# Curriculum: OWASP Certified Secure-Software Developer (OCSD)
Welcome to the repo for the OCSD curriculum.

The scope of this certification is Web Application Security.

It is a Foundation-level exam.

This certification program is an answer to the questions a hiring manager might ask a developer candidate to validate the candidate's security knowledge.

It is also for developers who want to showcase their skills in developing secure code.
Remember:

**Writing secure code != testing the security of code with tools**

**If developers do not put security in the code, no one else will**
The questions we may want to ask are:

- If I am hiring a web application developer, what are the security-related skills I would look for?
- If I were a web application developer, what security skills would I like to be validated for?
Generally the topics that we centre our questions around are:

- Authentication and authorisation
- Session Management
- Cryptography (certs, cert pinning, sharing keys, cipher suites)
- DNS entries [Is this appropriate for a developer-focused exam? - JDL]
- Service discovery
- Firewall rules [Is this appropriate for a developer-focused exam? - JDL]
- Input data validation
- Output data encoding
- Remediating application-related security vulnerabilities
- Database and data security concepts
- Error handling
- Secrets handling (where should secrets be stored: code / configuration file / ???) - sort of a negative question :-)
- What is SQL Injection
- What is the difference between reflected XSS and persistent XSS
- What is the best way to address XSS
- HTTP Security headers
- Hardening of other HTTP headers
- Privacy: what is PII and how to protect it
- Threat Modeling
- Logging of security-related events
We maintain a markdown file in this repo to develop the curriculum for this certification exam. It is based on the security-related questions we ask as hiring managers and on the security topics we want validation for as developers.