Test-Driven Security: A Vulnerability Is a Missing Test

Find vulnerabilities by capturing the flag, reproduce them as a PHPUnit test, and close them for good – security as a green test instead of a one-off audit.

  • Understand common vulnerabilities by finding and exploiting them yourself
  • Reproduce every security requirement as an automated PHPUnit test
  • Turn every fix into lasting regression protection

In many projects, security is treated as a point-in-time audit: checked once, fixed once, and quickly forgotten. This training takes a different stance: a vulnerability is nothing more than a missing test. You work in a deliberately vulnerable PHP application and, for each weakness, run through a three-step cycle – find and exploit the flaw manually by capturing the flag, express the security requirement as an automated PHPUnit test, and change the code until that test turns green.

The punchline: the "flag" is not proof of a break-in, but a green test that prevents every future break-in of the same kind. The Common Weakness Enumeration (CWE) provides the scaffolding: each class of vulnerability becomes a station you can solve independently. This way you anchor security where it lasts – in your test suite.

From the Contents

  • The three-step cycle: capture the flag, reproduce as a red test, fix until green
  • Cross-Site Scripting, SQL injection, and OS command injection (CWE-79, CWE-89, CWE-78)
  • Path traversal and unrestricted file upload (CWE-22, CWE-434)
  • IDOR as well as missing and improper authorization (CWE-639, CWE-862, CWE-285)
  • Cross-Site Request Forgery, insecure deserialization, and SSRF (CWE-352, CWE-502, CWE-918)
  • Choosing the right test level: a unit test where the flaw lives in a class, a functional test at the application boundary
  • Testing authorization in both directions: permitted access keeps working, unauthorized access is rejected
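As an added example (not code from the training or its vulnerable application), here is what one station of the cycle looks like once the test level is chosen: the flaw is an IDOR (CWE-639) inside a repository class, so a unit test pins the security requirement in both directions. Invoice, InvoiceRepository, AccessDenied and the in-memory data are assumptions made up for this illustration.

```php
<?php
declare(strict_types=1);
use PHPUnit\Framework\TestCase;

// Added example, not code from the training. Invoice, InvoiceRepository and
// AccessDenied are hypothetical names standing in for the code under test.
final class AccessDenied extends \RuntimeException {}

final class Invoice
{
    public function __construct(public readonly int $id, public readonly int $ownerId) {}
}

final class InvoiceRepository
{
    /** @param array<int, Invoice> $invoices constructed in-memory store keyed by id */
    public function __construct(private array $invoices) {}

    // The fix for CWE-639: the lookup is scoped to the requesting user, so a
    // guessed id alone never yields another customer's record.
    public function findForUser(int $invoiceId, int $userId): Invoice
    {
        $invoice = $this->invoices[$invoiceId] ?? null;
        if ($invoice === null || $invoice->ownerId !== $userId) {
            throw new AccessDenied("invoice $invoiceId is not accessible for user $userId");
        }
        return $invoice;
    }
}

final class InvoiceAuthorizationTest extends TestCase
{
    private function repository(): InvoiceRepository
    {
        return new InvoiceRepository([
            100 => new Invoice(id: 100, ownerId: 1),
            101 => new Invoice(id: 101, ownerId: 2),
        ]);
    }

    public function testOwnerStillReadsOwnInvoice(): void
    {
        $this->assertSame(100, $this->repository()->findForUser(100, 1)->id);
    }

    public function testForeignInvoiceIsRejected(): void
    {
        $this->expectException(AccessDenied::class); // red before the fix, green after
        $this->repository()->findForUser(101, 1);
    }
}
```

Run with `vendor/bin/phpunit`: the second test is the one that stays red until the user-scoped lookup is in place, the first guards against a fix that simply locks everyone out.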

Who should participate?

The training is aimed at experienced PHP developers and teams who want to treat security not as a one-off audit but as a permanent part of their automated test suite.

Are there requirements for participation?

We recommend several months of experience with programming in PHP or a similar programming language. Participants should be familiar with the basic concepts of object-oriented programming and with automated testing using PHPUnit.

What this training offers you

  • You recognise vulnerabilities because you have traced the attack vector yourself
  • You translate security requirements into automated tests instead of relying on one-off audits
  • Every fixed flaw stays closed for good, protected by a green test

Secure your spot

Start now by registering – or book a free consultation to customise this session for you.

Test-Driven Security: A Vulnerability Is a Missing Test 🇩🇪

Duration: 4 days

10-13 Nov 2026, 10:00-12:00 (CET) each day

Registration deadline: 27 Oct 2026

799 €
Book for 799 €

Test-Driven Security: A Vulnerability Is a Missing Test 🇩🇪

Duration: 4 days

Expected in November 2027. We will be happy to notify you as soon as we have set the dates.

799 €
online (Zoom) Sebastian Bergmann
Let me know →

Test-Driven Security: A Vulnerability Is a Missing Test 🇩🇪 🇬🇧

Duration: approx. 8 hours

Your preferred date, any number of participants. Either in Zoom or using your preferred video conferencing software.

from 3600 €
Your desired date online (Zoom) Sebastian Bergmann
Start free consultation on online training →

Test-Driven Security: A Vulnerability Is a Missing Test 🇩🇪 🇬🇧

Duration: 2-3 days

Your preferred date, any number of participants. At your company or at your desired location.

from 5500 €
Your desired date Any location Sebastian Bergmann
Start free consultation on inhouse training →
Credits allow discounted access to our training courses.
Easy access to all our training courses for a monthly fixed fee.

Frequently Asked Questions

Why are there no full-day online courses?
Our content is designed for optimal online learning: Short, focused sessions promote concentration and provide time to process what has been learned between units.
Are the training sessions live or recorded?
All our training courses take place live as a video conference and are led by an experienced trainer. Participants can ask questions at any time.
What makes your training courses unique?
Our training courses combine hands-on tasks with live coding and solving real-life problems. Our experienced trainers guarantee a particularly good learning experience.
Are your training courses remote or in-person?
We offer our training courses both remotely and in person in order to meet the different requirements of our customers.
Can you tailor training courses specifically to our needs?
Naturally. We can customise our training courses to the individual needs of teams and their technology stacks at any time.
What advantages do individualised training courses offer?
In-house training courses allow you to arrange individual topics, flexible dates and guarantee targeted learning in a familiar environment. This is usually financially viable for four or more participants.
Is there a certification?
Yes, participants will receive a certificate on request after successful participation.