Security Awareness, Training and Education Catalog


SECURITY AWARENESS, TRAINING AND EDUCATION CATALOG

Introduction

The human factor, what employees do or don't do, is the biggest threat to an organization's information security, yet it's often the most overlooked. Whether they are processing credit cards, handling clients' personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data, unless you help them learn how to protect against and respond to security incidents. It's vital to your business to provide security education to your employees and partners.

Trustwave offers two key types of security education:
- Security Awareness Education for all staff
- Secure Developer Training for technical staff

Use this catalog to browse these security education offerings. If you have questions, reach out to your Trustwave account manager or use the Contact Us section of the Trustwave website at

Table of Contents

Security Awareness Education (SAE) ... 2
  SAE Lessons ... 3
  Banking Security ... 6
  Security Awareness Course Builder ... 7
  SAE Visual Material ... 8
Secure Development Training (SDT) ... 9
  SDT Lessons ... 10
  Secure Development Bundles ... 17

Security Awareness Education

Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security education courses will be set up and which additional print-based materials you would like to order to reinforce your program year-round. This section is designed to guide you through the program and help you choose the option that is right for you and your organization.

SAE Lessons

Use the SAE Lessons list to browse our library of security awareness lessons. Categorized by areas of interest, each lesson's catalog code, topic, and objectives are listed to help you decide which topics are most appropriate for your target audience(s). Most lessons are available in English, Spanish, Portuguese, French, and Swedish. You may also view our lessons in the Trustwave SAE portal. Contact your Trustwave account manager if you would like to receive a free trial.

Security Awareness Course Builder

The Security Awareness Course Builder page lists the lessons included in each course offering, tailored for common organizational roles requiring security awareness training. If these lesson combinations don't fit your organization's needs, or if you'd like to include additional materials such as quizzes or your organization's own information security policies, use the table at the bottom of the Security Awareness Course Builder page to identify the course content you would like us to build.

SAE Posters

Often, organizations administer formal security awareness training only once per year. Including SAE posters in your office environment helps keep employees aware of their security responsibilities year-round.

SAE Lessons

Each course in your Security Awareness Education program may be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial, contact your Trustwave account manager.

Compliance Lessons

These lessons cover the basic principles of various compliance standards mandating training and other information security measures.

COM-01  PCI Overview
  Lesson objective: Recognize how the Payment Card Industry (PCI) Data Security Standard (DSS) protects cardholder data.
  Supporting objectives: Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications. Recognize high-level compliance requirements. Describe the PCI regulatory environment and recognize high-level compliance requirements.

COM-02  HIPAA Overview
  Lesson objective: Recognize how U.S. Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) laws protect the privacy and security of protected health information (PHI).
  Supporting objectives: Recognize key HIPAA and HITECH stakeholders. Recognize the purpose and scope of HIPAA privacy and security rules. Recognize high-level compliance requirements.

COM-03  PCI for Retail Managers
  Lesson objective: Recognize how the PCI DSS affects managers and their role in enacting PCI compliance strategies.
  Supporting objectives: Recognize credit card features and security elements. Recognize indicators of credit card fraud or tampering. Understand how to respond in the case of suspicious or fraudulent payment activity.

COM-04  PCI Essentials (abbreviated version of PCI Overview)
  Lesson objective: Recognize how PCI self-regulates to protect cardholder data.
  Supporting objectives: Recognize the cycle of a credit card transaction. Recognize high-level compliance requirements.

Core Concepts

These lessons cover basic security awareness concepts that all employees should understand.

COR-01  Introduction to Security Awareness
  Lesson objective: Demonstrate basic knowledge of security awareness.
  Supporting objectives: Understand the definition of security awareness. Recognize the importance of protecting information.

COR-02  Social Engineering
  Lesson objective: Recognize how common social engineering tactics threaten information security.
  Supporting objectives: Define social engineering, recognize who is at risk of becoming a victim and list the types of information targeted by social engineers. Understand the definition of security awareness, recognize the most common channels for social engineering, and recognize popular social engineering ploys. List best practices to avoid becoming a victim of social engineering.

Security Awareness Topics

These lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees' work activities.

SAT-01  Physical Security
  Lesson objective: Define physical security, recognize common threats and list best practices.
  Supporting objectives: Recognize the importance of physical security and list the information at risk. Recognize common attacks on physical security. Recognize physical security vulnerabilities and best practices for securing your workplace.

SAT-02  PC Security
  Lesson objective: Define PC security, recognize common threats and list best practices.
  Supporting objectives: Recognize the risks of leaving your computer unprotected. List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk. List and describe critical PC security measures and best practices.

SAT-03  Security
  Lesson objective: Define security, recognize common threats and list best practices.
  Supporting objectives: Recognize the risk to information security if secure practices are not in place. Recognize the most common scams and the measures you can take to avoid becoming a victim. List best practices for using securely.

SAT-04  Password Security
  Lesson objective: Define password security, recognize common threats and list best practices.
  Supporting objectives: Recognize the importance of keeping passwords protected. List the ways password protection may be used to keep information secure. List basic rules for building a strong password and recognize best practices for effective password use.

SAT-05  Web Browsing Security
  Lesson objective: Define web browsing security, recognize common threats and list best practices.
  Supporting objectives: Recognize the risks of visiting unknown and unsecure websites. List the most common web security threats and recognize how you may put your organization's information at risk. List and describe best practices for browsing the web securely.

SAT-06  Mobile Device Security
  Lesson objective: Define mobile device security, recognize common threats and list best practices.
  Supporting objectives: Recognize the risks of leaving your device unprotected. Recognize common mobile device attacks and user mistakes that put information at risk. List and describe common mobile device security measures.

Best Practices for Job Roles

These lessons target specific job roles within an organization. Each course you create should contain one of these JRT (Job Role Training) lessons, depending on your role and industry.

JRT-01  Secure Practices for Retail Associates
  Lesson objective: Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
  Supporting objectives: Recognize the information security responsibilities of retail associates that impact the retail environment. List and describe information security responsibilities and best practices of retail associates.

JRT-02  Secure Practices for Retail Managers
  Lesson objective: Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
  Supporting objectives: Recognize the security responsibilities of retail managers or owners that impact the retail environment. List and describe information security responsibilities and best practices of retail managers.

JRT-03  Secure Practices for Call Center Employees
  Lesson objective: Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure.
  Supporting objectives: Recognize the information security laws and regulations that impact the call center environment. Recognize the responsibility of call center employees to protect the information they work with each day. List and describe the information security responsibilities and best practices of call center employees.

JRT-04  Secure Practices for Call Center Managers
  Lesson objective: Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center.
  Supporting objectives: Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment. List and describe information security responsibilities and best practices of call center managers.

JRT-05  Secure Practices for Enterprise Employees
  Lesson objective: Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure.
  Supporting objectives: Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment. List and describe information security responsibilities and best practices of enterprise employees.

JRT-06  Secure Practices for IT and Engineering Staff
  Lesson objective: Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure.
  Supporting objectives: Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibilities of personnel to protect the information they work with each day. List and describe the information security responsibilities of IT and engineering staff. List best practices for IT and engineering staff to help keep information secure.

Advanced Security Topics

These lessons cover a wide range of advanced topics for managers and technical personnel.

ADV-01  PCI Forensic Investigations
  Lesson objective: Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated.
  Supporting objectives: Identify common ways breaches are discovered and the high-level steps employees should take if a breach is discovered. Learn about the Trustwave PCI forensic investigation process and a breached organization's responsibility to report and remediate security deficiencies. Recognize common security threats and the importance of continuous compliance to protect against them.

ADV-02  Exploring Security Trends
  Lesson objective: Recognize key findings of Trustwave's annual Global Security Report and list ways to improve security this year based on last year's trends.
  Supporting objectives: Recognize the purpose and contents of Trustwave's Global Security Report. Recognize key findings of the current Global Security Report. List security best practices that help organizations avoid the security pitfalls of last year.

Banking Security

Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While you are taking steps to protect your customers from identity theft and financial crimes, customers themselves must also implement security best practices when accessing online banking on their personal or business computers. Providing resources to customers to educate them about best practices for securing their information online demonstrates your commitment to securing your customers' information, improves security for you and your customers and helps satisfy Federal Financial Institutions Examination Council (FFIEC) requirements for customer education.

These lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.

BAN-01  Online Banking Security
  Lesson objective: Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats.
  Supporting objectives: Recognize ways information is stolen from online accounts. Recognize the monetary risk of security incidents and the top attack targets used by criminals. Learn how banks and their customers work together to protect valuable information.

BAN-02  Protecting Online Accounts for Businesses
  Lesson objective: Recognize a business's role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so.
  Supporting objectives: Recognize a business's role in keeping their sensitive information secure online. List best practices for businesses to use to protect their sensitive information.

BAN-03  Protecting Online Accounts for Consumers
  Lesson objective: Recognize the individual's role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so.
  Supporting objectives: Recognize an individual consumer's role in keeping their sensitive information secure online. List best practices consumers can use to protect their sensitive information.

Security Awareness Course Builder

The first table below indicates the lessons included in our basic SAE courses. These lessons are targeted to common roles that fit most organizations. Also shown below is the recommended Job Role Training (JRT) lesson for each role. If you prefer to create a custom course, use the Create Your Own table to indicate what lessons you would like to include in which courses.

Table columns (lessons): COM-01, COM-02, COM-03, COR-01, COR-02, SAT-01, SAT-02, SAT-03, SAT-04, SAT-05, SAT-06, BAN-01, BAN-02, BAN-03, JRT-01, JRT-02, JRT-03, JRT-04, JRT-05, JRT-06, ADV-01, ADV-02, Quiz, Policy Document

Table rows (courses):
- Security Awareness for Retail Associates
- Security Awareness for Retail Managers
- Security Awareness for Call Center Employees
- Security Awareness for Call Center Managers
- Security Awareness for Enterprise Employees
- Security Awareness for IT and Engineering Staff
- Security Awareness for Health Care Staff
- Security Awareness for Bank Staff

Create Your Own

Use this section to mix and match lessons to build up to five courses of your own. Just print this sheet and fill in the necessary information, which you can then share with your Trustwave account manager.

SAE Visual Material

Augment your security awareness program with posters specific to your target audience. Posters are only available in English, and they are in PDF format. Posters are available for download in the SAE portal and are included with client-hosted content packages.

Secure Development Training (SDT)

Trustwave offers a suite of web-based technical lessons that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the lessons that is most relevant to them, or give them access to an SDT lesson bundle. No matter what option you select, this section will help you decide which lessons are right for your staff.

Secure Development Lessons

Use the SDT Lessons list to browse our library of SDT lessons. Categorized by the stages of the Software Development Life Cycle (SDLC), each lesson's catalog code, topic, and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s).

Secure Development Bundles

The Secure Development Bundles page, shown on page 17 in this document, defines the lesson bundles available to customers using SDT. You can use the Secure Development Bundles page to note which courses (consisting of various lessons) you would like to offer to your staff.

SDT Lessons

Security Awareness and Process

These lessons cover topics related to fundamental security awareness concepts as they relate to software development.

AWA 101  Fundamentals of Application Security
  Lesson objectives: Understand and recognize threats to applications. Understand how to leverage the Open Web Application Security Project (OWASP) top ten list to create more secure web applications and conduct specific activities at each development phase to ensure maximum hardening of applications.

AWA 102  Protecting Online Accounts for Businesses
  Lesson objectives: Recognize the main characteristics of an SDLC and the activities that an organization should perform to develop secure software. Recognize the need to address software security in everyday work activities.

AWA 110  Fundamentals of Security Awareness for Mobile Devices
  Lesson objectives: Recognize the security risks of using mobile devices and introduce the five fundamentals of secure mobile computing. Understand and be able to implement security best practices that mitigate risks to privacy, confidential data, reputation, and other assets.

AWA 111  Fundamentals of Security Awareness for Social Media
  Lesson objectives: Recognize why social media security is important to both employees and employers. Understand general privacy and security best practices that can be applied across all social media sites. Recognize privacy and security issues, best practices for managing company pages, and addressing employer policies for social media usage by employees.

Time and prerequisites listed for this group: 30 minutes, None; 30 minutes, None.

Security Engineering

These lessons cover topics related to the employment of security awareness strategies as a Software Engineer.

ENG 101  Microsoft SDL for Managers
  Lesson objectives: Introduction to Microsoft SDL (Security Development Lifecycle), an industry-leading software-security assurance process, developed by Microsoft to build trustworthy software products. Understand and identify the SDL requirements for building and deploying secure software applications. Understand benefits teams gain by following the SDL. Understand their role and responsibilities as it pertains to their team following the SDL. Understand common problems that can delay or stop product shipment.

ENG 102  Introduction to the Microsoft SDL
  Lesson objectives: Learn how to design and implement products that meet an organization's security needs. Identify the benefits of the SDL. Recognize the importance of the Final Security Review. Understand the steps necessary to meet SDL requirements. Identify the appropriate tools required by the SDL.

ENG 201  SDLC Gap Analysis and Remediation Techniques
  Lesson objectives: Understand how to identify areas of improvement in the Software Development Life Cycle (SDLC). Review key security engineering activities. Identify measurable goals and appropriate standards. Assess existing development processes. Learn how to build an activity matrix and a remediation road map. Understand goals, processes, and best practices for auditing software security processes within the context of the SDLC.

Time and prerequisites listed for this group: Understanding of the Software Development Life Cycle (SDLC) and technologies; basic understanding of software security. Basic knowledge of software development processes and technologies. Knowledge of the Software Development Life Cycle (SDLC). Knowledge of the SDLC. 45 minutes. Microsoft SDL for Managers (ENG 101).

ENG 211  How to Create Application Security Design Requirements
  Lesson objectives: Understand, create, and articulate security requirements. Understand the security engineering process. Recognize key security engineering activities to integrate into the SDLC. Understand software security objectives and apply security design guidelines.

ENG 301  How to Create an Application Security Threat Model
  Lesson objectives: Identify goals of threat modeling and the corresponding SDLC requirements. Identify the roles and responsibilities involved in the threat modeling process. Recognize when and what to threat model. Identify tools to assist in threat modeling. Understand how to use the threat modeling process to accurately identify, mitigate and validate threats.

ENG 311  Attack Surface Analysis and Reduction
  Lesson objectives: Understand the goals and methodologies of attackers. Identify attack vectors. Learn how to minimize the attack surface of an application. Learn how to define the attack surface of an application. Learn how to reduce the risk to an application by minimizing its attack surfaces.

ENG 312  How to Perform a Security Code Review
  Lesson objectives: Learn how to best organize a code review. Learn how to prioritize code segments to review. Learn best practices for reviewing source code and maximizing security resources.

ENG 391  How to Create an Application Security Threat Model for Embedded Systems
  Lesson objectives: Learn additional information about creating an Application Security threat model. Learn how to map content to specific compliance and regulatory requirements. Learn about key reference resources that support the topics covered in the module. Assess mastery of key concepts.
  Prerequisites: How to Create an Application Security Threat Model (ENG 301)

ENG 392  Attack Surface Analysis and Reduction for Embedded Systems
  Lesson objectives: Learn additional information about Attack Surface Analysis and Reduction (particularly important to embedded software engineers). Learn about key reference resources that support topics covered in this module. Assess mastery of key concepts.
  Prerequisites: Attack Surface Analysis and Reduction (ENG 311)

ENG 393  How to Perform a Security Code Review for Embedded Systems
  Lesson objectives: Learn additional information about code (particularly important to embedded software engineers). Learn how to map content to specific compliance and regulatory requirements. Learn about key reference resources that support the topics covered in the module. Assess mastery of key concepts.
  Prerequisites: How to Perform a Security Code Review (ENG 312)

Times listed for this group: 90 minutes; 30 minutes; 30 minutes; 30 minutes. Prerequisites listed for ENG 211, ENG 301, ENG 311 and ENG 312: Introduction to the Microsoft SDL (ENG 102); Architecture Risk Analysis and Remediation (DES 212); Fundamentals of Secure Development (COD 101); Architecture Risk Analysis and Remediation (DES 212); Fundamentals of Secure Development (COD 101); Architecture Risk Analysis and Remediation (DES 212).

Secure Design

These lessons cover topics related to secure software architecture and design, to help plan security into applications before any code is written.

DES 101  Fundamentals of Secure Architecture
  Lesson objectives: Examine the state of the industry from a security perspective. Learn about the biggest security disasters in software design. Understand that confidentiality, integrity, and availability are the three main tenets of information security. Learn how to avoid repeating past information security mistakes.
  Prerequisites: How to Create Application Security Design Requirements (ENG 211)

DES 201  Fundamentals of Cryptography
  Lesson objectives: Learn the basic concepts of cryptography and common ways that it is applied, from the perspective of application development. Learn the importance of randomness; the roles of encoding, encryption, and hashing; the concepts of symmetric and asymmetric encryption; the purpose of cryptographic keys; and the roles of message authentication codes (MACs) and digital signatures. Learn about the complexity of cryptography.
  Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top Ten Threats and Mitigations (DES 221)

DES 212  Architecture Risk Analysis and Remediation
  Lesson objectives: Learn concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws.

DES 213  Introduction to Security Tools and Technologies
  Lesson objectives: Review the types of security tools. Learn how to interpret, prioritize, and act on the tool output. Learn strategies for selecting and deploying tools.

DES 221  Threats and Mitigation
  Lesson objectives: Identify and mitigate the greatest threats that web application developers face.
  Prerequisites: None

DES 292  Architecture Risk Analysis & Remediation for Embedded Systems
  Lesson objectives: Learn additional information about Architecture Risk Analysis and Remediation training (of particular importance to embedded software engineers). Assess mastery of key concepts.
  Time: 30 minutes
  Prerequisites: Architecture Risk Analysis & Remediation (DES 212)

DES 311  Creating Secure Application Architecture
  Lesson objectives: Learn how to harden applications and make them more difficult for intruders to breach. Learn about compartmentalization, centralized input, and data validation as methods to protect applications from malicious input.

DES 391  Creating Secure Application Architecture for Embedded Systems
  Lesson objectives: Learn additional information about Creating Secure Application Architecture (of particular importance to embedded software engineers). Assess mastery of key concepts.
  Time: 30 minutes
  Prerequisites: Creating Secure Application Architecture (DES 311)

Prerequisites listed for DES 212, DES 213 and DES 311: Fundamentals of Application Security (AWA 101); Fundamentals of Security Testing (TST 101); Fundamentals of Security Testing (TST 101).

Secure Coding

These lessons cover topics related to the implementation stage of the Software Development Life Cycle (when code is actually written).

COD 101  Fundamentals of Secure Development
  Lesson objectives: Learn about the need for secure software development. Learn about the models, standards, and guidelines you can use to understand security issues and improve the security posture of your applications. Learn about key application security principles. Learn how to integrate secure development practices into the SDLC.

COD 110  Fundamentals of Secure Mobile Development
  Lesson objectives: Learn about common risks associated with mobile applications. Learn mobile application development best practices. Understand mobile development threats and risks.

Time and prerequisites listed for COD 101 and COD 110: 80 minutes; None; None.

COD 141  Fundamentals of Secure Database Development
  Lesson objectives: Understand database development best practices.
  Time: 50 minutes
  Prerequisites: Fundamentals of Application Security (AWA 101)

COD 152  Fundamentals of Secure Cloud Development
  Lesson objectives: Learn the common risks associated with cloud applications. Understand cloud computing threats and risks, and the programming principles to use to address them.
  Time: 90 minutes
  Prerequisites: None

COD 153  Fundamentals of Secure Ajax Code
  Lesson objectives: Learn about AJAX technology and its common vulnerabilities and attack vectors. Identify the differences between regular and AJAX applications, common AJAX vulnerabilities that attackers tend to exploit, and major threats to AJAX applications.

COD 190  Fundamentals of Secure Mobile Development for Embedded Systems
  Lesson objectives: Learn additional information about Secure Mobile Development (of particular importance to embedded software engineers). Assess mastery of key concepts.

COD 211  Creating Secure Code Java Foundations
  Lesson objectives: Learn best practices and techniques for secure application development in Java.

COD 212  Creating Secure Code C/C++ Foundations
  Lesson objectives: Learn best practices and techniques for secure application development in C/C++.

COD 213  Creating Secure Code Windows 7 Foundations
  Lesson objectives: Understand Windows 7 security features. Learn how to build applications that leverage Windows 7 built-in security mechanisms.

COD 215  Creating Secure Code .NET Framework Foundations
  Lesson objectives: Learn about .NET 4 security features. Learn about changes in .NET 4. Learn secure coding best practices.

COD 217  Creating Secure Code - iPhone Foundations
  Lesson objectives: Learn how to build highly secure iPhone applications. Learn about key iPhone application risks and vulnerabilities. Learn secure programming principles for iPhone applications.

COD 218  Creating Secure Code - Android Foundations
  Lesson objectives: Learn how to develop secure Android applications. Learn secure programming principles. Learn about key Android attack vectors and mitigation techniques.

Time and prerequisites listed for this group: 35 minutes; None; 30 minutes; 2.5 hours; 90 minutes; Fundamentals of Secure Mobile Development (COD 110); Fundamentals of Secure Development (COD 101); OWASP Top 10 - Threats and Mitigations (DES 221); Fundamentals of Secure Development (COD 101); OWASP Top 10 - Threats and Mitigations (DES 221); Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7; Fundamentals of Secure Development (COD 101); Fundamentals of Secure Mobile Development (COD 110); Fundamentals of Secure Mobile Development (COD 110).

COD 221  Web Vulnerabilities - Threats and Mitigations
  Lesson objectives: Understand, avoid, and mitigate the risks posed by web vulnerabilities.
  Prerequisites: Creating Secure Code J2EE Web Applications (COD 313) OR Creating Secure Code ASP.NET (COD 311)

COD 222  PCI DSS v3.1 Best Practices for Developers
  Lesson objectives: Learn about PCI DSS best practices and how to use them to address application security issues.
  Prerequisites: Fundamentals of Secure Mobile Development (COD 110)

COD 231  Introduction to Cross-Site Scripting - With JSP Examples
  Lesson objectives: Understand the mechanisms behind cross-site scripting vulnerabilities. Learn how to apply secure coding best practices to prevent cross-site scripting vulnerabilities.
  Time: 20 minutes
  Prerequisites: Basic knowledge of web technologies, and Java Server Pages (JSP).

COD 232  Introduction to Cross-Site Scripting - With ASP.NET Examples
  Lesson objectives: Learn about cross-site scripting vulnerabilities and their consequences. Learn secure coding best practices to help prevent cross-site scripting vulnerabilities.
  Time: 20 minutes
  Prerequisites: Basic knowledge of web technologies, and Java Server Pages (JSP).

COD 241  Creating Secure Code Oracle Foundations
  Lesson objectives: Understand the scope and requirements of database security as well as the risks presented by insecure database applications. Learn best practices for secure database application development. Learn about common database attacks and how to prevent them. Understand the risks to database applications and common database attacks.
  Time: 90 minutes
  Prerequisites: Fundamentals of Secure Database Development (COD 141)

COD 242  Creating Secure Code SQL Server Foundations
  Lesson objectives: Understand the scope and requirements of database security, as well as the risks presented by unsecure database applications. Learn the best practices for secure database application development. Understand the risks to database applications and common database attacks.
  Prerequisites: Fundamentals of Secure Database Development (COD 141)

COD 251  Creating Secure AJAX Code ASP.NET Foundations
  Lesson objectives: Understand how to mitigate common vulnerabilities and protect against common attack vectors. Identify threats to AJAX applications from cross-site scripting and other attacks. Learn how to implement countermeasures against attacks.
  Time: 35 minutes
  Prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 252  Creating Secure AJAX Code Java Foundations
  Lesson objectives: Understand how to mitigate common vulnerabilities and protect against common attack vectors. Identify threats to AJAX applications from cross-site scripting and other attacks. Learn how to implement countermeasures against attacks.
  Time: 35 minutes
  Prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 253  Creating Secure Cloud Code AWS Foundations
  Lesson objectives: Learn about the security vulnerabilities, threats, and mitigations for AWS (Amazon Web Services) cloud computing services. Recognize the most common security threats to cloud development and the best practices to protect against these threats. Learn how to identify AWS security features and how to integrate them into your AWS resources.
  Time: 90 minutes
  Prerequisites: Fundamentals of Secure Cloud Development (COD 152)

COD 254  Creating Secure Cloud Code Azure Foundations
  Lesson objectives: Learn about the risks associated with creating and deploying applications on Microsoft's Azure cloud platform. Recognize core security considerations for Azure Virtual Machine (VM) security, authentication and access control, legacy .NET Framework applications, Azure web sites, and the Microsoft WebMatrix 3 IDE.
  Prerequisites: Fundamentals of Secure Cloud Development (COD 152)

COD 255  Creating Secure Code Web API Foundations
  Lesson objectives: Learn about common web services that may put your application at risk. Learn best practices that you should incorporate to mitigate the risk from web services attacks. Understand various web services threats and the cause and impact of web services attacks. Learn how to implement secure development best practices to protect web services.
  Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top Ten Threats and Mitigations (DES 221)

COD 292  Creating Secure Code C/C++ Foundations for Embedded Systems
  Lesson objectives: Learn additional information about C/C++ Foundations of particular importance to software engineers. Assess your mastery of key concepts.
  Time: 30 minutes
  Prerequisites: Creating Secure Code C/C++ (COD 212)

COD 311 Creating Secure ASP.NET Code
Objectives: Learn how to develop secure web applications in C#. Learn how to avoid common vulnerabilities in C# code. Learn secure coding best practices.
Time: 35 minutes
Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top 10 Threats and Mitigations (DES 221); Creating Secure Code .NET Framework Foundations (COD 215)

COD 312 Creating Secure C/C++ Code
Objectives: Learn (in depth) about application security risks and secure coding standards for C and C++ code. Learn how to detect code errors and remediate them as soon as possible to avoid security issues. Learn real-world best practices and techniques.
Time: ... and 30 minutes
Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top 10 Threats and Mitigations (DES 221); Creating Secure Code C/C++ Foundations (COD 212)

COD 313 Creating Secure Java Code
Objectives: Identify and use the components of the Java security model. Identify how to use JAAS to control user authentication and authorization in your Java application. Learn how to implement cryptography to sign and verify Java jar files.
Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top 10 Threats and Mitigations (DES 221); Creating Secure Code Java Foundations (COD 211)

COD 314 Creating Secure C# Code
Objectives: Learn about application security risks and secure coding standards for C# applications. Understand underlying coding principles and real-world best practices and techniques.
Prerequisites: Fundamentals of Secure Development (COD 101); OWASP Top 10 Threats and Mitigations (DES 221)

COD 315 Creating Secure PHP Code
Objectives: Learn the security principles for building secure PHP applications. Assess mastery of key concepts.
Prerequisites: Fundamentals of Secure Development (COD 101)

COD 317 Creating Secure iPhone Code in Objective-C
Objectives: Recognize common iOS application vulnerabilities and learn secure coding best practices. Recognize and mitigate threats such as malicious user input, threats to privacy and confidentiality, and more.
Time: 90 minutes
Prerequisites: Creating Secure Code - iPhone Foundations (COD 217)

COD 318 Creating Secure Android Code in Java
Objectives: Learn about common Android application vulnerabilities. Learn secure coding best practices using Java and the Android SDK. Identify and mitigate a variety of attacks.
Time: 90 minutes
Prerequisites: Creating Secure Code Android Foundations (COD 218)

COD 411 Integer Overflows - Attacks and Countermeasures
Objectives: Learn security concepts, testing techniques, and best practices to develop robust applications that are secure against integer overflow vulnerabilities.
Prerequisites: Basic understanding of the C, C++, and C# programming languages.

COD 412 Buffer Overflows - Attacks and Countermeasures
Objectives: Learn how to avoid and mitigate the risks posed by buffer overflows. Learn about the protection provided by the Microsoft compiler and the Windows operating system. Learn how to avoid buffer overflows during the design, development, and verification phases of the SDLC.
Prerequisites: Basic knowledge of Windows programming and memory management in Windows.

Security Testing

These lessons cover topics related to the testing of software for security flaws and remediating defects before release.

TST 101 Fundamentals of Security Testing
Objectives: Learn security testing concepts and processes. Learn how to conduct effective security testing. Identify common security issues during testing, to uncover security vulnerabilities.
Prerequisites: How to Create Application Security Design Requirements (ENG 211)

TST 191 Fundamentals of Security Testing for Embedded Systems
Objectives: Learn additional information about the Fundamentals of Security Testing training (of particular importance to embedded software engineers). Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Fundamentals of Security Testing (TST 101)

TST 201 Classes of Security Defects
Objectives: Learn what is needed to create a robust defense against common security defects. Learn how and why security defects are introduced into software. Learn about common classes of attacks. Learn about techniques and best practices to help identify, eliminate, and mitigate each class of security defects.
Time: 3 hours
Prerequisites: Protecting Online Accounts for Businesses (AWA 102)

TST 211 How to Test for the OWASP Top 10
Objectives: Learn about the top ten OWASP flaws and how to perform testing to identify these flaws in web applications.
Time: ... and 30 minutes
Prerequisites: Fundamentals of Security Testing (TST 101)

TST 291 Classes of Security Defects for Embedded Systems
Objectives: Learn additional information about Security Defects Classes (of particular importance to embedded software engineers). Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Classes of Security Defects (TST 201)

TST 401 Advanced Software Security Testing - Tools and Techniques
Objectives: Learn about testing for specific security weaknesses. Learn about the top ten types of attacks and the tools to use to test for these attacks. Learn how to test software applications for susceptibility to the top ten attacks.
Prerequisites: Fundamentals of Security Testing (TST 101); Classes of Security Defects (TST 201); Software Testing Tools and Techniques (TST 301)

TST 411 Exploiting Buffer Overflows
Objectives: Understand and mitigate buffer-overflow exploits. Understand the challenges faced by exploit code and how different exploitation techniques overcome environmental limitations.
Prerequisites: Creating Secure C/C++ Code (COD 312)

TST 491 Advanced Software Security Testing for Embedded Systems
Objectives: Learn additional information about Software Security Testing (of particular importance to embedded software engineers). Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Advanced Software Security Testing Tools & Techniques (TST 401)

Secure Development Bundles

Use this section to determine which bundles you want to provide for your staff. Descriptions of the lessons in each bundle can be found in the SDT Lessons list. Custom bundles, consisting of up to six lessons or 1 of content, can be set up on request. Contact your Trustwave account manager if you would like to configure a custom bundle.

C/C++ Developer
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 212 Creating Secure Code C/C++ Foundations
COD 312 Creating Secure C/C++ Code
COD 411 Integer Overflows Attacks and Countermeasures
COD 412 Buffer Overflows Attacks and Countermeasures
ENG 301 How to Create an Application Security Threat Model
ENG 312 How to Perform a Security Code Review

Embedded Architect
DES 101 Fundamentals of Secure Architecture
DES 212 Architecture Risk Analysis and Remediation*
DES 311 Creating Secure Application Architecture
ENG 301 How to Create an Application Security Threat Model*
ENG 311 Attack Surface Analysis and Reduction*
ENG 312 How to Perform a Security Code Review*

Embedded Developer
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 212 Creating Secure Code C/C++ Foundations*
COD 312 Creating Secure C/C++ Code*
COD 110 Fundamentals of Secure Mobile Development (optional)

Embedded QA/Test
TST 101 Fundamentals of Security Testing*
TST 201 Classes of Security Defects*
TST 401 Advanced Software Security Testing - Tools and Techniques*
TST 411 Exploiting Buffer Overflows (optional)

Java Developer
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 153 Fundamentals of Secure AJAX Code
COD 211 Creating Secure Code Java Foundations
COD 252 Creating Secure AJAX Code Java Foundations
COD 313 Creating Secure Java Code
COD 352 Creating Secure jQuery Code
DES 221 OWASP Top 10 Threats and Mitigations
ENG 301 How to Create an Application Security Threat Model
ENG 312 How to Perform a Security Code Review

Courses marked with an asterisk (*) include an additional module, which pertains specifically to embedded systems.

Platform Bundles

Mobile
AWA 110 Fundamentals of Security Awareness for Mobile Devices
AWA 111 Fundamentals of Security Awareness for Social Media
COD 110 Fundamentals of Secure Mobile Development
COD 217 Creating Secure Code iPhone Foundations
COD 218 Creating Secure Code Android Foundations
COD 317 Creating Secure iPhone Code in Objective-C
COD 318 Creating Secure Android Code in Java
ENG 301 How to Create an Application Security Threat Model
ENG 312 How to Perform a Security Code Review

.NET Developer
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 153 Fundamentals of Secure AJAX Code
COD 213 Creating Secure Code - Windows 7 Foundations
COD 215 Creating Secure Code - .NET Framework Foundations
COD 251 Creating Secure AJAX Code - ASP.NET Foundations
COD 311 Creating Secure ASP.NET Code
COD 312 Creating Secure C/C++ Code
DES 221 OWASP Top 10 - Threats and Mitigations

PCI Developer
COD 222 PCI Best Practices for Developers
DES 221 OWASP Top 10 Threats and Mitigations
ENG 301 How to Create an Application Security Threat Model
ENG 312 How to Perform a Security Code Review

PHP Developer
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 153 Fundamentals of Secure AJAX Code
COD 221 Web Vulnerabilities Threats and Mitigations
COD 315 Creating Secure PHP Code
DES 221 OWASP Top 10 Threats and Mitigations
ENG 301 How to Create an Application Security Threat Model
ENG 312 How to Perform a Security Code Review

Project Manager
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
DES 101 Fundamentals of Secure Architecture
ENG 101 Microsoft SDLC for Managers
ENG 201 SDLC Gap Analysis and Remediation Techniques
ENG 211 How to Create Application Security Design Requirements

Security Awareness for Developers
AWA 101 Fundamentals of Application Security
AWA 102 Software Security Awareness
AWA 110 Fundamentals of Security Awareness for Mobile Devices
AWA 111 Fundamentals of Security Awareness for Social Media

Software Architect
AWA 101 Fundamentals of Application Security
DES 101 Fundamentals of Secure Architecture
DES 221 OWASP Top 10 Threats and Mitigations
DES 212 Architecture Risk Analysis and Remediation
DES 213 Introduction to Security Tools and Technologies
DES 311 Creating Secure Application Architecture
ENG 301 How to Create an Application Security Threat Model
ENG 311 Attack Surface Analysis and Reduction

Test/QA
TST 101 Fundamentals of Security Testing
TST 201 Classes of Security Defects
TST 211 How to Test for the OWASP Top 10
TST 401 Advanced Software Security Testing

Web 2.0
AWA 101 Fundamentals of Application Security
COD 101 Fundamentals of Secure Development
COD 151 Fundamentals of Web 2.0 Security
COD 153 Fundamentals of Secure AJAX Code
DES 221 OWASP Top 10 Threats and Mitigations
COD 351 Creating Secure HTML5 Code
COD 352 Creating Secure jQuery Code

Copyright 2016 Trustwave Holdings, Inc.


More information

The Impact of Cybersecurity, Data Privacy and Social Media

The Impact of Cybersecurity, Data Privacy and Social Media Doing Business in a Connected World The Impact of Cybersecurity, Data Privacy and Social Media Security Incident tprevention and Response: Customizing i a Formula for Results Joseph hm. Ah Asher Marcus

More information

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER RESILIENCE & INCIDENT RESPONSE CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable

More information

Bachelor of Information Technology (Network Security)

Bachelor of Information Technology (Network Security) Course information for Bachelor of Information Technology (Network Security) Course Number HE20524 Location Meadowbank Course Design The Bachelor of Information Technology (Network Security) is a three-year

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

Application. Security. on line training. Academy. by Appsec Labs

Application. Security. on line training. Academy. by Appsec Labs Application Security on line training Academy by Appsec Labs APPSEC LABS ACADEMY APPLICATION SECURITY & SECURE CODING ON LINE TRAINING PROGRAM AppSec Labs is an expert application security company serving

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer

More information

Best Practices in Securing a Multicloud World

Best Practices in Securing a Multicloud World Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers

More information

mhealth SECURITY: STATS AND SOLUTIONS

mhealth SECURITY: STATS AND SOLUTIONS mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported

More information

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016 Cybersecurity Conference Presentation North Bay Business Journal September 27, 2016 1 PRESENTER Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA Partner Information Security and Infrastructure Practice

More information

PROFESSIONAL SERVICES (Solution Brief)

PROFESSIONAL SERVICES (Solution Brief) (Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

Penetration testing.

Penetration testing. Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

Art of Performing Risk Assessments

Art of Performing Risk Assessments Clinical Practice Compliance Conference Art of Performing Risk Assessments October 2016 Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Member FBI InfraGard AGENDA Cyber Risk = Disruptive Business Risk Breaches:

More information

Instructor-led Training Course Catalog

Instructor-led Training Course Catalog Instructor-led Training Course Catalog January 2018 800.873.8193 sig-info@synopsys.com synopsys.com/software GENERAL DISCLAIMER This document presents details about the training offerings from Synopsys

More information

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance

More information

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004 Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches Bob Bradley Tizor Systems, Inc. December 2004 1 Problem Statement You re a DBA for an information asset domain consisting

More information

CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001)

CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001) CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001) Course Outline Course Introduction Course Introduction Lesson 01 - The Enterprise Security Architecture Topic A: The Basics of Enterprise Security

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

Evolution of Cyber Attacks

Evolution of Cyber Attacks Update from the PCI Security Standards Council Troy Leach, CTO, PCI Security Standards Council Evolution of Cyber Attacks Viruses Worms Trojan Horses Custom Malware Advanced Persistent Threats 1 Modern

More information

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors 4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X 4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss

More information

Secure Development Lifecycle

Secure Development Lifecycle Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.

More information

Sql Injection Attacks And Defense

Sql Injection Attacks And Defense We have made it easy for you to find a PDF Ebooks without any digging. And by having access to our ebooks online or by storing it on your computer, you have convenient answers with sql injection attacks

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+

More information

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals

More information

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results. REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is

More information