LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright Security Compass. 1

Transcription

1 LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright Security Compass. 1

2 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT LEARNING PATHS...5 COURSE OVERVIEW...7 PROGRAM METHODOLOGY TRAINING PROGRAM MATURITY Copyright Security Compass. 2

3 WHY SECURITY COMPASS Security Compass is an industry-leading information security firm that provides professional services and training to security-conscious companies. We bring extensive, internationally recognized, cross-industry experience to every client engagement. To our clients, we're not simply an information security company - we are trusted partners in the development of secure software. Security Compass is partnered with industry certification leader (ISC) 2. We are the exclusive, sole provider of (ISC) 2 s CSSLP e, that covers 8 domains of secure software lifecycle development for industry certification. Copyright Security Compass. 3

4 RECOMMENDED LEARNING PATHS We understand that it can be challenging to identify which courses are right for you - so we ve recommended learning paths based on our enterprise catalogue that lead all the way to industry certification. TECHNICAL LEARNING PATHS Copyright Security Compass. 4

5 BUSINESS / SUPPORT LEARNING PATHS Copyright Security Compass. 5

6 COURSE CATALOGUE Our focus is on application security. We aim to provide business relevant security courses to help your staff champion security and defend your organization s most valuable software. Copyright Security Compass. 6

7 COURSE OVERVIEW GENERAL AWARENESS # COURSE DESCRIPTION TIME OBJECTIVES SAW101 Security Awareness Understand common security issues faces around the office environment that may include items such as managing , passwords, mobile devices, and more. 30 m Office security awareness Achieve awareness audit compliance SAW102 Security Awareness: PCI Compliance Understand payment card compliance including the data security standard and how it affects organizations who manage or process credit card data. This lesson meets PCI-DSS requirement m Achieve PCI compliance SECURE APPLICATION DEVELOPMENT (CODE AGNOSTIC) # COURSE DESCRIPTION TIME OBJECTIVES SEC101 OWASP Top Understand the top 10 most prevalent web application security issues in 2013 as defined by OWASP. Students will understand each vulnerability and best practices to defending these risks. This course meets PCI compliance requirement 6.5a. Understand each category of the OWASP Top 10 Achieve PCI Compliance SEC201 Defending Web Applications Understand an additional set of common web application vulnerabilities typically seen during security testing such as brute force attacks, session management concerns, encryption and more. Students understand how hackers exploit these issues and important defenses. This course is meant as a LEVEL200 course to the OWASP Top 10. Understand authorization, authentication, data validation and session management concepts. Exploit a vulnerable web application using our TrueLabs CSP101 Secure Software Concepts Students will understand the fundamentals to creating secure code and basic concepts to secure development. This includes the importance of secure design and understanding regulations such as privacy, governance and compliance. 30 min Understand fundamental concepts Regulations and security Development methodologies Copyright Security Compass. 7

8 CSP102 Secure Software Requirements Gathering the correct requirements to build secure software is one of the more difficult aspects to ascertain. Students will understand key techniques to reducing risk in the SDLC by understanding how to correctly identify requirements. 30 min Understand policy decomposition Classification of data Identifying functional and operational security requirements. CSP103 Secure Software Design Understand the considerations and compromises that must be made when it comes to designing secure software. Students will learn about techniques to design secure software such as Threat Modeling and best practices to securing third party technologies that are often associated with modern software. CSP104 Secure Software Coding Understand the principles of coding software securely. Students will see the security implications of choosing programming languages and the top vulnerabilities affecting software designed for the web and for desktops. Students will understand how to implement processes around secure software implementation. CSP105 Secure Software Testing Understand the principles to secure testing and testing software from a security perspective. Students will understand the fundamentals to setting up testing frameworks to promote software resiliency. CSP106 Software Acceptance Understand how to generate criteria for software acceptance. The focus will be acceptance from a security standpoint and how students can define important security criteria being allowing software to be promoted to release. 60min Understand security design Design process & threat modeling Integration of common technologies 120min Understand programming languages Software vulnerabilities for CWE & OWASP Implementing secure software processes 30min Areas of software testing Testing software for security issues Test resiliency and test reporting 30min Criteria for acceptance Performing verification Software validation CSP107 Software Operations Maintenance and Disposal Understand from an infrastructure perspective, steps to ensure software is secure upon deployment and operation. Students will learn how to monitor software and define procedures to dispose and support software for end-of-life scenarios. 30min Deployment and configuration Monitoring and incident response Disposal of software CSP108 Supply Chain and Software Acquisition Understand how to identify risks when sourcing software from the supply chain. Students will learn about risk management, protecting intellectual property, procurement and best practices when outsourcing software to suppliers. 60min Supplier risk management IP and Contracts Supplier sourcing and management Copyright Security Compass. 8

9 SECURE CODING (LANGUAGE SPECIFIC) # COURSE DESCRIPTION TIME OBJECTIVES JAV201 Defending Java Understand J2EE vulnerabilities common to the OWASP top 10, and see how these vulnerabilities affect Java web applications. Students will learn secure coding defenses for each vulnerability. Understand how Java vulnerabilities occur Securely code in Java J2EE NET201 Defending.NET 4.5 Understand.NET 4.5 vulnerabilities common to the OWASP top 10, and see how these vulnerabilities affect.net web applications. Students will learn secure coding defenses for each vulnerability. Understand how Microsoft.NET vulnerabilities occur Securely code in Microsoft.NET PHP201 Defending PHP Understand PHP5 vulnerabilities common to the OWASP top 10, and see how these vulnerabilities affect PHP web applications. Students will learn secure coding defenses for each vulnerability. Understand how PHP vulnerabilities occur Securely code in PHP CPP201 Defending C Understand desktop software vulnerabilities when it comes to creating software in C/C++. Students will learn about safe memory management, insecure functions and how to defend against buffer overflow security concerns from unmanaged languages. Understand how C / C++ vulnerabilities occur Understand buffer overflows Securely code in C HTM201 Defending HTML5 Learn about HTML standards designed to defend against vulnerable JavaScript, AJAX, JSON and iframes. Students learn the new technologies available in HTML5 to safely perform crossdomain requests as well as the use of offline storage, cross-origin resource sharing (CORS), cross-domain messaging (CDM), and iframe sandboxing. Students gain a defensive understanding of the business risks to HTML5 mash-ups. 60m Proactive techniques to managing and storing offline user data using HTML5 Best practices to performing cross-origin requests without hacks such as JSONP Understanding how third-party iframes can introduce vulnerabilities to your site How hackers can hijack your JSON Copyright Security Compass. 9

10 MOBILE SECURITY # COURSE DESCRIPTION TIME OBJECTIVES MOB101 Defending Mobile In this code-agnostic course, students will understand the risks to creating mobile applications. Students will learn how hackers attack mobile apps through data is stored on the device, data transmitted in the cloud and data in memory. They will learn best practices to securing mobile apps for any mobile operating system. Understand fundamental risks to mobile apps OWASP Mobile Top 10 Defenses to protecting mobile storage, communication and memory. IOS201 Defending ios Students will learn secure coding concepts for the OWASP Mobile Top , for ios applications. This includes understanding the business risks when creating mobile applications and secure ios coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. 60m Secure coding techniques for OWASP Mobile Top Business risks and how insecure ios applications are created Prerequisite is Defending Mobile CERTIFICATION # COURSE DESCRIPTION TIME OBJECTIVES CSP301 CSSLP e Bundle Following completion of CSSLP e, candidates will understand how to reduce the costs of security vulnerabilities throughout all phases of the software development lifecycle. Students will learn about fundamentals to software security, identifying regulations, secure requirements, secure design, secure implementation, testing, operations and supplier sourcing. Students can perform additional self-study and review using the e to get certified with (ISC) 2 for the Certified Secure Software Lifecycle Professional (CSSLP). 10 hours Understand the 8 domains to software security as it relates to the software development lifecycle. Become an expert on advising security in the SDLC. CSSLP Certification with (ISC) 2 Copyright Security Compass. 10

11 ROADMAP (COMING SOON IN 2015) # COURSE DESCRIPTION TIME OBJECTIVES AND201 Defending Android Students will learn secure coding concepts for the OWASP Mobile Top , for Android applications. This includes understanding the business risks when creating mobile applications and secure Android coding techniques to defend against vulnerabilities such as insecure data storage, weak server side controls, lack of binary protections and more. 60m Secure coding techniques for OWASP Mobile Top Business risks and how insecure Android applications are created Prerequisite is Defending Mobile SEC202 Threat Model Express Students will learn about the attacks that their applications may face and then an informal approach to threat modeling. They will first learn the steps in executing a Threat Model Express, and then they will engage in a guided fictional exercise. Understand the benefits of a traditional threat model vs. a threat model express exercise Engage in asking valuable questions that will effectively identify potential threats within an application Learn who should be involved in a Threat Model Express exercise and how to apply the model within your organization Copyright Security Compass. 11

12 PROGRAM METHODOLOGY Security Compass promotes security training by tailoring courses to your enterprise. Our catalogue is designed to specifically target areas of risk when it comes to building secure software. We keep our courses modular and concise to provide a clear track towards helping your developers become industry certified professionals. It is common in our industry to be buried under numerous courses with little training guidance. Security Compass promotes training program management to help you mature your training, year over year to gain the traction needed to manage a complete security program through all of Security Compass s services. TRAINING PROGRAM MATURITY Required Optional Certification Copyright Security Compass. 12

13 WHAT CAN WE DO FOR YOU? We understand application security. We breathe it. We strive to provide you with the best training for your teams. Our experience helping customers research and manage security risks allows us to embed our training material with the latest threats and vulnerabilities. It means that your staff is ready to respond with forward thinking concepts to securing your most sensitive applications - all tailored to you. Reach out to Security Compass advisors who can help. OLIVER NG Director oliver@securitycompass.com MICHELLE DIZON Manager michelle@securitycompass.com Copyright Security Compass. 13