
Tested by Security Innovation

Date post: 18-Nov-2014
Upload: softwarecentral
Page 1: Tested by Security Innovation

Application Security Education Curriculum

Courses to help build and deploy more secure software applications and systems


Table of Contents

1.0 Security Education Curriculum Map
2.0 Information and Application Security Awareness
3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits
4.0 Architecting Secure Solutions
5.0 Creating Secure Code
6.0 Creating Secure Code – C/C++
7.0 Creating Secure Code – Java
8.0 Creating Secure Code – ASP.NET
9.0 Creating Secure Code – J2EE Applications
10.0 Web Application Security Testing
11.0 How to Break Software Security
12.0 How to Break Web Software
13.0 Security Testing Boot camp
14.0 Introduction to the Microsoft Security Development Lifecycle (SDL)
15.0 Introduction to Microsoft SDL Threat Modeling
16.0 Privacy in Software Development
17.0 Quarterly Security Brown-Bag
18.0 PCI Boot Camp for Software Development Teams


1.0 Security Education Curriculum Map

[Figure: curriculum map grouping the courses into Introductory Classes, Core Classes and Specialized Classes. Audience labels in the figure: Executives, Managers, Development Teams; Manager / Architect, Developer, Tester; Architect; Developer; Tester. Exam boxes in the figure read: Number of questions: 15; Format: Multiple choice questions.]

Courses shown in the map, with duration:

Information and Application Security Awareness: 2 hours
Attacker Techniques Exposed: 1 day
Architecting secure solutions: 2 days
Creating Secure Code: 2 days
How to break software security: 2 days
Creating Secure Code – C/C++: 3 days
Creating Secure Code – Java: 2 days
Creating Secure Code – J2EE Applications: 2 days
Creating Secure Code – ASP.NET: 2 days
How to break web software security: 2 days
Security Testing Bootcamp: 2 days
Quarterly Security Brown Bag: 2 hours


2.0 Information and Application Security Awareness

Delivery Method: Instructor-led

Duration: 2 hours

Audience

This course is intended for all audiences (from marketing managers to testers)

Prerequisite Knowledge/Skills

There are no prerequisites for this class

Course Description

This course explores the consequences of failure, examines the root cause of software vulnerabilities, assesses the true cost of software vulnerability and presents a model to integrate security into the organization.

Course Objectives

Upon completion of this class, participants will be able to:

Discuss why application security is critical
List the main drivers for application security
Recognize that they (like everyone else in the organization) play a role in security

Modules Covered

Series of case studies/examples

This module introduces a series of case studies where security vulnerabilities have resulted in huge financial losses. These studies look beyond IT losses to broader consequences such as impact on stock value, remediation expense, reputation loss, liability, etc.

The increasing reliance on software to manage sensitive data and systems

In this module we assess the true reliance of businesses and critical systems on software and explore the consequences of failure.

Most system vulnerabilities have their roots in software

This module examines the threats that can be mitigated at the network layer as opposed to those that must be addressed in software.

Software vulnerabilities have real costs and consequences to customers and vendors

This module addresses the true cost of software vulnerability. Legislative requirements are also examined and attendees will take a tour through current and looming regulation challenges.

Getting to the root of software vulnerabilities

This module will demonstrate that most security problems are not in security-specific components; rather they are errors in general software routines and functions. Illustrative examples are shown.

Looking forward: balancing security

Security is a major concern, but principles must be applied in the context of other organizational goals. Security is also more than just technology. It spans policy, procedure, people and technology. This section looks forward to what can be done to integrate security into the organization and discusses strategies to build a culture of security.

Deliverables

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course

Corporate Requirements

Classroom setup


3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits

Delivery Method: Instructor-led

Duration: 1 day

Audience

This course is intended for all technical/development team audiences.

Prerequisite Knowledge/Skills

There are no prerequisites for this class.

Course Description

This course examines trends in software vulnerabilities, demonstrates examples of security breaches, explores a wide range of live software vulnerabilities and introduces Threat Modeling techniques.

Course Objectives

Upon completion of this class, participants will be able to:

Recognize the need for integrating security at each phase of the Software Development LifeCycle
Identify missing processes that are needed to improve the security of their systems
Create a high-level map of needs for the organization’s people, processes and technology

Modules Covered

The potential attacker

The course begins by discussing the different genres of attackers, their different skill sets and their different goals.

The anatomy of an attack

This section examines the different steps of an attack from information gathering to the attack’s consequences.

Attacks and defenses

This section goes over the layered security model, and the different defenses that will help mitigate security risks.

Live vulnerability and exploit tour!

This is the core of the course. In this section, attendees will go through a wide range of software vulnerabilities and the instructor will show sample exploits for these vulnerabilities live. Attendees will gain awareness and key insights into these vulnerability types as well as the ease with which the attacker community can exploit them.

Tools and threats

The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the audience inside the underground world of the attacker and illustrates the range of tools available to adversaries.

Thinking like the attacker: threat modeling

A critical step in securing an application or system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems.

Incorporating threats into software/system design, development, testing and deployment

By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in.


Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course.

Corporate Requirements

Classroom setup


4.0 Architecting Secure Solutions

Delivery Method: Instructor-led

Duration: 2 days

Audience

This course is intended for developers, architects and testers

Prerequisite Knowledge/Skills

This course requires software design/programming knowledge and experience.

Course Description

This course illustrates the importance of deploying secure solutions and describes the main secure design principles, what purpose they serve, how to apply them, and what technologies can be used to support these principles.

Course Objectives

Upon completion of this class, participants will be able to:

Design software with security in mind
Use technologies pertaining to networks, encryption, anti-virus, and authentication to increase system security
Discuss and utilize the different technologies available to create secure systems
Integrate missing methodologies to improve the security of enterprise level computing and management

Modules Covered

Security Goals

This section discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development.

The Business Context

This section discusses the role that security concerns and technologies play in product business decisions. Some of the tradeoffs are highlighted, and topics such as security estimation and metrics, along with quantifiable risk assessment, are touched on.

Security Principles

The fundamental principles of secure design/implementation are outlined. The content is sprinkled not only with code examples, but also with live demonstrations of the critical issues and failures.

Technologies

This section is designed to educate developers and testers on the technologies available to create more secure systems. The thrust of this section is to impart knowledge on constituent technologies that can essentially be “plugged in” to obtain a particular level of assurance.

Methodologies and Techniques

This section broadly discusses fundamental principles of secure design. This section will also provide background information to better frame the technologies section.

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course

Corporate Requirements

Classroom setup


5.0 Creating Secure Code

Delivery Method: Instructor-led

Duration: 2 days

Audience

This course is intended for developers (and testers with programming experience).

Prerequisite Knowledge/Skills

This course requires software design/programming knowledge and experience.

Course Description

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.). This course examines vulnerabilities that are common across language implementations (C, C++ and Java) and covers real-world examples, illustrated in code, of failures along with methods to find, fix and prevent each type of flaw. Students are presented with a set of security coding best practices and practical recommendations.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why Software Security matters to their business
Proactively recognize and remediate common coding errors that lead to vulnerabilities
Perform threat modeling to identify vulnerabilities and analyze risks
Design and develop secure applications leveraging time-tested defensive coding principles

Modules Covered

Introduction to Software Security

This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.

Common coding errors in C/C++

This section teaches how to recognize and remediate common coding errors and what tools can support this effort.

Threat modeling

This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Defensive coding principles

This section educates the students on 19 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities.

Web Vulnerabilities

The web is different! This section will address common web vulnerabilities, how to find them, and how to prevent them.

Security Testing and Quality Assurance

This section is optional and designed to educate both developers and testers on the differentiating factors between functional and security testing, the three classes of security bugs and how to spot these.

Training labs will be used to provide practical experience


Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements

Classroom setup with:

At least one PC for 2 students
Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP
.NET Framework 2.0
Visual Studio – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx

Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language.


6.0 Creating Secure Code – C/C++

Delivery Method: Instructor-led

Duration: 3 days

Audience

This course is intended for developers and testers with C/C++ programming experience.

Prerequisite Knowledge/Skills

This course requires C/C++ programming knowledge and experience.

Course Description

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.). This course examines vulnerabilities that are specific to C/C++ and covers real-world examples, illustrated in code, of failures along with methods to find, fix and prevent each type of flaw. Students are provided with a set of security coding best practices and practical recommendations.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why Software Security matters to their business
Write secure code on Windows and *nix platforms
Proactively recognize and remediate common coding errors that lead to vulnerabilities
Perform threat modeling to identify vulnerabilities and analyze risks
Design and develop secure applications leveraging time-tested defensive coding principles

Modules Covered

Introduction to software security

This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.

OS security

This section goes deep into Windows and *nix security and the programming caveats that they present. It then describes best practices to write robust code (exception handling etc). Finally it describes the risks of socket programming and identifies secure practices.

Common coding errors in C/C++

This section teaches how to recognize and remediate common C/C++ coding errors and what tools can support this effort.

Threat modeling

This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Defensive coding principles

This section educates the students on 12 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities.

Training labs will be used to provide practical experience


Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements

Classroom setup with:

At least one PC for 2 students
Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP
.NET Framework 2.0
Visual Studio – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx

Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language.


7.0 Creating Secure Code – Java

Delivery Method: Instructor-led

Duration: 2 days

Audience

This course is intended for developers and testers with Java programming experience.

Prerequisite Knowledge/Skills

This course requires Java programming knowledge and experience.

Course Description

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.). This course deals specifically with Java. The course will describe platform-provided security features and threat modeling techniques, and will then provide the students with a set of security coding best practices and practical recommendations.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why software security matters to their business
Write secure Java code by taking advantage of platform-provided security features
Create and use threat trees to find threats and vulnerabilities
Perform risk analysis and prioritize security fixes
Design and develop secure applications leveraging time-tested Java best practices

Modules Covered

Introduction to software security

This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.

Java Virtual Machine

This section provides an overview of the Java Virtual Machine.

Java Security

In this section the students will learn platform-provided security features that should be leveraged to minimize the number of security vulnerabilities.

Threat modeling

This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Coding best practices

This section educates the students on 16 time-tested best practices, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Training labs will be used to provide practical experience


Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements

Classroom setup with:

At least one PC for 2 students
Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 with J2SE Developer Kit of at least version 1.4.2 and Eclipse 3.2.2


8.0 Creating Secure Code – ASP.NET

Delivery Method: Instructor-led

Duration: 2 days

Audience

This course is intended for developers with ASP.NET programming experience.

Prerequisite Knowledge/Skills

This course requires ASP.NET programming knowledge and experience.

Course Description

This course gives developers an in-depth immersion into secure coding practices with an emphasis on solutions built around ASP.NET code. We will discuss in depth the principles of secure development; common coding errors for ASP.NET code and web apps; and secure coding best practices and how they can be used to develop more secure applications.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why software security matters to their business
Recognize the root causes of the more common vulnerabilities
Write secure ASP.NET code by taking advantage of Windows-provided security features
Identify the symptoms of common vulnerabilities
Design and develop secure applications leveraging time-tested ASP.NET code best practices

Modules Covered

The Need For Security

This section describes the need for application security and provides a high-level description of application-based attacks.

Common Web Software Security Vulnerabilities

This section describes the most common security vulnerabilities and how to uncover them in your software.

Secure Programming Best Practices

This section educates the students on 13 time-tested best practices, how the ASP.NET framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Suggested Readings and Sites

References are provided in this section.

Training labs will be used to provide practical experience

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.


Corporate Requirements

Classroom setup with:

At least one PC for 2 students
Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP
.NET Framework 2.0
Visual Studio (or other ASP development environment) – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx

Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. Please select C#.


9.0 Creating Secure Code – J2EE Applications

Delivery Method: Instructor-led

Duration: 2 days

Audience

This course is intended for developers and testers with Java web programming experience.

Prerequisite Knowledge/Skills

This course requires Java programming knowledge and experience.

Course Description

This class dives deep into developing secure web applications in Java. It provides an overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to deal with them, greatly enhancing the security of their code.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why software security matters to their business
Recognize the root causes of the more common vulnerabilities
Write secure J2EE code by taking advantage of Java-provided security features
Identify the symptoms of common vulnerabilities
Design and develop secure applications leveraging time-tested J2EE code best practices

Modules Covered

The Need For Security

This section describes the need for application security and provides a high-level description of application-based attacks.

Common Web Software Security Vulnerabilities

This section describes the most common security vulnerabilities and how to uncover them in your software.

Secure Programming Best Practices

This section educates the students on 13 time-tested best practices, how the J2EE framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Suggested Readings and Sites

References are provided in this section.

Training labs will be used to provide practical experience

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.


Corporate Requirements

Classroom setup with:

At least one PC for 2 students
Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 with J2SE Developer Kit of at least version 1.4.2 and Eclipse 3.2.2


10.0 Web Application Security Testing

Delivery Method: Instructor-led

Duration: 5 Day Course including hands-on labs

Audience

Web Testers

Prerequisite Knowledge/Skills

Functional testing knowledge as well as a basic understanding of how applications work. No prior security testing experience is required.

Course Description

This course is an intensive deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common web application vulnerabilities, testing techniques and tools by a professional security tester. The course will culminate in a full day guided penetration test in which the students will execute security test cases on one of their own applications with the help of the instructor. The use of one of the organization’s applications has the benefit of easing the transition of knowledge and techniques from classroom back into everyday practice for the participants as well as providing the organization with a partial penetration test of an application.

Course Objectives

Upon completion of this class, participants will be able to:

Identify why software security matters to their business
Build a threat model driven security test plan
Quickly identify the riskiest areas of an application
Perform a high-level security assessment on their application
Integrate security test cases and tools as part of their test suites
Report findings in a comprehensive manner in order to enable timely remediation

Detailed Course Outline

Introduction to Software Security
    Security in the System Development Lifecycle
    Thinking Like a Security Engineer

Enumerating the Attack Surface
    What is an Attack Surface?
    Standard Application Attack Vectors
        GET and POST
        Header
        Cookies
        Tools: Man-in-the-Middle Proxies
    Extending the Application
        Web 2.0 and Web Services
    Beyond the Application
        Server Fingerprinting
        Port Scanning
        Tools: HTTPrint, NMap, etc
    More Tools and Techniques
        Google Hacking
        Nessus
        TamperData
        Spidering
        Scripting (Python)

Common Weaknesses
    Data Leakage Attacks
        Sniffing
        Decompiling of Client-side code
        Probing the Application through Error Reporting
        WSDL Scanning
    Modification of Assumed Immutable Data (MAID)
        Direct Request (Forced Browsing)
        Path Traversal
        Parameter Tampering (Hands On!)
    Incorrect Resource Transfer Between Spheres
        Bypassing Client-side Enforcement of Security
        Unrestricted File Upload
    Injection Attacks
        SQL Injection (Hands On!)
        Cross-site Scripting (XSS) (Hands On!)
        HTTP Response Splitting
        XPath, XQuery and XML Injection (Hands On!)
        AJAX Code Injection
        Recursive XML Payload
        Buffer Overflow
    Exploiting Authentication
        Insufficient Session Timeout
        Session Hijacking/Replaying
        Session Fixation
        Session Riding/Cross-site Request Forgery (XSRF)

Threat Based Testing
    Threat Modeling
        Decomposing the Application
        Identifying Threats and Building Threat Trees
        Identifying Mitigations and Vulnerabilities
    Threat Based Test Plans
        Building Test Plans from the Threat Tree
        Test Execution and Coverage
    Issue Reporting and Tracking
        Reproducing Vulnerabilities
        Reporting Business Impact
        Defining Criticality

Boot Camp

Participants will spend the last day of the course putting what they have learned to use on a test version of the application on which they work daily. The instructor will act as a mentor and experienced resource as they embark on their first security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.

11.0 How to Break Software Security

Delivery Method: Instructor-led
Duration: 2 Day Course including hands-on labs
1 Day Course, Lecture Only

Audience

This course is intended for testers.

Prerequisite Knowledge/Skills

This course requires functional testing knowledge as well as a basic understanding of how applications work.

Course Description

Learn how to recognize potential security holes before attackers do! This course is designed to give testers and developers the tools, techniques and mindset they need to find security problems before their application is released.

Course Objectives

Upon completion of this class, participants will be able to:

- Identify why software security matters to their business
- Conduct attacks to uncover security vulnerabilities
- Recognize where attacks are applicable
- Identify the symptoms of security vulnerabilities

Modules Covered

Introduction

This section describes why security bugs are different from functional bugs in software; the students will gain an understanding as to why security bugs are usually missed during functional testing and learn to recognize symptoms of insecure software behavior.

The Four Classes of Security Vulnerabilities

In this section participants learn what a security bug really is and the four basic classifications of security vulnerabilities.

Assessing Risk

This section will help the students learn to identify the threats to their application.

An Overview of the Methodology of How to Break Software Security

This section describes how to determine which security attacks apply to their application and learn how to quickly develop security test cases for each attack, tailored to their application.

Attacking Dependencies

In this section the students will learn different techniques allowing them to test and ensure the secure response of their application under different, simulated, dependency failures.

Attacking through the User Interface

In this section the students will learn testing techniques to expose security vulnerabilities in their software through the user interface.

Attacking Design

This section will provide the students with techniques to expose vulnerabilities that can creep into an application at the design stage.

Attacking Implementation

In this section students will learn techniques that can be used to expose vulnerabilities that exist because of implementation errors.

Training labs will be used to provide practical experience (in the 2-day version of this class).

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements

Classroom setup with:

- At least one PC for 2 students
- Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows XP (preferred) or 2000 with .NET frameworks v2.0 and MS Office

12.0 How to Break Web Software

Delivery Method: Instructor-led
Duration: 2 Day Course including hands-on labs
1 Day Course, Lecture Only

Audience

This course is intended for web application testers.

Prerequisite Knowledge/Skills

This course requires functional testing knowledge as well as a basic understanding of how applications work.

Course Description

This course outlines a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP Top 10, looking at 19 specific web application attacks including attacking the client, state, data and the server.

Course Objectives

Upon completion of this class, participants will be able to:

- Identify why software security matters to their business
- Conduct attacks to uncover security web application vulnerabilities
- Recognize where attacks are applicable
- Identify the symptoms of security vulnerabilities for web applications

Modules Covered

Gathering information on the target

In this section the students will learn how web applications are built and what attacks are applicable for this type of application.

Attacking the client

In this section students will learn different client-based attacks such as Bypass and Client-side validation.

Attacking State

In this section students will learn why state is important and different state-based attacks such as CGI parameters and Cookie Poisoning.

Attacking Data

In this section students will learn different data-based attacks such as Cross-site scripting and SQL Injection.

Attacking the server

In this section students will learn different server-based attacks such as SQL injection II – stored procedures and Command injection.

Privacy

This section provides the students with an introduction to privacy: who you are, where you have been; as well as different data gathering methods.

Web services

In this section we introduce participants to web services and discuss common attacks.

Training labs will be used to provide practical experience (in the 2-day version of this class).

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements

Classroom setup with:

- At least one PC for 2 students
- Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- No OS requirements.
- Text editor of choice
- Localhost proxy: Paros or WebScarab

13.0 Security Testing Boot camp

Delivery Method: Instructor led
Duration: 2 Day practical session

Audience

This course is intended for testers.

Prerequisite Knowledge/Skills

This course can only be followed after the successful completion of one of the following courses:
- How to Break Software Security
- How to Break Web Software

Course Description

This course is unique in the security industry. Rather than learning through lecture and general hands on labs, this course walks the students through the security issues of one of the actual applications that they are responsible for testing on a daily basis.

Course Objectives

Upon completion of this class, participants will be able to:

- Quickly identify the riskiest areas of an application
- Perform a high-level security assessment on their application
- Integrate security test cases as part of their test suites

Boot Camp set up

Pre-Course Self Study and Nightly Assignments

Students will need to complete required reading and analyze how specific security issues correspond to their area of testing focus of the application.

Security Briefings

Each morning will start with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately implemented against the application and throughout the day-long deep security testing sessions.

Application-specific Security Testing

Several days of intense hands-on assessment of the application are performed by the students. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product on which they typically perform QA testing.

Deliverables

No specific deliverables are provided for this class

Assessments

No assessment is provided for this class

Corporate Requirements

To achieve the required results, your company needs to provide access to a developer knowledgeable of the entire application, the complete threat model as well as details on past defects discovered in the application. This will enable a strategic attack plan to be created prior to the course that will be discussed and explained during the class. Additionally, your company needs to make sure the students do all pre-course reading and all nightly assignments. This will be an intense several days of security education and testing that will push each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered with special prizes to the top three teams based on the number and severity of the security bugs they find.

14.0 Introduction to the Microsoft Security Development Lifecycle (SDL)

Delivery Method: Instructor-led
Duration: 1 hour

Audience

This course is designed for all members of development teams which are adopting Microsoft’s Security Development Lifecycle.

Prerequisite Knowledge/Skills

This course requires some understanding about general software development lifecycles.

Course Description

In order to help teams adopt the best practices which are parts of the Security Development Lifecycle (SDL) this course provides an overview of what the SDL is and how it can be used by your team to produce solutions which meet a higher security quality standard.

Course Objectives

Upon completion of this seminar participants will be able to:

- Understand the need to address security at all phases of software development
- Understand the benefits of adopting the SDL
- Be able to identify the best practices from the SDL not currently in place at the organization

Modules Covered

Applications Under Attack

This section describes the need for application security and provides a look at the impact of application vulnerabilities.

Origins of the Microsoft SDL

This section describes the evolution of security at Microsoft and how the SDL came to be.

What is Microsoft doing about the threat?

This section describes Microsoft’s process improvement initiative as well as the best practices associated with each phase of the lifecycle in the SDL.

Measurable improvements at Microsoft

This section provides evidence of the positive impact the SDL has had internally at Microsoft.

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course.

Corporate Requirements

Classroom setup

15.0 Introduction to Microsoft SDL Threat Modeling

Delivery Method: Instructor-led
Duration: 2 hours

Audience

This course is designed for members of development teams which are adopting Microsoft’s Security Development Lifecycle and are looking to add the Threat Modeling exercise to their design phase activities.

Prerequisite Knowledge/Skills

This course requires some understanding of how applications are designed.

Course Description

In order to help teams adopt the best practice of threat modeling which is part of the Security Development Lifecycle (SDL) this course provides an overview of what Threat Modeling means in the context of the SDL. It is designed to teach how to Threat Model using the Microsoft process which is part of the SDL.

Course Objectives

Upon completion of this seminar participants will be able to:

- Understand the importance of early lifecycle security best practices such as Threat Modeling
- Understand the benefits of creating Threat Models of your software
- Be able to effectively produce a Threat Model of your software

Modules Covered

Introduction and Goals

This section explains the importance of the Threat Modeling activity and how it relates to creating secure software.

The SDL Approach to Threat Modeling

This section walks the participant through the process of Threat Modeling as it is defined in the SDL. This step-by-step instruction will allow participants to quickly gain an understanding of how to go about building threat models of their software.

Exercise

The exercise module allows participants to attempt creation of a threat model using the newly learned techniques from this course.

Demo

The demo module is an opportunity for the instructor to introduce the participants to Microsoft’s Threat Modeling Tool. This free tool makes the process of building threat models more efficient.

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course.

Corporate Requirements

Classroom setup

16.0 Privacy in Software Development

Delivery Method: Instructor-led
Duration: 2 hours

Audience

This course is designed for anyone involved in the development of software or services.

Prerequisite Knowledge/Skills

This course requires some understanding about general software development.

Course Description

This course is designed to provide an introduction to privacy guidelines for developing software and services.

Course Objectives

Upon completion of this seminar participants will be able to:

- Understand the basics of Privacy
- Understand the need to address privacy in software development
- Be able to effectively drive privacy compliance within the software development team

Modules Covered

Privacy Basics

This section builds an understanding of the basic concepts associated with privacy. This includes a comparison and contrasting between Privacy and Security.

Privacy Guidelines for Developing Software and Services

This section provides definition of common privacy concepts such as Notice and Consent. This is done through the use of nine common software scenarios.

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course.

Corporate Requirements

Classroom setup

17.0 Quarterly Security Brown-Bag

Delivery Method: Instructor-led
Duration: 2 hours

Audience

This seminar can be tailored to managers or technical teams depending on teams.

Prerequisite Knowledge/Skills

This seminar requires a reasonable level of application security awareness.

Course Description

To ensure that security awareness remains foremost in employees’ minds, that development and testing techniques have been internalized, and to enable any ongoing questions to be answered, we offer a quarterly “brown-bag” session via the web, as a live presentation, or via conference call.

Course Objectives

Upon completion of this seminar participants will be able to:

- Apply new knowledge about a specific current security issue, technology or compliance standard
- Strengthen the ongoing security development process
- Strengthen the ongoing testing efforts

Modules Covered

The content from this course is based on current security issues, technologies or standards based on customer needs.

Deliverables

This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course.

Assessments

No assessment is provided for this course.

Corporate Requirements

Classroom setup

18.0 PCI Boot Camp for Software Development Teams

Delivery Method: Instructor-led
Duration: 4 Days

Audience

This course is intended for software development teams (architects, developers, testers/QA, and managers) who build software applications that need to comply with the PCI-DSS (Payment Card Industry Data Security Standard). Also appropriate for PCI / PA DSS Auditors, PCI Compliance Consultants and Researchers, Project Managers, IT Security Consultants, and anyone who is involved with the Application Development Lifecycle.

Prerequisite Knowledge/Skills

This course requires functional development and testing knowledge as well as a basic understanding of how applications work. No prior security experience is required, nor do the members need to know about PCI-DSS.

Course Description

This course is an intensive deep-dive into the world of application security and PCI. It is designed to walk architects, developers, testers, and managers through application security as it pertains to the PCI-DSS. Topics covered include:

- Software Applications - Common Threats
- Primer on Web Application Security
- Overview of OWASP Top Ten Vulnerabilities
- Secure Coding Principles (web and non-web)
- Best Practices for Input and Output Validation
- Web Application Software Testing Best Practices
- Hands-on labs and simulation of web application attack scenarios

The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common software application vulnerabilities as well as secure development and testing techniques. The course introduces tools (both commercial and free) and is taught by a professional security expert and PCI QSA (Qualified Security Assessor). The course can be customized for specific audiences, e.g., software developers, testing/deployment, etc. Each segment culminates with instructor-led lab exercises in which the students will execute security coding and/or test cases on sample applications. For a customization twist, clients can also choose to have one of their own applications as the application under test. The use of an organization-chosen application has the benefit of easing the transition of knowledge and techniques from classroom back into everyday practice for the participants.

Course Objectives

Upon completion of this class, participants will be able to:

- Identify why software security matters to their business
- Build a threat model driven security test plan
- Quickly identify the riskiest areas of an application
- Perform security assessments on software applications (code “white box” and/or as-built “black box” testing)
- Map security activities to PCI requirements and understand how to validate compliance to the standard(s)

Deliverables

This course is supported by a PowerPoint presentation and course material which is handed to students in-class.

Corporate Requirements

Classroom setup with:

- A projector and whiteboard for the instructor
- One PC per participant
- VMware Player on each participant machine to run provided Virtual Machine
- Connection to a test version of an application with which the participants are familiar for final day of course

Detailed Course Outline

Introduction to Software Security
- What is Security?
- Why Security Matters
- Thinking Like a Security Engineer

Introduction to PCI-DSS
- Overview of the PCI requirements
- Overview of the PCI audit procedures relevant to software applications
- Deep dive into requirements 3 and 6
- Understanding and applying testing techniques to validate compliance

Challenging Security Misconceptions
- All software applications have bugs
- Client-side security does not exist
- QA is not security testing
- Tools are not solutions
- Patches do not guarantee security
- Compliance does not equate to security

Fundamentals of Security in the SDLC
- The anatomy of an attack
- Thinking like the attacker: Threat Modeling
- Common coding errors and how to exploit them
- Defensive design and coding principles
- Examples of security for C, C++, .NET, and Java applications

Common Weaknesses and Vulnerabilities
- OWASP TOP 10
- Threat-model-driven testing
- Threat Based Test Plans
- Issue Reporting and Tracking: Reproducing Vulnerabilities, Reporting Business Impact, and Defining Criticality
- Going Beyond OWASP – Logic flaws and non-web Applications
- Data Protection Mechanisms (crypto and more)
- Injection Attacks (not just SQL!)
- Fuzz Testing and other Tools
- Exploiting Authentication

Putting it all together
- Mapping PCI to your day-to-day activities as an Architect, Developer and/or Tester
- Understanding the business impact of insecure software (beyond just PCI compliance)

Boot Camp

The participants will spend time putting what they have learned to use on a test version of the selected application. The instructor will act as a mentor and experienced resource as they embark on an interactive security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.

