Public Sector

We've had the pleasure of working with UK and overseas central and local government departments, including Healthcare (NHS and Foundation Trusts), Defence, Education (Universities and colleges), many of the main Civil Service departments, Emergency Services; also public-owned corporations including the BBC, Bank of England, Ordnance Survey, and regulatory bodies such as Ofgem.

We are registered on Crown Commercial Service’s (CCS) Dynamic Purchasing System (RM6219 Training and Learning) and also with numerous tender portals such as Ariba, Coupa and Delta E-Sourcing.


Graduate Training Schemes

Framework Training has a strong track record of providing a solid introduction to the working world for technical graduates across a wide range of industries. We provide the opportunity to learn and gain valuable hands-on experience in a supportive, friendly and sociable training environment.

Attract & retain the brightest new starters

We know it is vital for our clients to invest in the future of their talented grads; not only to provide them with high-quality, professional training essential for their roles, but to embed them within the organisation’s culture and guide them on the right path to a successful career.

After all, your new hires could well be the next leaders and their creative ideas and unique insights are invaluable to your business.


Learning & Development

Our unique portfolio of high-quality technical courses and training programmes is industry-respected. The courses are carefully designed so that delegates can seamlessly apply what they have learnt back in the workplace. Our team of domain experts, trainers and support staff know our field, and all things tech, inside out, and we work hard to keep ourselves up to speed with the latest innovations.

We’re proud to develop and deliver innovative learning solutions that actually work and make a tangible difference to your people and your business, driving through positive lasting change. Our training courses and programmes are human-centred. Everything we do is underpinned by our commitment to continuous improvement and learning and generally making things much better.


Corporate & Volume Pricing

Whether you are looking to book multiple places on public scheduled courses (attended remotely or in our training centres in London) or planning private courses for a team within your organisation, we will be happy to discuss preferential pricing that maximises your staff education budget.

Enquire today about:

  • Training programme pricing models

  • Multi-course voucher schemes


Custom Learning Paths

We understand that your team training needs don't always fit into a "one size fits all" mould, and we're very happy to explore ways in which we can tailor a bespoke learning path to fit your learning needs.

Find out how we can customise everything from short overviews and intensive workshops to wider training programmes, covering the topics your staff need to excel in their roles.


OWASP Top 10 Proactive Controls Workshop

Learn practical strategies for secure application development.

About the course

Integrating security measures into the software development process from its inception is crucial and significantly more cost-effective than addressing vulnerabilities retrospectively. The OWASP Top Ten Proactive Controls provide developers with a set of essential, actionable security techniques designed to be implemented early and consistently in every software project. By focusing on preventative measures, these controls help developers build more resilient applications that are inherently more secure. This 2-day intensive training course delves into these critical proactive controls, guiding participants on how to effectively integrate security best practices into their daily coding workflows and development practices, thereby addressing security concerns from the earliest stages of the development lifecycle.

The course introduces the philosophy behind the OWASP Proactive Controls and why they matter for "shifting left": moving security work earlier in the development process. Participants gain a thorough understanding of the core controls that establish a security foundation for any application. These include implementing Access Control that enforces authorisation on every request to a sensitive resource; Using Cryptography the proper way to protect data confidentiality and integrity; Validating all Input as defence in depth alongside parameterised queries and output encoding, which are the primary defences against injection flaws such as SQL Injection and XSS; and Handling Exceptions so that error paths do not leak sensitive information. The course also covers implementing secure Digital Identity and authentication controls, and establishing Secure By Default Configurations to minimise the application's attack surface out of the box.

Building on these foundational controls, the workshop explores further critical proactive measures vital for comprehensive application security. Participants will learn practical strategies to Keep your Components Secure by understanding dependency management risks and the software supply chain, how to effectively Leverage Browser Security Features to enhance client-side protection (e.g., Content Security Policy, Same-Origin Policy), and the importance and implementation details of comprehensive Security Logging and Monitoring for the timely detection of and response to security events. The course also addresses the specific and often critical vulnerability class of Server-Side Request Forgery (SSRF) and details the practical controls needed to prevent it. For each proactive control discussed, the training covers its underlying principle, illustrates common related vulnerabilities it helps prevent (often linking back to the OWASP Top 10 Risks for contextual understanding), and provides practical strategies, code considerations, and implementation guidance applicable across various programming languages and application architectures. Through focused discussions, practical examples, and exploration of real-world scenarios, attendees will gain the knowledge and confidence to effectively apply these proactive controls to build significantly more secure applications from inception.

Instructor-led online and in-house face-to-face options are available, either as part of a wider customised training programme or as a standalone workshop, on-site at your offices or at one of many flexible meeting spaces in the UK and around the world.

    • Understand the critical importance and underlying philosophy of implementing proactive security controls in software development, referencing the OWASP Proactive Controls.
    • Design and implement secure Access Control mechanisms to enforce authorisation policies effectively.
    • Apply best practices for Using Cryptography to protect sensitive data confidentiality and integrity appropriately.
    • Implement robust input validation and securely Handle Exceptions to prevent common vulnerabilities, including injection attacks and information leakage.
    • Configure Secure By Default Configurations for applications and individual components to minimise attack surface.
    • Understand the risks associated with third-party and internal dependencies and apply strategies for keeping Components Secure (Software Supply Chain Security).
    • Implement secure Digital Identity and authentication controls.
    • Leverage available Browser Security Features to enhance the security posture of web applications client-side.
    • Implement effective Security Logging and Monitoring to aid in the detection and response to security incidents.
    • Understand the nature of Server-Side Request Forgery (SSRF) vulnerabilities and implement controls to prevent them.
    • Relate the implementation of these proactive controls to the prevention of common software vulnerabilities, particularly those highlighted in the OWASP Top 10 Risks.
    • Apply the principles of "Address Security from the Start" by integrating these controls throughout the development lifecycle.
This 2-day intensive training course is designed for software developers, architects, and technical leads who want to build more secure applications by implementing preventative security controls from the start of the development process. It is ideal for:

    • Software Developers (at all levels) responsible for writing secure code.

    • Application Architects designing secure systems.

    • Security Champions within development teams promoting secure coding practices.

    • DevOps Engineers involved in application deployment and secure configuration.

    • QA Engineers involved in security testing and vulnerability assessment.

    • Technical leads overseeing development teams and secure coding standards.

    • Anyone involved in writing or reviewing code who wants to understand and apply secure coding best practices based on preventative controls.

Participants should have:

    • Experience with software development in at least one programming language.

    • Basic understanding of web application concepts (e.g., client-server interaction, HTTP requests, databases).

    • Familiarity with common security terms (e.g., authentication, authorisation, vulnerability) is helpful but not strictly required, as key concepts will be explained.

    We can customise the training to match your team's experience and needs - with more time and coverage of fundamentals for newer developers, for instance.

This OWASP Proactive Controls course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).

    Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.

    Introduction

    • The importance of proactive security in software development.

    • Understanding the OWASP Top Ten Proactive Controls philosophy: Shifting Left.

    • Contrasting Proactive Controls with reactive approaches (e.g., fixing OWASP Top 10 Risks only after they have been found in a built application).

    • Overview of the controls covered in the course.

    Implement Access Control

    • Understanding Authentication vs. Authorisation.

    • Common Access Control models (e.g., Role-Based Access Control - RBAC).

    • Enforcing access control checks on every request to sensitive resources.

    • Pitfalls: vertical access control issues (a user performing an action reserved for a role they do not hold) and horizontal ones (a user reaching another user's data, typically by changing an object identifier in the request).

    • Prevents vulnerabilities like Broken Access Control (OWASP Top 10 Risk).
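
The following is an added example, not course material, showing the difference between a role check alone and a role check combined with an ownership check, both evaluated on every request. The invoice service, its roles, its permission table and the sample rows are assumptions for illustration.

```python
"""Added example (not course material): enforcing vertical and horizontal
access control on every request in a hypothetical invoice service.
Roles, permissions and the invoice rows are assumptions for illustration."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not authorised for the requested action on this resource."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # assumed roles: "customer", "finance", "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int      # the customer the invoice belongs to
    amount: float


# Constructed sample rows standing in for a database table.
INVOICES = {
    1: Invoice(invoice_id=1, owner_id=10, amount=120.00),
    2: Invoice(invoice_id=2, owner_id=20, amount=75.50),
}

# Vertical control: which roles may perform which action at all.
# Any action missing from this table is denied (deny by default).
PERMISSIONS = {
    "invoice:read": {"customer", "finance", "admin"},
    "invoice:void": {"finance", "admin"},
}


def can(user: User, action: str) -> bool:
    """Role check. Unknown actions fall through to an empty set, i.e. deny."""
    return user.role in PERMISSIONS.get(action, set())


def get_invoice_insecure(user: User, invoice_id: int) -> Invoice:
    """Vulnerable: the role check passes for every customer, so customer A
    can read customer B's invoice just by changing the id in the request
    (a horizontal access control flaw, often called IDOR)."""
    if not can(user, "invoice:read"):
        raise Forbidden("role may not read invoices")
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened: the vertical check is followed by an ownership check for
    roles that only see their own data. Both run on every call, never
    cached from login. A missing invoice raises the same error as an
    unauthorised one so ids cannot be enumerated."""
    if not can(user, "invoice:read"):
        raise Forbidden("not authorised")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("not authorised")
    if user.role == "customer" and invoice.owner_id != user.user_id:
        raise Forbidden("not authorised")
    return invoice


def handle_get_invoice(user: User, invoice_id: int) -> tuple:
    """HTTP-style wrapper returning (status, body). A 403 body carries no detail."""
    try:
        invoice = get_invoice(user, invoice_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    return 200, {"invoice_id": invoice.invoice_id, "amount": invoice.amount}
```

Whether the "not found" and "not yours" cases answer 403 or 404 is a design choice; what matters is that they answer identically, and that the ownership check lives next to the data access rather than only in the UI that builds the link.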

    Use Cryptography the proper way

    • When and where to use cryptography (data in transit, data at rest).

    • Using standard, well-vetted cryptographic libraries and algorithms.

    • Common mistakes: Rolling your own crypto, using deprecated algorithms, key management issues.

    • Hashing vs. Encryption vs. Digital Signatures.

    • Securely storing passwords: a random per-user salt and key stretching with a dedicated password hashing function (e.g., Argon2id, scrypt, bcrypt or PBKDF2), never a plain fast hash.

    • Helps prevent vulnerabilities related to sensitive data exposure (Cryptographic Failures in the OWASP Top 10 Risks).

    Validate all Input & Handle Exceptions

    • The importance of input validation: Never trust user input.

    • Positive vs. Negative validation models.

    • Validating data format, length, type, and content.

    • Common injection attack vectors (SQL Injection, Cross-Site Scripting - XSS, Command Injection).

    • Parameterised queries and prepared statements: the primary defence against SQL Injection.

    • Encoding output to prevent XSS.

    • Securely handling exceptions: Avoiding information leakage in error messages.

    • Logging errors securely.

    • Helps prevent vulnerabilities like Injection and Information Disclosure.
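
The following is an added example, not course material, that puts three of the points above side by side: a lookup built by string concatenation next to the same lookup as a parameterised query, a positive validation rule for the input, and an error path that logs the detail server-side while the client only sees a generic message and a reference. The table, its rows and the identifier rule are constructed for illustration.

```python
"""Added example (not course material): the same lookup built by string
concatenation and with a parameterised query, plus positive validation and
an error path that logs detail server-side but returns a generic message.
The table, rows and identifier rules are constructed for illustration."""
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("orders")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("alice", 10.0), ("bob", 20.0), ("carol", 30.0)])
    return conn


def orders_for_customer_insecure(conn, customer: str) -> list:
    """Vulnerable: user input becomes part of the SQL text, so a value such
    as  x' OR '1'='1  changes the WHERE clause and returns every row."""
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_for_customer(conn, customer: str) -> list:
    """Hardened: the driver sends the value separately from the query, so
    the same payload is compared as a literal string and matches nothing."""
    return conn.execute("SELECT customer, total FROM orders WHERE customer = ?",
                        (customer,)).fetchall()


# Positive (allow list) model: describe what a valid identifier looks like
# rather than trying to enumerate dangerous characters.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_customer(value) -> str:
    if not isinstance(value, str) or CUSTOMER_RE.fullmatch(value) is None:
        raise ValueError("invalid customer identifier")
    return value


def handle_orders_request(conn, raw_customer) -> tuple:
    """HTTP-style handler returning (status, body). Validation is defence in
    depth; the parameterised query is what actually stops the injection."""
    try:
        customer = validate_customer(raw_customer)
        rows = orders_for_customer(conn, customer)
        return 200, {"orders": [{"customer": c, "total": t} for c, t in rows]}
    except ValueError:
        return 400, {"error": "invalid request"}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail goes to the server log; the client only gets a reference.
        log.error("order lookup failed ref=%s: %r", ref, exc)
        return 500, {"error": "internal error", "ref": ref}
```

The reference in the 500 response lets support staff find the full stack trace in the server log without the response itself revealing table names, driver versions or file paths.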

    Implement Digital Identity

    • Secure Authentication: Verifying user identity.

    • Different authentication factors (something you know, have, are).

    • Securely managing sessions.

    • Protecting against credential stuffing and brute force attacks.

    • Multi-factor authentication (MFA).

    • Helps prevent vulnerabilities like Broken Authentication (Identification and Authentication Failures in the OWASP Top 10 Risks).

    Secure By Default Configurations

    • Designing applications and components with security in mind from the start.

    • Minimising the attack surface out-of-the-box.

    • Disabling unnecessary services, features, or ports.

    • Using secure default settings for frameworks, libraries, and servers.

    • Helps prevent vulnerabilities related to Security Misconfiguration.

    Keep your Components Secure

    • Understanding the software supply chain risks.

    • Risks of using vulnerable libraries and dependencies.

    • Using dependency management tools and security scanners.

    • Keeping components updated.

    • Helps prevent vulnerabilities related to Vulnerable and Outdated Components (OWASP Top 10 Risk).

    Leverage Browser Security Features

    • Understanding the Same-Origin Policy (SOP).

    • Content Security Policy (CSP): Mitigating XSS and data injection attacks.

    • HTTP Headers for security (e.g., Strict-Transport-Security - HSTS, X-Content-Type-Options, X-Frame-Options).

    • Cookie security attributes (Secure, HttpOnly, SameSite).

    • Helps prevent vulnerabilities like XSS, Clickjacking, and enhances client-side protection.

    Implement Security Logging and Monitoring

    • Why comprehensive logging is essential: Detection, forensics, monitoring.

    • What information to log (authentication attempts, access to sensitive data, errors).

    • Securely storing and managing logs.

    • Monitoring logs for suspicious activity.

    • Integrating with security monitoring tools (SIEM).

    • Essential for Detection and Response, helps limit the impact of breaches.

    Stop Server-Side Request Forgery (SSRF)

    • Understanding what SSRF is and how it works.

    • Common SSRF attack vectors (e.g., manipulating URLs in server-side requests).

    • Impact of SSRF (accessing internal resources, cloud metadata, internal services).

    • Prevention strategies: validating user-supplied URLs (scheme, host, port) against an allow list rather than relying on deny lists, refusing destinations that resolve to private, loopback or link-local addresses (including cloud metadata endpoints), not following redirects, and network segmentation of the service that makes the request.

    • Directly prevents Server-Side Request Forgery (OWASP Top 10 Risk).
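
The following is an added example, not course material, of the URL checks listed above. It allow-lists scheme, host and port, rejects embedded credentials, resolves the name and refuses any answer in a private, loopback, link-local, multicast, reserved or unspecified range (which covers the 169.254.169.254 cloud metadata address). The resolver is injectable so the block runs offline; the allow list and the resolver answers used in the checks are assumptions for illustration.

```python
"""Added example (not course material): validating a user-supplied URL
before the server fetches it. The allow list and the resolver answers used
when exercising it are assumptions for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "images.partner.example"}   # assumed allow list
ALLOWED_PORTS = {443}


class UnsafeURL(ValueError):
    """The URL failed one of the SSRF checks; the message says which."""


def system_resolver(host: str) -> set:
    """Every A/AAAA answer for host. Checking all of them defeats DNS
    answers that mix a public and an internal address."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254 cloud
    metadata), multicast, reserved and unspecified addresses, v4 and v6."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver=system_resolver) -> tuple:
    """Return (url, pinned_ip) when the URL may be fetched, else raise UnsafeURL.
    The caller should connect to pinned_ip (still sending the hostname for
    SNI and the Host header) rather than resolving again, which closes the
    DNS rebinding window between check and use."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443            # .port raises on "https://host:abc/"
    except ValueError:
        raise UnsafeURL("malformed URL") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:           # allow list, never a deny list
        raise UnsafeURL("host not in allow list")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL("port not allowed")
    addresses = resolver(host)
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise UnsafeURL("host resolves to a non-public address")
    return url, sorted(addresses)[0]


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False
```

With a host allow list the address check is defence in depth; where the application must fetch arbitrary user-supplied URLs it becomes the main control. In either case make the request with redirects disabled (for example `allow_redirects=False` with the `requests` library) and, if redirects are genuinely needed, run every hop through the same validation.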

    Address Security from the Start

    • Integrating security into the Software Development Lifecycle (SDLC).

    • Threat modelling: Identifying potential security risks early.

    • Secure design principles.

    • Security code reviews.

    • Automated security testing (SAST, DAST, IAST - overview).

    • Building a security culture in development teams.

    • (This control is placed here to reinforce the overarching principle after specific controls have been discussed, showing how they fit into a broader secure development process).

    Summary

    • Review of the OWASP Proactive Controls covered.

    • Recap of how proactive implementation prevents common vulnerabilities.

    • Next steps for applying these controls in your projects.

    • Q&A.

Trusted by

AMEC, BBC, OVO Energy, CAPITA

Public Courses Dates and Rates

Please get in touch for pricing and availability.
