Course Description
Who Should Attend
Test
Course OutlineIntroduction
Secure Software Development
- Assets, Threats & Vulnerabilities
- Security Risk Analysis (Bus & Tech)
- Secure Dev Processes (MS, BSI…)
- Defense in Depth
- Approach for this course
Introductory Case Study
The Context for Secure Development
- Assets to be protected
- Threats Expected
- Security Imperatives (int&external)
- Organization's Risk Appetite
- Security Terminology
- Organizational Security Policy
- Security Roles and Responsibilities
- Security Training for Roles
- Generic Security Goals & Requirements
Exercise: Our Own Security Context
Security Requirements
- Project-Specific Security Terms
- Project-Related Assets & Security Goals
- Product Architecture Analysis
- Use Cases & MisUse/Abuse Cases
- Dataflows with Trust Boundaries
- Product Security Risk Analysis
- Elicit, Categorize, Prioritize SecRqts
- Validate Security Requirements
Exercise: Managing Security Requirements
Designing Secure Software
- High-Level Design
- Architectural Risk Analysis
- Design Requirements
- Analyze Attack Surface
- Threat Modeling
- Trust Boundaries
- Eliminate Race Objects
- Detail-Level Design
- Secure Design Principles
- Use of Security Wrappers
- Input Validation
- Design Pitfalls
- Validating Design Security
- Pairing Mem Mgmt Functinos
- Exclude User Input from format strings
- Canonicalization
- TOCTOU
- Close Race Windows
- Taint Analysis
Exercise: A Secure Software Design, Instructor Q & A
Writing Secure Code
- Coding
- Developer guidelines & checklists
- Compiler Security Settings (per)
- Tools to use
- Coding Standards (per language)
- Common pitfalls (per language)
- Secure/Safe functions/methods
- Stack Canaries
- Encrypted Pointers
- Memory Initialization
- Function Retrun Checking (e.e. malloc)
- Dereferencing Pointers
- Integer type selection
- Range Checking
- Pre/post checking
- Synchronization Primatives
- Early Verification
- Static Analysis (Code Review w/tools)
- Unit & Dev Team Testing
- Risk-Based Security Testing
- Taint Analysis
Exercise: Securing Coding Q & A
Testing for Software Security
- Assets to be protected
- Threats Expected
- Security Imperatives (int&external)
- Organization's Risk Appetite
- Static Analysis
- Dynamic Analysis
- Risk-Based Security testing
- Fuzz Testing (Whitebox vs Blackbox)
- Penetration Testing (Whitebox vs Blackbox)
- Attack Surface Review
- Code audits
- Independent Security Review
Exercise: Testing Software for Security
Releasing & Operating Secure Software
- Incident Response Planning
- Final Security Review
- Release Archive
- OS Protections:
- Address Space Layout Randomization
- Non-Executable Stacks
- W^X
- Data Execution Prevention
/ul>
- Monitoring
- Incident Response
- Penetration Testing
Exercise: A Secure Software Release
Making Software Development More Secure
- Process Review
- Getting Started
- Priorities
Exercise: Your Secure Software Plan
Important Course Information
-
Requirements
There are no formal prerequisites for this course.
Exam Entry CriteriaThe rules of information security aren’t what they used to be. Hackers aren’t kids in basements–they’re state sponsored professionals and organized criminal groups all around the world. They break into systems and steal data any way they can.
Unfortunately, the vast majority of hacks are not due to insecure networks or misconfigured firewalls; they are a result of common software flaws that get coded into applications. Even with good information security policy and staff, the reality is that software developers are often underserved when it comes to security strategy. If their applications get built without attention to good software security practices, risk gets passed downstream and by the time an incident occurs it’s too late to be proactive.
From proactive requirements to coding and testing, this secure software development training course covers the best practices any software developer needs to avoid opening up their users, customers and organization to attack at the application layer. We teach only constantly updated best practices, and our experts answer your questions live in class. Return to work ready to build higher quality, more robustly protected applications.
Cancellation Policy:
If a customer would like to cancel or transfer their course, they must notify Learning Tree prior to two weeks before the start date of the course or within seven days of registration. If a customer transfers to another course prior to two weeks before the start date or within seven days of registration of the course in which originally enrolled, 100% of any prepaid course tuition will be applied toward the course tuition for the subsequent course. If a customer needs to cancel an enrollment two weeks prior to the start of the class or within seven days of registration, we will refund 100% of any prepaid course tuition for that enrollment. If a customer does need to transfer or cancel a course within two weeks of the start date of the course or after seven days from the date of registration, a fee equal to 50% of the price of the course will be assessed for any standard attendances.
Audience
Test