Monday, November 2
 

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Monday November 2, 2026 9:00am - 5:00pm PST

3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests, so you can dive deeper into the areas that matter most.

Students will choose from the following material:

Core Modules
  • 00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
  • 00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
  • 00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
  • 00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
  • 00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
  • 00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
  • 00-06 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
  • 00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices
  • 00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
  • 00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging
  • 00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
  • 00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
  • 00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows

API Security
  • 01-00 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
  • 01-01 Microservice Security (2 hrs): Security Architectures in Microservices
  • 01-02 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
  • 01-03 gRPC Security (1 hr): gRPC Security Architecture

Foundations of AI Security
  • 02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts, Threats, and Mitigations
  • 02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications

AI Secure Development Practices
  • 02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation
  • 02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI

AI Architecture
  • 02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines
  • 02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure
  • 02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems
  • 02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems
  • 02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models, Especially in Response to Emerging Threats
  • 02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores

AI Adversarial Techniques
  • 02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems
  • 02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience

AI Supply Chain
  • 02-40 Integrating AI in Software (1 hr): Security architecture patterns, risks, and mitigation strategies for integrating LLMs and AI APIs into real-world applications
  • 02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem
  • 02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and Performance Degradation Over Time
  • 02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models
  • 02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark

AI Regulatory and Ethical Frameworks
  • 02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments
  • 02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment

Standards
  • 03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
  • 03-01 Introduction to GDPR (1 hr): European Data Privacy Law
  • 03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
  • 03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
  • 03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
  • 04-00 XSS Defense (2 hrs): Client-Side Web Security
  • 04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
  • 04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
  • 04-03 React Security (1 hr): Secure React Application Development
  • 04-04 Vue.js Security (1 hr): Secure Vue.js Application Development
  • 04-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
  • 04-06 Clickjacking (0.5 hr): UI Redress Attack Defense
  • 04-07 Flutter Security (0.5 hr): Flutter Security Basics

Identity & Access Management
  • 05-00 Authentication Best Practices (1.5 hrs): Web Authentication Practices
  • 05-01 Session Management Best Practices (1.5 hrs): Web Session Management Practices
  • 05-02 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
  • 05-03 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
  • 05-04 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
  • 05-05 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
  • 05-06 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
  • 05-07 Brute Force Defense (0.5 hr): Stopping Brute Force Attacks

Crypto Modules
  • 06-00 Secrets Management (1 hr): Key and Credential Storage Strategies
  • 06-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
  • 06-02 Cryptography Fundamentals:
      • 06-02-00 Terminology and Basic Concepts (1 hr): Understanding Key Terms in Cryptography
      • 06-02-01 Steganography (1 hr): Techniques for Concealing Information
      • 06-02-02 Cryptographic Attacks (1 hr): Common Attacks and How to Defend Against Them
      • 06-02-03 Kerckhoffs's Principle and Perfect Forward Secrecy (1 hr): Fundamental Principles in Cryptographic Security
      • 06-02-04 Hash Functions (1 hr): Importance and Use Cases of Hash Functions
      • 06-02-05 Symmetric Cryptography (1 hr): Understanding Symmetric Key Algorithms
      • 06-02-06 Randomness in Cryptography (1 hr): Role and Generation of Randomness
      • 06-02-07 Digital Signatures (1 hr): Ensuring Integrity and Authenticity in Digital Communications

Process
  • 07-00 DevOps Best Practices (1 hr): DevOps and DevSecO
Speakers
Monday November 2, 2026 9:00am - 5:00pm PST
TBA
 
Tuesday, November 3
 

9:00am PST

2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Robert Hurlbut

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This training immerses you in the practical world of threat modeling through hands-on exercises and real-world scenarios. With 25 years of practical experience and over a decade of delivering this training at Black Hat, it emphasizes an interactive approach—70% of the course is dedicated to exercises that reinforce learning. By the end, you'll gain not only knowledge but also the skills to effectively practice threat modeling within your organization.


Updated annually, this revised training covers the latest threat intelligence and attack methods expected for 2026 and beyond, including risks associated with LLMs and other AI systems. Participants will engage in practical activities inspired by real industry projects, such as integrating threat modeling into secure-by-design and DevOps workflows. Key features include threat-informed defense using MITRE frameworks like ATT&CK for real-world analysis, using threat libraries and intelligence to deepen threat understanding, and tackling modern challenges such as modeling threats for AI-driven systems—specifically, a machine-learning-powered chatbot.


Before the training, all participants will get access to our self-paced “introduction to threat modeling” course, designed to bring participants up to speed.


As practitioners with hands-on experience, we understand the gap between book-based threat modeling knowledge and the practical challenges faced in real-world environments. To address this, we have created a comprehensive real-world case study and exercises to help you build effective threat models. In this course, you will work in teams of 3 or 4 to address the stages of threat modeling across various technology stacks.


Examples include:
• Use case describing a home automation system
• Data flow diagramming and trust boundaries
• Identifying threats
• AI-Assisted STRIDE analysis
• Constructing an attack tree
• Mitigating threats
• AI-Assisted mitigations
• Applying GDPR Risk Patterns for Privacy by Design
• Using AI resources to threat model a machine learning powered HomeAutomationBot
• Integrating the OWASP Threat Modeling Playbook into agile development
• Threat Modeling a CI/CD supply chain
• Red Team / Blue Team battle for control over an offshore wind turbine park


After each exercise, we encourage in-depth discussions and provide a documented solution to reinforce your understanding. Additionally, participants are invited to create and submit their “Bring Your Own Case” (BYOC) threat models after the training and receive personalized feedback to improve their techniques. To receive the “Certified Threat Modeling Practitioner” certificate, participants must pass an exam and submit their BYOC threat model.


This training extends beyond the classroom: every participant gains access to our Threat Modeling Playbook, one year of online learning resources, and invitations to monthly Ask-Me-Anything sessions to help you keep improving your threat modeling skills long after the course concludes.

Speakers
Robert Hurlbut

Principal Product Security Architect and Threat Modeling Trainer, Toreon
Robert Hurlbut is a Principal Product Security Architect and Threat Modeling Trainer at Toreon and has over 30 years of experience in secure coding and software architecture. Prior to joining Toreon, he initiated and led threat modeling programs at Bank of America and Aquia. Robert is...
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Speakers
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA
 
Wednesday, November 4
 

9:00am PST

2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Beginner

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.


Speakers
Robert Hurlbut

Principal Product Security Architect and Threat Modeling Trainer, Toreon
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Wednesday November 4, 2026 9:00am - 5:00pm PST

3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Speakers
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA
 