Identify how modern frameworks (Django, Rails, Spring Security) provide secure defaults — and identify common ways developers disable them.
  • Apply framework-aware security review: confirm CSRF protection, output escaping, authz decorators, and template auto-escaping are not disabled.

Scope

Included Topics

  • OWASP Top 10 (2021) categories and their concrete manifestations in code.
  • Injection (SQL, NoSQL, OS command, LDAP, XPath) and parameterized-query mitigations.
  • Broken access control: vertical and horizontal privilege escalation, IDOR, force-browsing.
  • Cryptographic failures: weak primitives, hardcoded secrets, plain-HTTP transmission, weak password storage.
  • Insecure design: missing threat modeling, business-logic flaws, lack of rate limiting.
  • Security misconfiguration: default credentials, verbose errors, exposed admin interfaces.
  • Vulnerable and outdated components, SBOM, and dependency hygiene.
  • Identification and authentication failures: weak password policies, missing MFA, session fixation.
  • Software and data integrity failures: insecure deserialization, supply-chain attacks, missing signature verification.
  • Security logging and monitoring failures.
  • Server-side request forgery (SSRF).

Not Covered

  • Binary exploitation, memory-corruption vulnerabilities, and reverse engineering.
  • Mobile-specific (OWASP MASVS) and IoT-specific application security beyond conceptual coverage.
  • Detailed bug-bounty hunting tactics.

Application Security Fundamentals is coming soon

Adaptive learning that maps your knowledge and closes your gaps.

Create Free Account to Be Notified