Write software that resists attack by default — from authentication and access control to input validation, output encoding, cryptography and safe logging. Learn the secure-coding practices behind the SANS SWAT checklist and OWASP, and make them stick with spaced repetition.
Secure coding is the practice of writing software that resists attack by default — validating every input, encoding every output, protecting data in transit and at rest, and failing safely when something goes wrong. It is the developer-side counterpart to a penetration test: instead of finding holes after the fact, you avoid opening them. This track distils the SANS SWAT secure-development checklist and its matching CWE weaknesses into questions you can actually retain.
The deck is organised the way real application security is. Authentication & Access Control covers password policy, brute-force lockout, session management, least privilege and complete mediation. Input, Output & Data Protection covers allowlist validation, parameterised queries, contextual output encoding, CSRF and security headers, TLS and password storage. Error Handling, Logging & Operations covers safe error messages, what to log and what to never log, and secure build and deploy practices.
Every card ties back to a concrete weakness — SQL injection (CWE-89), session fixation (CWE-384), sensitive data in logs (CWE-532) — and links to the relevant OWASP Cheat Sheet. Spaced repetition turns a checklist you skim once into instincts you apply in every pull request and code review.
Each module is a set of practice cards — 51 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
Authentication, session management, and access-control fundamentals
17 cardsInput validation, output encoding, and protecting data in transit and at rest
19 cardsError handling, security logging, and secure build and operations practices
15 cardsA taste of the real cards. Pick an answer, then reveal the explanation.
Which flags should be set on session cookies?
How should an application prevent SQL injection?
How should an application store user passwords?
How should an application handle an exception it did not anticipate?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
Catch injection, XSS, weak sessions and leaky errors while you write the code — not after a pentest report lands.
Built from the SANS SWAT checklist and CWE, with every card linking to the matching OWASP Cheat Sheet for deeper reading.
Know why each answer is right and why the plausible alternatives are wrong — the exact judgement a security code review needs.
Authentication, access control, injection defence and crypto storage are staples of appsec interviews and secure-development exams.
Developers, DevSecOps engineers and code reviewers who want to write and approve safer code. It assumes general web-development experience but starts each topic from fundamentals.
The questions are drawn from the SANS SEC540 / SWAT secure-development checklist and mapped to CWE weaknesses. Each card links to the corresponding OWASP Cheat Sheet (or MDN / NIST) for deeper reading.
No. The principles — input validation, output encoding, session management, TLS, password storage and safe logging — apply across languages and stacks, so the deck stays language-agnostic.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day builds secure-coding instincts you'll reach for in every code review.