Secure by Design

SKU: QASECDEV

Þessi vara er ekki til á lager og þvi ófáanleg eins og er.

This course teaches how to design, build, test, and operate secure software in modern development environments. It replaces bolt-on security approaches with secure-by-design practices embedded across the full system lifecycle, from architecture and development through deployment and operations. Learners explore how security integrates with DevOps and CI/CD pipelines, then apply secure design and threat modelling techniques to identify and manage risk early. The course develops practical understanding of security testing, vulnerability management, identity and access control, data security, and cryptography, forming a strong foundation for secure application development.

Real-world weaknesses are examined using the latest OWASP Top 10, showing how vulnerabilities emerge and how they can be prevented through better design, coding, and configuration. Software supply chain risks, including third-party components and cloud-native dependencies, are also covered. The course extends into AI security, introducing the AI lifecycle, AI-specific threats, and the ETSI EN 304 233 global standard for securing large language models, agentic systems, data, and prompts. By the end of the course, learners can apply secure engineering practices to build resilient, trustworthy software and AI-enabled systems.

Forkröfur

There are no prerequisites for this course.

This course does not include hands-on coding. Learners looking for implementation-focused skills can continue through QA’s Secure Engineering learning pathway.

Target audience

This course is designed for:

  • Software developers, DevOps engineers, and architects integrating security into the system development lifecycle
  • Security engineers and IT professionals responsible for secure design, testing, and operations
  • Technical leaders and managers seeking to reduce software and AI system risk
  • Professionals new to secure development who need a structured foundation

Nemandi mun læra eftirfarandi

By the end of this course, learners will be able to:

  • Integrate security throughout the entire system lifecycle rather than treating it as a final testing step
  • Apply secure-by-design principles when planning, architecting, and building software systems
  • Identify, assess, and prioritise cyber threats using structured threat modelling and risk assessment methods
  • Embed automated security testing and vulnerability management into modern DevOps and CI/CD practices
  • Design and implement strong identity, access control, and Zero Trust principles in applications and APIs
  • Protect sensitive information using data security controls and applied cryptography
  • Recognise and mitigate critical application security risks, including those in the OWASP Top 10
  • Understand and manage software supply chain risks, including third-party dependencies
  • Apply security principles to cloud-native and distributed architectures
  • Explain how AI systems introduce new attack surfaces and risk categories
  • Identify and mitigate vulnerabilities in LLMs, agentic systems, and AI-generated code
  • Use emerging frameworks and standards to secure AI models, data, prompts, and infrastructure
  • Adapt traditional security practices for AI-driven and autonomous systems
  • Contribute to a culture of continuous security monitoring and improvement

Samantekt

Secure development lifecycle

  • Overview of common SDLC models and their security implications
  • Extending the SDLC to include operations and system retirement
  • DevOps and DevSecOps development models
  • Risks of treating security as an afterthought
  • Embedding security controls into CI/CD pipelines
  • Continuous security integration and feedback loops

Secure-by-design and threat modelling

  • Software Security Code of Practice principles
  • Secure-by-design concepts and risk-driven decision making
  • Threat actors, motivations, and common targets
  • Assets, threats, and risk categories
  • Threat modelling purpose and benefits
  • Threat modelling methodologies including STRIDE and PASTA
  • Threat rating using DREAD
  • Practical threat modelling process from asset identification to risk prioritisation

Security testing and vulnerability management

  • Common vulnerabilities across modern development environments
  • Vulnerability identification and management lifecycle
  • Automated security testing in CI/CD pipelines
  • Static, dynamic, and software composition analysis tools
  • Pre-deployment scanning and quality gates
  • Penetration testing purpose, value, and limitations
  • Risk-based vulnerability prioritisation and remediation

Identity and access management

  • Identity and access management concepts and attributes
  • Identification, authentication, authorisation, and accountability
  • Multi-factor authentication and federated identity
  • Authorisation versus access control
  • Least privilege and privileged access management
  • API security considerations
  • Applying Zero Trust principles in modern applications

Data security

  • Core data security principles
  • Protecting data in use, in transit, and at rest
  • Data masking, tokenisation, and pseudonymisation
  • Secure handling of sensitive data in applications and APIs

Cryptography fundamentals

  • Cryptography and the confidentiality, integrity, and availability model
  • Symmetric and asymmetric encryption
  • Hybrid encryption approaches
  • Certificates, public key infrastructure, and trust models
  • Hardware security modules and key protection
  • Introduction to post-quantum cryptography

Application security and OWASP Top 10

  • Purpose and structure of the OWASP Top 10
  • Overview of recent changes and emerging risk trends
  • Coverage of the entire top ten, with case studies and modern mitigation
  • Broken access control and authentication failures
  • Security misconfiguration and insecure design
  • Injection vulnerabilities and cryptographic failures
  • Software and data integrity failures
  • Logging, monitoring, and alerting weaknesses
  • Software supply chain vulnerabilities and SBOM concepts
  • Secure coding, configuration, and cloud audit readiness
  • Learning from real-world vulnerability case studies

AI security foundations

  • The AI system lifecycle and security considerations
  • ETSI EN 304 233 principles for securing AI systems
  • Identifying and protecting AI assets including models, data, and prompts
  • Risks from AI-generated code and autonomous workflows
  • LLM-specific threats such as prompt injection, overreliance, and model theft
  • Agentic AI risks including excessive agency and cascading failures
  • AI security frameworks including MITRE ATLAS and NIST AI risk models
  • AI-focused threat modelling using STRIDE-AI and DREAD
  • Security challenges in autonomous and NoOps environments

Exams and assessments

There are no formal exams or certifications associated with this course. Learners complete structured knowledge checks and scenario-based exercises throughout the course to reinforce key concepts and validate understanding.

Hands-on learning

The course includes practical threat modelling activities, secure design exercises, and guided case studies. Learners apply security concepts to realistic software and AI-enabled scenarios, focusing on risk identification, mitigation strategies, and decision making rather than hands-on coding.