TRAINING CURRICULUM 2017 Q2

Transcription

1 TRAINING CURRICULUM 2017 Q2

2 Index 3 Why Security Compass? 4 Discover Role Based Training 6 SSP Suites 7 CSSLP Training 8 Course Catalogue 14 What Can We Do For You?

3 Why Security Compass? Role-Based Training Security Compass provides AppSec focused Training for Developers, Architects, QA, and PM. Theses suites can be tailored to meet your needs. Certificate Security Compass has been selected as the software security training partner of (ISC)². Students have the opportunity to gain an industry recognized certificate, while organizations have the ability to demonstrate their AppSec robustness. Modular Bite-sized modules work around your students busy schedules. They can track their progress to record what they learned and how many more steps to completion. Interactive Experience the most personable teachings. Stimulate the mind with the most relevant and up-to-date material. Adaptive Whether your students are beginners or experts, they can study at their own pace. Our smart learning allows them to skip ahead to the quiz or slow down and focus on key topics. COPYRIGHT SECURITY COMPASS. 3

4 Discover Role-Based Training The Secure Software Practitioner Suites are a series of on-demand learning courses that teach foundational elements of software security and language-specific secure coding. Each suite caters to your specific role, breaking down the learning so users efficiently learn only what they need. At the conclusion of the course, users will validate their skills by passing a certificate exam. Brought to you by: J Java Suite The Java suite covers Java development including fundamental coding concepts, design and implementation. Understand J2EE vulnerabilities common to the OWASP top, and see how these vulnerabilities affect Java web applications. OWASP Top 2013 Secure Software Coding Defending Java.NET.NET Suite The.NET suite is designed to help students learn how to make secure software. Learn.NET 4.5 vulnerabilities common to the OWASP Top and see how these vulnerabilities affect.net applications. Learn defensive coding techniques that can be directly applied to your organization. OWASP Top 2013 Secure Software Coding Defending.NET PHP PHP Suite The PHP suite informs students of PHP vulnerabilities common to the OWASP Top. Students will learn secure coding defenses and techniques for each vulnerability. OWASP Top 2013 Secure Software Coding Defending PHP C++ C++ Suite The C++ suite presents common vulnerabilities in C/C++ software. Students will learn about safe memory management, insecure functions and how to defend against buffer overflow security concerns in unmanaged languages. OWASP Top 2013 Secure Software Coding Defending C++ COPYRIGHT SECURITY COMPASS. 4

5 IOS ios Suite The ios suite teaches students secure ios coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. OWASP Top 2013 Secure Software Coding Defending ios A Android Suite The Android suite teaches secure coding concepts for Android applications. This includes secure Android coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. OWASP Top 2013 Secure Software Coding Defending Android SA Security Architect Suite The Architect suite teaches students the key techniques to reducing risk in the development lifecycle by understanding how to correctly identify threats. Secure Software Requirements OWASP Top 2013 Software Acceptance Threat Model Express QA QA Suite The Q/A suite provides students with the ability to analyzes code and understand the principles of secure testing and testing software from a security perspective. OWASP Top 2013 Secure Software Testing Software Acceptance PM Project Manager Suite The Project Manager suite analyzes the full development lifecycle, depicting secure coding, requirements and design. Students will have the ability to define important security criteria to allow software to be promoted to release. Secure Software Requirements Software Acceptance Supply Chain Risk G General Suite The General Suite provides students with fundamental security education, that they can directly apply to their position. Students will learn the most prevalent web application security issues by OWASP and will have a full understanding of PCI-DSS requirement Security Awarness PCI Compliance OWASP Top COPYRIGHT SECURITY COMPASS. 5

6 SECURE SOFTWARE PRACTITIONER SUITES CERTIFIED SECURE SOFTWARE LIFECYCLE PROFESSIONAL JAVA.NET PHP C++ ios AND. SA QA P. MGR GEN CSSLP Secure Software Requirements OWASP Top } } } } } } } Secure Software Coding Secure Software Testing Software Acceptance Software Development, Operation, Maintenance & Disposal Supply Chain Risk Defending Mobile Security Awareness J.NET PHP C++ IOS A SA QA PM G Defending Series Defending Java Defending.NET Defending PHP Defending C++ Defending ios Defending Android Threat Model Express Request a demo training@securitycompass.com

7 CSSLP Training Following completion of CSSLP elearning, candidates will understand how to reduce the costs of security vulnerabilities throughout all phases of the software development lifecycle. We offer exam certification in our Training Package with included CSSLP courseware. 8 Domains of SDLC Training Domain 1 - Concepts of secure software Principle of security design Privacy Governance, risk and compliance Methodologies of software development Domain 1 Summary Quiz Domain 2 - Secure Software Requirements Policy decomposition Classification and categorization Functional requirements Operational security Domain 2 Summary Quiz Domain 3 - Design Considerations Security Design Principles The Design Process & Threat Modeling Securing Common Technologies Domain 3 Summary Quiz Domain 4 - Secure Software Coding Programming Languages Common Software Vulnerabilities The Design Process & Threat Modeling Secure Software Processes Domain 4 Summary Quiz Domain 5 - Secure Software Testing Components to testing Testing for security and quality assurance Resiliency and reporting Domain 5 Summary Quiz Domain 6 - Software Acceptance Criteria for software acceptance Verification and validation Domain 6 Summary Quiz Domain 7 - Software Deployment, Operation, Maintenance & Disposal Installation and deployment Monitoring and incident response Software disposal Domain 7 Summary Quiz Domain 8 - Supply Chain And Software Acquisition Supplier Risk Assessment Intellectual Property And Legal Compliance Supplier Sourcing Software Development & Test Software Delivery, Operations & Maintenance Supplier Transitioning Domain 8 Summary Quiz COPYRIGHT SECURITY COMPASS. 7

8 Course Catalogue Our focus is on Application Security. We aim to provide business relevant security courses to help your staff champion security and defend your organization s most valuable software.

9 General Awareness # Course Description Time Audience SAW1 Security Awareness Understand common security issues faced around the office environment which includes items such as managing , passwords, mobile devices, and more. 60 mins General Staff SAW2 Security Awareness PCI Compliance Understand payment card compliance including the data security standard and how it affects organizations who manage or process credit card data. This lesson meets PCI-DSS requirement mins General Staff APP1 *NEW Application Security Fundamentals Build a solid understanding of the core concepts of application security. Learn about trending AppSec topics, and discover how AppSec fits into the bigger picture of InfoSec as a whole. General Staff SEC1 OWASP Top Understand the top most prevalent web application security issues in 2013 as defined by OWASP. Students will understand each vulnerability and best practices to defending these risks. This course meets PCI compliance requirement 6.5a. General Staff SEC202 Threat Model Express Students will learn about the attacks that their apps may face and then an informal approach to threat modeling. They will first learn the steps in executing a TME, and then they will engage in a guided fictional exercise. Architect CSSLP # Course Description Time Audience CSP1 Secure Software Concepts Students will understand the fundamentals to creating secure code and basic concepts to secure development. This includes the importance of secure design and understanding regulations such as privacy, governance and compliance. CSP2 Secure Software Requirements Gathering the correct requirements to build secure software is one of the more difficult aspects to ascertain. Students will understand key techniques to reducing risk in the SDLC by understanding how to correctly identify requirements. 50 mins Developers

10 CSSLP # Course Description Time Audience CSP3 Secure Software Design Understand the considerations and compromises that must be made when it comes to designing secure software. Students will learn about techniques to design secure software such as Threat Modeling and best practices to securing third party technologies that are often associated with modern software. 85 mins Developers CSP4 Secure Software Coding Understand the considerations and compromises that must be made when it comes to designing secure software. Students will learn about techniques to design secure software such as Threat Modeling and best practices to securing third party technologies that are often associated with modern software. 40 mins Developers CSP5 Secure Software Testing Understand the principles to secure testing and testing software from a security perspective. Students will understand the fundamentals to setting up testing frameworks to promote software resiliency. 40 mins Developers CSP6 Software Acceptance Understand how to generate criteria for software acceptance. The focus will be acceptance from a security standpoint and how students can define important security criteria being allowing software to be promoted to release. 25 mins Developers CSP7 Software Operations Maintenance and Disposal Understand from an infrastructure perspective, steps to ensure software is secure upon deployment and operation. Students will learn how to monitor software and define procedures to dispose and support software for end-of-life scenarios. 35 mins Developers CSP8 Supply Chain and Software Acquisition Understand how to identify risks when sourcing software from the supply chain. Students will learn about risk management, protecting intellectual property, procurement and best practices when outsourcing software to suppliers. 80 mins Developers

11 Secure Coding # Course Description Time Audience JAV201 Defending Java Understand J2EE vulnerabilities common to the OWASP top, and see how these vulnerabilities affect Java web applications. Students will learn secure coding defenses for each vulnerability. NET201 Defending.NET Understand.NET 4.5 vulnerabilities common to the OWASP top, and see how these vulnerabilities affect.net web applications. Students will learn secure coding defenses for each vulnerability. CPP202 Defending ASP *NEW.NET Core in C# This course covers secure application development using C# in ASP.NET Core. Students will learn about software vulnerabilities and how hackers exploit them, followed by techniques for coding to defend against a variety of attacks. 80 mins Developers PHP201 Defending PHP Understand PHP5 vulnerabilities common to the OWASP top, and see how these vulnerabilities affect PHP web applications. Students will learn secure coding defenses for each vulnerability. CPP201 Defending C Understand desktop software vulnerabilities when it comes to creating software in C/C++. Students will learn about safe memory management, insecure functions and how to defend against buffer overflow security concerns from unmanaged languages. 50 mins Developers HTM201 Defending HTML5 Learn about HTML standards designed to defend against vulnerable JavaScript, AJAX, JSON and iframes. Students learn the new technologies available in HTML5 to safely perform cross-domain requests as well as the use of offline storage, cross-origin resource sharing (CORS), cross-domain messaging (CDM), and iframe sandboxing. Students gain a defensive understanding of the business risks to HTML5 mash-ups. SEC201 Defending Web Application s Understand web application vulnerabilities typically seen during security testing such as brute force attacks, session management concerns, encryption and more. These aspects although not directly part of the OWASP Top, are important to know as they can still lead to security vulnerabilities.

12 Secure Coding # Course Description Time Audience DJA1 *NEW Defending Django Learn about Django s built-in security features and other layers of protection to your app. Learn how to set up your projects securely to prevent attacks at run-time and how to secure the admin console. You will also learn how to identify secure and insecure practices to protect your application against common attacks. 40 mins Developers NOD1 Defending Node.JS *NEW Understand the security risks when developing and deploying applications in Node.js. Implement defensive coding techniques and configurations to support secure coding for Node.js. Mobile Security # Course Description Time Audience MOB1 Defending Mobile In this code-agnostic course, students will understand the risks to creating mobile applications. Students will learn how hackers attack mobile apps through data is stored on the device, data transmitted in the cloud and data in memory. They will learn best practices to securing mobile apps for any mobile operating system. IOS201 Defending ios Students will learn secure coding concepts for the OWASP Mobile Top, for ios apps. This includes understanding the business risks when creating mobile applications and secure ios coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. 90 mins Developers AND201 Defending Android Understand secure coding concepts for the OWASP Mobile Top, for Android apps. Learn the business risks when creating mobile applications and secure Android coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. 90 mins Developers

13 Coming Soon # Course Description JAV301 Defending JSP Learn how to defend your Java web apps against attacks. Using code samples from Java Server Pages, this course covers a variety of techniques for securing against such vulnerabilities as SQL injection, cross-site scripting/request forgery, man-in-the-middle attacks and more. CLO1 Secure Cloud Development Coming Soon DAT1 Secure Database Development Coming Soon

14 What Can We Do For You? We understand application security. We breathe it. We strive to provide you with the best training for your teams. Our experience helping customers research and manage security risks allows us to embed our training material with the latest threats and vulnerabilities. It means that your staff is ready to respond with forward thinking concepts to securing your most sensitive applications - all tailored to you. Reach out to Security Compass advisors who can help. training@securitycompass.com

15