Description

This curriculum spans the breadth of an enterprise AppSec program, reflecting the integrated practices of threat modeling, secure coding, dependency oversight, and runtime protection seen in multi-workshop technical rollouts and internal capability builds across development and operations teams.

Module 1: Threat Modeling and Risk Prioritization in Development Lifecycle

Integrate STRIDE threat modeling during sprint planning to identify attack surfaces in user authentication and API endpoints.
Map Common Vulnerabilities and Exposures (CVEs) to in-house components to assess exploitability based on public proof-of-concept availability.
Establish risk acceptance thresholds with legal and compliance teams for vulnerabilities with compensating controls in place.
Define severity scoring adjustments using CVSS v3.1 environmental metrics for internal asset criticality and exposure.
Conduct architecture review sessions with red team findings to eliminate design flaws before coding begins.
Enforce threat model updates when third-party libraries are introduced into the dependency chain.

Module 2: Secure Coding Standards and Static Analysis Integration

Customize SAST rulesets to suppress false positives related to framework-specific safe patterns while retaining coverage for injection flaws.
Enforce pre-commit hooks that block code pushes if high-severity findings are detected in new code paths.
Configure baseline scans to differentiate between legacy debt and newly introduced vulnerabilities in pull requests.
Map insecure coding patterns (e.g., hardcoded credentials, unsafe deserialization) to developer training modules for remediation.
Negotiate exceptions for unavoidable third-party library vulnerabilities with documented mitigation plans.
Standardize code annotation practices to mark intentional deviations from security rules with audit trails.

Module 3: Dependency Management and Software Bill of Materials (SBOM)

Implement automated dependency scanning in CI/CD to flag transitive dependencies with known vulnerabilities.
Generate SPDX-formatted SBOMs for each release and store them in a version-controlled artifact repository.
Establish patch SLAs based on exploit maturity (e.g., 24 hours for actively exploited, 30 days for theoretical).
Enforce allow-listing of approved open-source components using internal policy engines like Syft or Grype.
Coordinate with procurement to obtain SBOMs from commercial software vendors for integration projects.
Automate alerts when a dependency on the CISA Known Exploited Vulnerabilities (KEV) catalog is detected.

Module 4: Dynamic and Interactive Application Security Testing (DAST/IAST)

Configure DAST tools to respect robots.txt and avoid triggering rate-limiting or account lockout on production systems.
Use IAST agents in staging environments to correlate runtime behavior with code-level vulnerabilities like path traversal.
Adjust scan scope and depth based on application sensitivity—limit aggressive crawling for customer-facing portals.
Validate scan results by reproducing findings manually to reduce false positives before triage.
Integrate DAST reports into Jira with custom fields for tracking remediation status across teams.
Rotate authentication credentials used in authenticated scans to prevent staleness and privilege escalation risks.

Module 5: Vulnerability Triage and Developer Workflow Integration

Define triage workflows that assign ownership based on code ownership metadata from version control.
Set thresholds for vulnerability re-scanning to avoid developer burnout from repetitive validation requests.
Integrate vulnerability data into developer dashboards to increase visibility without disrupting sprint velocity.
Escalate unresolved critical vulnerabilities to incident response after 72 hours of inactivity.
Standardize reproduction steps and evidence (e.g., HTTP request/response) for each reported finding.
Implement automated deduplication across SAST, DAST, and dependency scanners using vulnerability fingerprints.

Module 6: Secure Deployment and Runtime Protection

Enforce deployment gates that prevent promotion if critical vulnerabilities remain unpatched in the target environment.
Configure Web Application Firewalls (WAF) with virtual patching rules for vulnerabilities awaiting code fixes.
Monitor for exploitation attempts using WAF logs correlated with vulnerability scan results.
Restrict container images to those with clean vulnerability scans and signed SBOMs in the registry.
Disable debugging endpoints and error verbosity in production to reduce information leakage.
Use runtime application self-protection (RASP) to detect and block exploit attempts in real time.

Module 7: Compliance, Audit, and Continuous Improvement

Map vulnerability management activities to regulatory requirements (e.g., PCI DSS 6.3, HIPAA, SOC 2).
Prepare evidence packages for auditors showing scan frequency, coverage, and remediation rates.
Conduct quarterly gap analysis between scan coverage and actual application inventory.
Adjust scanning schedules based on change velocity—high-velocity teams require daily scans.
Archive historical scan results for forensic analysis during incident investigations.
Review scanner efficacy annually by comparing findings against penetration test results.

Module 8: Cross-Team Coordination and Security Advocacy

Establish a Security Champions program with representatives from each development team to facilitate knowledge transfer.
Host biweekly syncs between AppSec and DevOps to resolve tooling conflicts and pipeline bottlenecks.
Develop playbooks for common vulnerability patterns with ready-to-use secure code examples.
Negotiate SLAs for vulnerability remediation with engineering leadership based on severity tiers.
Facilitate blameless post-mortems for exploited vulnerabilities to improve detection and response.
Coordinate disclosure timelines with public relations and legal teams when addressing zero-day vulnerabilities.