Fortify Training Services. Securing Your Entire Software Portfolio FRAMEWORK*SSA

Transcription

1 Fortify Training Services Securing Your Entire Software Portfolio FRAMEWORK*SSA Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard, CISO, CIGNA

2 Framework*SSA Training TeamStart Training Philosophy Fortify s mission is to empower our customers to achieve Software Security Assurance (SSA). As part of a successful SSA initiative, all members of a software development organization need to understand both the fundamentals of software security and the tactical implications on their work. Fortify covers both of these key aspects through the TeamStart methodology, which bridges the gap between theory and practice to provide relevant training with high retention and effectiveness. As part of Framework*SSA, the TeamStart methodology has been developed from training engagements across Fortify s sizable customer base. TeamStart Workshops Our TeamStart training workshops feature proven, hands-on exercises and examples customized for your environment and organizational processes, and using your code. For each application, a member of Fortify s staff of security experts delivers a five-day on-site TeamStart workshop customized using your application source code, your programming language, and your build system. Each TeamStart is targeted at an application s development or security team. TeamStart is the most effective program option for enabling rapid success with Fortify 360. elearning Courses To support and scale a training initiative, Fortify offers a comprehensive elearning program aimed at promoting secure coding practices within all parts of a customer s development and security organizations. These self-paced sessions are rich in content and easy to deploy to large, distributed teams. They also provide a reference and refresher after an instructor-led TeamStart to promote retention, and they are effective in training new team members. Most enterprises lack formal secure development training programs. 57% of organizations don t have systematic training programs addressing application security training for their developers. - Forrester Study Application Risk Management in Business Survey

3 Fortify Training Program A Training Program for Software Security Success Fortify combines instructor-led TeamStart workshops and elearning courses to provide a comprehensive program for educating an application team on software security and use of Fortify 360. The recommended program below establishes a fundamental software security capability within an organization before teaching the organization how to use Fortify 360 to automate many security processes. To maximize the value of the TeamStart, product-focused elearning is recommended. Product-focused elearning courses reinforce learning objectives from the TeamStart while affordably scaling the Fortify 360 training initiative to new and non-critical participants of the development process. Additionally, custom or advanced training can be developed to address the specific software security needs of an organization. Recommended Stages of Learning ASSESS ADOPT MATURE SSA elearning COURSES Application Security Fundamentatals Secure Java or.net Coding FORTIFY TEAMSTART For Fortify 360 SCA or Fortify 360 RTA FORTIFY PRODUCT elearning Fortify 360 SCA with Eclipse or Visual Studio ADVANCED or CUSTOM TRAINING Ex: Advanced Auditing, Custom Rules The Path to Software Security Assurance SSA elearning Courses The SSA elearning Courses are recommended before the TeamStart workshop to ensure members of the development organization - including management, architects, product managers, business analysts, security team members, developers, quality engineers, and auditors - have the fundamental background in application security necessary to understand and appreciate the business impact of security vulnerabilities. The Secure Coding courses provide security team members, developers, and quality engineers the background in secure software development necessary for understanding security issues identified in Fortify 360. Fortify TeamStart The Fortify TeamStart builds on an application team s software security and secure coding knowledge to educate the team on best practices for using Fortify 360 in their specific application environment. A TeamStart workshop is limited to a single application team because a significant portion of the examples and exercises are based on the participant s application, providing a rich, relevant, and productive training experience. Fortify Product elearning Courses Fortify Product elearning Courses keep TeamStart knowledge fresh and actionable. Participants in a TeamStart will find the courses useful as a reference and refresher after completing the TeamStart. Fortify Product elearning courses are also useful for training new team members who will be joining an application team utilizing Fortify 360 or for team members who are not directly responsible for the security of their application. Advanced Custom Training The Fortify training program is the most effective method to educate an application team on developing secure applications with Fortify 360, but some advanced or custom topics may not be covered. For advanced software security concepts and Fortify 360 product usage, Fortify offers custom training classes to mature an application team s software security and Fortify 360 capabilities.

4 Fortify TeamStart Tailored Training Workshops for Software Security Assurance The Intersection of Theory and Practice Combining the benefits of rigorous theory and on-the-job practice, Fortify TeamStart is the most efficient and effective method of adopting Fortify 360 inside your organization. Fortify tailors each TeamStart to a specific application based on your actual source code and software development life cycle (SDLC) processes. Participants learn practical software security coding practices while remediating existing vulnerabilities in their application using Fortify 360. Why TeamStart? Rapid integration of Fortify technology into an SDLC often requires changes to existing SDLC processes as well as education on Fortify products. To accelerate adoption of the new products and processes, Fortify TeamStart training delivers participants the necessary head start with its speedy, proven methods. TeamStart Training Workshops On-the-Job Training Classroom Training Benefits Regardless of an application team s current level of comfort with coding secure software, a TeamStart workshop empowers your team to adopt SSA as an application best practice using Fortify products. To facilitate this learning, TeamStart workshops provide: Maximum training effectiveness through session customization Content focused on your environment, processes, and code Proven methods for rapid adoption of Fortify technology No wasted time, effort, or expense In a TeamStart, You Will Learn: Role-specific Fortify 360 product usage and process deployment Secure programming theory and practical application Common software security vulnerabilities to avoid Integration of Fortify 360 Server into SDLC workflows and processes Remediation and prevention using Fortify 360 Development techniques and practices for secure coding, in your language of choice

5 Fortify F200 TeamStart F200: Securing Software Using Fortify 360 SCA F200 TeamStart Workshop Benefits Completion of this course will empower your application teams to become operational with Fortify in the context of your unique environment. Throughout the course, participants are taught methods of developing secure code using Fortify 360 SCA. Each workshop features an expert instructor, hands-on exercises and custom training materials. This course is the fastest and most effective way to begin the process of identification and remediation of vulnerabilities within your applications source code. Programming Languages Offered: Java,.NET, and C/C++. Who Should Take this Class Developers, software architects, security professionals, and project managers who will use Fortify 360 SCA. There are no prerequisites,but to maximize value from this course, participants should have development experience in the course programming languages, build experience and some exposure to application security. This course is also intended for practitioners interested in Fortify s Associate Certification. In This Course, You Will Learn Secure programming theory and applications Development techniques and practices for secure coding Common software security vulnerabilities to avoid Language-specific techniques for writing secure software Identification and remediation of software vulnerabilities using Fortify 360 SCA Integration of Fortify 360 into software development workflows and processes Fortify 360 audit and remediation interfaces including Audit Workbench (AWB) and IDE Plug-ins Remediation processes using Fortify 360 Sample F200 TeamStart Workshop Outline Introduction to Software Security Need for risk management Basic vocabulary of application security How to locate relevant resources Understanding the OWASP Top 10 Impact of common vulnerabilities Strategies to address application security Current and future trends Demonstration of Common Vulnerabilities Review of sample code and its vulnerabilities Examples of common intrusions and hacks Remediation techniques, including Fortify 360 SCA Overview of Fortify 360 Source Code Analyzer (SCA) Review of SCA s functionality Walkthrough of translation, analysis, and scan models In-depth presentation of SCA s analyzers Customizing SCA scans using rule packs Understanding the value of FPR files Using Audit Workbench (AWB) Advantages of using AWB Primary features of this GUI environment Walkthrough of functionality Fortify 360 SCA with Command Line Interface (CLI) Tapping into features not available in AWB Creating scripts using SCA within a CLI environment Apache ANT integration Using IDE Plug-ins Review of language-specific IDE plug-ins Advantages of using plug-ins Building and interpreting Fortify Project (FPR) files Half-day exercise using your source code to perform an indepth analysis and interpretation of FPR files Putting product knowledge to the test in your development environment Hands-On Exercises Participants receive hands-on instruction using Fortify 360 SCA in their software environment. Exercises include: Identifying vulnerabilities in the participants software Installing and using IDE Plug-ins on developer machines Integrating Fortify 360 into the build environment Using Audit Workbench to diagnose results

6 Fortify elearning Courses Computer-Based Training for Reinforcement and Scale Fortify offers a comprehensive elearning program aimed at promoting secure coding practices within customers entire development and security organizations. These self-paced sessions are rich in content and easy to deploy to large, distributed teams. At the lowest cost per participant for training, Fortify s elearning courses are the most efficient option for training large teams. They also provide a education reinforcement after instructor-led TeamStarts, and are effective in training new team members. The Value of elearning Learning to write secure code and to effectively use Fortify 360 SCA to identify and prevent vulnerabilities can be challenging and time consuming. elearning is the most value-focused method of scaling your Fortify training initiative to the entire organization. Our best-in-class courses will affordably help your development and security teams understand software security problems and how to address them using Fortify products. Quick and easy to deploy, these courses fit the needs of all Fortify students at their own pace and schedule.we maximize your investment by addressing the root cause of vulnerabilities with pragmatic remediation methods. Fortify elearning courses are also valuable in reinforcing previous instructor-led training. As retention declines, a computer-based refresher keeps skills sharp by reintroducing advanced concepts and features.

7 Software Security Assurance (SSA) Courses Completion of this bundle of elearning courses empowers participants to reduce the security vulnerabilities in the software that they write and maintain. Participants will develop an improved understanding of application security and learn how to use this knowledge in their environment. Who should take these courses? Developers, software architects, security professionals, and project managers interested in developing secure applications. SSA COURSES F301: Application Security Fundamentals F302N: Secure.NET Coding F302J: Secure Java Coding This course opens participants eyes to the world of software security. Participants will learn the basics of software security, the vulnerabilities and threats that can attack applications, strategies for designing and building secure applications, and how to manage risk in their code and their SDLC. This course will educate participants to develop secure.net applications while avoiding common coding errors. Participants will learn leading practices in the eight security categories of authentication, authorization, auditing & logging, exception handling, session and state management, input validation, cryptography, and testing approaches. Similar to the Secure.NET Coding course, this course will educate participants on developing secure Java software while avoiding common vulnerabilities. Fortify Product Courses Upon completion of these courses, participants understand how Fortify 360 addresses their security problems and how to audit, analyze, and interpret the results of Fortify 360 SCA in their environment. Who should take these courses? All users of Fortify 360 SCA. FORTIFY PRODUCT COURSES F310E: Fortify 360 SCA with Eclipse F310V: Fortify 360 SCA with Visual Studio This course shows students how to install the Eclipse plug-in and use the plug-in to secure their code. Topics include how to audit, organize, and customize issues, how to use collaboration features, how to generate and customize reports, and how to troubleshoot problems during scanning. This course shows students how to install the Visual Studio plug-in and use the plug-in to secure their code. Similar to the Fortify 360 SCA with Eclipse module, topics in this module include how to audit, organize, and customize issues, how to use collaboration features, how to generate and customize reports, and how to troubleshoot problems during scanning.

8 In February 2009, Gartner positioned Fortify in the Leaders Quadrant in the Magic Quadrant for Static Application Security Testing (SAST). The report is available at Custom and Advanced Training Fortify offers custom and advanced training to meet your organization s specific software security needs. Fortify s team of software security specialists have taught a number of custom and advanced training sessions including Custom Rules training, Advanced SCA Auditing, and Advanced Enterprise Integration. Contact Fortify to develop a course plan for your specific needs. Fortify Certification Program Fortify has developed a certification process to ensure that your employees have mastered the basics of software security and understand how to use Fortify 360 SCA. Fortify reinforces the lessons taught in instructor-led training and elearning courses with a practical exam at either the Associate or Professional Levels. A Fortify Certification puts your team in position to deliver exceptional results. Talk to a Fortify Security Practice Manager to include the certification process in your training program. About Framework*SSA Framework*SSA provides the knowledge and practices necessary to achieve success with Software Security Assurance. It includes methodology, metrics, and assets that help organizations maximize the value of their Fortify investment. About Fortify Fortify s Software Security Assurance solutions protect companies and organizations from today s greatest security risk: the software that runs their businesses. Fortify reduces the threat of catastrophic financial loss and damage to reputation as well as ensuring timely compliance with government and industry mandates. Fortify s customers include government agencies and Global 2000 leaders in financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information technology. FORTIFY SOFTWARE INC. MORE INFORMATION IS AVAILABLE AT 2215 BRIDGEPOINTE PKWY. TEL: (650) SUITE 400 FAX: (650) SAN MATEO, CALIFORNIA CONTACT@FORTIFY.COM