1 elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security Testing Series 10 Leaders and Managers Series Aspect Security, Inc.
2 Application Security Awareness Series This series covers fundamental application security principles. Modules cover specific security controls Input Validation, Access Control, Authenticating Users, Protecting Sensitive Data and more giving learners a solid foundation in application security essentials. 100 Introduction to Application Security [12:01 minutes] Understand software application risks and review the outline of a practical application security program. Learn to cost-effectively produce and deploy secure applications. Additionally, uncover the common challenges an organization faces when it starts to address application security. 110 Input Validation [15:57 minutes] This module defines input validation, provides basics for verifying whether an application is vulnerable to input validation attacks, and discusses common techniques for defending against these attacks. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. 120 Access Control [18:41 minutes] Learn how to limit the access of authenticated users to the resources and functions in your web application. Basic techniques to verify that an application is free from access control vulnerabilities are provided, along with attack defense methods. To benefit fully from this module, students should understand the basics of authentication. 130 Authenticating Users [27:26 minutes] User authentication is defined, common attacks and vulnerabilities are discussed, and strategies to defend against attacks and avoid vulnerabilities are provided. Credentials, cookies, sessions, and user management are covered. To benefit fully from this module, students should be familiar with the basics workings of web applications, including HTML and HTTP. 140 Error Handling and Security Logging [14:08 minutes] Learn about basic error handling patterns to prevent information leakage and denial of service. Proper logging techniques are described to ensure a complete security record. Understand how to implement simple intrusion detection techniques to make your applications more resistant to attack. 150 Protecting Sensitive Data [17:11 minutes] Basic techniques for protecting particularly sensitive or regulated data, such as credit card information, social security numbers, and healthcare data are addressed. Learn how to verify that your applications protect the sensitive data that they process. The basics of key management, encryption algorithms, hashing, and secure random number generation are covered Aspect Security, Inc. elearning for Secure Application Development Curriculum 1
3 160 Securing Communications [19:22 minutes] Security concerns related to transporting data across a network, both on the front end and with backend services are discussed. We introduce basic security controls for these connections, including: SSL, authentication, access control, and data encryption. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP, and understand the basics of session management. 180 Buffer Overflows [41:35 minutes] Buffer Overflows, sometimes called Buffer Overruns, are one of the most common and dangerous software vulnerabilities. Verify if an application is vulnerable to buffer overflow attacks and learn common techniques for defending against this category of attacks. To fully benefit from this module, students should have an advanced understanding of Input Validation as well as a basic understanding of programming languages that can suffer from buffer overflow vulnerabilities, primarily C and C Mobile Application Security Top 5 Risks [15:10 minutes] Mobile application backends may, at times, be easier to attack than their standard web counterparts because their entire user interface is on the mobile device, making it harder for developers to recognize what must be protected. This module will provide an understanding of the Top 5 categories of risks against mobile applications, as well as how to defend against, reduce or eliminate risks. Areas of focus include protecting sensitive data; server side controls; device authentication and authorization controls; session management; and cryptography. Secure Software Development Series This series covers the OWASP Top Ten 2013 and fulfills the training requirement mandated by PCI/DSS. Vulnerability areas Cross-Site Scripting (XSS), SQL Injection, Clickjacking, and others are reviewed. Prevention and removal techniques for each vulnerability area are covered as well. We teach the most cost-effective testing, prevention and remediation techniques. Specific platforms and technologies are addressed, including Java,.NET, Mobile, AJAX, Rich Internet Applications and Web Services. Validating User Input 211 Input Validation Strategy [30:42 minutes] Receive an overview of basic defenses against input manipulation and injection attacks. Strategies discussed include: minimizing input to the application, validating incoming data, and sanitizing outgoing data. A review of the common pitfalls of input validation (such as relying on client-side validation, missing canonicalization, and inconsistent application of input validation) provides students with insight to facilitate exploring new strategies. To benefit fully from the module, students should be familiar with the basic workings of web applications, including HTML and HTTP. elearning for Secure Application Development Curriculum 2
4 212 Preventing Injection Attacks [20:28 minutes] Students are introduced to injection flaws, examples of common injection attacks, and basic defenses against injection. Key concepts including interpreters, common injection vulnerability patterns, injection attacks and defenses, utilizing static commands, and more are explained. Basic knowledge of SQL, HTML, XML, and command line shells is helpful but not required. 213 Preventing XSS Vulnerabilities [20:56 minutes] This module details different types of Cross-Site Scripting (XSS) vulnerabilities and how they can be exploited. Discover how to find XSS flaws and evaluate their exploitability. Learn prevention strategies, including how to properly escape output in different contexts in HTML. 214 Using Canonicalization and Encoding [23:22 minutes] This introduction to canonicalization and encoding covers why proper decoding and encoding is critical to performing effective input validation and identifying attacks. To benefit fully from this module, students should be familiar with the basics of input validation and defending against injection attacks. 215 Performing Secure File Uploads and Downloads [12:11 minutes] The complexities of implementing file upload and download securely in a web application are addressed. Validating upload requests, storing files carefully, and testing file and upload features for vulnerabilities are covered. Students should be familiar with HTTP and basic input validation techniques. 216 Preventing Header Injection [18:06 minutes] Problems related to HTTP header injection and attack consequences are presented. We discuss techniques to verify whether an application is vulnerable to header injection and how to defend against these attacks. To fully benefit from this module, students should be familiar with HTTP and injection techniques. 226 Unsafe Redirects and Forwards [17:29 minutes] Common security weaknesses related to sending redirect responses through the browser, such as using untrusted information in the location and disclosing sensitive information, are illustrated. Access control concerns associated with performing server side forwards are covered. Students should understand the basics of HTTP and input validation. 331 Understanding DOM-Based XSS [14:38 minutes] Understand DOM-Based XSS, a specific type of Cross-Site Scripting (XSS) vulnerability. Learn how to recognize this vulnerability and prevent it from appearing in your code. For maximum understanding of this module, students should be familiar with Reflected and Stored XSS. elearning for Secure Application Development Curriculum 3
5 Controlling Access 221 Access Control Strategy [16:56 minutes] Approaches for defining and enforcing access control policies are introduced. Access control core concepts are discussed and applied to typical web application architectures, including enforcing access control at the URL, business logic, data, and presentation layers. Techniques for verifying application access control implementations are also discussed. To fully benefit from this module, students should be familiar with the basics of authentication. 222 Presentation Layer Access Control [12:35 minutes] Understanding that presentation layer access control does not provide protection against attack is a critical concept for developers. Learn to identify potential holes in the presentation layer that can be exploited and defend against those attacks. Topics covered include forced browsing and direct object references. To fully benefit from this module, students should be familiar with access control strategy. 223 URL Access Control [19:10 minutes] Effective strategies for performing access control at the URL layer are presented. Techniques are demonstrated for verifying that your application s URL based access control implementation is robust. Common attacks like forced browsing are shown. To fully benefit from this module, students should be familiar with HTTP and access control strategy. 224 Business Layer Access Control [17:26 minutes] Techniques to enforce access control for business functions are presented. Students will learn how to verify business layer access control through testing and code review. In addition, learn to implement business layer protections in a simple, structured way. To fully benefit from this module, students should be familiar with access control strategy. 225 Implementing Data Layer Access Control [12:02 minutes] Learn to secure sensitive data stored by your application from attackers. Data access control is a security mechanism that ensures that users are only allowed to access authorized data based on the user s identity, roles, and/or permissions. Common attacks on application data and strategies for defending against them are discussed. Students should be familiar with access control strategy. 227 Clickjacking [14:03 minutes] Learn various approaches for defending against Clickjacking (a common attack where attackers frame pages from other sites to trick users into unwittingly clicking on those pages). Prevent your pages from being framed with framebreaking scripts and a X-Frame-Options header. elearning for Secure Application Development Curriculum 4
6 Authenticating Users 231 Authentication Strategy [17:26 minutes] Understand the various techniques used by web applications to authenticate users and handle identity. Strengths and weaknesses associated with different authentication schemes are examined, recommendations to minimize authentication vulnerabilities are provided, and techniques to verify authentication schemes are shown. To benefit fully from this module, students should be familiar with the basic workings of web applications, HTTP, and sessions. 232 Understanding HTTP Authentication Schemes [17:50 minutes] This module explores BASIC authentication, form-based authentication, and the proper use of sessions. Prevalent attacks on these authentication schemes including brute force attacks, session hijacking, and session fixation are discussed. Students will learn best practices to protect authentication schemes from attack. To fully benefit from this module, students should understand HTTP and sessions. 233 Secure Session Management [16:36 minutes] Session hijacking allows user sessions to be completely taken over by an attacker. Students will learn how to determine if applications are vulnerable to session attacks and how to defend against these attacks. To fully benefit from this module, students should be familiar with HTTP and authentication strategy. 234 Protecting Credentials [17:43 minutes] Understand how to protect authentication credentials that are used by users, applications, and even systems. Learn attack techniques as well as how to defend your application against improper credential protection. 235 Managing Identity within an Application [13:03 minutes] Information about users must be managed correctly both in the application and in security controls. This module will review identity management and implementation. To benefit fully from this module, students should have a basic understanding of authentication strategy. 236 Preventing Forged Requests (CSRF) [14:17 minutes] Cross-Site Request Forgery (CSRF) allows an attacker to trick a victim s browser into issuing requests to a vulnerable web application. Learn basic techniques to check applications for CSRF vulnerabilities and defend against attacks. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. They should also understand the basics of authentication and session management. elearning for Secure Application Development Curriculum 5
7 Error Handling and Security Logging 241 Handling Security Errors and Detecting Attacks [11:20 minutes] This module provides guidance on how to securely handle exceptions (including security exceptions) as well as how to avoid leaking implementation details to attackers. Learn to establish a security exception hierarchy and a general error handling scheme, as well as strategies for generating safe error messages and detecting intrusions. 242 Effective Security Logging [15:30 minutes] Create effective security logs that can be used to identify and triage attacks. Learn which events to log, what to log for each event and how to verify proper logging implementation. Ensuring accountability and using logs for forensics and are discussed. Protecting Sensitive Data 251 Introduction to Cryptography [15:48 minutes] Cryptography basics are presented including: the fundamentals of using keys and algorithms to securely encrypt data; key management; hashing; digital signatures; and random numbers. This module provides a foundation for the Using Cryptography Securely module (252). 252 Using Cryptography Securely [16:04 minutes] Basic cryptographic techniques to encrypt and hash data for security purposes are addressed with a focus on using standard approved cryptographic libraries securely, rather than creating custom cryptographic code. Common vulnerabilities associated with the use of encryption are discussed including credential handling, failure to encrypt sensitive data, algorithm choice, and more. 253 X.509 Certificates [25:35 minutes] X.509 Certificates are the most common type of digital certificate. Learn the structure and key elements of X.509 certificates, understand the Key and Certificate lifecycle, install and properly protect certificates, and more. 261 Using SSL [18:07 minutes] While the concepts of SSL/TLS are known to many, the details and security specific decisions of implementation are often poorly understood, leading to insecure deployments. Learn to properly implement, test and verify SSL/TLS in an application to protect data in transit. Particular focus is given to the transitions between secure and insecure parts of an application. To benefit fully from this module, students should be familiar with the basic workings of HTTP, cryptography, and certificates. elearning for Secure Application Development Curriculum 6
8 262 Securing Cookie Use [21:38 minutes] A cookie is a short text string sent by web applications to maintain state in the browser. Protecting this state and understanding the limitations of cookie protection are critical to web application security. This module covers common attacks against cookies and details the use of protection mechanisms such as the Secure and HttpOnly flags as well as encryption and integrity seals. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. 263 Using Services Securely [20:57 minutes] Understand the risks and necessary controls to use backend services from a web application securely. Topics include the importance of securing services; handling authentication and access control with services; and performing input validation with services. Additionally, learn to securely transmit and store data via services and verify that service use is secure. Students should have some background in security fundamentals. 264 Using SSL with Java &.NET [22:48 minutes] Understand the relationship between server and client side certificates and private keys. Get acquainted with commonly used, publicly available SSL libraries for Java and.net as well as how to properly use them. Learn how to install and protect client and server side certificates and private keys in both Java and.net. Platform Specific 281 Introduction to Secure Coding for Rich Internet Applications [13:31 minutes] Understand the security threats to all stakeholders (server to client, client to server, client to client) in an RIA. Learn the guidelines for developing and deploying safer code for your applications. Students should have a basic background in RIA technology and foundational knowledge of security. 282 Introduction to Secure Coding for AJAX Applications [15:54 minutes] Understand the challenges of securing AJAX-enabled web applications. In addition to securing the server using traditional web security techniques, the AJAX interface (which fields XML HTTP requests) must be protected. Learn how to minimize attack surfaces, control access to data and functions, protect against injection, and prevent forged requests. To benefit fully from this module, students should be familiar with the basic workings of AJAX applications including XHR and HTTP. 283 Introduction to Secure Coding for Java EE Applications [17:36 minutes] Secure Java applications by using a set of standard security controls to avoid the five most critical security vulnerabilities. Additionally, learn to test the security of these applications. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. Knowledge of Java web technology is also required. elearning for Secure Application Development Curriculum 7
9 284 Introduction to Secure Coding for.net Applications [26:35 minutes] Understand the risks associated with.net software applications, basic methods of secure coding, and how to test applications. Focus areas include: the need for security controls, the five most critical security areas for.net applications, and how to verify the security of those applications. To benefit fully from this module, students should be familiar with the basic workings of web applications, including HTML and HTTP. Knowledge of.net web technology is also required. Web Services 291 Introduction to Web Services Security [17:41 minutes] Web services, common web service architectural styles, and the security standards available to each style of web service are introduced. WSDLs and the security issues surrounding their use and dissemination are explained in detail. Recommended architectures for providing security services within a web service are provided. To benefit fully from this module, students should be familiar with the basic workings of web applications and web services including XML and HTTP. An understanding of the basics of authentication, access control, and session management are also required. 292 Web Services Authentication and Authorization [20:03 minutes] Understand the challenges of authenticating and authorizing web service requests. Web authentication models are discussed along with how to leverage WS-Security to include practically any kind of authentication token. Learn how to use the same techniques for providing access control as in a typical web application. Additionally, understand how to use WS-Security to include authorization tokens, typically SAML assertions, in SOAP requests to provide access control. Mobile Application Secuirty 313 Top 5 ios Application Risks [28:31 minutes] Learn to implement the security controls necessary to mitigate the top five critical security risks facing ios applications. Mobile applications can be especially vulnerable, as most utilize typical web application technologies that routinely have significant vulnerabilities. And while ios applications may share a backend server with more traditional web applications, client-side concerns are different. In this module, understand ios development and security models to deliver the most secure native mobile applications possible. 314 Top 5 Android Application Risks [26:42 minutes] Mitigate the top five critical security risks facing Android applications. Mobile applications can be especially vulnerable, as most utilize typical web application technologies that routinely have significant vulnerabilities. And while Android applications may share a backend server with more traditional web applications, client-side concerns are different. In this module, understand Android development and security models to deliver the most secure native mobile applications possible. elearning for Secure Application Development Curriculum 8
10 Secure Architectures and Threat Modeling Series Designed for developers and security architects, we teach a structured approach to threat modeling that enables you to identify, quantify and address the security risks associated with an application. This enables teams to map to business requirements and secure application architectures. We also demonstrate how to harden web and application servers, development platforms and frameworks. 170 Hardening Application Platforms and Frameworks [27:33 minutes] Get a high-level understanding of the techniques used to harden application platforms, including the application framework, application server, web server and host layers. Students should be familiar with the basic workings of web applications, particularly in the deployment environment. 271 Hardening Web Servers [11:51 minutes] Understand hardening concepts and how to determine when and what hardening changes to make to your web server. Consider how to adapt to the requirements, risks and constraints of your situation with a prioritized, risk-management approach to hardening changes. 272 Hardening Application Servers [09:07 minutes] Actions required to harden a web application server, including configuration options, are addressed with a focus on when and what hardening changes to make to your application server. Consider how to adapt to the requirements, risks and constraints of your situation. 273 Using Components Securely [11:29 minutes] The use of components during application development has surged. Minimize your security risks when using libraries and learn to identify components with known vulnerabilities. Understand how to develop a component inventory to use across applications and update components with known vulnerabilities. 311 Understanding Mobile Application Threats [13:00 minutes] Learn the threats to mobile computing and how to apply existing application security principles to the mobile environment. We explore vectors like location-based attacks, SMS, Bluetooth, contacts, photos, purchasing, and calls. Designed for mobile developers, testers, and architects, this module will get you started on managing the security of your mobile applications. 420 Threat Modeling and Security Architecture Review [17:29 minutes] Threat modeling and security architecture reviews are efficient and effective methods to identify vulnerabilities throughout the software development lifecycle. We provide a framework to organize security controls, threat agents, business functions and more in order to make security visible. Students should have a high-level understanding of application security attack vectors as well as security verification processes and techniques. elearning for Secure Application Development Curriculum 9
11 Application Security Testing Series Designed for testers and application security staff, we explain how to leverage the strengths of static, dynamic and runtime testing tools in conjunction with manual code review and penetration testing. 101 Introduction to Application Security Verification [10:06 minutes] Get an introduction to application security verification, the process of ensuring that an application (or group of applications) uses appropriate security controls properly and does not contain vulnerabilities. Learn the benefits of a positive approach to application security verification. Understand the differences between security verification and penetration testing, the techniques used in security verification, and how tools can be incorporated into your process. 410 Security Verification Methodology [13:22 minutes] Understand various techniques for verifying the security of an application. Compare automated tools and manual approaches, as well as the differences between Static, Dynamic and Runtime verification. Learn to mix and match these techniques, using automation when possible, to verify the security of an application effectively. Students will also learn what s involved in scoping reviews, rating risks and writing findings. Students should have a working understanding of common application security issues. 411 Effective Security Testing [13:49 minutes] Learn a proven, repeatable process for scoping, structuring, executing, and documenting an application security test. Understand how to plan the resources and access you need, identify application security testing targets, design your tests, and report on the results. Consider time and resource constraints, where tools can be leveraged and more. To benefit fully from this module, students should understand common vulnerabilities and security verification methodologies. 412 Effective Security Code Review [19:42 minutes] Understand the goals of an effective code review and how to plan a tailored code review strategy. Learn how tools complement manual processes. Hear strategies to effectively review large-scale enterprise applications. To get the most out of this module, students should also have completed prior modules on or have an advanced understanding of authentication strategy, enforcing access control, and input validation. elearning for Secure Application Development Curriculum 10
12 Leaders and Managers Series With security breaches on the rise, engineering management and software development leaders must learn about the reality of today s threat landscape. We discuss the software development life cycle (SDLC) and how to infuse secure application development into your processes. 102 Introduction to the Secure Development Lifecycle [12:48 minutes] Approaches to integrate security into the software development lifecycle (SDLC) are discussed. Consider how to reduce your risk to an acceptable level, deploy applications securely and use standard security controls. Key foundations and activities that development teams can use during design and development to produce secure code are introduced. Topics include security architecture, standard controls, secure delivery and more. 103 Introduction to Managing Application Security [23:02 minutes] Learn to manage application security using a balanced approach. Aimed at technical leaders and managers, this module introduces the key areas of application security: foundation, implementation, verification, and management. Build security into the development lifecycle, manage ongoing improvements to the process and enable your developers to procure and produce secure software. 421 Application Security Risk Management [14:58 minutes] Application Security Risk Management is the cornerstone of a successful application security program. Learn to identify key application risk management standards so that your organization stakeholders agree on the fundamentals. Understand how to identify and prioritize your application portfolio. Finally, understand how to produce compelling dashboards that make application security visible within your organization. To fully benefit from this module, you should have a basic understanding of Security Verification and the Software Development Lifecycle. 450 Integrating Security into Waterfall Projects [22:18 minutes] Explore methods of integrating security activities into a waterfall-style project. Understand how to integrate key security activities throughout the development lifecycle, from threat modeling to secure deployment and operation. Learn efficient approaches to reduce security risks to an acceptable level and build assurance evidence of an application s security posture. To fully benefit from this module, students should have a working understanding of application security issues and software development processes. 460 Integrating Security into Agile Projects [19:09 minutes] The sprint structure of Agile projects makes them challenging for traditional approaches to application security, which track the stages in waterfall-style. Understand how to integrate security into Agile projects: learn how to establish agile secure foundations, integrate security activities into sprints, and develop job aids to expedite the process. Students should have a working understanding of application security issues and Agile software methods. elearning for Secure Application Development Curriculum 11
13 IT S TIME TO LEARN Contact a Training Specialist Today Call or About Aspect Security Aspect Security protects the software that runs your business. Let us help your organization establish enterprise-wide application security strategies, from risk modeling to regulatory compliance to automation, that are tailored to your needs. We ve worked with organizations worldwide, protecting critical applications in the government, defense, financial, healthcare, services and retail sectors. Let us bring that experience to bear on your environment. We deliver on time, on budget and with an exceptional level of commitment. Contact us today to discuss how we can help you. Aspect Security, Inc Guilford Road, Suite 300 Columbia, MD Aspect Security, Inc.