Security Innovation Application Security Education Curriculum. Courses to Help Build and Deploy more Secure Software and Information Systems


Table of Contents

1.0 Security Education Curriculum Map
2.0 Information and Application Security Awareness
3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits
4.0 Architecting Secure Solutions
5.0 Creating Secure Code
6.0 Creating Secure Code C/C++
7.0 Creating Secure Code Java
8.0 Creating Secure Code ASP.NET
9.0 Creating Secure Code J2EE Applications
10.0 Web Application Security Testing
11.0 How to Break Software Security
12.0 How to Break Web Software
13.0 Security Testing Boot camp
Introduction to the Microsoft Security Development Lifecycle (SDL)
Introduction to Microsoft SDL Threat Modeling
Privacy in Software Development
Quarterly Security Brown-Bag
PCI Boot Camp for Software Development Teams

1.0 Security Education Curriculum Map

Introductory classes (executives, managers, development teams):
- Information and Application Security Awareness (Duration: 2 hours)
- Attacker Techniques Exposed (Duration: 1 day)

Core classes (each followed by an exam of 15 multiple choice questions):
- Architect: Architecting Secure Solutions (Duration: 2 days)
- Developer: Creating Secure Code (Duration: 2 days)
- Tester: How to Break Software Security (Duration: 2 days)
- Tester: How to Break Web Software Security (Duration: 2 days)

Specialized classes:
- Developer: Creating Secure Code Java (Duration: 2 days), exam of 15 multiple choice questions
- Developer: Creating Secure Code ASP.NET (Duration: 2 days), exam of 15 multiple choice questions
- Developer: Creating Secure Code C/C++ (Duration: 3 days), exam of 15 multiple choice questions
- Developer: Creating Secure Code J2EE Applications (Duration: 2 days), exam of 15 multiple choice questions
- Tester: Security Testing Bootcamp (Duration: 2 days)

Manager / architect, developer, tester:
- Quarterly Security Brown Bag (Duration: 2 hours)

2.0 Information and Application Security Awareness

Duration: 2 hours
This course is intended for all audiences (from marketing managers to testers).
Prerequisites: None

This course explores the consequences of failure, examines the root cause of software vulnerabilities, assesses the true cost of software vulnerability and presents a model to integrate security into the organization.

Upon completion of this class, participants will be able to:
- discuss why application security is critical
- list the main drivers for application security
- recognize that they (as well as everyone else in the organization) play a role in security

Modules Covered

Series of Case Studies/Examples
This module introduces a series of case studies where security vulnerabilities have resulted in huge financial losses. These studies look beyond IT losses to broader consequences such as impact on stock value, remediation expense, reputation loss, liability, etc.

The Increasing Reliance on Software to Manage Sensitive Data and Systems
In this module we assess the true reliance of businesses and critical systems on software and explore the consequences of failure.

Most System Vulnerabilities Have Their Roots in Software
This module examines the threats that can be mitigated at the network layer as opposed to those that must be addressed in software.

Software Vulnerabilities Have Real Costs and Consequences to Customers and Vendors
This module addresses the true cost of software vulnerability. Legislative requirements are also examined and attendees will take a tour through current and looming regulation challenges.

Getting to the Root of Software Vulnerabilities
This module will demonstrate that most security problems are not in security-specific components; rather, they are errors in general software routines and functions. Illustrative examples are shown.

Looking Forward: Balancing Security
Security is a major concern, but principles must be applied in the context of other organizational goals. Security is also more than just technology. It spans policy, procedure, people and technology. This section looks forward to what can be done to integrate security into the organization and discusses strategies to build a culture of security.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: No assessment is provided for this course.
Corporate Requirements: Classroom setup

3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits

Duration: 1 day
This course is intended for all technical/development team audiences. There are no prerequisites for this class.

This course examines trends in software vulnerabilities, demonstrates examples of security breaches, explores a wide range of live software vulnerabilities and introduces threat modeling techniques.

Upon completion of this class, participants will be able to:
- recognize the need for integrating security at each phase of the Software Development Lifecycle
- identify missing processes that are needed to improve the security of their systems
- create a high-level map of needs for the organization's people, processes and technology

Modules Covered

The Potential Attacker
Discusses the different genres of attackers, their different skill sets and their different goals.

The Anatomy of an Attack
Examines the different steps of an attack, from information gathering to the attack's consequences.

Attacks and Defenses
Goes over the layered security model and the different defenses that will help mitigate security risks.

Live Vulnerability and Exploit Tour
The core of the course. Attendees will go through a wide range of software vulnerabilities and will be shown live example exploits for these vulnerabilities. Attendees will gain awareness and key insights into these vulnerability types as well as the ease with which the attacker community can exploit them.

Tools and Threats
The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the audience inside the underground world of the attacker and illustrates the range of tools available to adversaries.

Thinking like the Attacker: Threat Modeling
A critical step in securing an application or system is to methodically think through threats. Presents several techniques for threat modeling, and walks through the process of modeling threats against several systems.

Incorporating Threats into Software/System Design, Development, Testing and Deployment
By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques for building security in.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: No assessment is provided for this course.
Corporate Requirements: Classroom setup

4.0 Architecting Secure Solutions

Duration: 2 days
This course is intended for developers, architects and testers. This course requires software design/programming knowledge and experience.

This course illustrates the importance of deploying secure solutions and describes the main secure design principles, what purpose they serve, how to apply them, and what technologies can be used to support these principles.

Upon completion of this class, participants will be able to:
- design software with security in mind
- use technologies pertaining to networks, encryption, anti-virus, and authentication to increase system security
- discuss and utilize the different technologies available to create secure systems
- integrate missing methodologies to improve the security of enterprise-level computing and management

Modules Covered

Security Goals
This section discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development.

The Business Context
This section discusses the role that security concerns and technologies play in product business decisions. Some of the tradeoffs are highlighted, and topics such as security estimation and metrics, along with quantifiable risk assessment, are touched on.

Security Principles
The fundamental principles of secure design/implementation are outlined. The content is sprinkled not only with code examples, but also with live demonstrations of the critical issues and failures.

Technologies
This section is designed to educate developers and testers on the technologies available to create more secure systems. The thrust of this section is to impart knowledge on constituent technologies that can essentially be plugged in to obtain a particular level of assurance.

Methodologies and Techniques
This section broadly discusses fundamental principles of secure design. This section will also provide background information to better frame the Technologies section.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.
Corporate Requirements: Classroom setup

5.0 Creating Secure Code

Duration: 2 days
This course is intended for developers (and testers with programming experience). This course requires software design/programming knowledge and experience.

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.).

This course examines vulnerabilities that are common across language implementations (C, C++ and Java) and covers real-world examples, illustrated in code, of failures along with methods to find, fix and prevent each type of flaw. Students are presented with a set of secure coding best practices and practical recommendations.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- proactively recognize and remediate common coding errors that lead to vulnerabilities
- perform threat modeling to identify vulnerabilities and analyze risks
- design and develop secure applications leveraging time-tested defensive coding principles

Modules Covered

Introduction to Software Security
This section provides insight into software security, why it is needed, and what the consequences of security vulnerabilities can be.

Common Coding Errors in C/C++
This section teaches how to recognize and remediate common coding errors and what tools can support this effort.

Threat Modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Defensive Coding Principles
This section educates the students on 19 time-tested defensive coding principles and how to use them to effectively prevent common security vulnerabilities.

Web Vulnerabilities
The web is different! This section will address common web vulnerabilities, how to find them and how to prevent them.

Security Testing and Quality Assurance
This section is optional and designed to educate both developers and testers on the differentiating factors between functional and security testing, the three classes of security bugs and how to spot them.

Training labs will be used to provide practical experience.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows 2000 / XP
- .NET Framework 2.0
- Visual Studio; a free version of Visual Studio can be found at [URL missing]. Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language.

6.0 Creating Secure Code C/C++

Duration: 3 days
This course is intended for developers and testers with C/C++ programming experience. This course requires C/C++ programming knowledge and experience.

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.).

This course examines vulnerabilities that are specific to C/C++ and covers real-world examples, illustrated in code, of failures along with methods to find, fix and prevent each type of flaw. Students are provided with a set of secure coding best practices and practical recommendations.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- write secure code on Windows and *nix platforms
- proactively recognize and remediate common coding errors that lead to vulnerabilities
- perform threat modeling to identify vulnerabilities and analyze risks
- design and develop secure applications leveraging time-tested defensive coding principles

Modules Covered

Introduction to Software Security
This section provides insight into software security, why it is needed, and what the consequences of security vulnerabilities can be.

OS Security
This section goes deep into Windows and *nix security and the programming caveats that they present. It then describes best practices to write robust code (exception handling, etc.). Finally, it describes the risks of socket programming and identifies secure practices.

Common Coding Errors in C/C++
This section teaches how to recognize and remediate common C/C++ coding errors and what tools can support this effort.

Threat Modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Defensive Coding Principles
This section educates the students on 12 time-tested defensive coding principles, and how to use them to effectively prevent common security vulnerabilities.

Training labs will be used to provide practical experience.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows 2000 / XP
- .NET Framework 2.0
- Visual Studio; a free version of Visual Studio can be found at [URL missing]. Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. C++ should be chosen as the language.

7.0 Creating Secure Code Java

Duration: 2 days
This course is intended for developers and testers with Java programming experience. This course requires Java programming knowledge and experience.

Secure coding is the process of reducing the susceptibility of code to vulnerabilities. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e.g. random number generation, encryption algorithms, etc.).

This course deals specifically with Java. The course will describe platform-provided security features and threat modeling techniques, and will then provide the students with a set of secure coding best practices and practical recommendations.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- write secure Java code by taking advantage of platform-provided security features
- create and use threat trees to find threats and vulnerabilities
- perform risk analysis and prioritize security fixes
- design and develop secure applications leveraging time-tested Java best practices

Modules Covered

Introduction to Software Security
This section provides insight into software security, why it is needed, and what the consequences of security vulnerabilities can be.

Java Virtual Machine
This section provides an overview of the Java Virtual Machine.

Java Security
In this section the students will learn platform-provided security features that should be leveraged to minimize the number of security vulnerabilities.

Threat Modeling
This section will show how threat modeling is a great technique to find, classify and prioritize security vulnerabilities.

Coding Best Practices
This section educates the students on 16 time-tested best practices, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Training labs will be used to provide practical experience.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows 2000 with J2SE Developer Kit of at least [version missing] and Eclipse

8.0 Creating Secure Code ASP.NET

Duration: 2 days
This course is intended for developers with ASP.NET programming experience. This course requires ASP.NET programming knowledge and experience.

This course gives developers an in-depth immersion into secure coding practices with an emphasis on solutions built around ASP.NET code. We will discuss in depth the principles of secure development, common coding errors for ASP.NET code and web apps, and secure coding best practices and how they can be used to develop more secure applications.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- recognize the root causes of the more common vulnerabilities
- write secure ASP.NET code by taking advantage of Windows-provided security features
- identify the symptoms of common vulnerabilities
- design and develop secure applications leveraging time-tested ASP.NET code best practices

Modules Covered

The Need for Security
This section describes the need for application security and provides a high-level description of application-based attacks.

Common Web Software Security Vulnerabilities
This section describes the most common security vulnerabilities and how to uncover them in your software.

Secure Programming Best Practices
This section educates the students on 13 time-tested best practices, how the ASP.NET framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Suggested Readings and Sites
References are provided in this section.

Training labs will be used to provide practical experience.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows 2000 / XP
- .NET Framework 2.0
- Visual Studio (or other ASP development environment); a free version of Visual Studio can be found at [URL missing]. Note: When VS Express is installed, the user is asked to choose a programming language, and VS will be installed for that language only. Please select C#.

9.0 Creating Secure Code J2EE Applications

Duration: 2 days
This course is intended for developers and testers with Java web programming experience. This course requires Java programming knowledge and experience.

This class dives deep into developing secure web applications in Java. It provides an overview of common web application vulnerabilities, and presents ways to avoid those vulnerabilities in Java code. In the hands-on section students will discover vulnerabilities for themselves and find ways to deal with them, greatly enhancing the security of their code.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- recognize the root causes of the more common vulnerabilities
- write secure J2EE code by taking advantage of Java-provided security features
- identify the symptoms of common vulnerabilities
- design and develop secure applications leveraging time-tested J2EE code best practices

Modules Covered

The Need for Security
This section describes the need for application security and provides a high-level description of application-based attacks.

Common Web Software Security Vulnerabilities
This section describes the most common security vulnerabilities and how to uncover them in your software.

Secure Programming Best Practices
This section educates students on 13 time-tested best practices, how the J2EE framework can support following them, what the consequences are of not following them, and how to use them to effectively prevent common security vulnerabilities.

Suggested Readings and Sites
References are provided in this section.

Training labs will be used to provide practical experience.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows 2000 with J2SE Developer Kit of at least [version missing] and Eclipse

10.0 Web Application Security Testing

Duration: 5-day course including hands-on labs
This course is intended for web testers. This course requires functional testing knowledge as well as a basic understanding of how applications work. No prior security testing experience is required.

This course is an intensive deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester. The course will culminate in a full-day, guided penetration test in which the students will execute security test cases on one of their own applications with the help of the instructor. The use of one of the organization's applications has the benefit of easing the transition of knowledge and techniques from the classroom back into everyday practice for the participants, as well as providing the organization with a partial penetration test of an application.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- build a threat model driven security test plan
- quickly identify the riskiest areas of an application
- perform a high-level security assessment on their application
- integrate security test cases and tools as part of their test suites
- report findings in a comprehensive manner in order to enable timely remediation

Detailed Course Outline

- Introduction to Software Security
- Security in the System Development Lifecycle
- Thinking Like a Security Engineer
- Enumerating the Attack Surface
  - What is an Attack Surface?
  - Standard Application Attack Vectors: GET and POST, Header, Cookies
  - Tools: Man-in-the-Middle Proxies
  - Extending the Application: Web 2.0 and Web Services
  - Beyond the Application: Server Fingerprinting, Port Scanning; Tools: HTTPrint, NMap, etc.
- More Tools and Techniques: Google Hacking, Nessus, TamperData, Spidering, Scripting (Python)
- Common Weaknesses
  - Data Leakage Attacks: Sniffing, Decompiling of Client-side Code, Probing the Application through Error Reporting, WSDL Scanning
  - Modification of Assumed Immutable Data (MAID): Direct Request (Forced Browsing), Path Traversal, Parameter Tampering (Hands On!)
  - Incorrect Resource Transfer Between Spheres: Bypassing Client-side Enforcement of Security, Unrestricted File Upload
  - Injection Attacks: SQL Injection (Hands On!), Cross-site Scripting (XSS) (Hands On!), HTTP Response Splitting, XPath, XQuery and XML Injection (Hands On!), AJAX Code Injection, Recursive XML Payload, Buffer Overflow
  - Exploiting Authentication: Insufficient Session Timeout, Session Hijacking/Replaying, Session Fixation, Session Riding/Cross-site Request Forgery (XSRF)
- Threat Based Testing
  - Threat Modeling: Decomposing the Application, Identifying Threats and Building Threat Trees, Identifying Mitigations and Vulnerabilities
  - Threat Based Test Plans: Building Test Plans from the Threat Tree, Test Execution and Coverage
- Issue Reporting and Tracking: Reproducing Vulnerabilities, Reporting Business Impact, Defining Criticality
- Boot Camp

Boot Camp
Participants will spend the last day of the course putting what they have learned to use on a test version of the application on which they work daily. The instructor will act as a mentor and experienced resource as they embark on their first security test engagement. The use of the organization's application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.

11.0 How to Break Software Security

Duration: 2-day course including hands-on labs, or 1-day course, lecture only
This course is intended for testers. This course requires functional testing knowledge as well as a basic understanding of how applications work.

Learn how to recognize potential security holes before attackers do. This course is designed to give testers and developers the tools, techniques and mindset they need to find security problems before their application is released.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- conduct attacks to uncover security vulnerabilities
- recognize where attacks are applicable
- identify the symptoms of security vulnerabilities

Modules Covered

Introduction
This section describes why security bugs are different from functional bugs in software; the students will gain an understanding as to why security bugs are usually missed during functional testing and learn to recognize symptoms of insecure software behavior.

The Four Classes of Security Vulnerabilities
In this section participants learn what a security bug really is and the four basic classifications of security vulnerabilities.

Assessing Risk
This section will help the students learn to identify the threats to their application.

An Overview of the Methodology of How to Break Software Security
This section describes how to determine which security attacks apply to an application, and how to quickly develop security test cases for each attack, tailored to that application.

Attacking Dependencies
In this section the students will learn different techniques allowing them to test and ensure the secure response of their application under different simulated dependency failures.

Attacking through the User Interface
In this section the students will learn testing techniques to expose security vulnerabilities in their software through the user interface.

Attacking Design
This section will provide the students with techniques to expose vulnerabilities that can creep into an application at the design stage.

Attacking Implementation
In this section students will learn techniques that can be used to expose vulnerabilities that exist because of implementation errors.

Training labs will be used to provide practical experience (in the 2-day version of this class).

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments: A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements: Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or an isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- Windows XP (preferred) or 2000 with .NET Framework v2.0 and MS Office

21 12.0 How to Break Web Software Duration: 2 Day Course including hands-on labs 1 Day Course, Lecture Only This course is intended for web application testers. This course requires functional testing knowledge as well as a basic understanding of how applications work. This course outlines a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP top 10, looking at 19 specific web application attacks, including attacking the client, state, data and the server. Upon completion of this class, participants will be able to: Modules Covered identify why software security matters to their business conduct attacks to uncover security web application vulnerabilities recognize where attacks are applicable identify the symptoms of security vulnerabilities for web applications Gathering Information on the Target In this section the students will learn how web applications are built and what attacks are applicable for this type of application. Attacking the Client In this section students will learn different client-based attacks such as bypass and client-side validation. Attacking State In this section students will learn why state is important and about different state-based attacks such as CGI parameters and cookie poisoning. Attacking Data In this section students will learn different data-based attacks such as cross-site scripting and SQL injection. Attacking the Server In this section students will learn different server-based attacks such as SQL injection II stored procedures and command injection. Privacy This section provides the students with an introduction to privacy: who you are, where you have been; as well as different data gathering methods. Web Services In this section we introduce participants to web services and discuss common attacks. Training labs will be used to provide practical experience (in the 2-day version of this class) 21

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments
A 15 question multiple choice exam is taken at the end of the course.

Corporate Requirements
Classroom setup with:
- At least one PC for every 2 students
- Internet connection with ports 8080 to 8085 open preferred, or isolated network where the instructor can plug in his/her laptop (with DHCP settings for all workstations). Please let us know which option you will accommodate at time of booking.
- No OS requirements
- Text editor of choice
- Localhost proxy: Paros or WebScarab

13.0 Security Testing Boot Camp

Delivery Method: Instructor led
Duration: 2 Day practical session

This course is intended for testers. This course can only be followed after the successful completion of one of the following courses:
- How to Break Software Security
- How to Break Web Software

This course is unique in the security industry. Rather than learning through lecture and general hands-on labs, this course walks the students through the security issues of one of the applications they are responsible for testing on a daily basis.

Upon completion of this class, participants will be able to:
- quickly identify the riskiest areas of an application
- perform a high-level security assessment on their application
- integrate security test cases as part of their test suites

Boot Camp Set-up

Pre-Course Self Study and Nightly Assignments
Students must complete required reading and analyze how specific security issues correspond to their area of testing.

Security Briefings
Each morning will start with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately implemented against the application throughout the day-long deep security testing sessions.

Application-specific Security Testing
Several days of intense hands-on assessment of the application are performed by the students. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product on which they typically perform QA testing.

No specific deliverables are provided for this class.

Assessments
No assessment is provided for this class.

Corporate Requirements
To achieve the desired results, your company should provide access to a developer knowledgeable about the entire application: the complete threat model as well as details on past defects discovered in the application. This will enable a strategic attack plan to be created prior to the course that will be discussed and explained during the class. Additionally, your company should make sure the students do all pre-course reading and all nightly assignments. This will be an intense several days of security education and testing that will push each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered, with special prizes for the top three teams based on the number and severity of the security bugs they find.

14.0 Introduction to the Microsoft Security Development Lifecycle (SDL)

Duration: 1 hour

This course is designed for all members of development teams which are adopting Microsoft's Security Development Lifecycle. This course requires some understanding about general software development lifecycles.

In order to help teams adopt the best practices that are part of the Security Development Lifecycle (SDL), this course provides an overview of what the SDL is and how it can be used by your team to produce solutions which meet a higher security quality standard.

Upon completion of this seminar participants will be able to:
- understand the need to address security at all phases of software development
- understand the benefits of adopting the SDL
- identify the best practices from the SDL not currently in place at the organization

Modules Covered

Applications under Attack
This section describes the need for application security and provides a look at the impact of application vulnerabilities.

Origins of the Microsoft SDL
This section describes the evolution of security at Microsoft and how the SDL came to be.

What is Microsoft Doing about the Threat?
This section describes Microsoft's process improvement initiative as well as the best practices associated with each phase of the lifecycle in the SDL.

Measurable Improvements at Microsoft
This section provides evidence of the positive impact the SDL has had internally at Microsoft.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments
No assessment is provided for this course.

Corporate Requirements
Classroom setup

15.0 Introduction to Microsoft SDL Threat Modeling

Duration: 2 hours

This course is designed for members of development teams adopting Microsoft's Security Development Lifecycle and looking to add the threat modeling exercise to their design phase activities. This course requires some understanding of how applications are designed.

In order to help teams adopt the best practice of threat modeling, which is part of the Security Development Lifecycle (SDL), this course provides an overview of what threat modeling means in the context of the SDL. It is designed to teach how to create a threat model using the Microsoft process which is part of the SDL.

Upon completion of this seminar participants will be able to:
- understand the importance of early lifecycle security best practices such as threat modeling
- understand the benefits of creating threat models of your software
- effectively produce a threat model of your software

Modules Covered

Introduction and Goals
This section explains the importance of the threat modeling activity and how it relates to creating secure software.

The SDL Approach to Threat Modeling
This section walks the participant through the process of threat modeling as it is defined in the SDL. This step-by-step instruction will allow participants to quickly gain an understanding of how to go about building threat models of their software.

Exercise
The exercise module allows participants to attempt creation of a threat model using the newly learned techniques from this course.

Demo
The demo module is an opportunity for the instructor to introduce the participants to Microsoft's Threat Modeling Tool. This free tool makes the process of building threat models more efficient.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments
No assessment is provided for this course.

Corporate Requirements
Classroom setup

16.0 Privacy in Software Development

Duration: 2 hours

This course is designed for anyone involved in the development of software or services. This course requires some understanding about general software development.

This course is designed to provide an introduction to privacy guidelines for developing software and services.

Upon completion of this seminar participants will be able to:
- understand the basics of privacy
- understand the need to address privacy in software development
- effectively drive privacy compliance within the software development team

Modules Covered

Privacy Basics
This section builds an understanding of the basic concepts associated with privacy. This includes comparing and contrasting privacy and security.

Privacy Guidelines for Developing Software and Services
This section provides definitions of common privacy concepts such as notice and consent. This is done through the use of nine common software scenarios.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments
No assessment is provided for this course.

Corporate Requirements
Classroom setup

17.0 Quarterly Security Brown-Bag

Duration: 2 hours

This seminar can be tailored to managers or technical teams, depending on the audience. This seminar requires a reasonable level of application security awareness.

To ensure that security awareness remains foremost in employees' minds, that development and testing techniques have been internalized, and to enable any ongoing questions to be answered, we offer a quarterly brown-bag session delivered as a web session, live presentation or conference call.

Upon completion of this seminar participants will be able to:
- apply new knowledge about a specific current security issue, technology or compliance standard
- strengthen the ongoing security development process
- strengthen ongoing testing efforts

Modules Covered
The content of this course is based on current security issues, technologies or standards, chosen according to customer needs.

This course is supported by a PowerPoint presentation, a hand-out of which is presented to the students at the beginning of the course.

Assessments
No assessment is provided for this course.

Corporate Requirements
Classroom setup

18.0 PCI Boot Camp for Software Development Teams

Duration: 4 Days

This course is intended for software development teams (architects, developers, testers/QA, and managers) who build software applications that need to comply with the PCI-DSS (Payment Card Industry Data Security Standard). It is also appropriate for PCI / PA-DSS Auditors, PCI Compliance Consultants and Researchers, Project Managers, IT Security Consultants, and anyone who is involved with the Application Development Lifecycle.

This course requires functional development and testing knowledge as well as a basic understanding of how applications work. No prior security experience is required, nor do participants need prior knowledge of PCI-DSS.

This course is an intensive deep-dive into the world of application security and PCI. It is designed to walk architects, developers, testers, and managers through application security as it pertains to the PCI-DSS. Topics covered include:
- software applications - common threats
- overview of OWASP top ten vulnerabilities
- secure coding principles (web and non-web)
- best practices for input and output validation
- web application security primer and software testing best practices
- hands-on labs and simulation of web application attack scenarios

The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common software application vulnerabilities as well as secure development and testing techniques. The course introduces tools (both commercial and free) and is taught by a professional security expert and PCI QSA (Qualified Security Assessor). The course can be customized for specific audiences, e.g., software developers, testing/deployment, etc. Each segment culminates with instructor-led lab exercises in which the students will execute security coding and/or test cases on sample applications. For a customization twist, clients can also choose to have one of their own applications as the application under test. The use of an organization-chosen application has the benefit of easing the transition of knowledge and techniques from classroom back into everyday practice for the participants.

Upon completion of this class, participants will be able to:
- identify why software security matters to their business
- build a threat model driven security test plan
- quickly identify the riskiest areas of an application
- perform security assessments on software applications (code white box and/or as-built black box testing)
- map security activities to PCI requirements and understand how to validate compliance to the standard(s)

This course is supported by a PowerPoint presentation and course material which is handed to students in class.

Corporate Requirements
Classroom setup with:
- A projector and whiteboard for the instructor
- One PC per participant
- VMware Player on each participant machine to run the provided virtual machine
- Connection to a test version of an application with which the participants are familiar, for the final day of the course

Detailed Course Outline

Introduction to Software Security
- What is Security?
- Why Security Matters
- Thinking Like a Security Engineer

Introduction to PCI-DSS
- Overview of the PCI requirements
- Overview of the PCI audit procedures relevant to software applications
- Deep dive into requirements 3 and 6
- Understanding and applying testing techniques to validate compliance

Challenging Security Misconceptions
- All software applications have bugs
- Client-side security does not exist
- QA is not security testing
- Tools are not solutions
- Patches do not guarantee security
- Compliance does not equate to security

Fundamentals of Security in the SDLC
- The anatomy of an attack
- Thinking like the attacker: Threat Modeling
- Common coding errors and how to exploit them
- Defensive design and coding principles
- Examples of security for C, C++, .NET, and Java applications

Common Weaknesses and Vulnerabilities
- OWASP TOP 10
- Threat-model-driven testing
- Threat Based Test Plans
- Issue Reporting and Tracking: Reproducing Vulnerabilities, Reporting Business Impact, and Defining Criticality

Going Beyond OWASP
- Logic flaws and non-web Applications
- Data Protection Mechanisms (crypto and more)
- Injection Attacks (not just SQL!)
- Fuzz Testing and other Tools
- Exploiting Authentication

Putting it all together
- Mapping PCI to your day-to-day activities as an Architect, Developer and/or Tester
- Understanding the business impact of insecure software (beyond just PCI compliance)

Boot Camp
The participants will spend time putting what they have learned to use on a test version of the selected application. The instructor will act as a mentor and experienced resource as they embark on an interactive security test engagement. The use of the organization's application rather than a demonstration application has been proven to help students more easily assimilate what they have learned into their daily testing activities. It also has the added benefit of discovering issues which need to be addressed by the organization.

Our Security Education Curriculum PREPARED FOR ASPE TECHNOLOGY BY SI, INC. www.aspetech.com toll-free: 877-800-5221


More information

PCI-DSS Penetration Testing

PCI-DSS Penetration Testing PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)

More information

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

Security and Vulnerability Testing How critical it is?

Security and Vulnerability Testing How critical it is? Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

CompTIA Security+ (Exam SY0-410)

CompTIA Security+ (Exam SY0-410) CompTIA Security+ (Exam SY0-410) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or

More information

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. http://bechtsoudis.com abechtsoudis (at) ieee.

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. http://bechtsoudis.com abechtsoudis (at) ieee. Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING Anestis Bechtsoudis http://bechtsoudis.com abechtsoudis (at) ieee.org Athena Summer School 2011 Course Goals Highlight modern

More information

Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Security Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

ensuring security the way how we do it

ensuring security the way how we do it ensuring security the way how we do it HUSTEF, 2015.11.18 Attila Tóth 1 Nokia Solutions and Networks 2014 Disclaimer The ideas, processes, tools are presented from a practitioner s point of view working

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) Certificate Program www.ce.ucf.edu/ssd Offered

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

Your Web and Applications

Your Web and Applications Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business

More information

Secure Web Applications. The front line defense

Secure Web Applications. The front line defense Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

EC-Council E C S P.NET. EC-Council. EC-Council Certified Secure Programmer (.NET)

EC-Council E C S P.NET. EC-Council. EC-Council Certified Secure Programmer (.NET) E C S P.NET (.NET) ECSP.NET Course Software defects, bugs, and flaws in the logic of the program are consistently the cause for software vulnerabilities. Analysis by software security professionals has

More information

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM

W16 INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE. Ryan English SPI Dynamics Inc BIO PRESENTATION 6/28/2006 3:00 PM BIO PRESENTATION W16 6/28/2006 3:00 PM INTEGRATING SECURITY INTO THE DEVELOPMENT LIFECYCLE Ryan English SPI Dynamics Inc Better Software Conference June 26 29, 2006 Las Vegas, NV USA Ryan English Ryan

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information