Close Cookies Alert

We use cookies to provide you with the best experience and understand how you use our website. For more information, please visit our Privacy Policy page.

Developer Application Security Training

Train your development team to build secure software. Learn how to implement a Secure Development Lifecycle and fix security vulnerabilities before they come into existence.

Developer Application Security Training

All software has security bugs, but some software is much harder to hack than others. We teach software developers, testers, and managers how to produce less vulnerable code and protect user data from malicious hackers.

Training Details

Course level

Beginner to Intermediate


Five three-hour long sessions over two weeks


Private recordings available on YouTube


English, Ukrainian or Russian



2,400 EUR (ex. VAT) for a group of 15-25 students

Suitable for

Suitable for

the companies that are willing to produce more secure software.

Feedback & Support

Feedback & Support

Private chat group to interact with trainers during and after the course.

Why Do Developers Need AppSec Training?

Software development is all about features. Features make your software useful, and they are easy to demonstrate to your customers, unlike software security, which is virtually invisible.

Unlike security vulnerabilities, security breaches are apparent. We teach software developers how to produce more secure code and protect their business, data, and clients from malicious hackers.

Training program

In the Application Security Awareness Training, we cover the material recommended by OWASP SAMM and go far beyond. With this course, we help you implement five crucial Application Security practices into your Software Development Lifecycle:

  • Training and Awareness

    Learning about security engineering principles, application security basics, and appsec practices. More about this practice .

  • Secure Architecture Design

    Establishing the ground basis for effective secure software engineering processes. More about this practice.

  • Application Threat Modeling

    Identifying application threats and defining software security requirements. More about this practice.

  • Secure Coding

    Learning about main security vulnerability classes and preventing and avoiding them in your code. More about this practice.

  • Security Testing

    Verifying security requirements, finding and fixing security vulnerabilities (a.k.a. hacking). More about this practice.

We cover all training topics with lectures and practical exercises. All students participate in a Threat Modeling session and solve Security Testing and Code Review tasks in the online labs.


High Developer Engagement

We keep the audience engaged by applying hands-on training. Practical tasks keep the students excited and help them better absorb the information.

Only Crucial Security Practices

We share the knowledge we are practicing day-to-day: no theorizing or “best practice” mumbo-jumbo, only the practical meat.

OWASP SAMM methodology

We use the OWASP Software Assurance Maturity Model in our Application Security consulting engagements and developer security training.

Prior Knowledge

We offer the training to the software development teams, so there are no specific requirements beyond the field’s general awareness.

No final tests and exams

As it is an awareness training, we provide a course completion report to the client and do not arrange any final examination or quiz.

We know how to break security, we know how to make breaking it harder, and we love teaching developers how to build systems that are harder to break. After all, in the security profession, all fun comes from challenges and knowledge sharing.

Serhii Korolenko

Serhii Korolenko

Senior Consultant & Training Lead

Training Schedule

Day 1

Introduction to Cybersecurity

  • Cybersecurity threats, cyberattacks, and data breaches.
  • Threat actors, attack vectors, and security vulnerability classes.
  • Security design and secure protocol demo based on the Have I Been Pwned website.
  • The state of cybersecurity industry: Data Breach Investigation Report.
  • Cybersecurity online resources and communities.

#cybersecurity #cyberattacks #hackers

Day 2

Application Security Fundamentals

  • Software vulnerability types, National Vulnerability Database (NVD), and Common Vulnerabilities and Exposures (CVE).
  • Vulnerability risk level and using the Common Vulnerability Scoring System (CVSS) calculator.
  • Common software vulnerabilities:
    OWASP Top10, Common Weakness Enumeration (CWE), and BugCrowd Vulnerability Rating Taxonomy (VRT).
  • Understanding the cyberattack kill chain. Using Mitre ATT&CK matrix and ATT&CK Navigator.

#vulnerability #risk #owasp

Day 3

Security Architecture and Threat Modeling

  • Fundamental security engineering principles.
  • Secure Software Development Lifecycle (SDL) and Application Security practices.
  • OWASP Software Assurance Maturity Model (SAMM).
  • Threat Modeling. Using OWASP Threat Dragon and Elevation of Privilege game.
  • A practical Threat Modeling session.

#threatmodeling #sdl #samm

Day 4

Secure Development

  • Security requirements, secure coding, and security testing.
  • Software supply chain vulnerabilities and dependencies security.
  • Code security review basics, techniques, and tools.
  • OWASP Application Security Verification Standard.
  • A practical code security review session in OWASP Secure Flag.

#codereview #asvs #secureflag

Day 5

Security Testing

  • Requirements-based security testing.
  • Third-party penetration testing.
  • Design and architecture review.
  • OWASP Testing Project and OWASP Web Security Testing Guide.
  • A practical security testing session in PortSwigger Web Security Academy.

#securitytesting #wstg #portswigger

Start building more secure and reliable software by teaching the Application Security fundamentals to your software development teams.


The Application Security Awareness Training is taught by the BSG Application Security experts. Our tutors hold prestigious professional certificates, excel at public speaking, and maintain up-to-date knowledge in AppSec practices. They are at the core of the OWASP Kyiv chapter and the NoNameCon – Ukraine’s largest professional cybersecurity conference.

Vlad Styran
Vlad Styran

Co-founder & CEO OSCP, CISSP, CISA

BSG business and cybersecurity strategist.
Cybersecurity expert, ethical hacker, keynote speaker, trainer, and consultant.

Vlad Styran
Co-founder & CEO

Vlad Styran is an internationally known cybersecurity professional with 15+ years of experience in Penetration Testing, Social Engineering, and Security Awareness. He currently holds OSCP, CISSP, and CISA credentials and was certified as C|EH, ISO27001LA, and many more throughout his career.

Vlad is a co-founder of the OWASP Kyiv chapter and the NoNameCon cybersecurity conference. He is a notable blogger, podcaster, and conference speaker.

At BSG, Vlad is responsible for our growth and customer experience. His involvement allows us to deliver first-rate cybersecurity consulting services in software security, cybersecurity awareness, cybersecurity strategy, and security investment.
Serhii Korolenko
Serhii Korolenko

Security Consultant, Training Lead


Penetration tester. Conference speaker. OWASP Kyiv chapter leader.

Serhii Korolenko
Security Consultant, Training Lead

Serhii is a cybersecurity pro with vast experience in both Application Security and Penetration Testing. He manages the full spectrum of appsec assessments and penetration tests from the BSG portfolio.

As a training lead, he is always up to date on the latest security trends and is passionate about organizing conferences and speaking publicly. He presents and volunteers at various events, BruCON, OWASP Ukraine, NoNameCon, and TestingStage, among others.

Serhii is fond of sports videogames and loves riding the drone and take footage of his picturesque travels.


Berezha Security conducted the IT training of the employees of the bank. The team explained the latest cybersecurity trends and approaches to effectively overcoming the SDLC processes in our company. We appreciate the approach of lectures to get over complex topics easily. And the vulnerabilities of desktop software applications were the most useful demonstration for them. Altogether, the team did an enormous job.

Viacheslav Viskushenko

Information Security Manager, Crédit Agricole Ukraine

Our internal development teams are successfully implementing the skills and knowledge that they have taken from this course of Berezha Security in our products and services.

Nazarii Uniiat

Security Engineer, Clario Tech Limited


Why should my developers benefit from taking the course?

In terms of Nassim Taleb’s Black Swan hypothesis, Application Security is the “unknown unknown” to most software developers and quality assurance specialists. Engineers do not think the way hackers do. They assume their systems would work fine by default, except for a few rare occasions where they would need to implement minor and easy fixes. It is far from the truth. All software is vulnerable, and the sooner you realize it, the faster and the cheaper you could fix that. However, starting to work in that direction requires a basic understanding of software security. And this security awareness is what you get at the end of this course.

Why are application security and SDL important?

The cost of implementing security into a software product grows with time. It is never too late, but the later you start – the more expansive it will be. Fixing security bugs in a final release is the most costly as it might require rebuilding parts of the application from scratch. Using safe development practices from the start allows you to fix security vulnerabilities before they even exist.

Is the training online or in-person?

It’s both. It is not a computer-based online awareness training where you watch a couple of videos and then take a multiple-choice quiz. Usually, we prefer to deliver the course in-person and on-site to involve the students in the training process fully. Due to the pandemic, though, we had to retreat to the online in-person mode in Zoom. We record all classes, so students can review them if they missed a lesson.

What is the course language?

We deliver the course in English, Ukrainian, or Russian.

Does this course have a test or certificate?

As it is a corporate awareness type of training, we do not provide a final test or certificate. Instead, we prepare a course completion report that attests that the client’s employees have attended the training. This attestation is enough to provide to an inquiring third party.

How long does the course take?

The training spans over two weeks: we have three classes in the first week and two classes during the second. We recommend our clients schedule the training in the morning hours. In this way, we let the students focus on the learning materials before lunchtime and attend to the ongoing work tasks during the rest of the day.