Tested by Security Innovation
Upcoming SlideShare
Loading in...5
×
 

Tested by Security Innovation

on

  • 2,419 views

 

Statistics

Views

Total Views
2,419
Views on SlideShare
2,419
Embed Views
0

Actions

Likes
0
Downloads
5
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Tested by Security Innovation Tested by Security Innovation Document Transcript

  • Application Security Education Curriculum Courses to help build and deploy more secure software applications and systems
  • Table of Contents 1.0 Security Education Curriculum Map .................................................................................................... 3 2.0 Information and Application Security Awareness ............................................................................... 4 3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits .................................................. 5 4.0 Architecting Secure Solutions .............................................................................................................. 7 5.0 Creating Secure Code .......................................................................................................................... 8 6.0 Creating Secure Code – C/C++ ........................................................................................................... 10 7.0 Creating Secure Code – Java .............................................................................................................. 12 8.0 Creating Secure Code – ASP.NET ....................................................................................................... 14 9.0 Creating Secure Code – J2EE Applications......................................................................................... 16 10.0 Web Application Security Testing.................................................................................................... 18 11.0 How to Break Software Security ...................................................................................................... 20 12.0 How to Break Web Software ........................................................................................................... 22 13.0 Security Testing Boot camp ............................................................................................................. 24 14.0 Introduction to the Microsoft Security Development Lifecycle (SDL) ............................................. 25 15.0 Introduction to Microsoft SDL Threat Modeling ............................................................................. 26 16.0 Privacy in Software Development ................................................................................................... 27 17.0 Quarterly Security Brown-Bag ......................................................................................................... 28 18.0 PCI Boot Camp for Software Development Teams.......................................................................... 29
  • 1.0 Security Education Curriculum Map EXECUTIVES, MANAGERS, DEVELOPMENT TEAMS INTRODUCTORY CLASSES Title: Title: Information and Application Attacker Techniques Exposed Security Awareness Duration: 1 day Duration: 2 hours ARCHITECT DEVELOPER TESTER Title: Title: Title: Title: Architecting secure How to break How to break web Creating Secure Code solutions software security software security Duration: 2 days Duration: 2 days Duration: 2 days Duration: 2 days CORE CLASSES EXAM EXAM EXAM EXAM Number of Number of Number of Number of questions: 15 questions: 15 questions: 15 questions: 15 Format: Multiple Format: Multiple Format: Multiple Format: Multiple choice questions choice questions choice questions choice questions MANAGER / ARCHITECT, DEVELOPER, TESTER Title: Quarterly Security Brown Bag Duration: 2 hours DEVELOPER TESTER Title: Title: Title: Title: Title: Creating Secure Creating Secure Creating Secure Creating Secure Security Testing Code – Java Code – ASP.NET Code – C/C++ Code – J2EE Bootcamp Applications SPECIALIZED CLASSES Duration: 2 days Duration: 2 days Duration: 3 days Duration: 2 days Duration: 2 days EXAM EXAM EXAM EXAM Number of Number of Number of Number of questions: 15 questions: 15 questions: 15 questions: 15 Format: Format: Format: Format: Multiple choice Multiple choice Multiple choice Multiple choice questions questions questions questions Education Curriculum 3
  • 2.0 Information and Application Security Awareness Delivery Method: Instructor-led Duration: 2 hours Audience This course is intended for all audiences (from marketing managers to testers) Prerequisite Knowledge/Skills There are no prerequisites for this class Course Description This course explores the consequences of failure, examines the root cause of software vulnerabilities, assesses the true cost of software vulnerability and presents a model to integrate security into the organization. Course Objectives Upon completion of this class, participants will be able to: Discuss why application security is critical List the main drivers for application security Recognize that they (as everyone else in the organization) play a role in security Modules Covered Series of case studies/examples This module introduces a series of case studies where security vulnerabilities have resulted in huge financial losses. These studies look beyond IT losses to broader consequences such as impact on stock value, remediation expense, reputation loss, liability, etc. The increasing reliance of software to manage sensitive data and systems In this module we assess the true reliance of businesses and critical systems on software and explore the consequences of failure. Most system vulnerabilities have their roots in software This module examines the threats that can be mitigated at the network layer as opposed to those that must be addressed in software. Software vulnerabilities have real costs and consequences to customers and vendors This module addresses the true cost of software vulnerability. Legislative requirements are also examined and attendees will take a tour through current and looming regulation challenges. Getting to the root of software vulnerabilities This module will demonstrate that most security problems are not in security-specific components; rather they are errors in general software routines and functions. Illustrative examples are shown. Looking forward: balancing security Security is a major concern, but principles must be applied in the context of other organizational goals. Security is also more than just technology. It spans policy, procedure, people and technology. This section looks forward to what can be done to integrate security into the organization and discusses strategies to build a culture of security. Deliverables This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 4
  • 3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits Delivery Method: Instructor-led Duration: 1 day Audience This course is intended for all technical/development team audiences Prerequisite Knowledge/Skills There are no prerequisites for this class Course Description This course examines trends in software vulnerabilities, demonstrates examples of security breaches, explores a wide range of live software vulnerabilities and introduces Threat Modeling techniques. Course Objectives Upon completion of this class, participants will be able to: Recognize the need for integrating security at each phase of the Software Development LifeCycle Identify missing processes that are needed to improve the security of their systems Create a high-level map of needs for the organization’s people, processes and technology Modules Covered The potential attacker The course begins by discussing the different genres of attackers, their different skill sets and their different goals. The anatomy of an attack This section examines the different steps of an attack from information gathering to the attack’s consequences. Attacks and defenses This section goes over the layered security model, and the different defenses that will help mitigate security risks Live vulnerability and exploit tour! This is the core of the course. In this section, attendees will go through a wide range of software vulnerabilities and the instructor will show sample exploits for these vulnerabilities live. Attendees will gain awareness and key insights into these vulnerability types as well as the ease with which the attacker community can exploit them. Tools and threats The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the audience inside the underground world of the attacker and illustrates the range of tools available to adversaries. Thinking like the attacker: threat modeling A critical step in securing an application or system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems. Incorporating threats into software/system design, development, testing and deployment By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in. Education Curriculum 5
  • Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 6
  • 4.0 Architecting Secure Solutions Delivery Method: Instructor-led Duration: 2 days Audience This course is intended for developers, architects and testers Prerequisite Knowledge/Skills This course requires software design/programming knowledge and experience. Course Description This course illustrates the importance of deploying secure solutions and describes the main secure design principles, what purpose they serve, how to apply them, and what technologies can be used to support these principles. Course Objectives Upon completion of this class, participants will be able to: Design software with security in mind Use technologies pertaining to networks, encryption, anti-virus, and authentication to increase system security Discuss and utilize the different technologies available to create secure systems Integrate missing methodologies to improve the security of enterprise level computing and management Modules Covered Security Goals This section discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development. The Business Context This section discusses the role that security concerns and technologies play in product business decisions is discussed. Some of the tradeoffs are highlighted and also topics such as security estimation and metrics along with quantifiable risk assessment are touched on. Security Principles The fundamental principles of secure design/implementation are outlined. The content is sprinkled with not only code examples, but also with live demonstrations of the critical issues and failures. Technologies This section is designed to educate developers and testers on the technologies available to create more secure systems. The thrust of this section is to impart knowledge on constituent technologies that can essentially be “plugged in” to obtain a particular level of assurance. Methodologies and Techniques This section broadly discusses fundamental principals of secure design. This section will also provide background information to better frame the technologies section. Deliverables This course is supported by a PowerPoint presentation a hand-out of this is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup Education Curriculum 7
  • 5.0 Creating Secure Code Delivery Method: Instructor-led Duration: 2 days Audience This course is intended for developers (and testers with programming experience). Prerequisite Knowledge/Skills This course requires software design/programming knowledge and experience. Course Description Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course examines vulnerabilities that are common across language implementations (C, C++ and Java) and covers real-world examples – illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. Students are presented with a set of security coding best practices and practical recommendations. Course Objectives Upon completion of this class, participants will be able to: Identify why Software Security matters to their business Proactively recognize and remediate common coding errors that lead to vulnerabilities Perform threat modeling to identify vulnerabilities and analyze risks Design and develop secure applications leveraging time-tested defensive coding principles Modules Covered Introduction to Software Security This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be. Common coding errors in C/C++ This section teaches how to recognize and remediate common coding errors and what tools can support this effort. Threat modeling This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Defensive coding principles This section educates the students on 19 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities. Web Vulnerabilities The web is different! This section will address common web vulnerabilities, how to find them, how to prevent them. Security Testing and Quality Assurance This section is optional and designed to educate both developer and testers on the differentiating factors between functional and security testing, the three classes of security bugs and how to spot these. Training labs will be used to provide practical experience Education Curriculum 8
  • Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows 2000 / XP .net framework 2.0 Visual Studio – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language Education Curriculum 9
  • 6.0 Creating Secure Code – C/C++ Delivery Method: Instructor-led Duration: 3 days Audience This course is intended for developers and testers with C/C++ programming experience. Prerequisite Knowledge/Skills This course requires software C/C++ programming knowledge and experience. Course Description Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course examines vulnerabilities that are specific to C/C++ and covers real-world examples – illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. Students are provided with a set security coding best practices and practical recommendations. Course Objectives Upon completion of this class, participants will be able to: Identify why Software Security matters to their business Write secure code on Windows and *nix platforms Proactively recognize and remediate common coding errors that lead to vulnerabilities Perform threat modeling to identify vulnerabilities and analyze risks Design and develop secure applications leveraging time-tested defensive coding principles Modules Covered Introduction to software security This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be. OS security This section goes deep into Windows and *nix security and the programming caveats that they present. It then describes best practices to write robust code (exception handling etc). Finally it describes the risks of socket programming and identifies secure practices. Common coding errors in C/C++ This section teaches how to recognize and remediate common C/C++ coding errors and what tools can support this effort. Threat modeling This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Defensive coding principles This section educates the students on 12 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities. Training labs will be used to provide practical experience Education Curriculum 10
  • Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows 2000 / XP .net framework 2.0 Visual Studio – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language Education Curriculum 11
  • 7.0 Creating Secure Code – Java Delivery Method: Instructor-led Duration: 2 days Audience This course is intended for developers and testers with Java programming experience. Prerequisite Knowledge/Skills This course requires software Java programming knowledge and experience. Course Description Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.) This course deals specifically with Java. The course will describe platform-provided security features, threat modeling techniques and will then provide the students with a set of security coding best practices and practical recommendations. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Write secure Java code by taking advantage of platform-provided security features Create and use threat trees to find threats and vulnerabilities Perform risk analysis and prioritize security fixes Design and develop secure applications leveraging time-tested Java best practices Modules Covered Introduction to software security This section provides insight into Software Security, why it is needed, and what the consequences of security vulnerabilities can be. Java Virtual Machine This section provides an overview of the Java Virtual Machine. Java Security In this section the students will learn platform-provided security features that should be leveraged to minimize the number of security vulnerabilities. Threat modeling This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities. Coding best practices This section educates the students on 16 time-tested best practices, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities. Training labs will be used to provide practical experience Education Curriculum 12
  • Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows 2000 with J2SE Developer Kit of at least 1.4.2. and Eclipse 3.2.2 Education Curriculum 13
  • 8.0 Creating Secure Code – ASP.NET Delivery Method: Instructor-led Duration: 2 days Audience This course is intended for developers with ASP.NET programming experience. Prerequisite Knowledge/Skills This course requires ASP.NET programming knowledge and experience. Course Description This course gives developers an in-depth emersion into secure coding practices with an emphasis on solutions built around ASP.NET code. We will discuss in-depth the principles of secure development; common coding errors for ASP.NET code and web apps; secure coding best practices and how they can be used to develop more secure applications. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Recognize the root causes of the more common vulnerabilities Write secure ASP.NET code by taking advantage of Windows-provided security features Identify the symptoms of common vulnerabilities Design and develop secure applications leveraging time-tested ASP.NET code best practices Modules Covered The Need For Security This section describes the need for application security and provides a high-level description of application-based attacks. Common Web Software Security Vulnerabilities This section describes the most common security vulnerabilities and how to uncover them in your software. Secure Programming Best Practices This section educates the students on 13 time-tested best practices, how the ASP.NET framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities. Suggested Readings and Sites References are provided in this section Training labs will be used to provide practical experience Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Education Curriculum 14
  • Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows 2000 / XP .net framework 2.0 Visual Studio (or other asp development environment) – a free version of Visual Studio can be found at http://msdn.microsoft.com/vstudio/express/default.aspx Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. Please select C# Education Curriculum 15
  • 9.0 Creating Secure Code – J2EE Applications Delivery Method: Instructor-led Duration: 2 days Audience This course is intended for developers and testers with Java web programming experience. Prerequisite Knowledge/Skills This course requires Java programming knowledge and experience. Course Description This class dives deep into developing secure web applications in Java. It provides an overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to deal with them, greatly enhancing the security of their code. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Recognize the root causes of the more common vulnerabilities Write secure J2EE code by taking advantage of Java-provided security features Identify the symptoms of common vulnerabilities Design and develop secure applications leveraging time-tested J2EE code best practices Modules Covered The Need For Security This section describes the need for application security and provides a high-level description of application-based attacks. Common Web Software Security Vulnerabilities This section describes the most common security vulnerabilities and how to uncover them in your software. Secure Programming Best Practices This section educates the students on 13 time-tested best practices, how the J2EE framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities. Suggested Readings and Sites References are provided in this section Training labs will be used to provide practical experience Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course Assessments A 15 question multiple choice exam is taken at the end of the course Education Curriculum 16
  • Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows 2000 with J2SE Developer Kit of at least 1.4.2. and Eclipse 3.2.2 Education Curriculum 17
  • 10.0 Web Application Security Testing Delivery Method: Instructor-led Duration: 5 Day Course including hands-on labs Audience Web Testers Prerequisite Knowledge/Skills Functional testing knowledge as well as a basic understanding of how applications work. No prior security testing experience is required. Course Description This course is an intensive deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common web application vulnerabilities, testing techniques and tools by a professional security tester. The course will culminate in a full day guided penetration test in which the students will execute security test cases on one of their own applications with the help of the instructor. The use of one of the organization’s applications has the benefit of easing the transition of knowledge and techniques from classroom back into every day practice for the participants as well as providing the organization with a partial penetration test of an application. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Build a threat model driven security test plan Quickly Identify the riskiest areas of an application Perform a high-level security assessment on their application. Integrate security test cases and tools as part of their test suites Report findings in a comprehensive manner in order to enable timely remediation Detailed Course Outline Introduction to Software Security Security in the System Development Lifecycle Thinking Like a Security Engineer Enumerating the Attack Surface What is an Attack Surface? Standard Application Attack Vectors  GET and POST  Header  Cookies  Tools: Man-in-the-Middle Proxies Extending the Application  Web 2.0 and Web Services Beyond the Application  Server Fingerprinting  Port Scanning  Tools: HTTPrint, NMap, etc Education Curriculum 18
  • More Tools and Techniques  Google Hacking  Nessus  TamperData  Spidering  Scripting (Python) Common Weaknesses Data Leakage Attacks  Sniffing  Decompiling of Client-side code  Probing the Application through Error Reporting  WSDL Scanning Modification of Assumed Immutable Data (MAID)  Direct Request (Forced Browsing)  Path Traversal  Parameter Tampering (Hands On!) Incorrect Resource Transfer Between Spheres  Bypassing Client-side Enforcement of Security  Unrestricted File Upload Injection Attacks  SQL Injection (Hands On!)  Cross-site Scripting (XSS) (Hands On!)  HTTP Response Splitting  XPath, XQuery and XML Injection (Hands On!)  AJAX Code Injection  Recursive XML Payload  Buffer Overflow Exploiting Authentication  Insufficient Session Timeout  Session Hijacking/Replaying  Session Fixation  Session Riding/Cross-site Request Forgery (XSRF) Threat Based Testing Threat Modeling  Decomposing the Application  Identifying Threats and Building Threat Trees  Identifying Mitigations and Vulnerabilities Threat Based Test Plans  Building Test Plans from the Threat Tree  Test Execution and Coverage Issue Reporting and Tracking  Reproducing Vulnerabilities  Reporting Business Impact  Defining Criticality Boot Camp Participants will spend the last day of the putting what they have learned to use on a test version of the application on which they work daily. The instructor will act as a mentor and experienced resource as they embark on their first security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization. Education Curriculum 19
  • 11.0 How to Break Software Security Delivery Method: Instructor-led Duration: 2 Day Course including hands-on labs 1 Day Course, Lecture Only Audience This course is intended for testers. Prerequisite Knowledge/Skills This course requires functional testing knowledge as well as a basic understanding of how applications work Course Description Learn how to recognize potential security holes before attackers do! This course is designed to give testers and developers the tools , techniques and mindset they need to find security problems before their application is released Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Conduct attacks to uncover security vulnerabilities Recognize where attacks are applicable Identify the symptoms of security vulnerabilities Modules Covered Introduction This section describes why security bugs are different from functional bugs in software; the students will gain an understanding as to why security bugs are usually missed during functional testing and learn to recognize symptoms of insecure software behavior The Four Classes of Security Vulnerabilities In this section participants learn what a security bug really is and the four basic classifications of security vulnerabilities. Assessing Risk This section will help the students learn to identify the threats to their application An Overview of the Methodology of How to Break Software Security This section describes how to determine which security attacks apply to their application and learn how to quickly develop security test cases for each attack, tailored to their application. Attacking Dependencies In this section the students will learn different techniques allowing them to test and ensure the securely response of their application under different, simulated, dependency failures. Attacking through the User Interface In this section the students will learn testing techniques to expose security vulnerabilities in their software through the user interface. Attacking Design This section will provide the students with techniques to expose vulnerabilities that can creep into an application at the design stage. Education Curriculum 20
  • Attacking Implementation In this section students will learn techniques that can be used to expose vulnerabilities that exist because of implementation errors. Training labs will be used to provide practical experience (in the 2-day version of this class) Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. Windows XP (preferred) or 2000 with .NET frameworks v2.0 and MS Office Education Curriculum 21
  • 12.0 How to Break Web Software Delivery Method: Instructor-led Duration: 2 Day Course including hands-on labs 1 Day Course, Lecture Only Audience This course is intended for web application testers. Prerequisite Knowledge/Skills This course requires functional testing knowledge as well as a basic understanding of how applications work Course Description This course outlines a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP to 10, looking at 19 specific web application attacks including attacking the client, state, data and the server. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Conduct attacks to uncover security web application vulnerabilities Recognize where attacks are applicable Identify the symptoms of security vulnerabilities for web applications Modules Covered Gathering information on the target In this section the students will learn how web applications are built and what attacks are applicable for this type of applications. Attacking the client In this section students will learn different client based attacks such as Bypass and Client side validation Attacking State In this section students will learn why state is important and different stated based attacks such as Cgi parameters and Cookie Poisoning Attacking Data In this section students will learn different data based attacks such as Cross-site scripting and SQL Injection. Attacking the server In this section students will learn different server based attacks such as SQL injection II – stored procedures and Command injection Privacy This section provides the students with an introduction to privacy: who you are, where you have been; as well as different data gathering methods. Web services In this section we introduce participants to web services and discuss common attacks Training labs will be used to provide practical experience (in the 2-day version of this class) Education Curriculum 22
  • Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments A 15 question multiple choice exam is taken at the end of the course Corporate Requirements Classroom setup with: At least one PC for 2 students Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking. No OS requirements. Text editor of choice Localhost proxy: paros, or webscarab Education Curriculum 23
  • 13.0 Security Testing Boot camp Delivery Method: Instructor led Duration: 2 Day practical session Audience This course is intended for testers. Prerequisite Knowledge/Skills This course can only be followed after the successful completion of one of the following courses: - How to Break Software Security - How to Break Web Software Course Description This course is unique in the security industry. Rather than learning through lecture and general hands on labs, this course walks the students through the security issues of one of the actual applications that they are responsible for testing on a daily basis. Course Objectives Upon completion of this class, participants will be able to: Quickly Identify the riskiest areas of an application Perform a high-level security assessment on their application. Integrate security test cases as part of their test suites Boot Camp set up Pre-Course Self Study and Nightly Assignments Students will need to complete required reading and analyze how specific security issues correspond to their area of testing focus of the application Security Briefings Each morning will start with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately implemented against the application and throughout the day-long deep security testing sessions. Application-specific Security Testing Several days of intense hands-on assessment of the application is performed by the students. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product they typically perform QA testing. Deliverables No specific deliverables are provided for this class Assessments No assessment is provided for this class Corporate Requirements To achieve the required results, your company needs to provide access to a developer knowledgeable of the entire application, the complete threat model as well as details on past defects discovered in the application. This will enable a strategic attack plan to be created prior to the course that will be discussed and explained during the class. Additionally, your company needs to make sure the students do all pre-course reading and all nightly assignments. This will be an intense several days of security education and testing that will push each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered with special prizes to the top three teams based on the number and severity of the security bugs they find. Education Curriculum 24
  • 14.0 Introduction to the Microsoft Security Development Lifecycle (SDL) Delivery Method: Instructor-led Duration: 1 hour Audience This course is designed for all members of development teams which are adopting Microsoft’s Security Development Lifecycle. Prerequisite Knowledge/Skills This course requires some understanding about general software development lifecycles Course Description In order to help teams adopt the best practices which are parts of the Security Development Lifecycle (SDL) this course provides an overview of what the SDL is and how it can be used by your team to produce solutions which meet a higher security quality standard. Course Objectives Upon completion of this seminar participants will be able to: Understand the need to address security at all phases of software development Understand the benefits of adopting the SDL Be able to identify the best practices from the SDL not currently in place at the organization Modules Covered Applications Under Attack This section describes the need for application security and provides a look at the impact of application vulnerabilities. Origins of the Microsoft SDL This section describes the evolution of security at Microsoft and how the SDL came to be. What is Microsoft doing about the threat? This section describes Microsoft’s process improvement initiative as well as the best practices associated with each phase of the lifecycle in the SDL. Measurable improvements at Microsoft This section provides evidence of the positive impact the SDL has had internally at Microsoft. Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 25
  • 15.0 Introduction to Microsoft SDL Threat Modeling Delivery Method: Instructor-led Duration: 2 hour Audience This course is designed for members of development teams which are adopting Microsoft’s Security Development Lifecycle and are looking to add the Threat Modeling exercise to their design phase activities. Prerequisite Knowledge/Skills This course requires some understanding of how applications are designed. Course Description In order to help teams adopt the best practice of threat modeling which is part of the Security Development Lifecycle (SDL) this course provides an overview of what Threat Modeling means in the context of the SDL. It is designed to teach how to Threat Model using the Microsoft process which is part of the SDL. Course Objectives Upon completion of this seminar participants will be able to: Understand the importance of early lifecycle security best practices such as Threat Modeling Understand the benefits of creating Threat Models of your software Be able effectively produce a Threat Model of your software Modules Covered Introduction and Goals This section explains the importance of the Threat Modeling activity and how it relates to creating secure software. The SDL Approach to Threat Modeling This section walks the participant through the process of Threat Modeling as it is defined in the SDL. This step by step instruction will allow participants to quickly gain and understanding of how to go about building threat models of their software. Exercise The exercise module allows participants to attempt creation of a threat model using the newly learned techniques from this course. Demo The demo module is an opportunity for the instructor to introduce the participants to Microsoft’s Threat Modeling Tool. This free tool makes the process of building threat models more efficient. Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 26
  • 16.0 Privacy in Software Development Delivery Method: Instructor-led Duration: 2 hours Audience This course is designed for anyone involved in the development of software or services. Prerequisite Knowledge/Skills This course requires some understanding about general software development. Course Description This course is designed to provide an introduction to privacy guidelines for developing software and services. Course Objectives Upon completion of this seminar participants will be able to: Understand the basics of Privacy Understand the need to address privacy in software development Be able to effectively drive privacy compliance within the software development team Modules Covered Privacy Basics This section builds an understanding of the basic concepts associated with privacy. This includes a comparison and contrasting between Privacy and Security. Privacy Guidelines for Developing Software and Services This section provides definition of common privacy concepts such as Notice and Consent. This is done through the use of nine common software scenarios. Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 27
  • 17.0 Quarterly Security Brown-Bag Delivery Method: Instructor-led Duration: 2 hours Audience This seminar can be tailored to managers or technical teams depending on teams. Prerequisite Knowledge/Skills This seminar requires a reasonable level of application security awareness Course Description To ensure that security awareness remains foremost in employees’ minds, that development and testing techniques have been internalized, and to enable any ongoing questions to be answered, we offer a quarterly “brown-bag” web, live presentation or via conference call. Course Objectives Upon completion of this seminar participants will be able to: Apply new knowledge about a specific current security issue, technology or compliance standard Strengthen the ongoing security development process Strengthen the ongoing testing efforts Modules Covered The content from this course is based on current security issues, technologies or standards based on customer needs. Deliverables This course is supported by a PowerPoint presentation; a hand-out of which is presented to the students at the beginning of the course. Assessments No assessment is provided for this course Corporate Requirements Classroom setup Education Curriculum 28
  • 18.0 PCI Boot Camp for Software Development Teams Delivery Method: Instructor-led Duration: 4 Days Audience This course is intended for software development teams (architects, developers, testers/QA, and managers) who build software application that need to comply with the PCI-DSS (Payment Card Industry Data Security Standard.) Also appropriate for PCI / PA DSS Auditors, PCI Compliance Consultants and Researchers, Project Managers, IT Security Consultants, and anyone who is involved with the Application Development Lifecycle Prerequisite Knowledge/Skills This course requires functional development and testing knowledge as well as a basic understanding of how applications work. No prior security experience is required, nor do the members need to know about PCI-DSS. Course Description This course is an intensive deep-dive into the world of application security and PCI. It is designed to walk architects, developers, testers, and managers through application security as it pertains to the PCI-DSS. Topics covered include: Software Applications - Common Threats Primer on Web Application Security Overview of OWASP Top Ten Vulnerabilities Secure Coding Principles (web and non-web) Best Practices for Input and Output Validation Web Application Software Testing Best Practices Hands-on labs and simulation of web application attack scenarios The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to the common software application vulnerabilities as well as secure development and testing techniques. The course introduces tools (both commercial and free) and is taught by a professional security expert and PCI QSA (Qualified Security Assessor.) The course can be customized for specific audiences, e.g., software developers, testing/deployment, etc. Each segment culminates with instructor-led lab exercises in which the students will execute security coding and/or test cases on sample applications. For a customization twist, clients can also choose to have one of their own applications as the application under test. The use of an organization-chosen application has the benefit of easing the transition of knowledge and techniques from classroom back into every day practice for the participants. Course Objectives Upon completion of this class, participants will be able to: Identify why software security matters to their business Build a threat model driven security test plan Quickly Identify the riskiest areas of an application Perform security assessments on software applications (code “white box” and/or as-built “black box” testing) Map security activities to PCI requirements and understand how to validate compliance to the standard(s) Deliverables This course is supported by a PowerPoint presentation and course material which is handed to students in-class Corporate Requirements Classroom setup with: A projector and whiteboard for the instructor One PC per participant VMWare Player on each participant machine to run provided VirtualMachine Connection to a test version of an application with which the participants are familiar for final day of course Education Curriculum 29
  • Detailed Course Outline Introduction to Software Security What is Security? Why Security Matters Thinking Like a Security Engineer Introduction to PCI-DSS Overview of the PCI requirements Overview of the PCI audit procedures relevant to software applications  Deep dive into requirements 3 and 6 Understanding and applying testing techniques to validate compliance Challenging Security Misconceptions All software applications have bugs Client-side security does not exist QA is not security testing Tools are not solutions Patches do not guarantee security Compliance does not equate to security Fundamentals of Security in the SDLC The anatomy of an attack Thinking like the attacker: Threat Modeling Common coding errors and how to exploit them Defensive design and coding principles Examples of security for C, C++, .NET, and Java applications Common Weaknesses and Vulnerabilities OWASP TOP 10 Threat-model-driven testing  Threat Based Test Plans  Issue Reporting and Tracking: Reproducing Vulnerabilities, Reporting Business Impact, and Defining Criticality Going Beyond OWASP – Logic flaws and non-web Applications  Data Protection Mechanisms (crypto and more)  Injection Attacks (not just SQL!)  Fuzz Testing and other Tools  Exploiting Authentication Putting it all together Mapping PCI to your day-to-day activities as an Architect, Developer and/or Tester Understanding the business impact of insecure software (beyond just PCI compliance) Boot Camp The participants will spend time putting what they have learned to use on a test version of the selected application. The instructor will act as a mentor and experienced resource as they embark on an interactive security test engagement. The use of the organization’s application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization. Education Curriculum 30