elearning Course Catalog


Updated 11/28/
Park Plaza, Suite 1400
Boston, MA

GENERAL DISCLAIMER

This document presents details about the training offerings from Synopsys at the time of its creation. Synopsys has used reasonable efforts to ensure that the information provided in this document is accurate and up-to-date, but details and offerings are subject to change. This document contains confidential information about Synopsys and its businesses. Copies of this document may only be provided, and disclosure of the information contained in it may only be made, with written prior agreement from Synopsys.

Ownership and Disposal
The information contained in this document is owned by Synopsys. The recipient shall dispose of the data as confidential waste and/or return the document to Synopsys upon request.

The Synopsys difference
Synopsys offers the most comprehensive solution for building integrity (security and quality) into your SDLC and supply chain. We've united leading testing technologies, automated analysis, and experts to create a robust portfolio of products and services. This portfolio enables companies to develop customized programs for detecting and remediating defects and vulnerabilities early in the development process, minimizing risk and maximizing productivity. Synopsys, a recognized leader in application security testing, is uniquely positioned to adapt and apply best practices to new technologies and trends such as IoT, DevOps, CI/CD, and the Cloud. We don't stop when the test is over. We offer onboarding and deployment assistance, targeted remediation guidance, and a variety of training solutions that empower you to optimize your investment. Whether you're just starting your journey or well on your way, our platform will help ensure the integrity of the applications that power your business. For more information go to

Synopsys, Inc.
185 Berry Street, Suite 6500
San Francisco, CA USA
U.S. Sales:
International Sales:
sig-info@synopsys.com

Synopsys elearning ... 4
Security Training for Every Role ... 5

Fundamental
Foundations of Software Security ... 6
Foundations of Information Security Awareness ... 8
OWASP Top 10 ... 10
Attack and Defense ... 12
PCI DSS Security ... 14
Introduction to Cryptography for Developers and Architects ... 15

Defensive Strategies
Secure Password Storage ... 17

Languages and Platforms
Introduction to JavaScript Security ... 19
Java Security Fundamentals ... 21
Foundations of .NET Platform Security ... 23
Foundations of PHP Security ... 25
Foundations of COBOL Security ... 27
Java Advanced Secure Coding ... 29
Defensive Programming for Python and Django ... 31
Defensive Programming for JavaScript and HTML5
Defensive Programming for JavaEE Web Applications ... 35
Defensive Programming for PHP ... 37
Building Security into ASP.NET MVC with C# ... 39
C/C++ Security
Defensive Programming for COBOL ... 43

Security Enablement Services
OAuth 2.0 Security
SAML Security
OpenID Connect

Mobile
Foundations of Mobile Security ... 51
Android Security
Fundamentals of iOS
Secure Programming for iOS ... 58

Requirements, Architecture, and Training
Architecture Risk Analysis ... 60
Foundations of Software Security Requirements ... 62
Risk-Based Security Testing Strategy ... 64

Microcourses
Hapi.js Security
React.js Security
Securing MongoDB

SYNOPSYS ELEARNING

Synopsys offers a hosted elearning curriculum that enables organizations of all sizes to quickly deploy industry-leading training companywide. Synopsys elearning is a subscription-based online training service providing on-demand, unlimited access to Synopsys' comprehensive library of hosted elearning courses. With an annual subscription, you get 24/7 access to Synopsys' interactive security courses, including knowledge checks and final exams, individual and group reporting, and periodic content updates, so you can easily meet compliance and contractual training requirements. For companies that deploy their own learning management system (LMS), all elearning courses are SCORM-compliant and can be deployed within your current LMS.

SECURITY TRAINING FOR EVERY ROLE

Synopsys' software security curriculum provides valuable knowledge across every role within software development organizations. Synopsys elearning features a broad library of 29 courses and 3 microcourses, so you can design a long-term plan to increase the security knowledge and skills of everyone within your SDLC. Below you'll find some sample learning paths for developers and architects. Pick and choose the courses your developers need, or design your own learning path; it's up to you.

Sample learning paths (Introductory, Intermediate, Advanced) by role: Front-End Developers, Back-End Developers, Enterprise Developers, Mobile Developers, QA Engineers, Architects.

Foundations of Software Security; Foundations of Software Security; Foundations of Software Security; Foundations of Mobile Security; Foundations of Software Security; Foundations of Software Security; OWASP Top 10; OWASP Top 10; Attack and Defense; OWASP Top 10; OWASP Top 10; OWASP Top 10; PCI DSS Security; PCI DSS Security; Introduction to Cryptography; PCI DSS Security; Foundations of Software Security Requirements; PCI DSS Security; Introduction to Cryptography; Introduction to Cryptography; Secure Password Storage; Introduction to Cryptography; Risk-Based Security Testing Strategy; Introduction to Cryptography; Secure Password Storage; Secure Password Storage; Foundations of COBOL Security; Fundamentals of iOS; Secure Password Storage; Introduction to JavaScript Security or PHP; OAuth 2.0 Security; OAuth 2.0 Security; OAuth 2.0 Security; Android Security; SAML Security; SAML Security; SAML Security; Hapi.js Security; React.js Security; React.js Security; Hapi.js Security; OpenID Connect; Securing MongoDB; Securing MongoDB; Defensive Programming for JavaScript and HTML5 or PHP; Foundations of .NET; Java Advanced Secure Coding; Defensive Programming for COBOL, Java Advanced Secure Coding, C/C++ Security, Building Security into ASP.NET MVC with C#; Java Advanced Secure Coding, Secure Programming for iOS; Java Advanced Secure Coding, Architecture Risk Analysis.

Foundations of Software Security (Fundamental)

Description
Dive into the basics of software security inside the development process. This course introduces the fundamentals of software security problems, risks, and general approaches for producing better software. It also describes an approach to building software security into the development process to help you produce better software. This course was created by the experts who literally wrote the book on software security. The approaches described here are currently being utilized by leading global companies with mature software security initiatives.

Course Themes
- Clearly define the software security problem
- Describe how and why software is exploited
- Introduce and describe a set of key software security principles and concepts that can be integrated into any existing software development life cycle

Learning Objectives
- Discuss basic security terminology comfortably when discussing your own development work
- Confidently contribute to discussions surrounding software security principles
- Participate in the initial strategy, formation, and role delegation of a software security initiative
- Confidently begin to contribute to your company's overall design of a software security strategy

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Understanding of the software development life cycle
Prerequisites: None
Duration: ¾ Hour
Level: Introductory

Foundations of Software Security (Fundamental): Course Outline

Basic Software Security Concepts: The Importance of Software Security; Software Security Vocabulary; What Is Secure Software?; Obstacles to Software Security; Building Security In; Roles in Software Security.
Defect Discovery and Management: Assessing Software Is Necessary; Discovery Method Pros and Cons; The Importance of Fixing Software.
Fundamentals of a Software Security Initiative: Goals of a Software Security Initiative; Engineering and Governance; SSG, Outreach, and Satellites; Vendor Management; Evolution of a Software Security Initiative.
Software Security Engineering: The Touchpoints; Secure Software Development Life Cycle.
Software Security Engineering (Continued): Software Security Intelligence; Technical Standards and Reference Frameworks; Training.

Foundations of Information Security Awareness (Fundamental)

Description
Security awareness is a process of constant refinement and education. Every person has a key role in keeping their company secure and out of the headlines. This course will walk through what it takes to effectively identify and act upon security risks in your personal and work lives. It will cover a broad range of modern security topics and provide actionable advice for increasing your overall security posture.

Course Themes
When delivered effectively, a comprehensive information security awareness program can reduce the attack surface and corporate risk of an organization and build a culture of responsibility around information security. A company is only as strong as its weakest link, and this course aims to educate and inform employees about pressing security topics that they can take action on immediately.

Learning Objectives
- Quickly identify potential common security risks in the workplace
- Assess the security of workstations, mobile devices, and office spaces
- Build a strong password creation and storage mechanism
- Recognize the implications of real-world data breaches
- Identify corporate information assets and understand how to handle them securely

Intended Audience: Everyone
Competencies: None
Prerequisites: None
Duration: 1 Hour
Level: Introductory

Foundations of Information Security Awareness (Fundamental): Course Outline

Introduction to Information Security Awareness: What Exactly Is Security Awareness?; Identifying and Understanding Information Assets; Boundaries Between Work and Home.
Workstation Security: Overview; Physical Security; Network Connections; Malicious Software; Defense Mechanisms.
User Account Security: Introduction: Accounts Rule the Web; Password Security; Password Managers; Multifactor Authentication.
Social Engineering: Introduction: People as a Target; Physical Social Engineering; Phishing Attacks; Voice and SMS Phishing; Phishing in the Real World.
Anatomy of a Breach: Introduction; The Entry; The Foothold; The Exploit; Fallout and Impact; Lessons Learned.
Mobile Device Security: Intro: Mobile Devices in the Workplace; Physical Device Security; Mobile Device Security Settings.

OWASP Top 10 (Fundamental)

Description
This course will help professionals understand the value and limits of the OWASP Top 10. While the OWASP Top 10 is a valuable awareness document about some of the major risks in web applications today, the list is incomplete and largely provides only an attacker perspective. The course will both highlight the good and point out some things that are missing in the OWASP Top 10 that IT professionals still need to be aware of.

Course Themes
- Introduce the most prevalent web application security issues
- Describe testing methods and applications
- Provide remediation guidance to help eradicate specific issues
- Demonstrate how the issues are exploited by attackers

Learning Objectives
- Discuss the role of security in the software development life cycle and how best to create secure applications
- Recognize how these software security defects are exploited
- Discuss discovery methods for these issues
- Implement the practices that help prevent the most common mistakes and lead to more secure software

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with at least one web programming language
Prerequisites: Foundations of Software Security
Duration: 1 ½ Hours
Level: Introductory

OWASP Top 10 (Fundamental): Course Outline

Introduction to the OWASP Top 10.
Injection: SQL Injection; Command Injection; When Injection Gets Serious.
Broken Authentication and Session Management: Session Security Overview; Session Security Considerations; Authentication Security; Lifeboat's Sinking Ship.
Cross-Site Scripting: XSS Protection Checklist; Samy and His Friends; XSS Protection: Guidelines.
Insecure Direct Object References: Insecure Direct Object References: In a Nutshell; Creating Your Own Users for Fun and Profit.
Sensitive Data Exposure: Handling Sensitive Data Securely; Source Code Woes.
Missing Function Level Access Control: Strategies.
Cross-Site Request Forgery: Protecting Against CSRF; A Sly DNS Swap.
Using Components With Known Vulnerabilities: Securing Third-Party Software Components; An Upstream Bug.
Unvalidated Redirects and Forwards: About Redirects; About Forwards; Preventing Unvalidated Redirects and Forwards; Yahoo's Unvalidated Redirect.
Security Misconfigurations: Protection; Is Big Brother Watching?

Attack and Defense (Fundamental)

Description
Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their street cred. There is no shortage of publicly known attack tools and techniques, and as software developers we are outnumbered and at the front line of the defense. This course will teach you how vulnerabilities are discovered and exploited in the real world and how to build a strong line of defense.

Course Themes
- Anatomy of a web application attack
- Exploitation
- Testing for vulnerabilities
- Secure development concepts
- Defending against attacks
- Monitoring and identifying suspicious behavior

Learning Objectives
- Recognize security flaws in web applications
- Build defenses against common web application vulnerabilities
- Use tools and techniques to test your own applications for vulnerabilities
- Implement application features that will enhance your users' security posture

Intended Audience: Developers, System Administrators, Architects, Security Specialists
Competencies: Familiarity with at least one programming language; general web application knowledge
Prerequisites: Foundations of Software Security; Foundations of Information Security Awareness
Duration: 1 Hour
Level: Introductory

Attack and Defense (Fundamental): Course Outline

Introduction to Attack and Defense: Vulnerabilities Are Here to Stay; Security Is a Challenge; Impacts of Insecure Software; Understanding the Adversary; Real-World Impacts.
Data Protection: Protecting Data in Motion; Protecting Data at Rest.
Handling User Input: Injection Attacks.
Authentication and Authorization: Authentication and Authorization Attacks; Authentication and Authorization Defenses.
Session Protection: Attacking Sessions; Session Protection Mechanisms.
Security Configurations: Third-Party Components; Default Configurations; Debugging and Error Handling.
Monitoring and Detection: Intrusion Detection; Honeypots; Anomaly Detection (Geolocation and Pattern Matching).

PCI DSS Security (Fundamental)

Description
Developers that work on PCI DSS relevant applications are mandated to complete security training on an annual basis. In this course, developers will learn the PCI DSS training requirements, the current OWASP Top 10 vulnerabilities, coding practices that help prevent them, secure memory handling for application development, attacks that leverage volatile memory, and techniques for protecting sensitive data.

Course Themes
- PCI DSS training requirements for developers
- OWASP Top 10 vulnerabilities and how to avoid them
- Secure memory development
- Impact of memory handling vulnerabilities

Learning Objectives
- Understand the annual development training requirements mandated by the PCI DSS
- Demonstrate understanding of the OWASP Top 10 web vulnerabilities
- Understand methods for developing code securely and preventing the OWASP Top 10 vulnerabilities
- Understand the importance of developing applications that handle sensitive information in memory securely
- Satisfy requirement 6.5 of the PCI DSS

Intended Audience: Developers, Product Architects, Security Architects
Competencies: Familiarity with web programming environments and technologies
Prerequisites: OWASP Top 10
Duration: ½ Hour
Level: Introductory

Introduction to Cryptography for Developers and Architects (Fundamental)

Description
Cryptography is used to address issues of confidentiality, data integrity, data origin authentication, entity authentication, and nonrepudiation. Although cryptography does not eliminate security issues, it does make them more manageable by reducing the task of protecting a large amount of data to a matter of protecting a relatively small key. This course discusses the use of cryptographic algorithms and techniques as they are typically applied within the practice of information security.

Course Themes
- Examine the security of various cryptographic primitives and protocols
- Describe important options to consider when choosing such primitives
- Provide a comprehensive overview of common mistakes and lessons learned when designing and implementing cryptographic controls

Learning Objectives
- Define cryptography and cryptographic primitives as they apply to software security practices
- Identify the most common cryptographic primitives and their respective purposes
- Identify common cryptography errors and how to avoid them
- Make appropriate design decisions when implementing cryptographic controls into the information security process

Intended Audience: Developers, Architects
Competencies: Familiarity with standard software design and development
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: 1 ½ Hours
Level: Introductory

Introduction to Cryptography for Developers and Architects (Fundamental): Course Outline

Cryptography and Cryptographic Primitives: Uses of Cryptography; Common Cryptographic Primitives.
Encryption: Symmetric vs. Asymmetric Encryption; Common Types of Encryption; Block Ciphers and Stream Ciphers; Block Cipher Encryption Modes; Initialization Vectors; Block Cipher Padding Modes; Common Types of Asymmetric Key Encryption.
Hash Functions: Cryptographic Hash Functions; Algorithms and Uses; Protecting Data Integrity.
Message Authentication Codes (MAC): Common Functions and Algorithms; How It Works; Problem and Solution.
Digital Signatures: Digital Signature Algorithms; Problem and Solutions.
Putting It All Together: SSL.
Security of Cryptographic Primitives and Protocols: Cryptographic Primitive/Protocol Security; Security of Algorithms Over Time; Security Over Time Lessons Learned; Choosing Your Cryptographic Primitives.
Typical Attackers and Attacks: Criminals; Kiddies/Amateur Hackers; Crime/Dedicated Hackers; Researchers; Government Agencies.
Common Mistakes and Lessons Learned: TI Digital Signature Transponder Case Study; GSM Security; Content Scrambling System; Wired Equivalent Privacy; Secure Sockets Layer; Cryptographic Algorithms Implementation Case Study; Using WEP; Using Cryptography.
Future of Cryptography.

Secure Password Storage (Defensive Strategies)

Description
This course introduces popular approaches to user password protection and storage, analyzing their common weaknesses and those properties that help schemes resist attack. By learning to evaluate password storage schemes through the properties of their building blocks (hashes, salts, and algorithms), you will be able to properly evaluate password storage options in your development framework and to articulate the trade-offs between modern schemes. At course end, you will be able to select and harden through configuration your application's password storage scheme or select a suitable replacement that best meets your application's needs.

Learning Objectives
- Evaluate current best practice solutions for secure password storage
- Recognize that attackers have sophisticated cracking resources
- Discuss how currently adopted password storage solutions are insecure
- Show why current solutions do not prevent user passwords from being revealed to an attacker
- Discuss the password security pros and cons of algorithms like bcrypt/scrypt
- Propose an alternate approach to strengthening current password security solutions

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: None
Prerequisites: None
Duration: 1 Hour
Level: Intermediate

Secure Password Storage (Defensive Strategies): Course Outline

Password Storage Overview: Introduction; Password Storage Defined; The Bumpy Road; Password Storage Risk; Two Basic Rules; Risks Revealed.
Simple Hashes: Introduction; What Is a Hash Function?; Hash Function Properties; Example Hash Function; Risk of Hash Function; Rainbow Tables; Rainbow vs. Lookup Tables; Conclusion.
Salted Hashes: Introduction; Salted Hash Definition; Benefits of Salted Hashes; Risks of Salted Hashes; Salted Hashes Best Practices; Conclusion.
Keyed Hash Functions: Introduction; Defining HMACs; HMAC Password Storage; Benefits of HMAC; HMAC Considerations; Implementation Challenges; Implementation Recommendations; Conclusion.
Adaptive Hash Functions: Introduction; What Is an Adaptive Hash?; Benefits of Adaptive Hashes; Adaptive Hash Protection; Examples of Adaptive Hash; Considerations; Recommendations; Conclusion.

Introduction to JavaScript Security (Languages and Platforms)

Description
This course presents an overview of the quirks and features that make JavaScript a flexible, powerful, and popular language. It covers the security features built into the JavaScript language, as well as the security features provided by browsers that are utilized by JavaScript web applications. Other lesson topics include cross-site scripting, JavaScript execution contexts, dataflow concepts for identifying the issues, protection mechanisms, the clickjacking vulnerability, and mitigation methods.

Course Themes
- JavaScript language specifics
- Browser security controls
- JavaScript execution contexts
- Common vulnerabilities and mitigation techniques
- JavaScript code analysis

Learning Objectives
- Navigate JavaScript language specifics, like comparisons and scoping, that can cause security issues
- Identify JavaScript execution contexts
- Perform manual dataflow analysis with the knowledge of JavaScript sources and sinks
- Find common XSS issues in JavaScript code and select the best protection method for each case
- Apply several mitigation techniques against clickjacking vulnerabilities
- Compare different tools for managing third-party dependencies

Intended Audience: JavaScript developers with limited security knowledge
Competencies: 1-2 years' experience developing in JavaScript
Prerequisites: OWASP Top 10
Duration: 1 ¼ Hours
Level: Introductory

Introduction to JavaScript Security (Languages and Platforms): Course Outline

Introduction to JavaScript: JavaScript Basics; Strict Mode.
XSS and Untrusted Data Sources: XSS Dataflow; Untrusted Data Sources.
JavaScript Execution Contexts: Inline JavaScript; External JavaScript; Event Handlers; Scalable Vector Graphics; Uniform Resource Identifier; Time Functions.
XSS Defense Measures: Output Encoding; HTML Sanitization; AngularJS; Input Validation; JSON Load Resourcing; Content Security Policy; Content Security Policy Hashing and Nonces.
Iframes and Clickjacking: Content Security Policy; X-Frame-Options; Frame Busting.
Managing Third-Party Dependencies and Code Analysis: Package Managers; Third-Party Dependency Audit; Code Analysis.

Java Security Fundamentals (Languages and Platforms)

Description
No matter what product or service you're building, understanding Java platform security is an essential foundation. Learn platform security concepts along with practical security knowledge you can immediately apply to your own project. Learners will write secure code using platform APIs and identify common mistakes. This course is beneficial whether you're building desktop applications, web applications, service infrastructure, the Internet of Things (IoT), or embedded applications.

Course Themes
- Platform security concepts, features, and tools
- Secure platform coding techniques
- Avoiding common pitfalls

Learning Objectives
- Tackle Java platform security concepts and architecture
- Implement public key infrastructure (PKI) and Java trust management concepts
- Write secure code using Java SE APIs
- Avoid common platform security pitfalls

Intended Audience: Developers, Product Architects, Security Architects
Competencies: Working knowledge of the Java platform and language
Prerequisites: None
Duration: 1 Hour
Level: Introductory

Java Security Fundamentals (Languages and Platforms): Course Outline

The Java Security Architecture: The Java Security Model; The Bytecode Verifier; The Class Loader; The Security Manager.
Security Features of the Java Platform: Security Advantages of the Language; Automatic Memory Management; Code Signing; Application Sandboxing.
Code-Centric Access Control: Permissions; Protection Domains and Security Policies; Security Managers and Access Controllers; Access Controller Algorithm.
Cryptography: The Java Cryptographic Architecture (JCA); Cryptographic Services; The JCA API.
Other Security Services: Java Authentication and Authorization Services; Public Key Infrastructure; Channel Security.
Risks Inherent to the Java Platform: Immutable Strings; The doPrivileged() Function; The Java Native Interface (JNI); Introspection.

Foundations of .NET Platform Security (Languages and Platforms)

Description
The .NET platform serves as a powerful framework for developing a wide range of applications, from rich websites and desktop applications to versatile shared libraries and embedded systems. The platform's specific architecture and unique security model set it apart from other environments. While these traits offer developers and architects a variety of enhancements to the capabilities of their applications, they also introduce specific risks from an application security perspective.

Course Themes
- Clearly define the .NET platform security model
- Describe fundamental components of the .NET platform and the security implications of each
- Explain common security issues inherent in key features of the platform along with mitigation strategies for each

Learning Objectives
- Identify the .NET framework components and related concepts
- Identify and strategize the use of .NET security features
- Identify limitations for each security feature
- Implement security processes into the development of .NET applications based on best practices

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the .NET platform and .NET programming languages such as C#.NET
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: ¾ Hour
Level: Intermediate

Foundations of .NET Platform Security (Languages and Platforms): Course Outline

Java Platform Security Overview: Platform Security; Cryptography; Authentication and Access Control; Secure Communications; Public Key Infrastructure (PKI).
Platform Security: Strong Data Typing; Automatic Memory Management; Bytecode Verification; Secure Class Loading; Exception Handling.
Operational Concerns: Strategic Design for Security; Restrict Process Security Privileges; Data Validation.
Logging: Logging Concepts; Logging for Security, Audit, and Diagnostics; Java Logging and Alternatives.
Advanced Secure Coding Concepts: Avoid Strings for Volatile Secrets; Avoid Deserializing Objects From Untrusted Sources; Java Native Interface (JNI) Bypasses Platform Safety Controls; Safe Expansion of ZIP Files.

Foundations of PHP Security (Languages and Platforms)

Description
PHP has evolved significantly from its insecure early versions into a robust and trustworthy language. However, many of the fundamentally insecure features remain in common use today. PHP developers must familiarize themselves with common security vulnerabilities and how they can be exploited to damage a web application. This course prepares you for Defensive Programming for PHP by explaining the attack surface so you can easily recognize the errors that can put an overall system at risk.

Course Themes
- Describe the risks inherent to the PHP programming language
- Explain common vulnerabilities affecting PHP applications and web applications as a whole
- Demonstrate the risks resulting from insecure PHP configuration

Learning Objectives
- Identify the risks inherent to the PHP programming language
- Explain the risks resulting from insecure PHP configurations
- Distinguish between common vulnerabilities that affect PHP applications

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the PHP programming language
Prerequisites: Foundations of Software Security; OWASP Top 10
Duration: ¾ Hour
Level: Intermediate

Foundations of PHP Security (Languages and Platforms): Course Outline

General PHP Security Concerns: Lack of Sandboxing; Local File Inclusion; Unsafe PHP Functions; Unsafe PHP Configuration; NULL Byte Issues; PRNG in PHP; .inc File Extension.
Dynamic Code: Risk Description; Dynamic Variables; Dynamic Functions; Array Functions; Uninitialized Variables.
Common Web Vulnerabilities in PHP Applications: Cross-Site Scripting; SQL Injection; Cross-Site Request Forgery.
Other Issues: Mail Injection; XML Injection; LDAP Injection.

Foundations of COBOL Security (Languages and Platforms)

Description
There are many risks and myths associated with COBOL programming security. In this course, we'll review COBOL programming best practices, discuss a taxonomy of COBOL system vulnerabilities, and provide guidance on how to avoid or mitigate them.

Course Themes
- COBOL application architecture and implementing security requirements within code and environment configurations
- Best practices for mitigating common vulnerabilities
- Increased coverage of secure logging, error handling, secure input validation, and data representation

Learning Objectives
- Recognize common security risks with COBOL programs
- Identify security vulnerabilities in COBOL code
- Write secure code to mitigate risk

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Understanding of COBOL development
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: 1 Hour
Level: Introductory

Foundations of COBOL Security (Languages and Platforms): Course Outline

COBOL Ecosystem: Introduction; OLTP Applications; Batch Processing Applications; Examples of COBOL Applications; Architecture; Architecture Exploitation With Middleware; Architecture Key Terms; Changing Environment.
Typical COBOL System Assets: Introduction; Never Disclose Mainframe Software; Handling Sensitive Information; Unauthorized Access; The Cost of (In)Security; Security Breaches and COBOL; Hacking Critical Business Assets; Hacking Insurance; Sailing With Pirates.
COBOL Security Myths: The Security Myths of COBOL; Myth 1: COBOL Applications Are Not Connected to the Internet; Myth 2: Common Attack Techniques Do Not Apply to Batch-Mode Mainframe Applications; Myth 3: COBOL Applications Are Not Responsible for Input Validation; Myth 4: Hackers Are Not Interested in Targeting COBOL Applications.
Understand Security Principles: Introduction to Security Principles; Building an Application? Ask These Questions; Authentication Overview; Achieving Secure Authentication; Authorization Overview; Authorization Models and Solutions; Authorization Check Example; Vulnerabilities Identified in z/OS Mainframe Systems; Further Learning.
Ensure Secure Input Validation and Data Representation: Recognizing Harmful Data; SQL Injection and COBOL; Prevent Data Leakage: Buffer Overflow; Approaching Input Validation; Output Encoding; Output Encoding Example.
Secure Database Access: Why Databases Are Business-Critical; Assuring Access Is Secure; Example: Clear Text; Example: Insecure Data Access Using BIND Utility.
Secure Logging Practices: Why Logs Are Kept; Logs and Attackers; Follow Logging Practices; Example: Scrubbing Logs of Sensitive Information.
Secure Error Handling: Introduction; Security Problems; Common Problems; Hackers Looking for Messages; Error Handling: Mitigation Practices; Failure to Handle Errors; Detection; Next Steps; Errors and System Functions; Example: Secure Error Handling.

29 Java Advanced Secure Coding
Languages and Platforms
Duration: 1 Hour
Level: Advanced

Description
Java Advanced Secure Coding builds on the concepts introduced in Java Security Fundamentals. In this course, developers will learn advanced coding concepts and platform security features, such as injection attack prevention, platform authentication and access control, cryptography, secure network communications, public key infrastructure, web security, and an introduction to the new features introduced in Java 8/9.

Course Themes
Common vulnerabilities
Platform and third-party security controls
Applied defensive techniques

Learning Objectives
Understand platform authentication and access control libraries, cryptography, and secure communications over untrusted networks
Understand PKI concepts and relevant Java platform security controls, such as the CertPath API, PKIX, and OCSP/CRL revocation services
Apply practical ideas to defend against SQL injection, XML parser attacks, CSRF, XSS, URL attacks and HTTP response redirect attacks, and more using Java platform and third-party security libraries, such as OWASP

Intended Audience
Developers
Product Architects
Security Architects

Competencies
Understanding of Java language

Prerequisites
Java Security Fundamentals

30 Java Advanced Secure Coding
Languages and Platforms

Course Outline

Java Advanced Secure Coding
Introduction
Preventing Injection
Authentication and Access Control
Cryptography
Secure Communications
Public Key Infrastructure (PKI)
Web Security
Important Security Features in Java SE 8/9

Preventing Injection
Introduction
Defending Against SQL Injection: JDBC Prepared Statements
Encoding Reserved Control Sequences Within Untrusted Input
XML Parsers Protection From XXE
Secure Random Number Generation

Authentication and Access Control
Introduction
Java Authentication and Authorization Service (JAAS)
Security Policies
Security Manager
Sandbox Security
Hot Waters: Building Your Own Security Controls

Cryptography
Introduction
Message Digests
Ciphers
Digital Signatures
Heartbleed Bug

Secure Communications
Introduction
Java Secure Socket Extension
GSS-API
SASL-API

Public Key Infrastructure
Introduction
Java's PKI Model
Support Trust Management in Java
Java CertPath API
Revocation Services

Web Security
Introduction
Cross-Site Request Forgery Defense
CSRF Defense Example
Advice for Defending Against CSRF Attacks
Open Redirect Defense
URL Validation
HTTP Security Response Headers
User Interface Security

Important Security Features
Introduction
Security Changes for Java 8
Security Changes for Java 9
Brief Considerations When Upgrading to Java 9

Java Advanced Secure Coding Assessment

31 Defensive Programming for Python and Django
Languages and Platforms
Duration: 1 ½ Hours
Level: Advanced

Description
Django is a web framework built on Python that allows developers to quickly build web applications in a familiar MVC architecture. While the Django project treats security as a first-class citizen, there are still pitfalls to be aware of when writing web applications using Django. This course focuses on teaching defensive programming techniques for safely using Python and Django.

Course Themes
Demonstrate methods to secure dataflow by consistently applying input validation and output encoding techniques
Introduce secure methods to ensure permissions are applied at the right level of granularity for authorization
Introduce and explain common security assessment approaches

Learning Objectives
Recognize Django as a web development framework
Implement Django configuration in a secure fashion
Implement proper authentication and authorization
Recognize best practices for secure session management
Strategize the prevention of injection attacks

Intended Audience
Developers
QA Engineers
Architects
Application Security Specialists

Competencies
Basic understanding of computer and operating system architecture
Basic understanding of the software development life cycle
Basic understanding of Python

Prerequisites
Foundations of Software Security
OWASP Top 10

32 Defensive Programming for Python and Django
Languages and Platforms

Course Outline

Introduction to Python
Python Overview
Django Overview

Authentication
Authentication Overview
Missing and Broken Authentication
Client-Side Authentication
Authentication Factors and Multifactor Authentication
Authentication in Django
User Authentication and Access Restriction
Brute Force Attack Protection

Authorization
Authorization Overview
Vertical and Horizontal Privilege Escalation
Forceful Browsing
Authorization in Django
Django Permissions

Session Management
Session Management Overview
Session ID Attacks: Brute Force and Fixation
Network Sniffing
Session Management in Django
Persistent and Cookie-Based Sessions
Cryptographic Signing

Validation and Encoding
Input Validation and Output Encoding
Injection, Path Traversal, and Open Redirect Attacks
Best Protection Against Injection Attacks
Input Validation and Output Encoding in Django
Input, Field, and Form Validation
Validation Methods and Errors
Object-Role Modeling
Object-Role Modeling in Django
Adding Permissions to a Model and Modifying Permissions
SQL Injection Vulnerabilities in Django
Django ORM Protection
Insecure SQL Examples: raw(), connection.cursor(), extra()
Protection from SQL Injection in Django
Stored Procedures and Escaping User Input

Configuration
Environment/Framework Configuration
Environment/Framework for Django
Environment-Specific Configuration
Configuring Error-Handling Pages and Notifications
Password Storage

Direct Attack Resistance
Direct Attack Overview
Cross-Site Request Forgery, Cross-Site Scripting, DOM-Based XSS, and Clickjacking
Direct Attack Protection in Django

33 Defensive Programming for JavaScript and HTML5
Languages and Platforms
Duration: ½ Hour
Level: Advanced

Description
HTML5 and JavaScript introduce a new set of functionality to help developers create even more dynamic and feature-rich web applications. This functionality introduces its very own set of security risks that needs to be carefully considered. Creating secure modern web applications requires that developers follow a set of defensive programming best practices for client-side storage, cross-domain communications, and secure I/O. This course focuses on teaching defensive programming techniques for safely using JavaScript, HTML5, and associated technologies such as JSON.

Course Themes
Demonstrate methods to secure dataflow by consistently applying input validation and output encoding techniques
Introduce secure methods to store sensitive data and secure cross-domain communications
Prescribe the secure usage of features such as cross-origin resource sharing (CORS), iframe sandboxing, and web storage
Introduce and explain common security assessment approaches

Learning Objectives
Confidently apply HTML5, JavaScript, and JSON defensive programming techniques
Evaluate common approaches for selecting defensive programming techniques

Intended Audience
Developers
QA Engineers
Architects
Application Security Specialists

Competencies
Familiarity with web programming languages, specifically JavaScript or HTML

Prerequisites
Foundations of Software Security
OWASP Top 10

34 Defensive Programming for JavaScript and HTML5
Languages and Platforms

Course Outline

Storage of Sensitive Data

Secure Cross-Domain Communications
Validating Message Origin and Data
Enforcing a Strict CORS Policy
Weak CORS Policy
Fixing the CORS Policy
Properly Sandboxing Iframes
Other Cross-Domain Considerations
window.name for Messaging
Fragment Identifier Messaging
document.domain Property
WebSocket Origin Header

Implementing Secure Dataflow
Understanding Dataflow
Performing Input Validation
Whitelisting, Blacklisting, and Rostering
Encoding Output
Additional Strategies for Preventing Malicious JavaScript
Setting Cookies as HttpOnly
JSON-Related Best Practices

Common Assessment Approaches
Secure Code Reviewing
Dynamic Analysis

35 Defensive Programming for JavaEE Web Applications
Languages and Platforms
Duration: 2 ½ Hours
Level: Advanced

Description
JavaEE-based applications are prone to vulnerabilities common in all enterprise applications. Due to the characteristics of the platform, JavaEE applications can also be affected by a set of very specific issues that do not apply to other environments. This course focuses on teaching defensive programming techniques for safely using JavaEE to thwart attacks and reduce the risk of information breaches.

Course Themes
Review the basic constructs of the Java platform as they pertain to software security
Outline secure ways of handling errors, data input, and data output
Illustrate common security errors and how they might appear in your source code
Recommend best practices for engineering security features

Learning Objectives
Apply best practices when developing software to avoid common security coding errors
Identify ways in which JavaEE vulnerabilities can be exploited
Identify multiple secure alternatives to fix common security bugs in code
Recognize more security errors when reviewing source code either manually or using automated code-scanning tools
Eliminate or mitigate security coding errors in your products with increased efficiency

Intended Audience
Developers
QA Engineers
Architects
Application Security Specialists

Competencies
Familiarity with Java and JSP programming

Prerequisites
Foundations of Software Security
OWASP Top 10 or Attack and Defense
Java Security Fundamentals

36 Defensive Programming for JavaEE Web Applications
Languages and Platforms

Course Outline

Introduction
Software Vulnerability Growth
The Software Security Challenge

Understanding the Platform
Language Considerations
Memory Management Features
Garbage Collection
Framework Security Model
Java Security Model
Dangers of doPrivileged()
Security Manager Best Practices

Identity and Session Management
Authentication
Authorization
Session Management

Injection Attacks
Data and Control Vectors
Command Injection
Input Validation
Regular Expressions
Unicode Mishandling
Output Encoding
HTML and URL Encoding in Practice
Input Validation Theory and Flow
Injection Attacks and Remediation
SQL Injection
Cross-Site Scripting
XML Attacks
Log Injection
Path Manipulation
Cross-Site Request Forgery
Client-Side Trust

Determinism and Concurrency
Accessing Resources
Understanding TOCTOU Problems
Reliable Locking Schemes
Random Numbers and Temporary Files

Safe Error Handling and Logging
Error and Exception Handling
Programmatic Checks and Assertions
Assertion Schemes
Numeric Data Types
Audit Logging
Information Leakage and Debug Code

Cryptography
Symmetric and Asymmetric Encryption
Secure Hash Functions
Message Authentication Codes and Digital Signatures
Code Signing

Software Security in Operations
Java Web Application Configuration
Application Packaging
Managing Key Material
Secrets Inside Code
Secret Encryption Key Exposure

37 Defensive Programming for PHP
Languages and Platforms
Duration: 1 Hour
Level: Advanced

Description
PHP applications are prone to vulnerabilities common in all web applications. Due to the characteristics of the platform, PHP applications can be affected by a set of very specific issues that do not apply to other environments. This course focuses on teaching defensive programming techniques for safely using PHP in your web applications to thwart attacks and reduce the risk of information breaches.

Course Themes
Introduce defensive programming and configuration techniques for PHP-specific security issues
Demonstrate methods to secure web application dataflow
Prescribe ways to protect against cross-site request forgery
Recommend effective tactics to implement secure SQL access, secure file upload and access, password handling, and secure PHP configuration

Learning Objectives
Apply defensive programming techniques to mitigate PHP-specific security issues
Apply defensive techniques to mitigate common web vulnerabilities
Implement system access based on best practices
Implement secure configuration based on best practices
Confidently architect PHP applications securely

Intended Audience
Developers
QA Engineers
Architects
Application Security Specialists

Competencies
Understanding of the PHP programming language

Prerequisites
Foundations of Software Security
OWASP Top 10
Foundations of PHP Security

38 Defensive Programming for PHP
Languages and Platforms

Course Outline

Input Validation
Bad Code
How to Do It
Whitelisting, Blacklisting, and Rostering
PHP Functions for Input Validation
Better Code

Output Encoding
Bad Code
Implementing Secure Output Encoding
Select the Proper Encoding Scheme
Encoding Caveats

Cross-Site Request Forgery
Description
Mitigation
CSRF Protection

Secure SQL Access
SQL Injection Issues
Mitigation Approach
Better Code

System Command Handling

Error Handling
Information Disclosure and Failing Insecurely
Mitigation Approach

File Upload and File Access
Insecure File Handling
Secure File Upload
Secure File Access
Fixing Code

Password Handling in PHP

PHP Configuration Best Practices
Weak Configuration
SQL Access Secure Settings
Good Configuration

39 Building Security into ASP.NET MVC with C#
Languages and Platforms
Duration: 1 Hour
Level: Intermediate

Description
ASP.NET MVC is the platform of choice for .NET developers. The security built into the ASP.NET framework has come a long way in 15 years, but developers must still remain vigilant when guarding their applications from attackers. In this course, learn the ins and outs of identity management, data protection best practices, attack prevention techniques, and other .NET security topics.

Course Themes
Security principles
Data protection
Identity management
Attack prevention

Learning Objectives
Determine what features of ASP.NET MVC already meet your security requirements
Understand where .NET leaves security up to the user
Understand the weaknesses in the built-in .NET security controls

Intended Audience
Developers
Product Architects
Security Architects

Competencies
Familiarity with ASP.NET MVC

Prerequisites
None

40 Building Security into ASP.NET MVC with C#
Languages and Platforms

Course Outline

Basics of Application Security
Similar to What Is There, More Up-to-Date
Rise of the Vulnerability (Stats and Whatnot)
Accountability
Business Impact
Cost of Incidents and Detection

Security Principles
Defense in Depth
Positive Security Model
Fail Securely
Complexity Is the Enemy of Security
Security by Obscurity
Least Privilege
Separation of Duties
Do Not Trust the Client

Controls Built Into C#
How the CLR Helps With Security
System.Security
Entity Framework and SQLi
XML Protection

Handling Input Securely
Input Validation
Output Encoding
Securing Viewstate
Template Injection
Information Disclosure
Anti-Request Forgery
Open Redirect Attacks
Cross-Site Scripting
Enabling Cross-Origin Resource Sharing (CORS)

Identity Management
Authentication
Authorization

The Windows File System
Directory Traversal
File Injection
Buffer Overrun

Exception Management
Fully Managed Exceptions
Logging
Debugging

Data Protection
Hashing for Integrity
Hashing for Password Protection
Encryption of Data at Rest
Encryption of Data in Motion
Key Management

41 C/C++ Security
Languages and Platforms
Duration: 1 Hour
Level: Advanced

Description
Writing secure code in C/C++ is far from trivial. This course introduces the complexity of working with the C/C++ family of languages, especially from a security perspective. Learn about major security flaws that can lead to insecure programs and how to combat them. Lesson topics include string handling, memory management, integer overflow and wrapping, format string attacks, and more.

Course Themes
C/C++ language common pitfalls and security controls
Knowing your legacy code and undefined behavior in the context of C/C++ and why it should be avoided
Use of deprecated string functions, their replacements, and common patterns that lead to security flaws
Concepts such as memory management and string handling, with real-world exploits and code examples

Learning Objectives
Identify use cases where C/C++ is widely used
Apply new best practices for safely manipulating strings
Identify unsafe memory handling practices
Apply mitigation techniques to common integer mishandling
Understand issues with concurrency and parallelism
Describe best practices for access controls

Intended Audience
Developers
QA Engineers
Architects
Application Security Specialists
Code Auditors

Competencies
Fluency in C or C++ development
Understanding of component design

Prerequisites
Foundations of Software Security
OWASP Top 10
Attack and Defense

42 C/C++ Security
Languages and Platforms

Course Outline

Introduction to C/C++ Security
C/C++ History
The Challenge With C/C++
Undefined Behavior

String Handling
Introduction to String Handling
Representation of Strings
Improperly Bounded String Copies
Off-by-One Errors
Null-Termination Errors
Truncation Issues

Memory Management
Introduction to Memory Management
Initialization Issues
Checking Return Values
Writing to Freed Memory
Dereferencing Null Pointers
Double Free
Memory Leaks
Zero-Length Allocations
C++ Memory Management
Checking for Allocation Failures
Allocation and Deallocation Functions
Exceptions in Destructors

Integers
Integer Representation
Wraparound
Truncation Errors

Format String Attacks
Introduction to Format Strings
Crashing Programs
Reading From the Stack
Reading From Arbitrary Memory Addresses
Buffer Overflows
Writing to Arbitrary Memory Addresses

Concurrency
Introduction to Concurrency
Race Conditions
Race Condition Mitigation With Mutex
Value Corruption
Volatile Objects
Deadlock

File I/O
Introduction to Interfaces
Access Control Overview
Elevated Privileges
Dropping Privileges
Permanently Dropping Privileges
Directory Traversal
Time of Check to Time of Use (TOCTOU)


More information

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application

More information

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com

More information

Hacking by Numbers OWASP. The OWASP Foundation

Hacking by Numbers OWASP. The OWASP Foundation Hacking by Numbers OWASP Tom Brennan WhiteHat Security Inc. tom.brennan@whitehatsec.com 973-506-9303 skype: jinxpuppy Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify

More information

Web Application Whitepaper

Web Application Whitepaper Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,

More information

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Development Security Guide Oracle Banking Virtual Account Management Release July 2018 Development Security Guide Oracle Banking Virtual Account Management Release 14.1.0.0.0 July 2018 Oracle Banking Virtual Account Management Development Security Guide Oracle Financial Services Software

More information

DXC Security Training

DXC Security Training DXC Security Training DXC Security Training Table of contents About DXC Security Training 2 About DXC Technology 3 Inforsec Registered Assessors Program (IRAP) 4 ISM Fundamentals 6 Cyber Security Incident

More information

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018] Development Security Guide Oracle Banking Credit Facilities Process Management Release 14.1.0.0.0 [July] [2018] Security Guide Table of Contents 1. ABOUT THIS MANUAL... 1-1 1.1 INTRODUCTION... 1-1 1.2

More information

Procurement Language for Supply Chain Cyber Assurance

Procurement Language for Supply Chain Cyber Assurance Procurement Language for Supply Chain Cyber Assurance Procurement Language for Supply Chain Cyber Assurance Introduction For optimal viewing of this PDF, please view in Adobe Acrobat. This document serves

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

CSE484 Final Study Guide

CSE484 Final Study Guide CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.

More information

Secure Development Guide

Secure Development Guide Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information

Engineering Your Software For Attack

Engineering Your Software For Attack Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

Security+ SY0-501 Study Guide Table of Contents

Security+ SY0-501 Study Guide Table of Contents Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

How NOT To Get Hacked

How NOT To Get Hacked How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

200 IT Security Job Interview Questions The Questions IT Leaders Ask

200 IT Security Job Interview Questions The Questions IT Leaders Ask 200 IT Security Job Interview Questions The Questions IT Leaders Ask IT security professionals with the right skills are in high demand. In 2015, the unemployment rate for information security managers

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107) Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

Unit Level Secure by Design Approach

Unit Level Secure by Design Approach Unit Level Secure by Design Approach Abstract Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju_MS@McAfee.com Joshua.Rebelo@Siemens.com With cyber-attacks on the rise and high-profile breaches

More information

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,

More information

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title Defend Your Web Applications Against the OWASP Top 10 Security Risks Speaker Name, Job Title Application Security Is Business Continuity Maintain and grow revenue Identify industry threats Protect assets

More information

Embedded/Connected Device Secure Coding. 4-Day Course Syllabus

Embedded/Connected Device Secure Coding. 4-Day Course Syllabus Embedded/Connected Device Secure Coding 4-Day Course Syllabus Embedded/Connected Device Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted

More information

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

En partenariat avec CA Technologies. Genève, Hôtel Warwick, SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

Managed Application Security trends and best practices in application security

Managed Application Security trends and best practices in application security Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B

More information

TIBCO Cloud Integration Security Overview

TIBCO Cloud Integration Security Overview TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized

More information

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for

More information

Improving Security in the Application Development Life-cycle

Improving Security in the Application Development Life-cycle Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com

More information

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 5+ hours of video material 10 virtual labs

More information

A (sample) computerized system for publishing the daily currency exchange rates

A (sample) computerized system for publishing the daily currency exchange rates A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency

More information

MARCH Secure Software Development WHAT TO CONSIDER

MARCH Secure Software Development WHAT TO CONSIDER MARCH 2017 Secure Software Development WHAT TO CONSIDER Table of Content Introduction... 2 Background... 3 Problem Statement... 3 Considerations... 4 Planning... 4 Start with security in requirements (Abuse

More information

HP 2012 Cyber Security Risk Report Overview

HP 2012 Cyber Security Risk Report Overview HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject

More information

Is Your Web Application Really Secure? Ken Graf, Watchfire

Is Your Web Application Really Secure? Ken Graf, Watchfire Is Your Web Application Really Secure? Ken Graf, Watchfire What we will discuss today Pressures on the application lifecycle Why application security defects matter How to create hacker resistant business

More information

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

Andrew van der Stock OWASP Foundation

Andrew van der Stock OWASP Foundation Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, and AusCERT, and is a leading Australian

More information

Presentation Overview

Presentation Overview Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1 Symlink attacks Do not assume that symlinks are trustworthy: Example 1 Application A creates a file for writing in /tmp. It assumes that since the file name is unusual, or because it encodes A's name or

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information
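The "Symlink attacks" entry above breaks off mid-sentence, but the mechanism it starts to describe is worth seeing end to end: an application opens a scratch file in /tmp under a name it believes nobody else will guess, and an attacker who guessed it has already planted a symlink there, so the write lands wherever the link points. The following is an added example written for this catalog, not code from that document or from Synopsys; the scratch directory, the victim file, the "unusual" file name and the hypothetical application A are all constructed for the demonstration, and it assumes a POSIX system (Linux or a BSD) where the process may create files under /tmp.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp, symlink on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* What application A does in the linked example: a name it believes is unique,
 * opened with O_CREAT but without O_EXCL or O_NOFOLLOW. If someone planted a
 * symlink at that name first, open() follows it and the data is written to
 * the link target instead of a fresh file. Returns 0 on success, -1 on error. */
static int unsafe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened variant: O_EXCL makes creation atomic and fails if any object
 * (a symlink included) already carries that name; O_NOFOLLOW additionally
 * refuses to traverse a symlink at the final path component. Mode 0600 keeps
 * the scratch file private. Returns 0 on success, -1 with errno set otherwise. */
static int safe_create(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Reads up to cap-1 bytes of path into buf (NUL-terminated); -1 on error. */
static ssize_t read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Plays the attack inside a private scratch directory (constructed for the demo):
 *   1. the attacker plants  <dir>/appA-scratch.7f3c -> <dir>/victim.conf
 *   2. application A writes its scratch file with unsafe_write()
 *   3. application A writes it again with safe_create()
 * Returns 1 when the demo ran (results in the out-params), 0 if setup failed. */
int demo_symlink_attack(int *victim_clobbered, int *safe_refused, int *safe_errno)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[128], link[128];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);    /* file the attacker wants overwritten */
    snprintf(link, sizeof link, "%s/appA-scratch.7f3c", dir);  /* A's "unusual" but guessable name */

    /* Step 1: the attacker gets there first. */
    if (safe_create(victim, "original contents\n") != 0 || symlink(victim, link) != 0)
        return 0;

    /* Step 2: the unsafe open follows the planted link and clobbers victim.conf. */
    (void)unsafe_write(link, "APPA DATA\n");
    char buf[64];
    ssize_t n = read_file(victim, buf, sizeof buf);
    *victim_clobbered = (n > 0 && strcmp(buf, "APPA DATA\n") == 0);

    /* Step 3: the hardened open refuses: EEXIST from O_EXCL (ELOOP if only O_NOFOLLOW applied). */
    errno = 0;
    *safe_refused = (safe_create(link, "APPA DATA\n") == -1);
    *safe_errno = errno;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return 1;
}

int main(void)
{
    int clobbered = 0, refused = 0, err = 0;
    if (!demo_symlink_attack(&clobbered, &refused, &err)) {
        perror("demo setup");
        return 1;
    }
    printf("unsafe open wrote through the attacker's symlink: %s\n", clobbered ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused the symlink: %s (%s)\n",
           refused ? "yes" : "no", refused ? strerror(err) : "-");
    return 0;
}
```

An unusual or application-specific name is no defense because /tmp is shared and the name is visible to every local user (in the process listing, in strings of the binary, or simply by watching the directory once). The fix is not a better name but an open that cannot be redirected: O_CREAT together with O_EXCL (or, for purely temporary files, mkstemp(), which does the same atomically with a random suffix), and O_NOFOLLOW for any path under a directory other users can write to. The demo runs as a single user inside a mkdtemp() directory precisely so that Linux's fs.protected_symlinks restriction, which only covers sticky world-writable directories, does not mask the unsafe behaviour.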