Tested by Security Innovation
-
Upload
softwarecentral -
Category
Documents
-
view
2.588 -
download
0
description
Transcript of Tested by Security Innovation
Application Security Education Curriculum
Courses to help build and deploy more secure software applications and systems
Table of Contents
1.0 Security Education Curriculum Map .................................................................................................... 3
2.0 Information and Application Security Awareness ............................................................................... 4
3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits .................................................. 5
4.0 Architecting Secure Solutions .............................................................................................................. 7
5.0 Creating Secure Code .......................................................................................................................... 8
6.0 Creating Secure Code – C/C++ ........................................................................................................... 10
7.0 Creating Secure Code – Java .............................................................................................................. 12
8.0 Creating Secure Code – ASP.NET ....................................................................................................... 14
9.0 Creating Secure Code – J2EE Applications ......................................................................................... 16
10.0 Web Application Security Testing .................................................................................................... 18
11.0 How to Break Software Security ...................................................................................................... 20
12.0 How to Break Web Software ........................................................................................................... 22
13.0 Security Testing Boot camp ............................................................................................................. 24
14.0 Introduction to the Microsoft Security Development Lifecycle (SDL) ............................................. 25
15.0 Introduction to Microsoft SDL Threat Modeling ............................................................................. 26
16.0 Privacy in Software Development ................................................................................................... 27
17.0 Quarterly Security Brown-Bag ......................................................................................................... 28
18.0 PCI Boot Camp for Software Development Teams .......................................................................... 29
Education Curriculum 3
1.0 Security Education Curriculum Map
Title:
Creating Secure Code
Duration: 2 days
Title:
How to break
software security
Duration: 2 days
ARCHITECT TESTERDEVELOPER
Title:
Architecting secure
solutions
Duration: 2 days
Number of
questions: 15
Format: Multiple
choice questions
EXAM EXAM EXAM
Title:
How to break web
software security
Duration: 2 days
Title: Quarterly Security Brown Bag
Duration: 2 hours
Number of
questions: 15
Format: Multiple
choice questions
Number of
questions: 15
Format: Multiple
choice questions
EXAM
Number of
questions: 15
Format: Multiple
choice questions
Title:
Security Testing
Bootcamp
Duration: 2 days
TESTERDEVELOPER
EXAM
Number of
questions: 15
Format:
Multiple choice
questions
Title:
Creating Secure
Code – Java
Duration: 2 days
INT
RO
DU
CT
OR
Y
CL
AS
SE
SC
OR
E C
LA
SS
ES
SP
EC
IAL
IZE
D C
LA
SS
ES
Title:
Creating Secure
Code – J2EE
Applications
Duration: 2 days
Number of
questions: 15
Format:
Multiple choice
questions
Title:
Creating Secure
Code – C/C++
Duration: 3 days
Number of
questions: 15
Format:
Multiple choice
questions
Title:
Creating Secure
Code – ASP.NET
Duration: 2 days
Number of
questions: 15
Format:
Multiple choice
questions
EXAM EXAM EXAM
Title:
Information and Application
Security Awareness
Duration: 2 hours
Title:
Attacker Techniques Exposed
Duration: 1 day
MANAGER / ARCHITECT, DEVELOPER, TESTER
EXECUTIVES, MANAGERS, DEVELOPMENT TEAMS
Education Curriculum 4
2.0 Information and Application Security Awareness
Delivery Method: Instructor-led Duration: 2 hours
Audience
This course is intended for all audiences (from marketing managers to testers)
Prerequisite Knowledge/Skills
There are no prerequisites for this class
Course Description
This course explores the consequences of failure, examines the root cause of software vulnerabilities, assesses the true cost of software vulnerability and presents a model to integrate security into the organization.
Course Objectives
Upon completion of this class, participants will be able to: Discuss why application security is critical List the main drivers for application security Recognize that they (as everyone else in the organization) play a role in security
Modules Covered
Series of case studies/examples This module introduces a series of case studies where security vulnerabilities have resulted in huge financial losses. These studies look beyond IT losses to broader consequences such as impact on stock value, remediation expense, reputation loss, liability, etc.
The increasing reliance of software to manage sensitive data and systems In this module we assess the true reliance of businesses and critical systems on software and explore the consequences of failure.
Most system vulnerabilities have their roots in software This module examines the threats that can be mitigated at the network layer as opposed to those that must be addressed in software.
Software vulnerabilities have real costs and consequences to customers and vendors This module addresses the true cost of software vulnerability. Legislative requirements are also examined and attendees will take a tour through current and looming regulation challenges.
Getting to the root of software vulnerabilities This module will demonstrate that most security problems are not in security-specific components; rather they are errors in general software routines and functions. Illustrative examples are shown.
Looking forward: balancing security Security is a major concern, but principles must be applied in the context of other organizational goals. Security is also more than just technology. It spans policy, procedure, people and technology. This section looks forward to what can be done to integrate security into the organization and discusses strategies to build a culture of security.
Deliverables
This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.
Assessments
No assessment is provided for this course
Corporate Requirements
Classroom setup
Education Curriculum 5
3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits
Delivery Method: Instructor-led Duration: 1 day
Audience
This course is intended for all technical/development team audiences Prerequisite Knowledge/Skills
There are no prerequisites for this class Course Description
This course examines trends in software vulnerabilities, demonstrates examples of security breaches, explores a wide range of live software vulnerabilities and introduces Threat Modeling techniques. Course Objectives
Upon completion of this class, participants will be able to:
Recognize the need for integrating security at each phase of the Software Development LifeCycle Identify missing processes that are needed to improve the security of their systems Create a high-level map of needs for the organization’s people, processes and technology
Modules Covered
The potential attacker The course begins by discussing the different genres of attackers, their different skill sets and their different goals.
The anatomy of an attack
This section examines the different steps of an attack from information gathering to the attack’s consequences. Attacks and defenses
This section goes over the layered security model, and the different defenses that will help mitigate security risks Live vulnerability and exploit tour!
This is the core of the course. In this section, attendees will go through a wide range of software vulnerabilities and the instructor will show sample exploits for these vulnerabilities live. Attendees will gain awareness and key insights into these vulnerability types as well as the ease with which the attacker community can exploit them.
Tools and threats
The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the audience inside the underground world of the attacker and illustrates the range of tools available to adversaries.
Thinking like the attacker: threat modeling
A critical step in securing an application or system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems.
Incorporating threats into software/system design, development, testing and deployment
By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in.
Education Curriculum 6
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
No assessment is provided for this course Corporate Requirements
Classroom setup
Education Curriculum 7
4.0 Architecting Secure Solutions
Delivery Method: Instructor-led Duration: 2 days
Audience
This course is intended for developers, architects and testers
Prerequisite Knowledge/Skills
This course requires software design/programming knowledge and experience.
Course Description
This course illustrates the importance of deploying secure solutions and describes the main secure design principles, what purpose they serve, how to apply them, and what technologies can be used to support these principles.
Course Objectives
Upon completion of this class, participants will be able to:
Design software with security in mind Use technologies pertaining to networks, encryption, anti-virus, and authentication to increase system security Discuss and utilize the different technologies available to create secure systems Integrate missing methodologies to improve the security of enterprise level computing and management
Modules Covered
Security Goals This section discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development.
The Business Context This section discusses the role that security concerns and technologies play in product business decisions is discussed. Some of the tradeoffs are highlighted and also topics such as security estimation and metrics along with quantifiable risk assessment are touched on.
Security Principles The fundamental principles of secure design/implementation are outlined. The content is sprinkled with not only code examples, but also with live demonstrations of the critical issues and failures.
Technologies This section is designed to educate developers and testers on the technologies available to create more secure systems. The thrust of this section is to impart knowledge on constituent technologies that can essentially be “plugged in” to obtain a particular level of assurance.
Methodologies and Techniques This section broadly discusses fundamental principals of secure design. This section will also provide background information to better frame the technologies section.
Deliverables
This course is supported by a PowerPoint presentation a hand-out of this is presented to the students at the beginning of the course.
Assessments
A 15 question multiple choice exam is taken at the end of the course
Corporate Requirements
Classroom setup
Education Curriculum 8
5.0 Creating Secure Code
Delivery Method: Instructor-led Duration: 2 days
Audience
This course is intended for developers (and testers with programming experience). Prerequisite Knowledge/Skills
This course requires software design/programming knowledge and experience. Course Description
Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course examines vulnerabilities that are common across language implementations (C, C++ and Java) and covers real-world examples – illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. Students are presented with a set of security coding best practices and practical recommendations. Course Objectives
Upon completion of this class, participants will be able to:
Identify why Software Security matters to their business Proactively recognize and remediate common coding errors that lead to vulnerabilities Perform threat modeling to identify vulnerabilities and analyze risks Design and develop secure applications leveraging time-tested defensive coding principles
Modules Covered
Introduction to Software Security This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.
Common coding errors in C/C++
This section teaches how to recognize and remediate common coding errors and what tools can support this effort. Threat modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Defensive coding principles
This section educates the students on 19 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities.
Web Vulnerabilities
The web is different! This section will address common web vulnerabilities, how to find them, how to prevent them.
Security Testing and Quality Assurance This section is optional and designed to educate both developer and testers on the differentiating factors between functional and security testing, the three classes of security bugs and how to spot these.
Training labs will be used to provide practical experience
Education Curriculum 9
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
A 15 question multiple choice exam is taken at the end of the course Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP .net framework 2.0 Visual Studio – a free version of Visual Studio can be found at
http://msdn.microsoft.com/vstudio/express/default.aspx
Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language
Education Curriculum 10
6.0 Creating Secure Code – C/C++
Delivery Method: Instructor-led Duration: 3 days
Audience
This course is intended for developers and testers with C/C++ programming experience. Prerequisite Knowledge/Skills
This course requires software C/C++ programming knowledge and experience. Course Description
Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course examines vulnerabilities that are specific to C/C++ and covers real-world examples – illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. Students are provided with a set security coding best practices and practical recommendations. Course Objectives
Upon completion of this class, participants will be able to:
Identify why Software Security matters to their business Write secure code on Windows and *nix platforms Proactively recognize and remediate common coding errors that lead to vulnerabilities Perform threat modeling to identify vulnerabilities and analyze risks Design and develop secure applications leveraging time-tested defensive coding principles
Modules Covered Introduction to software security
This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.
OS security
This section goes deep into Windows and *nix security and the programming caveats that they present. It then describes best practices to write robust code (exception handling etc). Finally it describes the risks of socket programming and identifies secure practices.
Common coding errors in C/C++ This section teaches how to recognize and remediate common C/C++ coding errors and what tools can support this effort.
Threat modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Defensive coding principles
This section educates the students on 12 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities.
Training labs will be used to provide practical experience
Education Curriculum 11
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
A 15 question multiple choice exam is taken at the end of the course Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP .net framework 2.0 Visual Studio – a free version of Visual Studio can be found at
http://msdn.microsoft.com/vstudio/express/default.aspx
Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language
Education Curriculum 12
7.0 Creating Secure Code – Java
Delivery Method: Instructor-led Duration: 2 days
Audience
This course is intended for developers and testers with Java programming experience. Prerequisite Knowledge/Skills
This course requires software Java programming knowledge and experience. Course Description
Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course deals specifically with Java. The course will describe platform-provided security features, threat modeling techniques and will then provide the students with a set of security coding best practices and practical recommendations. Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Write secure Java code by taking advantage of platform-provided security features Create and use threat trees to find threats and vulnerabilities Perform risk analysis and prioritize security fixes Design and develop secure applications leveraging time-tested Java best practices
Modules Covered
Introduction to software security This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be.
Java Virtual Machine
This section provides an overview of the Java Virtual Machine. Java Security
In this section the students will learn platform-provided security features that should be leveraged to minimize the number of security vulnerabilities.
Threat modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Coding best practices
This section educates the students on 16 time-tested best practices, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.
Training labs will be used to provide practical experience
Education Curriculum 13
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course Assessments
A 15 question multiple choice exam is taken at the end of the course Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 with J2SE Developer Kit of at least 1.4.2. and Eclipse 3.2.2
Education Curriculum 14
8.0 Creating Secure Code – ASP.NET
Delivery Method: Instructor-led Duration: 2 days
Audience
This course is intended for developers with ASP.NET programming experience. Prerequisite Knowledge/Skills
This course requires ASP.NET programming knowledge and experience. Course Description
This course gives developers an in-depth emersion into secure coding practices with an emphasis on solutions built around ASP.NET code. We will discuss in-depth the principles of secure development; common coding errors for ASP.NET code and web apps; secure coding best practices and how they can be used to develop more secure applications. Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Recognize the root causes of the more common vulnerabilities Write secure ASP.NET code by taking advantage of Windows-provided security features Identify the symptoms of common vulnerabilities Design and develop secure applications leveraging time-tested ASP.NET code best practices
Modules Covered
The Need For Security This section describes the need for application security and provides a high-level description of application-based attacks.
Common Web Software Security Vulnerabilities This section describes the most common security vulnerabilities and how to uncover them in your software.
Secure Programming Best Practices This section educates the students on 13 time-tested best practices, how the ASP.NET framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.
Suggested Readings and Sites References are provided in this section
Training labs will be used to provide practical experience
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
A 15 question multiple choice exam is taken at the end of the course
Education Curriculum 15
Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 / XP .net framework 2.0 Visual Studio (or other asp development environment) – a free version of Visual Studio can be found at
http://msdn.microsoft.com/vstudio/express/default.aspx
Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. Please select C#
Education Curriculum 16
9.0 Creating Secure Code – J2EE Applications
Delivery Method: Instructor-led Duration: 2 days
Audience
This course is intended for developers and testers with Java web programming experience.
Prerequisite Knowledge/Skills
This course requires Java programming knowledge and experience.
Course Description
This class dives deep into developing secure web applications in Java. It provides an overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to deal with them, greatly enhancing the security of their code.
Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Recognize the root causes of the more common vulnerabilities Write secure J2EE code by taking advantage of Java-provided security features Identify the symptoms of common vulnerabilities Design and develop secure applications leveraging time-tested J2EE code best practices
Modules Covered
The Need For Security This section describes the need for application security and provides a high-level description of application-based attacks.
Common Web Software Security Vulnerabilities This section describes the most common security vulnerabilities and how to uncover them in your software.
Secure Programming Best Practices This section educates the students on 13 time-tested best practices, how the J2EE framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.
Suggested Readings and Sites References are provided in this section
Training labs will be used to provide practical experience Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course
Assessments
A 15 question multiple choice exam is taken at the end of the course
Education Curriculum 17
Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows 2000 with J2SE Developer Kit of at least 1.4.2. and Eclipse 3.2.2
Education Curriculum 18
10.0 Web Application Security Testing
Delivery Method: Instructor-led Duration: 5 Day Course including hands-on labs
Audience
Web Testers Prerequisite Knowledge/Skills
Functional testing knowledge as well as a basic understanding of how applications work. No prior security testing experience is required. Course Description
This course is an intensive deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common web application vulnerabilities, testing techniques and tools by a professional security tester. The course will culminate in a full day guided penetration test in which the students will execute security test cases on one of their own applications with the help of the instructor. The use of one of the organization’s applications has the benefit of easing the transition of knowledge and techniques from classroom back into every day practice for the participants as well as providing the organization with a partial penetration test of an application. Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Build a threat model driven security test plan Quickly Identify the riskiest areas of an application Perform a high-level security assessment on their application. Integrate security test cases and tools as part of their test suites Report findings in a comprehensive manner in order to enable timely remediation
Detailed Course Outline
Introduction to Software Security Security in the System Development Lifecycle Thinking Like a Security Engineer
Enumerating the Attack Surface What is an Attack Surface? Standard Application Attack Vectors
GET and POST Header Cookies Tools: Man-in-the-Middle Proxies
Extending the Application Web 2.0 and Web Services
Beyond the Application Server Fingerprinting Port Scanning Tools: HTTPrint, NMap, etc
Education Curriculum 19
More Tools and Techniques Google Hacking Nessus TamperData Spidering Scripting (Python)
Common Weaknesses Data Leakage Attacks
Sniffing Decompiling of Client-side code Probing the Application through Error Reporting WSDL Scanning
Modification of Assumed Immutable Data (MAID) Direct Request (Forced Browsing) Path Traversal Parameter Tampering (Hands On!)
Incorrect Resource Transfer Between Spheres Bypassing Client-side Enforcement of Security Unrestricted File Upload
Injection Attacks SQL Injection (Hands On!) Cross-site Scripting (XSS) (Hands On!) HTTP Response Splitting XPath, XQuery and XML Injection (Hands On!) AJAX Code Injection Recursive XML Payload Buffer Overflow
Exploiting Authentication Insufficient Session Timeout Session Hijacking/Replaying Session Fixation Session Riding/Cross-site Request Forgery (XSRF)
Threat Based Testing Threat Modeling
Decomposing the Application Identifying Threats and Building Threat Trees Identifying Mitigations and Vulnerabilities
Threat Based Test Plans Building Test Plans from the Threat Tree Test Execution and Coverage
Issue Reporting and Tracking Reproducing Vulnerabilities Reporting Business Impact Defining Criticality
Boot Camp Participants will spend the last day of the putting what they have learned to use on a test version of the application on which they work daily. The instructor will act as a mentor and experienced resource as they embark on their first security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.
Education Curriculum 20
11.0 How to Break Software Security
Delivery Method: Instructor-led Duration: 2 Day Course including hands-on labs
1 Day Course, Lecture Only Audience
This course is intended for testers. Prerequisite Knowledge/Skills
This course requires functional testing knowledge as well as a basic understanding of how applications work Course Description
Learn how to recognize potential security holes before attackers do! This course is designed to give testers and developers the tools , techniques and mindset they need to find security problems before their application is released Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Conduct attacks to uncover security vulnerabilities Recognize where attacks are applicable Identify the symptoms of security vulnerabilities
Modules Covered
Introduction This section describes why security bugs are different from functional bugs in software; the students will gain an understanding as to why security bugs are usually missed during functional testing and learn to recognize symptoms of insecure software behavior
The Four Classes of Security Vulnerabilities
In this section participants learn what a security bug really is and the four basic classifications of security vulnerabilities.
Assessing Risk
This section will help the students learn to identify the threats to their application An Overview of the Methodology of How to Break Software Security
This section describes how to determine which security attacks apply to their application and learn how to quickly develop security test cases for each attack, tailored to their application.
Attacking Dependencies
In this section the students will learn different techniques allowing them to test and ensure the securely response of their application under different, simulated, dependency failures.
Attacking through the User Interface
In this section the students will learn testing techniques to expose security vulnerabilities in their software through the user interface.
Attacking Design
This section will provide the students with techniques to expose vulnerabilities that can creep into an application at the design stage.
Education Curriculum 21
Attacking Implementation
In this section students will learn techniques that can be used to expose vulnerabilities that exist because of implementation errors.
Training labs will be used to provide practical experience (in the 2-day version of this class) Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
A 15 question multiple choice exam is taken at the end of the course Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
Windows XP (preferred) or 2000 with .NET frameworks v2.0 and MS Office
Education Curriculum 22
12.0 How to Break Web Software
Delivery Method: Instructor-led Duration: 2 Day Course including hands-on labs
1 Day Course, Lecture Only Audience
This course is intended for web application testers. Prerequisite Knowledge/Skills
This course requires functional testing knowledge as well as a basic understanding of how applications work Course Description
This course outlines a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP to 10, looking at 19 specific web application attacks including attacking the client, state, data and the server. Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Conduct attacks to uncover security web application vulnerabilities Recognize where attacks are applicable Identify the symptoms of security vulnerabilities for web applications
Modules Covered
Gathering information on the target In this section the students will learn how web applications are built and what attacks are applicable for this type of applications.
Attacking the client
In this section students will learn different client based attacks such as Bypass and Client side validation Attacking State
In this section students will learn why state is important and different stated based attacks such as Cgi parameters and Cookie Poisoning
Attacking Data
In this section students will learn different data based attacks such as Cross-site scripting and SQL Injection. Attacking the server
In this section students will learn different server based attacks such as SQL injection II – stored procedures and Command injection
Privacy
This section provides the students with an introduction to privacy: who you are, where you have been; as well as different data gathering methods.
Web services
In this section we introduce participants to web services and discuss common attacks Training labs will be used to provide practical experience (in the 2-day version of this class)
Education Curriculum 23
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
A 15 question multiple choice exam is taken at the end of the course Corporate Requirements
Classroom setup with:
At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in
his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
No OS requirements. Text editor of choice Localhost proxy: paros, or webscarab
Education Curriculum 24
13.0 Security Testing Boot camp
Delivery Method: Instructor led Duration: 2 Day practical session
Audience
This course is intended for testers.
Prerequisite Knowledge/Skills
This course can only be followed after the successful completion of one of the following courses: - How to Break Software Security - How to Break Web Software
Course Description
This course is unique in the security industry. Rather than learning through lecture and general hands on labs, this course walks the students through the security issues of one of the actual applications that they are responsible for testing on a daily basis.
Course Objectives
Upon completion of this class, participants will be able to: Quickly Identify the riskiest areas of an application Perform a high-level security assessment on their application. Integrate security test cases as part of their test suites
Boot Camp set up
Pre-Course Self Study and Nightly Assignments Students will need to complete required reading and analyze how specific security issues correspond to their area of testing focus of the application
Security Briefings Each morning will start with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately implemented against the application and throughout the day-long deep security testing sessions.
Application-specific Security Testing Several days of intense hands-on assessment of the application is performed by the students. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product they typically perform QA testing.
Deliverables
No specific deliverables are provided for this class
Assessments
No assessment is provided for this class
Corporate Requirements
To achieve the required results, your company needs to provide access to a developer knowledgeable of the entire application, the complete threat model as well as details on past defects discovered in the application. This will enable a strategic attack plan to be created prior to the course that will be discussed and explained during the class. Additionally, your company needs to make sure the students do all pre-course reading and all nightly assignments. This will be an intense several days of security education and testing that will push each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered with special prizes to the top three teams based on the number and severity of the security bugs they find.
Education Curriculum 25
14.0 Introduction to the Microsoft Security Development Lifecycle (SDL)
Delivery Method: Instructor-led Duration: 1 hour
Audience
This course is designed for all members of development teams which are adopting Microsoft’s Security Development Lifecycle. Prerequisite Knowledge/Skills
This course requires some understanding about general software development lifecycles Course Description
In order to help teams adopt the best practices which are parts of the Security Development Lifecycle (SDL) this course provides an overview of what the SDL is and how it can be used by your team to produce solutions which meet a higher security quality standard. Course Objectives
Upon completion of this seminar participants will be able to:
Understand the need to address security at all phases of software development Understand the benefits of adopting the SDL Be able to identify the best practices from the SDL not currently in place at the organization
Modules Covered
Applications Under Attack This section describes the need for application security and provides a look at the impact of application vulnerabilities.
Origins of the Microsoft SDL This section describes the evolution of security at Microsoft and how the SDL came to be.
What is Microsoft doing about the threat? This section describes Microsoft’s process improvement initiative as well as the best practices associated with each phase of the lifecycle in the SDL.
Measurable improvements at Microsoft This section provides evidence of the positive impact the SDL has had internally at Microsoft.
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
No assessment is provided for this course Corporate Requirements
Classroom setup
Education Curriculum 26
15.0 Introduction to Microsoft SDL Threat Modeling
Delivery Method: Instructor-led Duration: 2 hour
Audience
This course is designed for members of development teams which are adopting Microsoft’s Security Development Lifecycle and are looking to add the Threat Modeling exercise to their design phase activities. Prerequisite Knowledge/Skills
This course requires some understanding of how applications are designed. Course Description
In order to help teams adopt the best practice of threat modeling which is part of the Security Development Lifecycle (SDL) this course provides an overview of what Threat Modeling means in the context of the SDL. It is designed to teach how to Threat Model using the Microsoft process which is part of the SDL. Course Objectives
Upon completion of this seminar participants will be able to:
Understand the importance of early lifecycle security best practices such as Threat Modeling Understand the benefits of creating Threat Models of your software Be able effectively produce a Threat Model of your software
Modules Covered
Introduction and Goals This section explains the importance of the Threat Modeling activity and how it relates to creating secure software.
The SDL Approach to Threat Modeling This section walks the participant through the process of Threat Modeling as it is defined in the SDL. This step by step instruction will allow participants to quickly gain and understanding of how to go about building threat models of their software.
Exercise The exercise module allows participants to attempt creation of a threat model using the newly learned techniques from this course.
Demo The demo module is an opportunity for the instructor to introduce the participants to Microsoft’s Threat Modeling Tool. This free tool makes the process of building threat models more efficient.
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
No assessment is provided for this course Corporate Requirements
Classroom setup
Education Curriculum 27
16.0 Privacy in Software Development
Delivery Method: Instructor-led Duration: 2 hours
Audience
This course is designed for anyone involved in the development of software or services. Prerequisite Knowledge/Skills
This course requires some understanding about general software development. Course Description
This course is designed to provide an introduction to privacy guidelines for developing software and services. Course Objectives
Upon completion of this seminar participants will be able to:
Understand the basics of Privacy Understand the need to address privacy in software development Be able to effectively drive privacy compliance within the software development team
Modules Covered
Privacy Basics This section builds an understanding of the basic concepts associated with privacy. This includes a comparison and contrasting between Privacy and Security.
Privacy Guidelines for Developing Software and Services This section provides definition of common privacy concepts such as Notice and Consent. This is done through the use of nine common software scenarios.
Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
No assessment is provided for this course Corporate Requirements
Classroom setup
Education Curriculum 28
17.0 Quarterly Security Brown-Bag
Delivery Method: Instructor-led Duration: 2 hours
Audience
This seminar can be tailored to managers or technical teams depending on teams. Prerequisite Knowledge/Skills
This seminar requires a reasonable level of application security awareness Course Description
To ensure that security awareness remains foremost in employees’ minds, that development and testing techniques have been internalized, and to enable any ongoing questions to be answered, we offer a quarterly “brown-bag” web, live presentation or via conference call. Course Objectives
Upon completion of this seminar participants will be able to:
Apply new knowledge about a specific current security issue, technology or compliance standard Strengthen the ongoing security development process Strengthen the ongoing testing efforts
Modules Covered
The content from this course is based on current security issues, technologies or standards based on customer needs. Deliverables
This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments
No assessment is provided for this course Corporate Requirements
Classroom setup
Education Curriculum 29
18.0 PCI Boot Camp for Software Development Teams
Delivery Method: Instructor-led Duration: 4 Days
Audience
This course is intended for software development teams (architects, developers, testers/QA, and managers) who build software application that need to comply with the PCI-DSS (Payment Card Industry Data Security Standard.) Also appropriate for PCI / PA DSS Auditors, PCI Compliance Consultants and Researchers, Project Managers, IT Security Consultants, and anyone who is involved with the Application Development Lifecycle Prerequisite Knowledge/Skills
This course requires functional development and testing knowledge as well as a basic understanding of how applications work. No prior security experience is required, nor do the members need to know about PCI-DSS. Course Description
This course is an intensive deep-dive into the world of application security and PCI. It is designed to walk architects, developers, testers, and managers through application security as it pertains to the PCI-DSS. Topics covered include:
Software Applications - Common Threats
Primer on Web Application Security
Overview of OWASP Top Ten Vulnerabilities
Secure Coding Principles (web and non-web)
Best Practices for Input and Output Validation
Web Application Software Testing Best Practices
Hands-on labs and simulation of web application attack scenarios The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common software application vulnerabilities as well as secure development and testing techniques. The course introduces tools (both commercial and free) and is taught by a professional security expert and PCI QSA (Qualified Security Assessor.) The course can be customized for specific audiences, e.g., software developers, testing/deployment, etc. Each segment culminates with instructor-led lab exercises in which the students will execute security coding and/or test cases on sample applications. For a customization twist, clients can also choose to have one of their own applications as the application under test. The use of an organization-chosen application has the benefit of easing the transition of knowledge and techniques from classroom back into every day practice for the participants. Course Objectives
Upon completion of this class, participants will be able to:
Identify why software security matters to their business Build a threat model driven security test plan Quickly Identify the riskiest areas of an application Perform security assessments on software applications (code “white box” and/or as-built “black box” testing) Map security activities to PCI requirements and understand how to validate compliance to the standard(s)
Deliverables
This course is supported by a PowerPoint presentation and course material which is handed to students in-class Corporate Requirements
Classroom setup with:
A projector and whiteboard for the instructor One PC per participant VMWare Player on each participant machine to run provided VirtualMachine Connection to a test version of an application with which the participants are familiar for final day of course
Education Curriculum 30
Detailed Course Outline
Introduction to Software Security
What is Security? Why Security Matters Thinking Like a Security Engineer
Introduction to PCI-DSS Overview of the PCI requirements Overview of the PCI audit procedures relevant to software applications
Deep dive into requirements 3 and 6 Understanding and applying testing techniques to validate compliance
Challenging Security Misconceptions
All software applications have bugs Client-side security does not exist QA is not security testing Tools are not solutions Patches do not guarantee security Compliance does not equate to security
Fundamentals of Security in the SDLC
The anatomy of an attack Thinking like the attacker: Threat Modeling Common coding errors and how to exploit them Defensive design and coding principles Examples of security for C, C++, .NET, and Java applications
Common Weaknesses and Vulnerabilities
OWASP TOP 10 Threat-model-driven testing
Threat Based Test Plans Issue Reporting and Tracking: Reproducing Vulnerabilities,
Reporting Business Impact, and Defining Criticality Going Beyond OWASP – Logic flaws and non-web Applications
Data Protection Mechanisms (crypto and more) Injection Attacks (not just SQL!) Fuzz Testing and other Tools Exploiting Authentication
Putting it all together
Mapping PCI to your day-to-day activities as an Architect, Developer and/or Tester Understanding the business impact of insecure software (beyond just PCI compliance)
Boot Camp The participants will spend time putting what they have learned to use on a test version of the selected application. The instructor will act as a mentor and experienced resource as they embark on an interactive security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.