Job seekers
You want to change careers and move into the digital field, even without a technical background. We support you step by step to learn the fundamentals, structure your plan, and target your first role.
Description | Program | Prerequisites | Targeted objectives and competences | Who is this course for | Duration | Course Format | Evaluation procedures/Certification | Upcoming dates | How to access the course | When to access the course | Prices | Administrative & Educational Contact |
Description
Applications (web, API, mobile) are today the first attack surface for organizations. Major vulnerabilities rarely come from a “sophisticated hack”: they mostly come from insufficient access controls, poorly structured authentication, unvalidated entries, vulnerable dependencies, or uncontrolled delivery pipelines.
This training is aimed at developers who want to go beyond simple “secure coding” and become able to test, understand, correct and prevent the most critical application vulnerabilities. It covers AppSec in a concrete way, with an approach based on Web/API application Pentest, remediation and validation of patches. The objective is not to train generalist red teamers, but profiles capable of identifying major flaws, measuring their impact, and then sustainably securing the applications developed or under development.
The course is structured in two complementary levels. The first block trains in secure development and application PenTest, with labs and scenarios oriented “controlled attack → correction → re-test”. The second, optional block extends this logic to DevSecOps, by integrating security controls into the integration and deployment chain (automated tests, code analysis, dependency analysis, CI/CD pipeline). All together makes it possible to build a rare and sought-after profile: a developer capable of reasoning security from end to end, from code to production.
Program
- Set up the development and test environment. Organize work with Git. Prepare a reproducible setup (application + database + dependencies) to be able to test, attack and correct.
- Identify assets (data, accounts, APIs), attack surface, and abuse scenarios Transform these scenarios into a PenTest test checklist and a correction backlog.
- Do application recognition. Discover pages, API endpoints, settings, roles. Use a methodology for discovering endpoints and exposed functionalities. Produce a test card (what should be attacked and how).
- Test classic weaknesses: passwords, session management, tokens, “remember me”, session fixation, logout, reset password. Understand how to prove the impact and how to correct it properly. Understand and test CSRF (Cross-Site Request Forgery) Set up the expected protections (tokens, SameSite, server checks) and validate the correction by re-testing.
- Test authorization (who has the right to do what) and detect “Insecure Direct Object Reference (IDOR)” flaws (access to another user's resources). Fix with server-side authorization rules and non-regression tests.
- Understand and test injections (SQL injection, command injection, NoSQL injection) and validation/normalization errors. Know how to reproduce a vulnerability in a controlled manner, measure the impact, then correct (parameterized requests, strict validation, encoding).
- Test the APIs. Verify authentication, permissions, data exposure, abuse. Test CORS misconfigurations (bad CORS configurations) and correct (authorized origins, credentials, strict rules). Demonstrate before and after.
- Test uploads (file types, paths, execution), SSRF flaws (Server-Side Request Forgery: forcing the server to call an internal URL), configuration (security headers, cookies, CORS). Put in place protections and re-test.
- Identify dependency vulnerabilities (Software Composition Analysis — SCA). Implement an update and patch policy. Understand supply chain risks (dependencies, packages, delivery tools).
- Create security-oriented unit and integration tests (e.g. “one user should never access another user's resources”). Build non-regression tests after correcting a flaw. Objective: to prevent the flaw from coming back.
- Discover and use the standard PenTest application tools (OWASP ZAP, Nmap, Semgrep, etc.). Use a web audit proxy to capture, replay, and modify requests. Use endpoint and attack surface discovery tools at the right level. Structure a useful report for developers (reproduction, impact, correction, re-testing, evidence).
- Complete a final AppSec project. Two possible formats depending on your educational choice: secure an existing application (correct all major flaws) or develop a security tool (Python) used to test/validate some of the vulnerabilities. Include report + demo + re-test.
- Write a test plan that covers features and risks. Define the test environment and strategy (units, integration, system, acceptance). Include essential safety tests.
- Implement test automation. Include basic safety tests and post-fix non-regression tests.
- Set up a DAST (dynamic test): scan the application “in operation” to detect certain flaws (configuration, endpoints, patterns). Integrate the result into the correction loop.
- Set up an SAST (static test): analyze the source code (fault patterns) before deployment. Set up the rules and interpret the results without drowning the team in false positives.
- Implement dependency analysis (SCA) to detect vulnerable libraries. Define the update policy and acceptable criticality thresholds.
- Create a repeatable deployment (dev/test/prod) via containers. Manage configuration and secrets properly. Reduce the gap between environments.
- Set up a CI/CD chain that builds, tests and publishes. Integrate quality and safety controls (SAST/SCA/DAST) into the pipeline.
- Define “quality gates”: criteria that allow or block delivery (OK tests, vulnerabilities above a forbidden threshold, minimum coverage, etc.). Justify the thresholds (pragmatic, not impossible).
- Read the reports (tests, SAST, SCA, DAST). Distinguish real problems and noise. Convert into corrective actions and prove the correction by re-testing.
- Set up a complete pipeline on a project. Demonstrate a vulnerability detected, corrected, then automatically validated by the pipeline (“before-and-after” proof).
Prerequisites
- Developer level: be able to understand a web application/API, read code, and execute a project locally.
- Recommended basic knowledge: HTTP, REST API, databases, Git.
- The course does not require an “advanced pentest” level at the start, but requires rigor, curiosity and the ability to work in lab environments.
Targeted objectives and competences
Educational goals
- Understand and model the risks of an application to prioritize tests and corrections.
- Carry out a Web/API application Pentest (recognition, tests, proofs) on an authorized perimeter.
- Identify and validate major vulnerabilities (auth/session, access control/IDOR, injections, CSRF, CORS misconfigurations, uploads, SSRF, bad configurations).
- Correct faults properly and set up non-regression tests in order to avoid their reappearance.
- Produce a professional deliverable: vulnerability report (reproduction, impact, correction, re-test) and demonstration.
- (CCP3/DevSecOps option) Set up a secure delivery chain: CI/CD, SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis), SCA (Software Composition Analysis), quality gates, quality gates, quality gates, containers, and reading/interpreting reports.
Targeted skills
CCP 1 — Develop a secure application (Install and configure your work environment according to the project, develop user interfaces, develop business components, contribute to the management of an IT project)
CCP 3 — Preparing for the deployment of a secure application (Prepare and execute application test plans, prepare and document the deployment of an application, contribute to production in a DevOps approach)
Who is this course for
- Web/back-end/full-stack developers who want to improve their skills in AppSec, application security and remediation.
- Application developer designers (CDA) or equivalent profiles who want to add an AppSec/DevSecOps specialization.
- Technical leads who want to structure application security and delivery quality within a team.
- Technical consultants (development) wishing to propose a concrete AppSec approach (tests → corrections → revalidation).
Entering the training course may be preceded by a technical test or a positioning interview, in order to confirm the adequacy between the candidate’s level and the expectations of the course.
Duration
6 to 9 months
Course Format
A distance,Hybrid,Blended
Evaluation procedures/Certification
Progress monitoring is based on short quizzes and regular checkpoints: validation of application recognition, validation of auth/session/access control tests, validation of a reproduced and corrected vulnerability, validation of non-regression tests, then consolidation on the common thread project. As an option DevSecOps, validation of the SAST/DAST/SCA integration, the implementation of quality gates and the ability to interpret CI/CD reports.
Professional skills are evaluated throughout the training through reconstructed tests, professional situations, defenses and technical deliverables. These modalities are designed to validate the skills of 2 certification blocks for the professional certification Application Designer Developer.
Transversal skills — professional communication, problem solving, autonomy, documentation, collaboration — are mobilized and evaluated continuously through all of the above modalities. They participate directly in the implementation of the expected skills.
All evaluations are aligned with the requirements of the certification framework, and documented in the criteria grids used during defenses and projects.
Upcoming dates
April 2026
May 2026
June 2026
How to access the course
To pre-register for this course and receive all the necessary information, please fill out the following online form: Register and we’ll call you back! .
A positioning test is offered to allow us to guide you on the right training.
When to access the course
The estimated time between your registration and the start of the training is 48 to 72 hours (working days) after validation of registration, financing and pre-training tests (if necessary).
Prices
Our courses are designed to meet the needs of everyone, whether you are retraining, looking for a job, an employee or an entrepreneur. Discover our pricing options adapted to each profile:
- All audiences: From €3,000 (additional costs are to be expected if you opt for individual coaching in addition to training)
- Students: Contact us for a special discount
🎉 This training is also available as a monthly subscription: online courses, live workshops and coaching included. Ideal for those who want to learn at their own pace with a controlled budget
.
Administrative & Educational Contact
Gilbert NZEKA - +33973728930
Certification
Certification
Certification
Certification
Certification
How we train our students
A teaching approach designed to make you job-ready quickly: live courses, personalized support, online resources, AI, and mobile apps to accelerate your progress.
Live courses on Microsoft Teams
Attend interactive live sessions with instructors and ask questions to keep progressing. Missed a session? A replay will be available so you don't miss anything.
Group and 1:1 coaching
Benefit from small-group coaching sessions and 1:1 meetings to remove roadblocks, structure your plan, and stay on track.
Hands-on, real-world projects
Work on real digital use cases—websites, marketing campaigns, entrepreneurial projects—to build a portfolio and gain real experience.
AI & online resources
Access structured resources (materials, replays, practical guides) and learn to use AI as a tool to save time and level up your skills.
Learning mobile apps
Make progress anywhere, anytime, with our mobile apps dedicated to each program (progress tracking, practice, reminders, supplementary content).
Exam and internship preparation
Prepare for your exams with mock exams, detailed feedback, and support toward an internship or a freelance project to validate your skills.
Which profiles do we train?
Working professionals
You are already employed and want to advance your career, secure your position, or prepare a transition to a more digital role. Learn at your own pace without interrupting your work.
Young people and students
You are in initial training or have just graduated, and you want to gain practical, job-ready skills to boost your employability in the digital sector.
International students
You live abroad and want to follow a recognized distance-learning program, with the option to take your exams remotely or at one of our campuses depending on your situation.
Replays from our previous cohorts
Access the full replays of our past cohorts at a more affordable price, and progress at your own pace when you can’t join the next intake.
La certification qualité a été délivrée au titre de la catégorie: Action de formation.
