Application Security

1

Threat Modeling

Mapping assets, attackers and entry points. STRIDE for the practical engineer.

25 minutes

→

2

OWASP Top 10 Deep Dive

The ten most common families of bugs explained with real CVEs and fixes.

30 minutes

→

3

SQL Injection — Defense

Why prepared statements always win, ORM safety, blind injection patterns.

30 minutes

→

4

XSS Defense

Output encoding, CSP, trusted types, sanitizing only at boundaries.

30 minutes

→

5

CSRF Defense

Tokens, SameSite cookies, double-submit, when same-origin is enough.

25 minutes

→

7

Authentication Weaknesses

Credential stuffing, brute force, password reset flaws, MFA bypass.

30 minutes

→

8

Session Management

Cookie attributes, fixation, hijacking, rotation on privilege change.

25 minutes

→

11

TLS Configuration

Cipher suites, modern profiles, automatic renewal, HSTS preload.

25 minutes

→

12

HTTP Security Headers

CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy. Cheap big wins.

20 minutes

→

13

Secrets Management

Vault, KMS, sealed secrets. Rotation. Never in git, never in env files in production.

25 minutes

→

14

Dependency Security

Lockfiles, audit, automated upgrades, known-vuln databases.

20 minutes

→

18

Logging for Security

What to log, what NOT to log (PII!), tamper-evident chains, retention.

25 minutes

→

6

SSRF Defense

Server-side request forgery: allowlists, metadata-IP blocking, isolated egress.

25 minutes

→

9

JWT Pitfalls

alg=none, key confusion, replay, why short-lived tokens beat blacklists.

25 minutes

→

10

Remote Code Execution

Unsafe deserialization, eval-like APIs, command injection, supply chain.

30 minutes

→

15

Vulnerability Scanning

SAST, DAST, dependency scanners. Wiring them into CI without false-positive fatigue.

25 minutes

→

16

Security Code Review

Spotting common bugs in PRs: a checklist that scales beyond intuition.

30 minutes

→

17

Incident Response

Detect, contain, eradicate, recover. Communication. Blameless postmortem.

30 minutes

→