Agenda structure

Last updated 2 months ago

The published agendas of our courses represent a collection of topics and classes we deliver on a course, normally or optionally, in depth or in a short version depending on the needs of the client and the actual audience. The agendas do not represent a lineup of the topics and classes. In a defdev course we interweave introductory lecturing with intro exercises and the advanced discussion of topics with practicing the subject matters by doing exercises, DIY tasks and challenges.

Secure development courses

For many of the topics in the secure development agendas we prepare demos, code fixing exercises, and DIY practices. Most of the hands-ons and other practical exercises are available as cloud instances developed and hosted by

A defdev course for developers consists of the following ingredients:


We make students experience the problems of hackable software right from the beginning. We touch some topics in introductory mode first, turn to some exercises then, and finally discuss the details based on hands-on experiences. Also there are topics that need to be discussed like S-SDLC which we introduce without details to developers. [see block A];

Secure coding

The topics of secure implementation every developer is expected to have a good command of in order to produce quality code. We discuss and practice how to avoid vulnerabilities. [see block B];

Secure architecting

The topics of secure design which should be well applied at the initial phase of software development. We discuss how to make choices regarding threats, crypto, access management, business logic, regarding object references and remote calls, communication configuration, tiers of protection, logging, etc. [see block C];

Framework/language specifics

Every course has its specific subject, a language or a framework in the context of which the above topics are illustrated. Also every framework and language has its own weaknesses to learn how to avoid. [see block D];

Security testing and audit

We assume that developers (and other professionals involved in software production) should be able to do basic security testing on their own. We teach basics of automated code analysis, and also ASVS review. [see block E];


The course can be extended with add-on modules, such as assisted code-review or S-SDLC playbook. [see blocks K,L,M];

Other course types

Content under construction