Your SlideShare is downloading. ×
Security Education Catalog
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Security Education Catalog

52
views

Published on

Published in: Technology, Education

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
52
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Security Education Catalogue
  • 2. SECURITY EDUCATION CATALOGUE INTRODUCTION The human factor—what employees do or don’t do—is the biggest threat to an organization’s information security, yet it’s often the most overlooked. Whether they are swiping credit cards, handling clients’ personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data—if you do not help them learn to protect it. Arm yourself with security education for staff and partners. Use this catalogue to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions, reach out to your Trustwave account manager or use the “Contact Us” section of the Trustwave website.
  • 3. Table of Contents Security Awareness Education (SAE)____________________________ 2 • SAE Course Catalogue_______________________________________ 3 • Security Awareness Course Builder ____________________________ 6 • SAE Print Material___________________________________________ 7 • Banking Security____________________________________________ 8 Secure Development Training (SDT)_____________________________ 9 • SDT Course Catalogue______________________________________ 10 • Secure Development Course Bundles__________________________ 16
  • 4. SECURITY EDUCATION CATALOGUE Security Awareness Education (SAE) Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security awareness training course will be set up and what additional print-based materials you would like to order to reinforce your program all year round. This section is designed to help guide you through these options and choose the program that is right for you and your organization. SAE Course Catalogue Use these pages to browse our growing library of security awareness lessons. Categorized by areas of interest, each lesson’s catalogue code, topic and objectives are listed here to help you decide which topics are most appropriate for your target audience(s). Most lessons are available in English, Spanish, Portuguese, French and Swedish. You may also view all of our lessons in the Trustwave SAE Portal itself - contact your Trustwave account manager if you would like to receive a free trial account on our service. SAE Custom Course Builder This page lists the lessons included in each of our course offerings for the most common types of organizational roles targeted for security awareness training. If these combinations don’t fit your organization’s needs just right, or you’d like to include additional materials such as quizzes or your organization’s own information security policies as part of the course, use the interactive spaces at the bottom of the page to identify the contents of the course(s) you would like us to build. SAE Pamphlets Do you employ cashiers and servers who do not have ready access to computers at work? Do you hire temporary workers whose schedules don’t allow much time for training? No problem. Instead of enrolling this population in our online service, you can order our security awareness training pamphlets suitable for front-line workers. The content of the brochures is the same as what is included in our online course. Pamphlets are currently available in English, Spanish and Portuguese. SAE Posters Often, organizations administer a formal security awareness training only once per year. Including SAE posters in your office environment helps keep employees aware of their security responsibilities year-round. 2
  • 5. SAE Course Catalogue Each course in your Security Awareness Education (SAE) program can be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial account on the Trustwave SAE Portal, contact your Trustwave account manager for more information. Compliance Overviews COM lessons cover the basic principles of various compliance standards mandating training and other information security measures. Lesson Name Lesson Objectives COM-01 PCI Overview Recognize how the Payment Card Industry (PCI) self-regulates to protect cardholder data. • Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications. • Recognize the cycle of a credit card transaction. • Describe the PCI regulatory environment and recognize high level compliance requirements. COM-02 HIPAA Overview Recognize how U.S. HIPAA and HITECH laws protect the privacy and security of protected health information (PHI). • Recognize key HIPAA and HITECH stakeholders. • Recognize the purpose and scope of HIPAA privacy and security rules. • Describe the HIPAA regulatory environment and recognize high level compliance requirements. # Core Concepts # COR-01 COR-02 Supporting Objectives COR lessons cover basic security awareness concepts that all employees should understand. We recommend including these 5-minute lessons for all your staff. Lesson Name Lesson Objectives Introduction to Security Awareness Demonstrate basic knowledge of security awareness. • Define security awareness and recognize the importance of protecting information. Social Engineering Define social engineering and recognize common threats to information security and how to avoid becoming a victim. • Define social engineering, recognize who is at risk of becoming victims and list the types of information targeted by social engineers. • List the most common channels for social engineering, and recognize popular ploys. • List best practices to avoid becoming a victim of social engineering. SECURITY AWARENESS TOPICS Supporting Objectives SAT lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities. # Lesson Name Lesson Objectives SAT-01 Physical Security Define physical security, recognize common threats and list best practices. • Define physical security, recognize the importance of physical security and list the information at risk. • Recognize common attacks on physical security. • Recognize physical security vulnerabilities and best practices for securing your workplace. PC Security Define PC security, recognize common threats and list best practices. • Define PC security and recognize the risks of leaving your computer unprotected. • List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk. • List and describe critical PC security measures and best practices. Email Security Define email security, recognize common threats and list best practices. • Define email security and recognize the risk to information security if secure email practices are not in place. • Recognize the most common email scams and the measures you can take to avoid becoming a victim. • List best practices for using email securely. SAT-02 SAT-03 Supporting Objectives 3
  • 6. SECURITY EDUCATION CATALOGUE # Lesson Name Lesson Objectives SAT-04 Password Security Define password security, recognize common threats and list best practices. • Define password security and recognize the importance of keeping passwords protected. • List the ways password protection may be used to keep information secure. • List basic rules for building a strong password and recognize best practices for effective password use. SAT-05 HIPAA Overview Define Web browsing security, recognize common threats and list best practices. • Define Web browsing security and recognize the risks of visiting unknown and unsecure websites. • List the most common Web security threats and recognize how you may put your organization’s information at risk. • List and describe best practices for browsing the Web securely. SAT-06 Mobile Device Security Define mobile device security, recognize common threats and list best practices. • Define mobile device security and recognize the risks of leaving your device unprotected. • Recognize common mobile device attacks and user mistakes that put information at risk. • List and describe common mobile device security measures. BEST PRACTICES FOR JOB ROLES Supporting Objectives JRT lessons target specific job roles within an organization. Each course may contain one JRT lesson to cover best practices for the target role. Lesson Name Lesson Objectives JRT-01 Secure Practices for Retail Associates Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment. • Recognize the information security responsibilities of retail associates and the related laws and regulations that impact the retail environment. • List and describe information security responsibilities and best practices of retail associates. JRT-02 Secure Practices for Retail Managers Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment. • Recognize the security responsibilities of retail managers or owners and the information security laws and regulations that impact the retail environment. • List and describe information security responsibilities and best practices of retail managers. JRT-03 Secure Practices for Call Center Employees Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure. • Recognize the information security laws and regulations that impact the call center environment. • Recognize the responsibility of call center employees to protect the information they work with each day. • List and describe the information security responsibilities and best practices of call center employees. JRT-04 Secure Practices for Call Center Managers Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center. • Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment. • List and describe information security responsibilities and best practices of call center managers. JRT-05 Secure Practices for Enterprise Employees Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure. • Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment. • List and describe information security responsibilities and best practices of enterprise employees. Secure Practices for IT and Engineering Staff Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure. • Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibility of personnel to protect the information they work with each day. • List and describe the information security responsibilities of IT and engineering staff. • List best practices for IT and engineering staff to help keep information secure. # JRT-06 4 Supporting Objectives
  • 7. ADVANCED SECURITY TOPICS # Lesson Name ADV lessons cover a wide range of topics for managers and technical personnel. Lesson Objectives Supporting Objectives ADV-01 PCI Forensic Investigations Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated. • Identify common ways breaches are discovered and the high level steps employees should take if a breach is discovered. • Describe the Trustwave PCI forensic investigation process and a breached organization’s responsibility to report and remediate security deficiencies. • Recognize common security threats and the importance of continuous compliance to protect against them. ADV-02 Exploring Security Trends Recognize key findings of Trustwave’s annual Global Security Report and list ways to improve security this year based on last year’s trends. • Recognize the purpose and contents of Trustwave’s Global Security Report. • Recognize key findings of the current Global Security Report. • List security best practices that help organizations avoid the security pitfalls of last year. 5
  • 8. SECURITY EDUCATION CATALOGUE Security Awareness Course Builder Po Do licy cu me n iz Qu AD V-0 2 AD V-0 1 JR T-0 6 JR T-0 5 JR T-0 4 JR T-0 3 JR T-0 1 JR T-0 2 BA N01 BA N0 BA 2 N03 SA T-0 5 SA T-0 6 SA T-0 4 SA T-0 3 SA T-0 1 SA T-0 2 R02 R01 CO CO M02 CO CO M01 t This page lists the lessons included in our basic Security Awareness Education courses. These courses are targeted to common roles that fit most organizations’ needs. Select the course(s) that fit your target audience(s) by clicking inside the box beside it, or build your own course using the blank spaces below. Descriptions of each lesson in our library can be found in the SAE Course Catalogue. Security Awareness for Retail Associates Security Awareness for Retail Managers Security Awareness for Call Center Employees Security Awareness for Call Center Managers Security Awareness for Enterprise Employees Security Awareness for IT and Engineering Staff Security Awareness for Health Care Workers Security Awareness for Bank Workers Create your Own 6 Use this section to mix and match lessons to build up to five courses of your own. Just use the interactive checkboxes below to select course content.
  • 9. SAE Print Material POSTERS Augment your Security Awareness Education with posters specific to your target audience. Click the check box to select the poster(s) you want. Use the “total” field to specify how many of each poster you want. Posters are available only in English. Contact your Trustwave account manager if you have questions. Retail Total: Total: Total: Call Center Total: Total: Total: Office Total: Total: Total: Total: Total: Total: Total: Web Total: Total: Total: SAE Pamphlets Trustwave’s SAE Pamphlets are perfect for employees who do not have ready access to computers at work, or a lot of time to devote to training. The pamphlets can be cobranded to include your logo and company name, and are available in English, Spanish and Portuguese. Use the “total” field to specify how many pamphlets you would like to order. Each pamphlet consumes a single SAE license. Total: 7
  • 10. SECURITY EDUCATION CATALOGUE Banking Security Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While you are taking steps to protect their customers from identity theft and financial crimes, customers themselves must also implement security best practices when accessing online banking on their personal or business computers. Providing resources to customers to educate them about best practices for securing their information online demonstrates your commitment to securing your customers’ information, improves security for you and your customers and helps satisfy FFIEC requirements for customer education. BANKING SECURITY BAN lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances. Lesson Name Lesson Objectives BAN-01 Online Banking Security Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats. • Recognize ways information is stolen from online accounts. • Recognize the monetary risk of security incidents and the top attack targets used by criminals. • Describe how banks and their customers work together to protect valuable information. BAN-02 Protecting Online Accounts for Businesses Recognize a business’s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so. • Recognize a business’s role in keeping their sensitive information secure online. • List best practices for businesses to use to protect their sensitive information. BAN-03 Protecting Online Accounts for Consumers Recognize the individual’s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so. • Recognize an individual consumer’s role in keeping their sensitive information secure online. • List best practices consumers can use to protect their sensitive information. # 8 Supporting Objectives
  • 11. Secure Development Training (SDT) Trustwave offers a suite of Web-based technical courses that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the courses that is most relevant to them, or to give them access to the full suite of Secure Coding Design courses we offer. Whichever option you select, this section will help you decide which course(s) are right for your staff. Secure Development Course Catalogue Use these pages to browse our library of Secure Development courses. Categorized by the stages of the software development life cycle, each course’s catalogue code, topic and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s). Secure Development Course Builder This page defines the course bundles available to SDT customers. Use this worksheet to note which courses you would like to offer to your staff. 9
  • 12. SECURITY EDUCATION CATALOGUE SDT Course Catalogue SECURITY AWARENESS AND PROCESS COURSES # Lesson Name Lesson Objectives Time Supporting Objectives AWA 101 Fundamentals of Application Security Upon course completion, students will be able to understand and recognize threats to applications, leverage the OWASP top 10 list to create more secure Web applications and conduct specific activities at each development phase to ensure maximum hardening of your applications. AWA 102 Protecting Online Accounts for Businesses By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work. 1 hour • Basic knowledge of software development processes and technologies. AWA 103 Six Fundamentals of Information Security By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work. 1 hour • None AWA 104 Fundamentals of the PCI-DSS This course is designed to meet the PCI-DSS requirement and will provide such awareness as well as an basic understanding of each of the PCI-DSS requirements addressing cardholder data security. 1 hour • None AWA 105 Fundamentals of Security Awareness - Mobile and Social Media This security awareness course focuses on how sensitive data and confidential information can be compromised with the use of social media and mobile devices by today’s work force. Using a fun and interactive computer based format, the viewer is made aware of the risks associated with these technologies, and how to use them safely. 30 minutes • None 2 Hours • Understanding of the software development lifecycle and technologies; basic understanding of software security. SECURITY ENGINEERING COURSES # Lesson Name Lesson Objectives Time Supporting Objectives ENG 102 Introduction to the Microsoft SDL The goal of this course is to help students understand and identify the Security Development Life Cycle (SDL) requirements for building and deploying secure software applications. The course demonstrates the benefits teams gain by following the SDL, and it provides managers with information regarding their role and responsibilities in ensuring the team follows the SDL. ENG 201 SDLC Gap Analysis and Remediation Techniques Upon completion of this course, the participant will be able to identify the benefits of the Security Development Lifecycle, recognize the importance of the Final Security Review, follow the necessary steps to meet SDL requirements and identify the appropriate tools required by the SDL. 1 hour • Knowledge of the software development lifecycle. ENG 211 How to Create Application Security Design Requirement This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle. 45 minutes • Introduction to the Microsoft SDL (ENG 102), Fundamentals of Application Security (AWA 101). ENG 301 How to Create an Application Security Threat Model This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle. 1 hour • Fundamentals of Application Security (AWA 101). 10 1 hour • Knowledge of the software development lifecycle.
  • 13. ENG 311 Attack Surface Analysis and Reduction In this course, students will learn to identify the goals of threat modeling and the corresponding SDL requirements, identify the roles and responsibilities involved in the threat modeling process, recognize when and what to threat model and identify the tools that help with threat modeling. Students will also learn to use the threat modeling process to accurately identify, mitigate and validate threats. ENG 312 How to Preform a Security Code Review Course provides an understanding of the goals and methodologies of attackers, identification of attack vectors and how to minimize the attack surface of an application. ENG 391 How to Create an Application Security Threat Model for Embedded Systems This course provides students with guidance on how to best organize code reviews, prioritize those code segments that will be reviewed, best practices for reviewing source code and maximize security resources. 1 hour • Fundamentals of Secure Architecture (DES 101), How to Create Application Security Design Requirements (ENG 211), How to Create an Application Security Threat Model (ENG 301), Creating Secure Code – ASP.Net (COD 311) OR C/C++ (COD 312) OR J2EE (COD 313). ENG 392 Attack Surface Analysis and Reduction for Embedded Systems This course module provides additional training on How to Create an Application Security Threat Model of particular importance to embedded software engineers. It includes mapping of content to specific compliance and regulatory requirements, links to key reference resources that support the topics covered in the module and a “Knowledge Check” quiz that assesses mastery of key concepts. 30 minutes • How to Create an Application Security Threat Model (ENG 301). ENG 393 How to Perform a Security Code Review for Embedded Systems This course module provides additional training on Attack Surface Analysis and Reduction of particular importance to embedded software engineers. 30 minutes • Attack Surface Analysis and Reduction (ENG 311). Secure DESIGN # 1 hour • Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212). 1 hour • Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212). DES courses cover topics in secure software architecture and design, to help plan security into applications before any code is written. Lesson Name Lesson Objectives Time Supporting Objectives DES 101 Fundamentals of Secure Architecture Understand the state of the software industry from a security perspective, by learning from past software security errors and how to avoid repeating those mistakes. They will also be able to recognize and use confidentiality, integrity and availability (CIA) as the three main tenets of information security. DES 211 OWASP Top 10 - Threats and Mitigations Recognize best practices for understanding, identifying and mitigating the risk of vulnerabilities and attacks within the OWASP Top 10. 2 hour • None DES 212 Architecture Risk Analysis and Remediation Recognize concepts, methods and techniques for analyzing the architecture and design of a software system for security flaws. 1 hour • Fundamentals of Secure Architecture (DES 101). DES 213 Introduction to Security Tools and Technologies This course is designed to educate architects and developers on the technologies available to create more secure systems. 2 hour • Fundamentals of Security Testing (TST 101). DES 301 Introduction to Cryptography Recognize the problems that cryptography can address, the threats that apply to two communicating parties, the appropriate cryptographic solutions to mitigate these threats, and how to describe the mechanisms behind cryptographic protocols. Learners will also be able to recognize how to follow cryptographic best practices and locate cryptography resources. 1 hour • Fundamentals of Secure Development (COD 101). • Architecture Risk Analysis and Remediation (DES 212). DES 311 Creating Secure Application Architecture Recognize key security principles that can be used to improve the security of application architecture and design. Demonstrate how to apply defenses to harden applications and make them more difficult for intruders to breach, reducing the amount of damage an attacker can accomplish. 2 hours 1 hour • None • Fundamentals of Secure Architecture (DES 101). • Architecture Risk Analysis and Remediation (DES 212). 11
  • 14. SECURITY EDUCATION CATALOGUE Secure Coding # COD courses cover security topics in the implementation stage of the software development life cycle, when code is actually being written. Lesson Name Lesson Objectives Time Supporting Objectives COD 101 Fundamentals of Secure Development Recognize the latest trends in software security, as well as the importance of software security for business. Demonstrate how to perform threat modeling to identify threats proactively, create threat trees for application components, use threat tress to find and classify vulnerabilities and perform risk analysis and prioritize security fixes. COD 110 Fundamentals of Secure Mobile Development This course introduces some of the common mobile application risks and the best development practices that you should follow for development to overcome risks. The course also explains how to create a mobile application threat model. 2 hours • None COD 111 Fundamentals of Web 2.0 Security This course introduces you to the fundamentals of secure Web 2.0 development. The course begins with a discussion about Web 2.0, its evolution, and the technologies behind it. The course describes common Web 2.0 attacks that can cause significant loss to organizations. It reviews the best practices that you should incorporate to mitigate the risks from Web 2.0 attacks, as well as practices to avoid. The course concludes with a walk-through of a software system scenario that can help you better understand Web 2.0 attacks and apply the best practices discussed in the course. 2 hours • None COD 201 Fundamentals of Secure Database Development This course will demonstrate database development best practices for software architects and developers. 2 hours • Fundamentals of Secure Development (COD 101). COD 211 Understanding Secure Code - JRE Recognize and remediate common Java Web software security vulnerabilities. Define data leakage, injection attacks, client/server protocol manipulation attacks, and authentication exploitations and mitigate these security vulnerabilities. 1 hour • Fundamentals of Secure Development (COD 101). COD 212 Understanding Secure Code - C/C++ Recognize how to write secure code in C/C++ for Windows and Unix platforms, robust code development and secure socket programming. Demonstrate how to apply time-tested defensive coding principles to develop secure applications. Recognize the nine defensive coding principles and how to use them to prevent common security vulnerabilities. 75 minutes • Fundamentals of Secure Development (COD 101). COD 213 Understanding Secure Code - Windows 7 Define Windows 7 security features and build applications that leverage Windows 7’s builtin security mechanisms. 2 hours • Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7. Understanding Secure Code - .NET 4.0 Recognize .NET 4.0 security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. Recognize security changes in .NET 4.0 including level 2 security transparency, the new sandboxing and permission model, introduction of conditional APTCA and changes to evidence objects and collections. Define secure coding best practices that will enable students to build more secure applications in .NET 4.0. 2 hours • Fundamentals of Secure Development (COD 101). COD 215 12 1 hour • None
  • 15. # Lesson Name Lesson Objectives Time Supporting Objectives COD 216 Understanding Secure Code - NET 2.0 Define .NET 2.0 security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. Recognize secure coding best practices that will enable students to build more secure applications in .NET 2.0. 2 hours • Fundamentals of Secure Development (COD 101). COD 217 Creating Secure Code iPhone Foundations Learn to develop and deploy secure iPhone applications by leveraging Apple’s security services and following Web application secure coding best practices. 1 hour • Fundamentals of Secure Mobile Development (COD 110). COD 218 Creating Secure Code Android Foundations Learn to develop secure Android applications by applying Android-specific secure development best practices and techniques. The course emphasizes key Android security features that can help you prevent common application vulnerabilities. 90 minutes • Fundamentals of Secure Mobile Development (COD 110). COD 221 Web Vulnerabilities Threats and Mitigations Recognize, avoid and mitigate the risks posed by Web vulnerabilities. Define the most common and recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request forgery attacks. Demonstrate how to avoid and/or mitigate Web vulnerabilities using real-world examples. 1 hour • Creating Secure Code – J2EE Web Applications (COD 313) OR Creating Secure Code – ASP. NET (COD 311). COD 222 PCI Best Practices for Developers Recognize application security issues within the PCI DSS and best practices for addressing each requirement. Recognize how addressing the PCI DSS requirements during the design and build stages of the development life cycle will improve application security and will simplify compliance. 1 hour • Fundamentals of Secure Architecture (DES 101). COD 231 Introduction to CrossSite Scripting - With JSP Examples Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities. 20 minutes • Basic knowledge of Web technologies, and Java Server Pages (JSP). COD 232 Introduction to Cross-Site Scripting - With ASP.NET Examples Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences and apply secure coding best practices to prevent cross-site scripting vulnerabilities. 20 minutes • Basic knowledge of Web technologies, and Java Server Pages (JSP). Creating Secure Code ASP .NET Demonstrate the development of secure web applications in C#. Recognize common web application vulnerabilities and demonstrate ways to avoid those vulnerabilities in C# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this class, participants will be able to recognize the need to follow secure coding best practices, follow secure coding best practices and locate additional resources on secure coding best practices for ASP.NET. 4 hours • Understanding Secure Code - .Net 4.0 (COD 215). Creating Secure Code C/C++ Define application security risks and secure coding standards for C and C++ applications, and the different types of errors that can be introduced while coding. Recognize the importance of detecting these errors and remediating them as early as possible to avoid security issues. Define real-world best practices and techniques, and static analysis tools to detect and resolve security vulnerabilities in code. 90 minutes • Understanding Secure Code – C/C++ (COD 212). COD 311 COD 312 13
  • 16. SECURITY EDUCATION CATALOGUE # Lesson Name Lesson Objectives Time Supporting Objectives COD 313 Create Secure Code J2EE Web Applications Demonstrate development of secure web applications in Java. Recognize common web application vulnerabilities and define ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this course, participants will be able to recognize why software security matters to their business, recognize the root causes of the more common vulnerabilities, identify the symptoms of common vulnerabilities and use security best practices to prevent common vulnerabilities. COD 314 Creating Secure C# Code This course will provide a deep understanding of application security risks and secure coding standards for C# applications. The main lesson guides students through the concepts underlying the coding principles and illustrates real-world best practices and techniques and the labs allow students to test what they have learned 3 hours • Understanding Secure Code - .NET 4.0 Foundations (COD 215) COD 315 Creating Secure PHP Code This course introduces best practices for developing secure PHP code. The course also identifies common PHP vulnerabilities that attackers can exploit to gain access to critical information. In addition, the course explains mitigation techniques that you can use to avoid common PHP vulnerabilities and write secure code. 2 hours • Fundamentals of Secure Development (COD101) COD 321 Creating Secure Code Oracle Foundations This course provides the student with an understanding of the scope and requirements of database security as well as the risks presented by insecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks. 2 hours • Fundamentals of Secure Database Development (COD 201) COD 322 Creating Secure Code SQL Server Foundations This course provides the student with an understanding of the scope and requirement of database security as well as the risks presented by unsecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks. 90 minutes • Fundamentals of Secure Database Development (COD 201) COD 411 Integer Overflows - Attacks and Countermeasures An integer overflow is a programming error that can severely impact a computer system’s security. Due to the subtlety of this bug, integer overflows are often overlooked during development. This course covers the security concepts, testing techniques and best practices that will enable students to develop robust applications that are secure against integer overflow vulnerabilities. 1 hour • Basic understanding of the C, C++, and C# programming languages. COD 412 Buffer Overflows - Attacks and Countermeasures Recognize how to avoid and mitigate the risks posed by buffer overflows. Recognize protections provided by the Microsoft complier and the Windows operation system, and advice on how to avoid buffer overflows during the design, development and verification phase of the software development life cycle. 2 hours • Basic knowledge of Windows programming and memory management in Windows. 14 2 hours • Understanding Secure Code – JRE (COD 211)
  • 17. Security Testing # TST courses cover topics in testing software for security flaws and remediating defects before release. Lesson Name Lesson Objectives Time Supporting Objectives Fundamentals of Security Testing Define security-testing concepts and processes that will help students analyze an application from a security perspective and to conduct effective security testing. Recognize different categories of security vulnerabilities and the various testing approaches that target these classes of vulnerabilities. Several manual and automated testing techniques are presented which will help identify common security issues during testing and uncover security vulnerabilities. 2 hours • None TST 201 Classes of Security Defects Recognize how to create a robust defense against common security defects. Students will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real life security bugs, students will be shown techniques and best practices that will enable the team to identify, eliminate and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect. 3 hours • None TST 211 How to Test for the OWASP Top 10 The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Recognize how these flaws occur and demonstrate testing strategies to identify the flaws in web applications. 1 hour • Fundamentals of Security Testing (TST 101) TST 301 Software Testing - Tools and Techniques This course introduces the tools and techniques used during software security testing. After taking this course, the student will be able to create a software security test plan; decide which software security testing tools to use; know how to apply the testing tools; understand and apply penetration testing techniques. 90 minutes • None TST 401 Advanced Software Security Testing Techniques This course delves deeply into the techniques for testing specific security weaknesses. After taking this course, the student will be able to understand the ten types of attacks; know which tools to use to test for these attacks; test software applications for susceptibility to the ten specific attacks; describe the expected mitigations required to prevent these attacks. 2 hours • Software Testing - Tools and Techniques (TST 301) TST 411 Exploiting Buffer Overflows Recognize the threats posed by buffer-overflow exploits, and the mechanisms behind exploitation of stack-based and heap-based buffer overflows. Define challenges faced by exploit code and how different exploitation techniques overcome environmental limitations. 2 hours • Creating Secure Code – C/C++ (COD 312) TST 101 • Fundamentals of Security Testing (TST 101) 15
  • 18. SECURITY EDUCATION CATALOGUE Secure Development Course Bundles Use this checklist to determine which course(s) you want to provide for your staff. Descriptions of each course in the SDT library can be found in the SDT Course Catalogue on the previous pages. Custom bundles, consisting of up to six (6) courses or twelve (12) hours of content, can be set up on request. Contact your Trustwave account representative if you would like to configure a custom bundle. Java Developer PHP Developer Project Manager • AWA-101 Fundamentals of Application Security • AWA-101 Fundamentals of Application Security • ENG-101 Microsoft SDL for Managers • COD-101 Fundamentals of Secure Development • COD-101 Fundamentals of Secure Development • COD-221 Web Vulnerabilities – Threats & Mitigations • COD-221 Web Vulnerabilities – Threats & Mitigations • ENG-201 SDLC Gap Analysis and Remediation Techniques • COD-211 Creating Secure Code – JRE Foundations • COD-315 Creating Secure PHP Code • COD-313 Creating Secure J2EE Code .NET Developer • AWA-101 Fundamentals of Application Security • COD-101 Fundamentals of Secure Development • COD-221 Web Vulnerabilities – Threats & Mitigations • COD-215 Creating Secure Code - .NET 4.0 Foundations (or .NET 2.0 version) • COD-311 Creating Secure ASP.NET Code C/C++ Developer Mobile Applications • AWA-105 Security Awareness – Mobile & Social Media • COD-110 Fundamentals of Secure Mobile Development • COD-217 Creating Secure Code – iPhone Foundations • COD-218 Creating Secure Code – Android Foundations Software Architect • AWA-101 Fundamentals of Application Security • AWA-101 Fundamentals of Application Security • COD-101 Fundamentals of Secure Development • DES-101 Fundamentals of Secure Architecture • COD-312 Creating Secure Code – C/C++ Foundations • DES-212 Architecture Risk Analysis and Remediation • COD-392 Creating Secure C/C++ Code • DES-311 Creating Secure Application Architecture • ENG-301 How to Create an Application Security Threat Model • ENG-311 Attack Surface Analysis and Reduction 16 • ENG-211 How to Create Application Security Design Requirements • COD-101 Fundamentals of Secure Development • DES-101 Fundamentals of Secure Architecture Test/QA • TST-101 Fundamentals of Security Testing • TST-201 Classes of Security Defects • TST-211 How to Test for the OWASP Top 10 • TST-301 Software Security Testing – Tools & Techniques • TST-401 Advanced Software Security Testing
  • 19. 17
  • 20. Learn more at Trustwave.com Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave helps millions of organizations manage compliance and secure their network infrastructure— ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information: https://www.trustwave.com. Copyright © 2013 Trustwave Holdings, Inc.