Secure software Development Fundamentals

Modern software is under constant attack, but many software developers have never been told how to effectively counter those attacks. This certification is to cover that problem, by proving you master the fundamentals of developing secure software.

Start now

Summary

This exam covers the basics of security, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. This part then discusses how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also discusses how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. This is the first of the three courses in the Secure Software Development Fundamentals Professional Certificate program, and was developed by the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation focused on securing the open source ecosystem. The training courses included in this program focus on practical steps that you (as a developer) can take to counter most common kinds of attacks.

  • What you'll learn
  • - Security basics: risk management, the “CIA” triad, and requirements.
  • - Secure design principles: what are principles such as “least privilege” and how to apply these principles.
  • - Supply chain evaluation: tips on how to choose packages to reuse, and how to reuse them so that you can rapidly be alerted & update.
  • - Implementation: You’ll learn how to implement much more secure software. This includes how to do Input validation, process data securely, call out to other programs, and send output. You’ll also learn about more specialized approaches, including some basics of cryptography and handling problems (such as error-handling code).
  • - Security Verification: How to examine software, include some key tool types, and how to apply them in continuous integration (CI). This includes learning about security code scanners/static application security testing (SAST) tools, software composition analysis (SCA)/dependency analysis tools, fuzzers, and web application scanners.
  • - Threat modeling/Attack modeling: How to consider your system from an attacker’s point of view and how to apply a simple design analysis approach called STRIDE.
  • Fielding: How to deploy and operate secure software, handle vulnerability reports, and how to rapidly update when reused components have publicly-known vulnerabilities.
  • - Assurance cases & formal methods: The basics of approaches to more strongly analyze and justify that your software is secure.

This is the first of the three courses in the Secure Software Development Fundamentals Professional Certificate program, and was developed by the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation focused on securing the open source ecosystem. The training courses included in this program focus on practical steps that you (as a developer) can take to counter most common kinds of attacks.

Modules

Path traversal (LFI)
Cross Site Scripting
Cross site scripting (attribute)
Cross site scripting (href)
Insecure file upload
Clickjacking
Rate-limiting
Open redirect
Formulla injection
Mass assingment attack