90% of data breaches are caused by software vulnerabilities.

Transcription

1 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) Offered in partnership with

2 Secure Software Development (SSD) Certificate Program Benefits Individuals Be a real influencer in CyberSecurity Learn skills that increase your marketability Take courses at your convenience Earn CPE/CEU credits Corporations Secure mission critical applications Reduce IT and data risk Comply with mandates for security training Demonstrate commitment to customers An SSD certificate is highly-regarded because it addresses the root cause of data breaches application layer vulnerabilities. The knowledge attained is not general purpose; it is specialized and critical to thwarting cybercrime. The SSD Certificate Program provides assurance that an individual has demonstrated mastery of real-world software security skills. The knowledge and techniques learned in this certificate program is based on and developed by experts in application security field - and offer both defensive techniques as well as awareness as to how a hacker will attack software applications. Certificate Course Work Course hours: 8 Creating Secure Code - C C++ Foundations OR Creating Secure Code JRE Foundations OR Understanding Secure Code for.net 4.0 Architecture Risk Analysis How to Create an Application Security Threat Model Attack Surface Analysis & Reduction Choice: How to test for the OWASP top Ten or Classes of Security Defects Choice: Creating Secure Code iphone Foundations OR Creating Secure Code Android Foundations About UCF Second largest university in the nation Top 10 among U.S. universities for the power and impact of its patents Ranked fifth, Top Up-andcoming national university by U.S. News & World Report UCF Stands for Opportunity

3 Creating Secure Code C/C++ Foundations This course will provide an overview of the threat modeling process and describe the ways to collect information for your application, build the activity-matrix and threat profile, and analyze risks. It will also teach you the nine defensive coding principles and how to use these principles to prevent common security vulnerabilities. Threat Modeling After completing this module, you will be able to: Identify threats proactively Create threat trees for your components Use threat trees to find vulnerabilities Classify vulnerabilities Perform risk analysis and prioritize security fixes. Defensive Coding Principles This module provides an overview of nine defensive coding principles that can be used in any programming language. After completing this module, you will be able to: List the time-tested defensive coding principles Use the coding principles to prevent common security vulnerabilities Perform threat modeling to identify vulnerabilities and analyze risks Leverage time-tested defensive coding principles to design and develop secure applications

4 Creating Secure Code JRE Foundations In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them. Common Java Web Software Security Vulnerabilities: Part 1 This module covers common vulnerabilities, including data leakage, and client or server protocol manipulation attacks. These attacks evade code reviews and test teams, including decisions based on a referrer tags, information disclosure, and failure to validate user input. You will learn what these vulnerabilities look like in code and see how you can fix them. After completing this module, you will be able to recognize and mitigate common Java Web software security vulnerabilities. Common Java Web Software Security Vulnerabilities: Part 2 This module will cover: Injection Attacks: o SQL Injection o Cross-site Scripting (XSS) Common Java Web Software Security Vulnerabilities: Part 3 This module will cover: Exploiting Authentication: o Session Hijacking o Session Fixation o Cross-site Request Forgery (CSRF)

5 Understanding Secure Code -.NET 4.0 This course describes.net security features, including concepts such as Code Access Security (CAS) and.net cryptographic technologies. It also provides secure coding best practices that will enable you to build more secure applications in.net. Explaining.NET Security Features In order to build secure applications in.net, it is important that you first understand the.net Framework and the security features it offers. This module provides you with the knowledge you need to understand the foundation of.net, the CLR s native security infrastructure (Code Access Security), cryptographic technologies, and the ASP.NET security infrastructure. After completing this module participants will be able to: Describe the Origins and Impact of Web vulnerabilities Recognize the dangers of ActiveX control misuse Recognize the dangers of cross-site scripting, canonicalization, SQL Injection, HTTP response splitting, and cross-site request forgery vulnerabilities Applying.NET Secure Coding Best Practices This module introduces several protections and best practices which if implemented properly, help mitigate the risk of web vulnerabilities in applications. Topics covered include the limitations of common mitigations, truly effective mitigations such as allow lists and frame restrictions, and SDL requirements aimed at mitigating Web vulnerabilities. After completing this module you will be able to: Recognize the limitations of common mitigations for Web vulnerabilities Recognize effective mitigations for Web vulnerabilities Recognize the SDL requirements aimed at mitigating Web vulnerabilities Identify the differences between managed and un-managed code Recognize the interactions between Windows access control and CAS Describe how cryptography is handled in.net Recognize the main aspects of ASP.NET security and security improvements brought by.net 2.0 Avoid common.net security pitfalls Write defensive code that protects your application from common threats Recognize when code is required to be reviewed for security vulnerabilities

6 Architecture Risk Analysis & Remediation Extract architecture views of a software system suitable for security analysis Apply a number of complementary techniques to find security vulnerabilities that cannot be easily discovered through tools This course defines concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws. Special attention is given to analysis of security issues in existing applications; however, the principles and techniques are applicable to systems under development. You will be shown various analyses that enable effective architecture risk analysis including accurately capturing application architecture, threat modeling with attack trees, attack pattern analysis, and enumeration of trust boundaries. Weigh the comparative impact of design-level security Apply techniques and methodologies to model threats, trust, and data sensitivity Build abuse cases and use them to explore how your software might be attacked Integrate Architecture Risk Analysis with the management of security knowledge in your organization A multiple-choice exam is taken at the end of the course.

7 Creating an Application Security Threat Model This course introduces the technique of Threat Modeling, its primary goals, and its role within software development. Once you are familiar with the concepts behind Threat Modeling, the entire Threat Modeling process is demonstrated giving you the knowledge you need to apply Threat Modeling to your own products and design/develop more secure code. Defining Threat Modeling This module equips you with the necessary information to help you understand the importance of Threat Modeling and the role it plays in identifying and mitigating threats. After completing this module you will be able to: Identify the goals of Threat Modeling Recognize the relation between Threat Modeling and the SDL Identify the roles involved in the Threat Modeling process Understand what and when to Threat Model Applying the Threat Modeling Process This module identifies in detail each step in the Threat Modeling process, outlines each step s purpose, and demonstrates the procedure to follow in order to apply each step. This module includes a lab to help you apply what you have learned in a real-world scenario. After completing this module you will be able to: Describe the application using diagrams Identify Threat Types by using STRIDE Identify appropriate mitigation techniques Recognize the role of the Threat Model document Understand the various threat modeling tools available to you Identify the goals of Threat Modeling and the corresponding SDL requirements Identify the roles and responsibilities involved in the Threat Modeling process Use the Threat Modeling process to accurately identify, mitigate, and validate threats Leverage various tools that help with Threat Modeling

8 Attack Surface Analysis & Reduction Define attack surface of an application Learn how to reduce application risk by reducing the attack surface Your system s attack surface represents the number of entry points you expose to a potential attacker - for example, user interfaces, Web services, database access, and so on. Fewer entry points means less chance of an attacker finding a vulnerability in your code. Therefore, it is important that you understand what an attack surface is and then see how you can measure and reduce the attack surface of your application. Understanding Attack Surface This module provides details that help you understand the attack surface of an application. After you understand how an attack surface affects application risk, you use the attack surface reduction goals to minimize the attack surface of your application. After completing this module, you will be able to: Describe what an attack surface is Understand how the attack surface impacts application risk Measuring and Reducing Attack Surface This module discusses the common metrics you can use, including attack surface, to measure application security. Measuring the attack surface of an application helps you measure the relative risk and its trends. This module also discusses best practices that you can use to reduce the attack surface of your application. Reducing the attack surface helps you reduce the possibility of undiscovered vulnerabilities that can impact the security of your application. After completing this module, you will be able to measure and reduce the attack surface of your application.

9 How to Test for the OWASP Top Ten The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Organizations that address these flaws greatly reduce the risk of a web application being compromised, and testing for these flaws is a requirement of the Payment Card Industry Standards (PCI-DSS) as well as other regulatory bodies. This course explains how these flaws occur and provides testing strategies to identify the flaws in web applications. Testing OWASP Top 10: Part 1 Topics covered in this module: A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) Testing OWASP Top 10: Part 2 Topics covered in this module: A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Determine if a web application is vulnerable to the top five security vulnerabilities identified in the OWASP Top 10 list. Determine if a web application is vulnerable to the last five security vulnerabilities identified in the OWASP Top 10 list. Explain how to protect the application against these security vulnerabilities

10 Classes of Security Defects Understand and outline the common classes of security defects Recognize the potential impact that common security defects can have Identify the programming errors that are responsible for common security defects Apply coding best practices in order to avoid common security vulnerabilities Find common security defects in an application s source code Map common security defects with specific technologies Test software in order to detect common security bugs Locate additional resources on common security defects This course equips you with the knowledge you need to create a robust defense against common security defects. You will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real life security bugs, you will be shown techniques and best practices that will enable you and your team to identify, eliminate, and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect. Classes of Security Defects This module presents the underlying root causes of security defects, explains the difference between functional and security bugs, and describes the inherent insecure nature of software. Defending against Common Security Defects This module offers best practice tips for defending against common security defects such as: buffer and integer overflows format string problems integer overflow SQL and command injection improper error handling cross-site scripting unprotected network traffic lack of server-side authorization poor usability weak authentication and data protection information leakage improper file access spoofing race conditions unauthenticated key exchange weak random number generation improper use of SSL and TLS

11 Creating Secure Code - iphone Foundations In this 1-hour course, you will learn to develop and deploy secure iphone applications by leveraging Apple s security services and following web application secure coding best practices. iphone Application Vulnerabilities iphone security breaches are a growing problem with serious financial consequences, particularly when those breaches affect enterprise networks. Many iphone application security vulnerabilities are fundamentally the same as those of other applications. iphone attack vectors include web-based malware, SQL injection, session hijacking, theft of data at rest and in transit, and jailbreaking. Your development strategy for protecting your applications should include data encryption, access control, code signing, itunes store validation, sandboxing, and securing network connections. This module helps you understand iphone security vulnerabilities, attack vectors, and the costs associated with security breaches. Additionally, this module covers each type of vulnerability, its root cause, and the best method for protection. Applie ios and SDK Developer Security Tools In this module, we will discuss all of the ios security services available to iphone application developers. You will learn how to use each of these components to protect against the attacks covered in Module one. The ios security services discussed in this module include encryption, isolation, secure connection, input validation, and authentication. Identify iphone application security risks and the costs associated with a successful attack Explain the role of Apple ios and SDK tools in providing security to iphone applications Protect sensitive data from theft or compromise, both at rest and in transit Integrate secure coding best practices into your C and Objective-C iphone applications iphone Secure Development Best Practices This module provides language- and tool-specific instruction on how to integrate Apple security services into your own secure coding best practices to fully protect against all major vulnerabilities.

12 Creating Secure Code - Android Foundations Identify common security issues and attack vectors in Android applications Identify security features of the Android OS, SDK, and NDK Identify applicationbased permissions, data protection methods, and code signing, packaging, and updating techniques used to secure Android applications Identify best practices for securely developing Android applications and protecting sensitive data This 90-minute course will help you develop secure Android applications by applying Android-specific secure development best practices and techniques. The course emphasizes key Android security features that can help you prevent common application vulnerabilities. Android Application Vulnerabilities One reason for the enormous popularity of Android phones is the wide variety and number of applications being published each year. Because Android provides an open development platform, and developers have full access to APIs and frameworks, there are far fewer constraints on how developers create their applications than in competing environments, such as Apple s ios. However, the open platform and the freedom developers have also increases the number of potential vulnerabilities. This module gives you an overview of Android application security and various risks associated with the platform. Security Features of the Android OS, SDL, and NDK In this module, you will learn how to integrate security services of Android s Linux kernel, SDK, and hardware into your application. Android Secure Development Best Practices In this module, you will learn how to protect your Android application by following secure coding best practices.

13 Secure Software Development (SSD) Certificate Program REGISTER ONLINE NOW Offered in partnership with