Overview

Secure Software Delivery: From Code to Deployment is an intermediate-level course designed to help developers and technical leads build and ship secure applications confidently—without slowing down innovation. As software systems scale, so do the risks—and success now depends on embedding security into every phase of the development lifecycle. In this course, you’ll move beyond one-off vulnerability patching and learn how to systematically integrate secure coding practices, threat modeling, and automated security testing into your workflows. Through engaging videos, real-world case studies, interactive labs, and scenario-based coaching, you’ll gain hands-on experience with tools like SAST, DAST, and GitHub Actions. Whether you're fixing critical flaws, shifting security left in CI/CD, or leading team-wide secure coding habits, this course will help you operationalize security as a continuous, collaborative practice—and deliver software that’s not just functional, but resilient.

Syllabus

Lesson 1: Identify and Prioritize Application Security Risks

In this first lesson, learners discover why spotting and ranking security risks early is essential to build secure, cloud-based applications. Developers and security teams move from reacting to vulnerabilities to anticipating them. Using frameworks such as STRIDE and DREAD, learners practice mapping high-priority threats before any code ships. The Equifax breach In this first lesson, learners discover why spotting and ranking security risks early is essential to build secure, cloud-based applications. Developers and security teams move from reacting to vulnerabilities to anticipating them. Using frameworks such as STRIDE and DREAD, learners practice mapping high-priority threats before any code ships. The Equifax breach illustrates the real-world cost of poor risk prioritization—and the value of getting it right. Videos, hands-on threat-modeling exercises, and guided discussions grow the risk awareness and strategic thinking needed to embed security measures into the development process from the start.exercises, and guided discussions grow the risk awareness and strategic thinking needed to embed security measures into the development process from the start.

Lesson 2: Remediate OWASP Top-10 with Secure Coding & Tools

In this lesson, learners will explore the OWASP Top-10 vulnerabilities and how to prevent security incidents through proactive secure coding practices and effective analysis tools. The lesson emphasizes why fixing security flaws late in the process is costly and unsustainable, and how systematic prevention—through secure coding and regular testing—offers a better approach. Real-world security incidents, such as the Fortnite XSS vulnerability, are highlighted to illustrate the practical consequences of common coding mistakes. Learners will be introduced to essential tools including Static Application Security Testing (SAST) and dynamic scanning with OWASP ZAP. Through a blend of videos, readings, discussions, and hands-on labs, learners will gain the skills and confidence to systematically build secure, robust applications—transforming their coding approach from reactive fixes to proactive prevention.

Lesson 3: Securing Builds with CI/CD Checks

In this lesson, learners examine how embedding security into Continuous Integration and Continuous Deployment (CI/CD) pipelines transforms release processes into continuous guardians of trust rather than mere delivery engines. Through a scenario illustrating a late-night deployment where a known vulnerable library slipped into production, the lesson highlights why automated security checks must be integrated from the very first pipeline stage. Learners will investigate practical tool implementations—such as Snyk for dependency scanning, OWASP Dependency-Check for open-source vulnerability detection, and GitHub Actions workflows for automation—to ensure issues are caught before code reaches production. Case studies of CI/CD misconfigurations, such as the Capital One cloud breach, demonstrate how small oversights in pipeline or infrastructure-as-code settings can lead to major incidents, reinforcing the need for continuous oversight. Hands-on demonstrations guide learners through setting up security gates that fail builds on critical findings, interpreting scan results, and configuring policy-as-code enforcement, all without impeding development velocity. By the end of the lesson, participants will understand both how to configure and integrate these security tools into real pipelines and why treating security as a separate stage is no longer acceptable—security must be continuous, integrated, and owned by every stakeholder in the delivery workflow.