elearning Course Catalog
Updated 11/28/
Park Plaza, Suite 1400, Boston, MA
GENERAL DISCLAIMER
This document presents details about the training offerings from Synopsys at the time of its creation. Synopsys has used reasonable efforts to ensure that the information provided in this document is accurate and up to date, but details and offerings are subject to change. This document contains confidential information about Synopsys and its businesses. Copies of this document may only be provided, and disclosure of the information contained in it may only be made, with prior written agreement from Synopsys.

Ownership and Disposal
The information contained in this document is owned by Synopsys. The recipient shall dispose of the data as confidential waste and/or return the document to Synopsys upon request.

The Synopsys difference
Synopsys offers the most comprehensive solution for building integrity, security, and quality into your SDLC and supply chain. We've united leading testing technologies, automated analysis, and experts to create a robust portfolio of products and services. This portfolio enables companies to develop customized programs for detecting and remediating defects and vulnerabilities early in the development process, minimizing risk and maximizing productivity. Synopsys, a recognized leader in application security testing, is uniquely positioned to adapt and apply best practices to new technologies and trends such as IoT, DevOps, CI/CD, and the cloud. We don't stop when the test is over. We offer onboarding and deployment assistance, targeted remediation guidance, and a variety of training solutions that empower you to optimize your investment. Whether you're just starting your journey or well on your way, our platform will help ensure the integrity of the applications that power your business.

For more information go to
Synopsys, Inc.
185 Berry Street, Suite 6500
San Francisco, CA USA
U.S. Sales:
International Sales:
sig-info@synopsys.com
Contents

Synopsys eLearning
Security Training for Every Role

Fundamental
  Foundations of Software Security
  Foundations of Information Security Awareness
  OWASP Top 10
  Attack and Defense
  PCI DSS Security
  Introduction to Cryptography for Developers and Architects

Defensive Strategies
  Secure Password Storage

Languages and Platforms
  Introduction to JavaScript Security
  Java Security Fundamentals
  Foundations of .NET Platform Security
  Foundations of PHP Security
  Foundations of COBOL Security
  Java Advanced Secure Coding
  Defensive Programming for Python and Django
  Defensive Programming for JavaScript and HTML5
  Defensive Programming for JavaEE Web Applications
  Defensive Programming for PHP
  Building Security into ASP.NET MVC with C#
  C/C++ Security
  Defensive Programming for COBOL

Security Enablement Services
  OAuth 2.0 Security
  SAML Security
  OpenID Connect

Mobile
  Foundations of Mobile Security
  Android Security
  Fundamentals of iOS
  Secure Programming for iOS

Requirements, Architecture, and Training
  Architecture Risk Analysis
  Foundations of Software Security Requirements
  Risk-Based Security Testing Strategy

Microcourses
  Hapi.js Security
  React.js Security
  Securing MongoDB
SYNOPSYS ELEARNING
Synopsys offers a hosted eLearning curriculum that enables organizations of all sizes to quickly deploy industry-leading training companywide. Synopsys eLearning is a subscription-based online training service providing on-demand, unlimited access to Synopsys' comprehensive library of hosted eLearning courses. With an annual subscription, you get 24/7 access to Synopsys' interactive security courses, including knowledge checks and final exams, individual and group reporting, and periodic content updates, so you can easily meet compliance and contractual training requirements. For companies that deploy their own learning management system (LMS), all eLearning courses are SCORM-compliant and can be deployed within your current LMS.
SECURITY TRAINING FOR EVERY ROLE
Synopsys' software security curriculum provides valuable knowledge across every role within software development organizations. Synopsys eLearning features a broad library of 29 courses and 3 microcourses, so you can design a long-term plan to increase the security knowledge and skills of everyone within your SDLC. Below you'll find some sample learning paths for developers and architects. Pick and choose the courses your developers need, or design your own learning path; it's up to you.

Sample learning paths are given for six roles:
  Front-End Developers
  Back-End Developers
  Enterprise Developers
  Mobile Developers
  QA Engineers
  Architects

Each path runs from Introductory through Intermediate to Advanced courses. Every path opens with Foundations of Software Security (Foundations of Mobile Security for mobile developers), followed by OWASP Top 10 (Attack and Defense for enterprise developers). The remaining courses that appear across the sample paths are:
  PCI DSS Security
  Introduction to Cryptography
  Secure Password Storage
  Foundations of Software Security Requirements
  Risk-Based Security Testing Strategy
  Foundations of COBOL Security
  Fundamentals of iOS
  Introduction to JavaScript Security or PHP
  OAuth 2.0 Security
  SAML Security
  OpenID Connect
  Android Security
  Hapi.js Security
  React.js Security
  Securing MongoDB
  Defensive Programming for JavaScript and HTML5 or PHP
  Foundations of .NET
  Java Advanced Secure Coding
  Defensive Programming for COBOL
  C/C++ Security
  Building Security into ASP.NET MVC with C#
  Secure Programming for iOS
  Architecture Risk Analysis
Foundations of Software Security
Category: Fundamental
Duration: ¾ Hour
Level: Introductory

Description
Dive into the basics of software security inside the development process. This course introduces the fundamentals of software security problems, risks, and general approaches for producing better software, and describes an approach to building software security into the development process. The course was created by the experts who literally wrote the book on software security, and the approaches described here are currently in use at leading global companies with mature software security initiatives.

Course Themes
- Clearly define the software security problem
- Describe how and why software is exploited
- Introduce and describe a set of key software security principles and concepts that can be integrated into any existing software development life cycle

Learning Objectives
- Discuss basic security terminology comfortably when discussing your own development work
- Confidently contribute to discussions surrounding software security principles
- Participate in the initial strategy, formation, and role delegation of a software security initiative
- Confidently begin to contribute to your company's overall design of a software security strategy

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Understanding of the software development life cycle
Prerequisites: None

Course Outline
Basic Software Security Concepts
  - The Importance of Software Security
  - Software Security Vocabulary
  - What Is Secure Software?
  - Obstacles to Software Security
  - Building Security In
  - Roles in Software Security
Fundamentals of a Software Security Initiative
  - Goals of a Software Security Initiative
  - Engineering and Governance
  - SSG, Outreach, and Satellites
  - Vendor Management
  - Evolution of a Software Security Initiative
Software Security Engineering
  - The Touchpoints
  - Secure Software Development Life Cycle
Software Security Engineering (Continued)
  - Software Security Intelligence
  - Technical Standards and Reference Frameworks
  - Training
Defect Discovery and Management
  - Assessing Software Is Necessary
  - Discovery Method Pros and Cons
  - The Importance of Fixing Software
Foundations of Information Security Awareness
Category: Fundamental
Duration: 1 Hour
Level: Introductory

Description
Security awareness is a process of constant refinement and education. Every person has a key role in keeping their company secure and out of the headlines. This course walks through what it takes to effectively identify and act upon security risks in your personal and work lives. It covers a broad range of modern security topics and provides actionable advice for increasing your overall security posture.

Course Themes
When delivered effectively, a comprehensive information security awareness program can reduce the attack surface and corporate risk of an organization and build a culture of responsibility around information security. A company is only as strong as its weakest link, and this course aims to educate and inform employees about pressing security topics that they can act on immediately.

Learning Objectives
- Quickly identify potential common security risks in the workplace
- Assess the security of workstations, mobile devices, and office spaces
- Build a strong password creation and storage mechanism
- Recognize the implications of real-world data breaches
- Identify corporate information assets and understand how to handle them securely

Intended Audience: Everyone
Competencies: None
Prerequisites: None

Course Outline
Introduction to Information Security Awareness
  - What Exactly Is Security Awareness?
  - Identifying and Understanding Information Assets
  - Boundaries Between Work and Home
Workstation Security
  - Overview
  - Physical Security
  - Network Connections
  - Malicious Software
  - Defense Mechanisms
User Account Security
  - Introduction: Accounts Rule the Web
  - Password Security
  - Password Managers
  - Multifactor Authentication
Social Engineering
  - Introduction: People as a Target
  - Physical Social Engineering
  - Phishing Attacks
  - Voice and SMS Phishing
  - Phishing in the Real World
Anatomy of a Breach
  - Introduction
  - The Entry
  - The Foothold
  - The Exploit
  - Fallout and Impact
  - Lessons Learned
Mobile Device Security
  - Intro: Mobile Devices in the Workplace
  - Physical Device Security
  - Mobile Device Security Settings
OWASP Top 10
Category: Fundamental
Duration: 1 ½ Hours
Level: Introductory

Description
This course helps professionals understand the value and limits of the OWASP Top 10. While the OWASP Top 10 is a valuable awareness document about some of the major risks in web applications today, the list is incomplete and largely provides only an attacker's perspective. The course both highlights the good and points out some things missing from the OWASP Top 10 that IT professionals still need to be aware of.

Course Themes
- Introduce the most prevalent web application security issues
- Describe testing methods and applications
- Provide remediation guidance to help eradicate specific issues
- Demonstrate how the issues are exploited by attackers

Learning Objectives
- Discuss the role of security in the software development life cycle and how best to create secure applications
- Recognize how these software security defects are exploited
- Discuss discovery methods for these issues
- Implement the practices that help prevent the most common mistakes and lead to more secure software

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with at least one web programming language
Prerequisites: Foundations of Software Security

Course Outline
Introduction to the OWASP Top 10
Injection
  - SQL Injection
  - Command Injection
  - When Injection Gets Serious
Broken Authentication and Session Management
  - Session Security Overview
  - Session Security Considerations
  - Authentication Security
  - Lifeboat's Sinking Ship
Cross-Site Scripting
  - XSS Protection Checklist
  - Samy and His Friends
  - XSS Protection: Guidelines
Insecure Direct Object References
  - Insecure Direct Object References: In a Nutshell
  - Creating Your Own Users for Fun and Profit
Sensitive Data Exposure
  - Handling Sensitive Data Securely
  - Source Code Woes
Missing Function Level Access Control
  - Strategies
Cross-Site Request Forgery
  - Protecting Against CSRF
  - A Sly DNS Swap
Using Components With Known Vulnerabilities
  - Securing Third-Party Software Components
  - An Upstream Bug
Unvalidated Redirects and Forwards
  - About Redirects
  - About Forwards
  - Preventing Unvalidated Redirects and Forwards
  - Yahoo's Unvalidated Redirect
Security Misconfigurations
  - Protection
  - Is Big Brother Watching?
Attack and Defense
Category: Fundamental
Duration: 1 Hour
Level: Introductory

Description
Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their street cred. There is no shortage of publicly known attack tools and techniques, and as software developers we are outnumbered and at the front line of the defense. This course teaches you how vulnerabilities are discovered and exploited in the real world and how to build a strong line of defense.

Course Themes
- Anatomy of a web application attack
- Exploitation
- Testing for vulnerabilities
- Secure development concepts
- Defending against attacks
- Monitoring and identifying suspicious behavior

Learning Objectives
- Recognize security flaws in web applications
- Build defenses against common web application vulnerabilities
- Use tools and techniques to test your own applications for vulnerabilities
- Implement application features that will enhance your users' security posture

Intended Audience: Developers, System Administrators, Architects, Security Specialists
Competencies: Familiarity with at least one programming language; general web application knowledge
Prerequisites: Foundations of Software Security; Foundations of Information Security Awareness

Course Outline
Introduction to Attack and Defense
  - Vulnerabilities Are Here to Stay
  - Security Is a Challenge
  - Impacts of Insecure Software
  - Understanding the Adversary
  - Real-World Impacts
Data Protection
  - Protecting Data in Motion
  - Protecting Data at Rest
Handling User Input
  - Injection Attacks
Authentication and Authorization
  - Authentication and Authorization Attacks
  - Authentication and Authorization Defenses
Session Protection
  - Attacking Sessions
  - Session Protection Mechanisms
Security Configurations
  - Third-Party Components
  - Default Configurations
  - Debugging and Error Handling
Monitoring and Detection
  - Intrusion Detection
  - Honeypots
  - Anomaly Detection (Geolocation and Pattern Matching)
PCI DSS Security
Category: Fundamental
Duration: ½ Hour
Level: Introductory

Description
Developers who work on applications in scope for PCI DSS are required to complete security training annually. In this course, developers learn the PCI DSS training requirements, the current OWASP Top 10 vulnerabilities and the coding practices that help prevent them, secure memory handling for application development, attacks that leverage volatile memory, and techniques for protecting sensitive data.

Course Themes
- PCI DSS training requirements for developers
- OWASP Top 10 vulnerabilities and how to avoid them
- Secure memory development
- Impact of memory handling vulnerabilities

Learning Objectives
- Understand the annual developer training requirements mandated by the PCI DSS
- Demonstrate understanding of the OWASP Top 10 web vulnerabilities
- Understand methods for developing code securely and preventing the OWASP Top 10 vulnerabilities
- Understand the importance of developing applications that handle sensitive information in memory securely
- Satisfy requirement 6.5 of the PCI DSS

Intended Audience: Developers, Product Architects, Security Architects
Competencies: Familiarity with web programming environments and technologies
Prerequisites: OWASP Top 10
Introduction to Cryptography for Developers and Architects
Category: Fundamental
Duration: 1 ½ Hours
Level: Introductory

Description
Cryptography is used to address confidentiality, data integrity, data origin authentication, entity authentication, and nonrepudiation. Although cryptography does not eliminate security issues, it makes them more manageable by reducing the task of protecting a large amount of data to the task of protecting a relatively small key. This course discusses the use of cryptographic algorithms and techniques as they are typically applied within the practice of information security.

Course Themes
- Examine the security of various cryptographic primitives and protocols
- Describe important options to consider when choosing such primitives
- Provide a comprehensive overview of common mistakes and lessons learned when designing and implementing cryptographic controls

Learning Objectives
- Define cryptography and cryptographic primitives as they apply to software security practices
- Identify the most common cryptographic primitives and their respective purposes
- Identify common cryptography errors and how to avoid them
- Make appropriate design decisions when implementing cryptographic controls in the information security process

Intended Audience: Developers, Architects
Competencies: Familiarity with standard software design and development
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense

Course Outline
Cryptography and Cryptographic Primitives
  - Uses of Cryptography
  - Common Cryptographic Primitives
Encryption
  - Symmetric vs. Asymmetric Encryption
  - Common Types of Encryption
  - Block Ciphers and Stream Ciphers
  - Block Cipher Encryption Modes
  - Initialization Vectors
  - Block Cipher Padding Modes
  - Common Types of Asymmetric Key Encryption
Hash Functions
  - Cryptographic Hash Functions
  - Algorithms and Uses
  - Protecting Data Integrity
Message Authentication Codes (MAC)
  - Common Functions and Algorithms
  - How It Works
  - Problem and Solution
Digital Signatures
  - Digital Signature Algorithms
  - Problem and Solutions
Putting It All Together
  - SSL
Security of Cryptographic Primitives and Protocols
  - Cryptographic Primitive/Protocol Security
  - Security of Algorithms Over Time
  - Security Over Time: Lessons Learned
  - Choosing Your Cryptographic Primitives
Typical Attackers and Attacks
  - Criminals
  - Kiddies/Amateur Hackers
  - Crime/Dedicated Hackers
  - Researchers
  - Government Agencies
Common Mistakes and Lessons Learned
  - TI Digital Signature Transponder Case Study
  - GSM Security
  - Content Scrambling System
  - Wired Equivalent Privacy
  - Secure Sockets Layer
Cryptographic Algorithms Implementation
  - Case Study Using WEP
  - Using Cryptography
  - Future of Cryptography
Secure Password Storage
Category: Defensive Strategies
Duration: 1 Hour
Level: Intermediate

Description
This course introduces popular approaches to user password protection and storage, analyzing their common weaknesses and the properties that help schemes resist attack. By learning to evaluate password storage schemes through the properties of their building blocks (hashes, salts, and algorithms), you will be able to properly evaluate the password storage options in your development framework and to articulate the trade-offs between modern schemes. At course end, you will be able to select and harden (through configuration) your application's password storage scheme, or select a suitable replacement that best meets your application's needs.

Learning Objectives
- Evaluate current best-practice solutions for secure password storage
- Recognize that attackers have sophisticated cracking resources
- Discuss how currently adopted password storage solutions are insecure
- Show why current solutions do not prevent user passwords from being revealed to an attacker
- Discuss the password security pros and cons of algorithms like bcrypt and scrypt
- Propose an alternate approach to strengthening current password security solutions

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: None
Prerequisites: None

Course Outline
Password Storage Overview
  - Introduction
  - Password Storage Defined
  - The Bumpy Road
  - Password Storage Risk
  - Two Basic Rules
  - Risks Revealed
Simple Hashes
  - Introduction
  - What Is a Hash Function?
  - Hash Function Properties
  - Example Hash Function
  - Risk of Hash Function
  - Rainbow Tables
  - Rainbow vs. Lookup Tables
  - Conclusion
Salted Hashes
  - Introduction
  - Salted Hash Definition
  - Benefits of Salted Hashes
  - Risks of Salted Hashes
  - Salted Hashes Best Practices
  - Conclusion
Keyed Hash Functions
  - Introduction
  - Defining HMACs
  - HMAC Password Storage
  - Benefits of HMAC
  - HMAC Considerations
  - Implementation Challenges
  - Implementation Recommendations
  - Conclusion
Adaptive Hash Functions
  - Introduction
  - What Is an Adaptive Hash?
  - Benefits of Adaptive Hashes
  - Adaptive Hash Protection
  - Examples of Adaptive Hash
  - Considerations
  - Recommendations
  - Conclusion
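The outline above moves from plain hashes through salted, keyed, and adaptive hashes. The Python below is an added illustration of those four schemes placed here for reference; it is not part of the catalog or of the Synopsys course. The wordlist, salts, HMAC key and iteration counts are constructed for the example, and the `scheme$params$salt$hash` storage format is an assumption of the example rather than something the course prescribes.

```python
"""Four password storage schemes side by side: plain hash, salted hash, keyed
hash (HMAC), and adaptive hash (PBKDF2). Added illustration; not course
material. Wordlist, key and iteration counts are constructed for the example."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist: the kind of table an attacker precomputes once and
# reuses against every unsalted database obtained (a lookup table; a rainbow
# table is a space-optimized variant of the same idea).
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Summer2019!"]


# 1. Simple hash: deterministic, so identical passwords share a digest and a
#    precomputed table cracks every matching entry at once.
def simple_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Attacker side: digest -> plaintext for each candidate word."""
    return {simple_hash(w): w for w in words}


def crack_simple(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored_digest)


# 2. Salted hash: a fresh random salt per user forces the attacker to redo the
#    work per user; no shared precomputed table applies.
def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    _, salt_hex, digest = stored.split("$")
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


# 3. Keyed hash: an HMAC under a secret key kept outside the database (HSM or
#    separate secret store); a dump of the user table alone cannot be cracked.
def keyed_hash(password: str, salt: bytes, key: bytes) -> str:
    return hmac.new(key, salt + password.encode(), hashlib.sha256).hexdigest()


# 4. Adaptive hash: PBKDF2-HMAC-SHA256 with a tunable work factor stored next
#    to the hash, so the cost can be raised as hardware gets faster.
CURRENT_ITERATIONS = 600_000  # policy value chosen for this example


def adaptive_hash(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_adaptive(password: str, stored: str) -> bool:
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, minimum: int = CURRENT_ITERATIONS) -> bool:
    """True when an entry was hashed under an older, weaker work factor and
    should be re-hashed at the user's next successful login."""
    return int(stored.split("$")[1]) < minimum


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted sha256('hunter2') cracked as:", crack_simple(simple_hash("hunter2"), table))
    print("two salted hashes of the same password differ:",
          salted_hash("hunter2") != salted_hash("hunter2"))
    legacy = adaptive_hash("hunter2", iterations=10_000)
    print("legacy entry verifies:", verify_adaptive("hunter2", legacy),
          "| needs rehash:", needs_rehash(legacy))
```

Points to notice: the unsalted digest is cracked instantly by a table built before the breach; two salted digests of the same password differ, so that table is useless; the keyed hash requires a secret that a database dump does not contain; and the adaptive scheme records its own work factor, so `needs_rehash` lets you raise the iteration count by configuration and upgrade stored entries the next time each user logs in successfully.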
Introduction to JavaScript Security
Category: Languages and Platforms
Duration: 1 ¼ Hours
Level: Introductory

Description
This course presents an overview of the quirks and features that make JavaScript a flexible, powerful, and popular language. It covers the security features built into the JavaScript language, as well as the browser security features used by JavaScript web applications. Other lesson topics include cross-site scripting, JavaScript execution contexts, dataflow concepts for identifying the issues, protection mechanisms, the clickjacking vulnerability, and mitigation methods.

Course Themes
- JavaScript language specifics
- Browser security controls
- JavaScript execution contexts
- Common vulnerabilities and mitigation techniques
- JavaScript code analysis

Learning Objectives
- Navigate JavaScript language specifics, like comparisons and scoping, that can cause security issues
- Identify JavaScript execution contexts
- Perform manual dataflow analysis with knowledge of JavaScript sources and sinks
- Find common XSS issues in JavaScript code and select the best protection method for each case
- Apply several mitigation techniques against clickjacking vulnerabilities
- Compare different tools for managing third-party dependencies

Intended Audience: JavaScript developers with limited security knowledge
Competencies: 1-2 years' experience developing in JavaScript
Prerequisites: OWASP Top 10

Course Outline
Introduction to JavaScript
  - JavaScript Basics
  - Strict Mode
XSS and Untrusted Data Sources
  - XSS Dataflow
  - Untrusted Data Sources
JavaScript Execution Contexts
  - Inline JavaScript
  - External JavaScript
  - Event Handlers
  - Scalable Vector Graphics
  - Uniform Resource Identifier
  - Time Functions
XSS Defense Measures
  - Output Encoding
  - HTML Sanitization
  - AngularJS
  - Input Validation
  - JSON
  - Load Resourcing
  - Content Security Policy
  - Content Security Policy: Hashing and Nonces
Iframes and Clickjacking
  - Content Security Policy
  - X-Frame-Options
  - Frame Busting
Managing Third-Party Dependencies and Code Analysis
  - Package Managers
  - Third-Party Dependency Audit
  - Code Analysis
Java Security Fundamentals
Category: Languages and Platforms
Duration: 1 Hour
Level: Introductory

Description
No matter what product or service you're building, understanding Java platform security is an essential foundation. Learn platform security concepts along with practical security knowledge you can immediately apply to your own project. Learners write secure code using platform APIs and identify common mistakes. This course is beneficial whether you're building desktop applications, web applications, service infrastructure, Internet of Things (IoT) devices, or embedded applications.

Course Themes
- Platform security concepts, features, and tools
- Secure platform coding techniques
- Avoiding common pitfalls

Learning Objectives
- Describe Java platform security concepts and architecture
- Implement public key infrastructure (PKI) and Java trust management concepts
- Write secure code using Java SE APIs
- Avoid common platform security pitfalls

Intended Audience: Developers, Product Architects, Security Architects
Competencies: Working knowledge of the Java platform and language
Prerequisites: None

Course Outline
The Java Security Architecture
  - The Java Security Model
  - The Bytecode Verifier
  - The Class Loader
  - The Security Manager
Security Features of the Java Platform
  - Security Advantages of the Language
  - Automatic Memory Management
  - Code Signing
  - Application Sandboxing
Code-Centric Access Control
  - Permissions
  - Protection Domains and Security Policies
  - Security Managers and Access Controllers
  - Access Controller Algorithm
Cryptography
  - The Java Cryptography Architecture (JCA)
  - Cryptographic Services
  - The JCA API
Other Security Services
  - Java Authentication and Authorization Service (JAAS)
  - Public Key Infrastructure
  - Channel Security
Risks Inherent to the Java Platform
  - Immutable Strings
  - The doPrivileged() Method
  - The Java Native Interface (JNI)
  - Introspection
Foundations of .NET Platform Security
Category: Languages and Platforms
Duration: ¾ Hour
Level: Intermediate

Description
The .NET platform serves as a powerful framework for developing a wide range of applications, from rich websites and desktop applications to versatile shared libraries and embedded systems. The platform's specific architecture and unique security model set it apart from other environments. While these traits offer developers and architects a variety of enhancements to the capabilities of their applications, they also introduce specific risks from an application security perspective.

Course Themes
- Clearly define the .NET platform security model
- Describe fundamental components of the .NET platform and the security implications of each
- Explain common security issues inherent in key features of the platform, along with mitigation strategies for each

Learning Objectives
- Identify the .NET framework components and related concepts
- Identify and strategize the use of .NET security features
- Identify the limitations of each security feature
- Implement security processes into the development of .NET applications based on best practices

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the .NET platform and .NET programming languages such as C#
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense

Course Outline
Java Platform Security Overview
  - Platform Security
  - Cryptography
  - Authentication and Access Control
  - Secure Communications
  - Public Key Infrastructure (PKI)
Platform Security
  - Strong Data Typing
  - Automatic Memory Management
  - Bytecode Verification
  - Secure Class Loading
  - Exception Handling
Operational Concerns
  - Strategic Design for Security
  - Restrict Process Security Privileges
  - Data Validation
Logging
  - Logging Concepts
  - Logging for Security, Audit, and Diagnostics
  - Java Logging and Alternatives
Advanced Secure Coding Concepts
  - Avoid Strings for Volatile Secrets
  - Avoid Deserializing Objects From Untrusted Sources
  - Java Native Interface (JNI) Bypasses Platform Safety Controls
  - Safe Expansion of ZIP Files
Foundations of PHP Security
Category: Languages and Platforms
Duration: ¾ Hour
Level: Intermediate

Description
PHP has evolved significantly from its insecure early versions into a robust and trustworthy language. However, many of the fundamentally insecure features remain in common use today. PHP developers must familiarize themselves with common security vulnerabilities and how they can be exploited to damage a web application. This course prepares you for Defensive Programming for PHP by explaining the attack surface, so you can easily recognize the errors that can put an overall system at risk.

Course Themes
- Describe the risks inherent to the PHP programming language
- Explain common vulnerabilities affecting PHP applications and web applications as a whole
- Demonstrate the risks resulting from insecure PHP configuration

Learning Objectives
- Identify the risks inherent to the PHP programming language
- Explain the risks resulting from insecure PHP configurations
- Distinguish between common vulnerabilities that affect PHP applications

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the PHP programming language
Prerequisites: Foundations of Software Security; OWASP Top 10

Course Outline
General PHP Security Concerns
  - Lack of Sandboxing
  - Local File Inclusion
  - Unsafe PHP Functions
  - Unsafe PHP Configuration
  - NULL Byte Issues
  - PRNG in PHP
  - .inc File Extension
Dynamic Code
  - Risk Description
  - Dynamic Variables
  - Dynamic Functions
  - Array Functions
  - Uninitialized Variables
Common Web Vulnerabilities in PHP Applications
  - Cross-Site Scripting
  - SQL Injection
  - Cross-Site Request Forgery
Other Issues
  - Mail Injection
  - XML Injection
  - LDAP Injection
Foundations of COBOL Security
Category: Languages and Platforms
Duration: 1 Hour
Level: Introductory

Description
There are many risks and myths associated with COBOL programming security. In this course, we'll review COBOL programming best practices, discuss a taxonomy of COBOL system vulnerabilities, and provide guidance on how to avoid or mitigate them.

Course Themes
- COBOL application architecture and implementing security requirements within code and environment configurations
- Best practices for mitigating common vulnerabilities
- Increased coverage of secure logging, error handling, secure input validation, and data representation

Learning Objectives
- Recognize common security risks in COBOL programs
- Identify security vulnerabilities in COBOL code
- Write secure code to mitigate risk

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Understanding of COBOL development
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense

Course Outline
COBOL Ecosystem
  - Introduction
  - OLTP Applications
  - Batch Processing Applications
  - Examples of COBOL Applications
Architecture
  - Architecture
  - Exploitation With Middleware
  - Architecture Key Terms
  - Changing Environment
  - Typical COBOL System
Assets
  - Introduction
  - Never Disclose Mainframe Software
  - Handling Sensitive Information
  - Unauthorized Access
  - The Cost of (In)Security
Security Breaches and COBOL
  - Hacking Critical Business Assets
  - Hacking Insurance
  - Sailing With Pirates
COBOL Security Myths
  - The Security Myths of COBOL
  - Myth 1: COBOL Applications Are Not Connected to the Internet
  - Myth 2: Common Attack Techniques Do Not Apply to Batch-Mode Mainframe Applications
  - Myth 3: COBOL Applications Are Not Responsible for Input Validation
  - Myth 4: Hackers Are Not Interested in Targeting COBOL Applications
Understand Security Principles
  - Introduction to Security Principles
  - Building an Application? Ask These Questions
  - Authentication Overview
  - Achieving Secure Authentication
  - Authorization Overview
  - Authorization Models and Solutions
  - Authorization Check Example
  - Vulnerabilities Identified in z/OS Mainframe Systems
  - Further Learning
Ensure Secure Input Validation and Data Representation
  - Recognizing Harmful Data
  - SQL Injection and COBOL
  - Prevent Data Leakage: Buffer Overflow
  - Approaching Input Validation
  - Output Encoding
  - Output Encoding Example
Secure Database Access
  - Why Databases Are Business-Critical
  - Assuring Access Is Secure
  - Example: Clear Text
  - Example: Insecure Data Access Using BIND Utility
Secure Logging Practices
  - Why Logs Are Kept
  - Logs and Attackers
  - Follow Logging Practices
  - Example: Scrubbing Logs of Sensitive Information
Secure Error Handling
  - Introduction
  - Security Problems
  - Common Problems
  - Hackers Looking for Messages
  - Error Handling: Mitigation Practices
  - Failure to Handle Errors
  - Detection
  - Next Steps
  - Errors and System Functions
  - Example: Secure Error Handling
Java Advanced Secure Coding (Languages and Platforms)
Duration: 1 Hour | Level: Advanced

Description
Java Advanced Secure Coding builds on the concepts introduced in Java Security Fundamentals. Developers learn advanced coding concepts and platform security features: injection attack prevention, platform authentication and access control, cryptography, secure network communications, public key infrastructure, web security, and an introduction to the security-relevant features introduced in Java 8 and 9.

Course Themes
- Common vulnerabilities
- Platform and third-party security controls
- Applied defensive techniques

Learning Objectives
- Understand platform authentication and access control libraries, cryptography, and secure communication over untrusted networks
- Understand PKI concepts and the relevant Java platform security controls, such as the CertPath API, PKIX, and OCSP/CRL revocation services
- Apply practical techniques to defend against SQL injection, XML parser attacks, CSRF, XSS, URL attacks, HTTP response redirect attacks, and more, using Java platform and third-party security libraries such as those from OWASP

Intended Audience
- Developers
- Product Architects
- Security Architects

Competencies
- Understanding of the Java language

Prerequisites
- Java Security Fundamentals
Java Advanced Secure Coding: Course Outline

Introduction
- Preventing Injection
- Authentication and Access Control
- Cryptography
- Secure Communications
- Public Key Infrastructure (PKI)
- Web Security
- Important Security Features in Java SE 8/9

Preventing Injection
- Introduction
- Defending Against SQL Injection: JDBC Prepared Statements
- Encoding Reserved Control Sequences Within Untrusted Input
- XML Parsers
- Protection From XXE
- Secure Random Number Generation

Authentication and Access Control
- Introduction
- Java Authentication and Authorization Service (JAAS)
- Security Policies
- Security Manager
- Sandbox Security
- Hot Waters: Building Your Own Security Controls

Cryptography
- Introduction
- Message Digests
- Ciphers
- Digital Signatures
- Heartbleed Bug

Secure Communications
- Introduction
- Java Secure Socket Extension (JSSE)
- GSS-API
- SASL API

Public Key Infrastructure
- Introduction
- Java's PKI Model
- Support for Trust Management in Java
- Java CertPath API
- Revocation Services

Web Security
- Introduction
- Cross-Site Request Forgery Defense
- CSRF Defense Example
- Advice for Defending Against CSRF Attacks
- Open Redirect Defense
- URL Validation
- HTTP Security Response Headers
- User Interface Security

Important Security Features
- Introduction
- Security Changes for Java 8
- Security Changes for Java 9
- Brief Considerations When Upgrading to Java 9

Java Advanced Secure Coding Assessment
Defensive Programming for Python and Django (Languages and Platforms)
Duration: 1 ½ Hours | Level: Advanced

Description
Django is a web framework built on Python that lets developers quickly build web applications in a familiar MVC-style architecture (Django itself calls the pattern model-template-view). While the Django project treats security as a first-class concern, there are still pitfalls to be aware of when writing web applications with it. This course teaches defensive programming techniques for safely using Python and Django.

Course Themes
- Demonstrate methods to secure dataflow by consistently applying input validation and output encoding
- Introduce secure methods to ensure permissions are applied at the right level of granularity for authorization
- Introduce and explain common security assessment approaches

Learning Objectives
- Recognize Django as a web development framework
- Configure Django securely
- Implement proper authentication and authorization
- Recognize best practices for secure session management
- Plan the prevention of injection attacks

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Basic understanding of computer and operating system architecture
- Basic understanding of the software development life cycle
- Basic understanding of Python

Prerequisites
- Foundations of Software Security
- OWASP Top 10
Defensive Programming for Python and Django: Course Outline

Introduction to Python
- Python Overview
- Django Overview

Authentication
- Authentication Overview
- Missing and Broken Authentication
- Client-Side Authentication
- Authentication Factors and Multifactor Authentication
- Authentication in Django
- User Authentication and Access Restriction
- Brute Force Attack Protection

Authorization
- Authorization Overview
- Vertical and Horizontal Privilege Escalation
- Forceful Browsing
- Authorization in Django
- Django Permissions

Session Management
- Session Management Overview
- Session ID Attacks: Brute Force and Fixation
- Network Sniffing
- Session Management in Django
- Persistent and Cookie-Based Sessions
- Cryptographic Signing

Validation and Encoding
- Input Validation and Output Encoding
- Injection, Path Traversal, and Open Redirect Attacks
- Best Protection Against Injection Attacks
- Input Validation and Output Encoding in Django
- Input, Field, and Form Validation
- Validation Methods and Errors

Object-Role Modeling
- Object-Role Modeling in Django
- Adding Permissions to a Model and Modifying Permissions

SQL Injection
- SQL Injection Vulnerabilities in Django
- Django ORM Protection
- Insecure SQL Examples: raw(), connection.cursor(), extra()
- Protection From SQL Injection in Django
- Stored Procedures and Escaping User Input

Configuration
- Environment/Framework Configuration
- Environment/Framework Configuration for Django
- Environment-Specific Configuration
- Configuring Error-Handling Pages and Notifications
- Password Storage

Direct Attack Resistance
- Direct Attack Overview
- Cross-Site Request Forgery, Cross-Site Scripting, DOM-Based XSS, and Clickjacking
- Direct Attack Protection in Django
Defensive Programming for JavaScript and HTML5 (Languages and Platforms)
Duration: ½ Hour | Level: Advanced

Description
HTML5 and JavaScript introduce new functionality that helps developers create even more dynamic and feature-rich web applications. That functionality brings its own set of security risks, which must be considered carefully. Creating secure modern web applications requires developers to follow defensive programming best practices for client-side storage, cross-domain communication, and secure I/O. This course teaches defensive programming techniques for safely using JavaScript, HTML5, and associated technologies such as JSON.

Course Themes
- Demonstrate methods to secure dataflow by consistently applying input validation and output encoding
- Introduce secure methods to store sensitive data and to secure cross-domain communication
- Prescribe the secure use of features such as cross-origin resource sharing (CORS), iframe sandboxing, and web storage
- Introduce and explain common security assessment approaches

Learning Objectives
- Confidently apply HTML5, JavaScript, and JSON defensive programming techniques
- Evaluate common approaches for selecting defensive programming techniques

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Familiarity with web programming languages, specifically JavaScript or HTML

Prerequisites
- Foundations of Software Security
- OWASP Top 10
Defensive Programming for JavaScript and HTML5: Course Outline

Storage of Sensitive Data

Secure Cross-Domain Communications
- Validating Message Origin and Data
- Enforcing a Strict CORS Policy
- Weak CORS Policy
- Fixing the CORS Policy
- Properly Sandboxing Iframes
- Other Cross-Domain Considerations
- window.name for Messaging
- Fragment Identifier Messaging
- document.domain Property
- WebSocket Origin Header

Implementing Secure Dataflow
- Understanding Dataflow
- Performing Input Validation
- Whitelisting, Blacklisting, and Rostering
- Encoding Output
- Additional Strategies for Preventing Malicious JavaScript
- Setting Cookies as HttpOnly
- JSON-Related Best Practices

Common Assessment Approaches
- Secure Code Reviewing
- Dynamic Analysis
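The "Weak CORS Policy" and "Fixing the CORS Policy" topics above come down to how the server decides what to put in Access-Control-Allow-Origin. The following example is added for illustration and is not course material or Synopsys code. It contrasts three server-side decisions: reflecting the request Origin (the weak policy), a suffix test on the Origin string (a common fix that is still bypassable), and an exact match against a closed allowlist that also rejects the literal "null" origin and unparsable values. The allowlisted origins and the header-building helper are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example (not part of the course material).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def normalize_origin(origin):
    """Return scheme://host[:port] in lower case, or None if the Origin is not an http(s) URL.
    The literal value "null" (sandboxed iframes, file://, some redirects) parses to None."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def weak_cors_headers(origin):
    """Weak policy: reflect whatever Origin the browser sent and allow credentials.
    Any site can then read authenticated responses using the victim's cookies."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def suffix_match_cors_headers(origin):
    """Still broken: a suffix test accepts https://evilexample.com."""
    if origin.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def strict_cors_headers(origin, allow_credentials=True):
    """Strict policy: exact match against a closed allowlist after normalization.
    Vary: Origin stops a shared cache from replaying one origin's ACAO header to another."""
    if origin is None:
        return {}
    norm = normalize_origin(origin)
    if norm is None or norm not in ALLOWED_ORIGINS:
        return {}                       # no ACAO header at all: the browser blocks the read
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evilexample.com",
              "https://app.example.com.attacker.net", "null"):
        print(o, "->", strict_cors_headers(o))
```

The scheme is part of the comparison on purpose: an http:// origin of the same host is a different origin, and accepting it hands a network attacker the credentialed responses. Returning no header at all on a miss is preferable to returning a wrong one, because the browser then enforces the default same-origin rule.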
Defensive Programming for JavaEE Web Applications (Languages and Platforms)
Duration: 2 ½ Hours | Level: Advanced

Description
JavaEE-based applications are prone to the vulnerabilities common to all enterprise applications. Because of the characteristics of the platform, JavaEE applications can also be affected by a set of very specific issues that do not apply to other environments. This course teaches defensive programming techniques for safely using JavaEE to thwart attacks and reduce the risk of information breaches.

Course Themes
- Review the basic constructs of the Java platform as they pertain to software security
- Outline secure ways of handling errors, data input, and data output
- Illustrate common security errors and how they appear in source code
- Recommend best practices for engineering security features

Learning Objectives
- Apply best practices when developing software to avoid common security coding errors
- Identify ways in which JavaEE vulnerabilities can be exploited
- Identify multiple secure alternatives for fixing common security bugs in code
- Recognize more security errors when reviewing source code, either manually or with automated code-scanning tools
- Eliminate or mitigate security coding errors in your products with increased efficiency

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Familiarity with Java and JSP programming

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense
- Java Security Fundamentals
Defensive Programming for JavaEE Web Applications: Course Outline

Introduction
- Software Vulnerability Growth
- The Software Security Challenge

Understanding the Platform
- Language Considerations
- Memory Management Features
- Garbage Collection
- Framework Security Model
- Java Security Model
- Dangers of doPrivileged()
- Security Manager Best Practices

Identity and Session Management
- Authentication
- Authorization
- Session Management

Injection Attacks
- Data and Control Vectors
- Command Injection
- Input Validation
- Regular Expressions
- Unicode Mishandling
- Output Encoding
- HTML and URL Encoding in Practice
- Input Validation Theory and Flow

Injection Attacks and Remediation
- SQL Injection
- Cross-Site Scripting
- XML Attacks
- Log Injection
- Path Manipulation
- Cross-Site Request Forgery
- Client-Side Trust

Determinism and Concurrency
- Accessing Resources
- Understanding TOCTOU Problems
- Reliable Locking Schemes
- Random Numbers and Temporary Files

Safe Error Handling and Logging
- Error and Exception Handling
- Programmatic Checks and Assertions
- Assertion Schemes
- Numeric Data Types
- Audit Logging
- Information Leakage and Debug Code

Cryptography
- Symmetric and Asymmetric Encryption
- Secure Hash Functions
- Message Authentication Codes and Digital Signatures
- Code Signing

Software Security in Operations
- Java Web Application Configuration
- Application Packaging
- Managing Key Material
- Secrets Inside Code
- Secret Encryption Key Exposure
Defensive Programming for PHP (Languages and Platforms)
Duration: 1 Hour | Level: Advanced

Description
PHP applications are prone to the vulnerabilities common to all web applications. Because of the characteristics of the platform, PHP applications can also be affected by a set of very specific issues that do not apply to other environments. This course teaches defensive programming techniques for safely using PHP in web applications to thwart attacks and reduce the risk of information breaches.

Course Themes
- Introduce defensive programming and configuration techniques for PHP-specific security issues
- Demonstrate methods to secure web application dataflow
- Prescribe ways to protect against cross-site request forgery
- Recommend effective tactics for secure SQL access, secure file upload and access, password handling, and secure PHP configuration

Learning Objectives
- Apply defensive programming techniques to mitigate PHP-specific security issues
- Apply defensive techniques to mitigate common web vulnerabilities
- Implement system access based on best practices
- Implement secure configuration based on best practices
- Confidently architect PHP applications securely

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Understanding of the PHP programming language

Prerequisites
- Foundations of Software Security
- OWASP Top 10
- Foundations of PHP Security
Defensive Programming for PHP: Course Outline

Input Validation
- Bad Code
- How to Do It
- Whitelisting, Blacklisting, and Rostering
- PHP Functions for Input Validation
- Better Code

Output Encoding
- Bad Code
- Implementing Secure Output Encoding
- Select the Proper Encoding Scheme
- Encoding Caveats

Cross-Site Request Forgery
- Description
- Mitigation
- CSRF Protection

Secure SQL Access
- SQL Injection Issues
- Mitigation Approach
- Better Code

System Command Handling

Error Handling
- Information Disclosure and Failing Insecurely
- Mitigation Approach

File Upload and File Access
- Insecure File Handling
- Secure File Upload
- Secure File Access
- Fixing Code

Password Handling in PHP

PHP Configuration Best Practices
- Weak Configuration
- SQL Access Secure Settings
- Good Configuration
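Three of the outlines above name the same control from different platforms: "Defending Against SQL Injection: JDBC Prepared Statements" (Java Advanced Secure Coding), "Insecure SQL Examples: raw(), connection.cursor(), extra()" (Python and Django), and "Secure SQL Access" (PHP). The following example is added for illustration and is not course material or Synopsys code. It shows the string-built query beside the parameterized one against an in-memory SQLite table, and the caveat a practitioner needs next: identifiers such as a sort column cannot be bound as parameters and must be allowlisted instead. The table, its rows, and the allowlist are constructed for the example.

```python
import sqlite3

# Assumed allowlist of sort columns; identifiers cannot be passed as bind parameters.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name"})


def build_db():
    """Constructed in-memory database with three users (sample data for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    """String-built query: the same anti-pattern as raw(f"...{name}..."), a cursor.execute
    with an interpolated string, or a JDBC Statement. The input becomes part of the SQL text."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the value is sent separately from the SQL text, so quotes
    inside it are data, never syntax. This is what a JDBC PreparedStatement does."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def list_users_sorted(conn, column):
    """ORDER BY takes an identifier, not a value: validate it against a closed allowlist,
    then it is safe to place in the SQL text."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # no user has that literal name
    print("sorted:", list_users_sorted(db, "name"))
```

With the payload above the unsafe query becomes `WHERE name = '' OR '1'='1'` and returns the whole table, while the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing. Escaping user input is the fallback for the cases parameters cannot cover, not a substitute for them.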
Building Security into ASP.NET MVC with C# (Languages and Platforms)
Duration: 1 Hour | Level: Intermediate

Description
ASP.NET MVC is the platform of choice for .NET developers. The security built into the ASP.NET framework has come a long way in 15 years, but developers must still remain vigilant when guarding their applications against attackers. In this course, learn the ins and outs of identity management, data protection best practices, attack prevention techniques, and other .NET security topics.

Course Themes
- Security principles
- Data protection
- Identity management
- Attack prevention

Learning Objectives
- Determine which features of ASP.NET MVC already meet your security requirements
- Understand where .NET leaves security up to the developer
- Understand the weaknesses in the built-in .NET security controls

Intended Audience
- Developers
- Product Architects
- Security Architects

Competencies
- Familiarity with ASP.NET MVC

Prerequisites
- None
Building Security into ASP.NET MVC with C#: Course Outline

Basics of Application Security
- Rise of the Vulnerability
- Accountability
- Business Impact
- Cost of Incidents and Detection

Security Principles
- Defense in Depth
- Positive Security Model
- Fail Securely
- Complexity Is the Enemy of Security
- Security by Obscurity
- Least Privilege
- Separation of Duties
- Do Not Trust the Client

Controls Built Into C#
- How the CLR Helps With Security
- System.Security
- Entity Framework and SQLi
- XML Protection

Handling Input Securely
- Input Validation
- Output Encoding
- Securing ViewState
- Template Injection
- Information Disclosure
- Anti-Request Forgery
- Open Redirect Attacks
- Cross-Site Scripting
- Enabling Cross-Origin Resource Sharing (CORS)

Identity Management
- Authentication
- Authorization

The Windows File System
- Directory Traversal
- File Injection
- Buffer Overrun

Exception Management
- Fully Managed Exceptions
- Logging
- Debugging

Data Protection
- Hashing for Integrity
- Hashing for Password Protection
- Encryption of Data at Rest
- Encryption of Data in Motion
- Key Management
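"Encoding Output" (JavaScript and HTML5), "Select the Proper Encoding Scheme" (PHP), and "Output Encoding" in the ASP.NET outline above all turn on the same point: the encoder must match the context the value lands in. The following example is added for illustration and is not course material or Synopsys code. It places one untrusted value into HTML text, an HTML attribute, a JavaScript string literal, and a URL query parameter, each with its own encoder, and the test shows why HTML entities are the wrong tool inside a script block. The encoders are written with the Python standard library; the page template and the JavaScript safe-character set are assumptions of the example.

```python
import html
from urllib.parse import quote

# Characters left unescaped inside a JavaScript string literal (assumed conservative set,
# in the spirit of encoder libraries that escape everything but alphanumerics).
_JS_SAFE = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,._")


def encode_html_text(value):
    """For text nodes: &, <, >, and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """For attribute values: same entities, and the caller MUST wrap the result in quotes;
    an unquoted attribute can be broken out of with a space alone."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """For a value inside a quoted JavaScript string literal: \\xHH / \\uHHHH escapes.
    HTML entities do not help here because the browser does not decode them inside <script>."""
    out = []
    for ch in value:
        if ch in _JS_SAFE:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_url_param(value):
    """For a value inside a query string: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_profile(display_name, redirect_target):
    """Constructed page fragment: the same untrusted name lands in three HTML contexts,
    and a second untrusted value lands in a URL parameter."""
    return (
        f"<p>Hello, {encode_html_text(display_name)}</p>\n"
        f'<input value="{encode_html_attr(display_name)}">\n'
        f"<script>var who = '{encode_js_string(display_name)}';</script>\n"
        f'<a href="/next?to={encode_url_param(redirect_target)}">next</a>'
    )


if __name__ == "__main__":
    print(render_profile("<img src=x onerror=alert(1)>", "https://evil.example/?a=1&b=2"))
```

The ordering matters when contexts nest: a value inside an event-handler attribute is first JavaScript-encoded and then attribute-encoded, because the browser decodes the attribute entities before the script engine sees the string.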
C/C++ Security (Languages and Platforms)
Duration: 1 Hour | Level: Advanced

Description
Writing secure code in C/C++ is far from trivial. This course introduces the complexity of working with the C/C++ family of languages, especially from a security perspective. Learn about the major security flaws that lead to insecure programs and how to combat them. Lesson topics include string handling, memory management, integer overflow and wraparound, format string attacks, and more.

Course Themes
- Common C/C++ language pitfalls and security controls
- Knowing your legacy code, and undefined behavior in the context of C/C++ and why it must be avoided
- Use of deprecated string functions, their replacements, and common patterns that lead to security flaws
- Memory management and string handling, with real-world exploits and code examples

Learning Objectives
- Identify use cases where C/C++ is widely used
- Apply best practices for safely manipulating strings
- Identify unsafe memory handling practices
- Apply mitigation techniques to common integer mishandling
- Understand issues with concurrency and parallelism
- Describe best practices for access controls

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists
- Code Auditors

Competencies
- Fluency in C or C++ development
- Understanding of component design

Prerequisites
- Foundations of Software Security
- OWASP Top 10
- Attack and Defense
C/C++ Security: Course Outline

Introduction to C/C++ Security
- C/C++ History
- The Challenge With C/C++
- Undefined Behavior

String Handling
- Introduction to String Handling
- Representation of Strings
- Improperly Bounded String Copies
- Off-by-One Errors
- Null-Termination Errors
- Truncation Issues

Memory Management
- Introduction to Memory Management
- Initialization Issues
- Checking Return Values
- Writing to Freed Memory
- Dereferencing Null Pointers
- Double Free
- Memory Leaks
- Zero-Length Allocations
- C++ Memory Management
- Checking for Allocation Failures
- Allocation and Deallocation Functions
- Exceptions in Destructors

Integers
- Integer Representation
- Wraparound
- Truncation Errors

Format String Attacks
- Introduction to Format Strings
- Crashing Programs
- Reading From the Stack
- Reading From Arbitrary Memory Addresses
- Buffer Overflows
- Writing to Arbitrary Memory Addresses

Concurrency
- Introduction to Concurrency
- Race Conditions
- Race Condition Mitigation With Mutex
- Value Corruption
- Volatile Objects
- Deadlock

File I/O
- Introduction to Interfaces
- Access Control Overview
- Elevated Privileges
- Dropping Privileges
- Permanently Dropping Privileges
- Directory Traversal
- Time of Check to Time of Use (TOCTOU)
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationOPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES
OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationHow NOT To Get Hacked
How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationRuby on Rails Secure Coding Recommendations
Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More information200 IT Security Job Interview Questions The Questions IT Leaders Ask
200 IT Security Job Interview Questions The Questions IT Leaders Ask IT security professionals with the right skills are in high demand. In 2015, the unemployment rate for information security managers
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationCourse overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)
Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationUnit Level Secure by Design Approach
Unit Level Secure by Design Approach Abstract Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju_MS@McAfee.com Joshua.Rebelo@Siemens.com With cyber-attacks on the rise and high-profile breaches
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationDefend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title
Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets
More informationEmbedded/Connected Device Secure Coding. 4-Day Course Syllabus
Embedded/Connected Device Secure Coding 4-Day Course Syllabus Embedded/Connected Device Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted
More informationEn partenariat avec CA Technologies. Genève, Hôtel Warwick,
SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationPND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access
The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 5+ hours of video material 10 virtual labs
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationMARCH Secure Software Development WHAT TO CONSIDER
MARCH 2017 Secure Software Development WHAT TO CONSIDER Table of Content Introduction... 2 Background... 3 Problem Statement... 3 Considerations... 4 Planning... 4 Start with security in requirements (Abuse
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationIs Your Web Application Really Secure? Ken Graf, Watchfire
Is Your Web Application Really Secure? Ken Graf, Watchfire What we will discuss today Pressures on the application lifecycle Why application security defects matter How to create hacker resistant business
More informationThreat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved
Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationAndrew van der Stock OWASP Foundation
Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, and AusCERT, and is a leading Australian
More informationPresentation Overview
Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationSymlink attacks. Do not assume that symlinks are trustworthy: Example 1
Symlink attacks Do not assume that symlinks are trustworthy: Example 1 Application A creates a file for writing in /tmp. It assumes that since the file name is unusual, or because it encodes A's name or
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More information