Trusted By Companies Of All Sizes
Case Study
Find out how developers find and fix 5.6x more vulnerabilities after taking HackEDU's Training.
115+ topics in Secure Development Training
This course covers the OWASP Top 10 web vulnerabilities as well as others; further vulnerabilities can be added on request.
Languages and Frameworks
Python
Ruby
PHP
Laravel
C#
.NET
Go
Node.JS
Angular
React
Java
C++
You get 115+ topics, including:
SQL Injection
Objectives
- Learn how to discover and exploit SQL Injection attacks.
- Learn how to protect against SQL Injection attacks with parameterized queries.
- Fix a vulnerable SQL query in your language of choice.
NoSQL Injection
Command Injection
Objectives
- Learn how to discover and exploit Command Injection attacks.
- Learn about timing-based network attacks and how they are used in the context of blind command injection.
- Learn how to protect against OS Command Injection attacks by using safe functions, input validation, and allow-listing.
- Fix an OS Command Injection attack in your language of choice.
- Learn how attackers inject commands into the Operating System.
Remote Code Execution
XSS
Objectives
- Learn about reflected, stored, and DOM XSS attacks.
- Learn how to discover and exploit XSS attacks.
- Learn how to protect against XSS attacks by using input/output validation, and frameworks.
- Fix an XSS vulnerability in the sandbox using your language of choice.
Broken Authentication and Session Management
Objectives
- Learn about brute forcing authentication and how to mitigate with throttling.
- Learn about weak session management, how to store session information correctly, and why not to store that information in cookies.
- Learn how to store passwords and why plain text or a simple hash is not safe.
- Learn about invalidating sessions on logout.
- Fix the way a web app handles sessions in your language of choice.
Authentication Rate Limits
Weak Session Management
Password Handling and Storage
Cross-Site Request Forgery
Objectives
- Learn how to discover and exploit cross-site request forgery.
- Learn how to protect against CSRF attacks with trusted libraries and nonces.
Clickjacking
Broken Access Control
Security Misconfiguration
Objectives
- Understand the dangers of information exposure (web server name and version, stack traces, "Index of" directory listings, etc.).
- Learn the importance of not using default usernames and passwords.
Sensitive Data Exposure
Encryption Best Practices
Using Components with Known Vulnerabilities
Objectives
- Learn how to use security misconfiguration (exposing stack traces) to discover libraries that are known to be vulnerable.
- Successfully exploit a vulnerable library described in a CVE.
- Learn best practices for keeping libraries up to date with security patches.
XML External Entities
Objectives
- Learn how to discover and exploit XXE attacks.
- Craft an XML payload that reads /etc/passwd from your sandbox and retrieves a secret key from an internal service on the sandbox's network.
- Learn how to protect against XXE attacks with proper parser configuration.
- Fix a vulnerable XML parser in your sandbox using your language of choice.
Buffer Overflow
Heap Overflow
Advanced Lessons
These lessons are based on vulnerabilities found in real applications from HackerOne's bug bounty program.
Clickjacking
Highly wormable clickjacking vulnerability in Twitter player card.
Blind XXE
XXE in Site Audit function exposing file and directory contents.
Remote Code Execution
RCE by command injection to 'gm convert' in image crop functionality.
SQL Injection with SQLMap
Complex SQL Injection in www.drivegrab.com
XSS using PostMessage
Stealing contact form data on hackerone.com using Marketo Forms XSS.
Included Public Vulnerabilities
HackEDU has sandboxes with public vulnerabilities to learn real world offensive and defensive security techniques in a safe and legal environment.
Drupalgeddon2
This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Drupal (CVE-2018-7600).
Struts
This sandbox replicates a public Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2018-11776).
Zip Slip
This sandbox replicates public vulnerabilities with archive software.
Offensive & Defensive Approach
Proven to be more effective and more engaging than defensive training alone.
Save Developer Time
This training has a 4.4x ROI on saving developer time. Developers can do these lessons over time at their own pace.
Accountability with Code Fixes
Developers must correctly fix vulnerable code to pass lessons. To train developers effectively, they need to code.
Gamification
Developers can compete, challenge, and earn points in capture the flag style challenges. This further engages developers to learn secure coding practices.
Certify Developers
Developers earn the HackEDU certification for completion and passing all code patches.
Compliance
Meet and manage PCI-DSS, NIST 800-53, SOC, and HIPAA/HITRUST developer training requirements.
Interactive, Hands-On Training
Developers are problem solvers and learn most effectively through hands-on real-world scenarios. Video and PowerPoint lessons don't cut it.
Try out our SQL Injection Demo to get a feel for how the training platform works. No account or setup is required.
Coding and Hacking Challenges
Coding Challenges are labs where software developers practice finding and fixing vulnerabilities in software. Developers have to both find the vulnerability and then code a secure fix in order to pass the challenge. These challenges complement HackEDU's lessons and can be assigned before or after lessons to ensure that the training concepts are solidified.
HackEDU’s Coding Challenges can also be used as assessments to evaluate the secure coding competency of developers!
Administration Management Dashboard
The HackEDU Admin Dashboard makes it easy to manage and monitor your organization's training.
Dashboard Features
- Monitor your team's progress
- Create custom training plans
- Set up SSO
- Schedule your team's training to fit your needs
- Generate Certificates for compliance audits
Benefits of Secure Development Training
High Developer Engagement
Why Secure Development Training?
Stop Repeat Vulnerabilities
Pricing
Wow, really great product! Great learning platform, far and away better than anything out there now.
Trial Account
No credit card required. Just register to access the lessons.
Includes:
- 2 Lessons
- All Challenges
- Unlimited Access
1-9 Developers
Startup Plan
Includes:
- All Application Security Lessons
- Compliance Requirement Certificates
- All Real World Practice Environments
- Management Dashboard
- Early Access to New Course Releases
- Full Access for 1 Year
10+ Developers
Pro Plan
Includes:
- Everything in the Startup Plan
- Single Sign On (SSO)
- Learning Management System Integration
- High Engagement Training
- Decrease Cost in SDLC
- Continuous Content Releases
What I've learned already since signing up for HackEDU has proven priceless in terms of protecting one of our major clients against data theft. This week I've been cleaning up several broken authentication issues on their site using the info I've learned just from the course!
Exploiting and then fixing the code is great. Hands on and eye opening, love it.
Really love the fact that you can live patch the application. I really like how easy this makes it to see and understand the problem.