Application Security 101 - Theory by Tanya Janca

Learn how to create and run an Application Security Program, from the ground up.

Lessons include: planning, launching, running, scaling, measuring and improving your AppSec Program. We will cover tooling, where to start, how to measure, setting up SLAs, creating a security champions program, developer education, and more. The course includes lectures, reading assignments, written exercises, quizzes, checklists, and handouts. You will be expected to complete exercises that you can bring back to your office for implementation.

What to expect in AppSec101

Here is a short video that gives an overview of some of the topics the course will cover.


The prerequisite for the course is a basic understanding of software development. We will start at the very beginning for application security, but understanding the foundations of the system development life cycle (SDLC) will lead to better results.

You do not need a computer science degree or coding experience for this course. It is taught at the theory and program level; it is not a hands-on course.

This course does not include a certificate at the end. It will eventually be part of a complete curriculum that includes a certificate. That program is not quite ready, but your completion of this course will be tracked within the system and will count towards the full program when it is ready.

What's included?

30 videos, 36 files, 4 text files


Module 1: Introduction: What is Application Security
- Course Introduction (5 mins)
- Your Trainer (2 mins)
- What is AppSec, what is DevSecOps, and why do they matter? (11 mins)
- Introduction: What is Application Security: Quiz

Module 2: The Goals of an AppSec Program
- AppSec Program Goals (14 mins)
- Assignment 1 - The Video (6 mins)
- Assignment 1 - Setting Goals (607 KB)
- Assignment 1 - Setting Goals - Fillable Form (260 KB)
- Module 2: The Goals of an AppSec Program: Quiz

Module 3: AppSec Activities
- Application Security Activities (60 mins)
- Assignment 2: AppSec Activities - The Video (1 min)
- Assignment 2: AppSec Activities - The PDF (591 KB)
- Assignment 2: AppSec Activities - Fillable Form (422 KB)
- Module 3: AppSec Activities: Quiz

Module 4: Tooling
- Types of AppSec Tooling (39 mins)
- Assignment 3: Tooling - The Video (2 mins)
- Assignment 3: Tooling - The PDF File (417 KB)
- Assignment 3: Tooling - Fillable Form (382 KB)
- Module 4: Tooling: Quiz

Module 5: Scaling Your Team
- Scaling Your Team (14 mins)
- Assignment 4: Scaling - The Video (3 mins)
- Assignment 4: Scaling - The PDF File (759 KB)
- Assignment 4: Scaling - Fillable Form (243 KB)
- Module 5: Scaling Your Team: Quiz

Module 6: Developer Education and Advocacy
- Developer Education (15 mins)
- Assignment 5: Developer Education - The Video (5 mins)
- Assignment 5: Developer Education.pdf (749 KB)
- Assignment 5: Developer Education - Fillable Form.pdf (239 KB)
- Module 6: Developer Education: Quiz
- Developer and Security Advocacy (23 mins)
- Assignment 6: Advocacy - The Video (5 mins)
- Assignment 6: Advocacy.pdf (588 KB)
- Assignment 6: Advocacy - Fillable Form.pdf (244 KB)
- Module 6: Advocacy: Quiz

Module 7: Standards and Policies (37 mins)
- Module 7: Policies: Quiz
- Standards and Guidelines
- Secure Coding Guideline - The Video (13 mins)
- Secure Coding Guideline - The PDF File (473 KB)
- Web App Security Requirements - The Video (8 mins)
- Web App Security Requirements - The PDF File (476 KB)
- Module 7: Standards and Guidelines: Quiz
- SANS Web App Testing Scope Policy
- SANS Policy Templates

Module 8: Incident Response
- Incident Response (26 mins)
- During an Incident
- Assignment 7: Incident Preparation (3 mins)
- Assignment 7: Incident Preparation - PDF File (410 KB)
- Assignment 7: Incident Preparation - Fillable Form (242 KB)
- Sample Incident Report - The Video (4 mins)
- Sample Incident Report - The PDF File (395 KB)
- Sample Postmortem Report - The Video (4 mins)
- Sample Postmortem Report - The PDF File (575 KB)
- Module 8: Incident Response: Quiz
- Bonus Resources (2 mins)
- NIST Computer Security Incident Handling Guide
- SANS Incident Response WhitePaper
- Sample incident report
- Atlassian Postmortem Template
- Pagerduty Postmortem Template
- Pager Duty Incident Best Practices

Module 9: Metrics and Improvement
- Metrics and Improvement (35 mins)
- Case Study 1.pdf (607 KB)
- Assignment 8: Metrics - The Video (2 mins)
- Assignment 8: Metrics - The PDF File (950 KB)
- Assignment 8: Metrics - Fillable Form (477 KB)

Module 10: Your Goals
- Updating Your Goals, and Creating a PLAN (6 mins)
- Case Study #3: The Video (14 mins)
- Case Study 3.pdf (1.16 MB)
- Assignment 9: Setting Goals - The PDF File (3.2 MB)
- Assignment 9: Setting Goals - Fillable Form (784 KB)
- Module 10: Your Goals: Quiz

Module 11: Advanced AppSec Activities
- Advanced Application Security Activities (11 mins)

Module 12: Conclusion
- Course Summary (2 mins)
- 5 mins
- Resources: Open Web Application Security Project
- Resources: WoSEC - Women of Security
- Resources: #CyberMentoringMonday
- Resources: Your Trainer, Tanya Janca


Below are frequently asked questions about this course.

Q: How long will it take me to complete this course?
A: Approximately 2 full days.

Q: Can I break the course up into smaller pieces so I can fit it into my schedule?
A: Yes! There are twelve modules, and you can start or stop whenever you want.

Q: How much stuff do I need to know to take this course?
A: You will need a basic understanding of software development, which includes: the basics of the system development life cycle, the fact that software developers save their code into a code library, and the concept of releasing new versions. You will also need a very basic understanding of project-based work and a general understanding of the IT industry, for instance, the fact that there are teams that do helpdesk, teams that do quality assurance, and other teams that manage projects.

Q: How many assignments are there?
A: Nine.

Q: Do I have to do the assignments?
A: No, you don't *have* to do the assignments; no one is 'checking'. We do not mark them or ever ask to see them. That said, if you want to learn, do the assignments.

Q: Does this course contain hands-on work?
A: No, this is theory only.

Q: Do I need to take this course before the hands-on courses?
A: Yes. If you do not understand the theory, you won't know when to do each of the hands-on tasks. You also won't know which hands-on task is the best one to select to achieve your goals, and you won't know how to justify your actions to management. This is a foundation course, and you will not fully understand the hands-on courses unless you take it.