HP ESP Partner Enablement Fortify Proof of Concept Boot Camp Training

Transcription

1 HP ESP Partner Enablement Fortify Proof of Concept Boot Camp Training HP and HP Enterprise Security Products are committed to your success as an HP Partner. In the Fortify Proof of Concept Boot Camp Training, our ESP partner presales and architecture team members can build the skills that will equip them to represent and position HP Fortify solutions and effectively deliver Fortify solution proof of concept engagements. Participants in the Boot Camp typically are partner resources who engineer solutions for their customers and are capable and experienced in the delivery of demonstrations and proof of concepts. HP Fortify Partner Enablement training allows HP Partners to effectively deliver compelling and effective security solutions for their customers. This two day training course covers technical presales and architecture components of the Fortify portfolio including SAST, DAST, RAST, and FOD via classroom content and real world examples. For more information about HP Fortify portfolio, visit Course Overview This training event consists of distinct sessions, each with its own registration to allow for flexibility in attendance. More information about each session can be found below: Session Day HP ExpertOne Fortify Security Solutions ATP Prep Day The first day of the Fortify Boot camp is focused on Partner s pre-sales and architect team members and provides a single day of intensive preparation for the HP ExpertOne Fortify Security Solutions HP0-A0 ExpertOne ATP examination. Through lectures and hand-on activities the student will validate they have the competencies to implement HP Fortify Static Code Analyzer, Software Security Center, WebInspect and Fortify Runtime After completing this course, the student should be able to determine if they are sufficiently skilled to sit the HP0-A0 ExpertOne Examination. Attendees of this day will receive a voucher to take the HP0-A0 Fortify Security Solutions ATP ExpertOne examination. Session Day - HP Fortify Proof of Concept Boot Camp The next three days are the Fortify Proof of Concept boot camp focused on Partner s pre-sales and architect team members. On the first day we will lay down the foundations of addressing strategic and winning proposals for HP Fortify where a Proof of Concept is requested or required. Using two PoC examples as the basis, we will exercise all necessary activities which drive a PoC that has an optimum result PoC including: Guidance to conduct PoC with HP Fortify Solution Products Give attendees a base understanding of HP Fortify product suite and the goals of a Proof of Value/Concept with HP Fortify solution products versus a demo. Outlining the PoV concept - Prerequisites and things to know before a PoV Dramatization of Value / Benefits (demonstration of common use cases / work flows tailored to Prospect circumstances) Understanding the Technical considerations - What's essential to successfully conduct a PoV HP Fortify SCA and HP WebInspect specifics

2 On the second day, of the Boot Camp we will build additional product awareness through POC practice including HP Fortify: Hands-on with configuration and use cases Ability to Troubleshoot Common Problems HP WebInspect: Hands-on with configuration and use cases Introduction to RASP - Application Defender Fortify on Demand PoC & On-boarding Presenting the results - What's good to show to customers The third day of the Boot Camp addresses advanced POC topics including: Advanced Auditing Best Practice Intro to Custom Rules - when to use and when not to Basic scan debugging and troubleshooting Basic security remediation Intro to custom rules Deep dive with various common languages FoD Deep-dive Static and Dynamic Analysis Objection handling Session Day HP Fortify Day with Product Management The last day of the Fortify boot camp is the Fortify Day with Product Management and is focused on a partner s Sales and Pre Sales team members. Attendees are presented with the Fortify Solution Products portfolio and will learn how HP Fortify fits in the bigger HP Enterprise Security Products (ESP) picture and how to deliver the right messages about Fortify to potential customers. By attending the session the attendees will learn about customers use cases and key selling points when facing customers with Application Security requirements. In addition, Fortify Product Managers will introduce new solution products as well as packaging and licensing. Pre requisites Day ATP Prep Day: months HP Fortify experience, or completion of Fortify Security Solutions - ATP course - Day - PoC Boot Camp is technical in nature, frequently addressing complex topics and materials. It is expected that attendees: Are familiar with the processes for SDLC. Are familiar with the Fortify solution set and general scope Have a good understanding of software risks, including what are XSS, SQLi, forceful browsing, invalidated inputs, Buffer Overflows/Overruns. (See OWASP site) SAST: Understanding of programming processes and toolsets including the use of IDE and Build servers. Basic working knowledge of the Fortify SAST products, particularly SCA (multiple OS) and SSC Server (multiple OS, Java app) DAST: Basic working knowledge of the Fortify DAST products, particularly WebInspect (desktop). Understanding of vulnerability scanning techniques including Crawling (Discovery) and Auditing (Attacks) as well as Manual methods. Working knowledge on networks and their general operation, including proxies, intercept proxy tools, and the uses and effects of IPS/IDS RAST: Basic working knowledge of the Fortify RAST products, particularly Runtime (RTAL/RTAP) Day Day with Product Management session requires some knowledge and some experience with Application Security technologies. Sales and Pre Sales should record skills in understanding customer requirements considering security monitoring and cyber defense. Technical Requirements What Attendees Need to Bring Most training content is delivered as slides, hand outs and white boarding. For hands on labs, please bring a lap top computer. We will have an installation of Fortify software for you to use during the session. Use of a tablet in these sessions is not recommended unless you have keyboard and mouse. Web browser requirements:

3 Chrome + Firefox + Safari HTML Important: Your HP Learner ID Along with your name and address, your HP Learning Center Learner ID will be used to register and track your attendance and recognize your partner organization for your training. If you do not have a HP Learner ID, please visit the HP Learner ID for Partners page to request your learner ID at: esstolc-upp-gpp.pdf A quick reference card with the steps to obtain the learner ID can also be found via a link at the bottom of that page. Please note that it can take up to three days for this to be processed, so start this activity early.

4 Course Modules Overview Below is a short overview of the modules covered during the different Boot Camp sessions. Breaks are organized every 90mn and lunch will be in the middle of the day. DAY---- Fortify Security Solutions ATP Prep Day Welcome Introduction Session presentation and objectives HP ESP & Fortify Overview Overview of HP ESP, the current state of Software Security, and the entire Fortify product suite static, dynamic, and run-time protection and purpose of each Common Software Development Application Security Methodologies OWASP Top 0 FSIMM OpenSAMM Microsoft SDL Implementation of Fortify Products Architecture of the Fortify Solution Software Security Center (SSC) Static Code Analyser (SCA) WebInspect Enterprise (WIE) Application Defender Software Security Threat Agents Insider threats vs. Outsider threats Day Fortify PoC Boot camp Session Introduction and goals An introduction to the team, discuss expectations and set goals HP ESP & Fortify Overview Overview of HP ESP, the current state of Software Security, and the entire Fortify product suite static, dynamic, and run-time protection and purpose of each Outlining HP Fortify Proof of Value/Concept This module will focus on the POC aspect from a business, sales, and troubleshooting perspective. PoC Best Practices & Common Mistakes & Software Security Assurance Deeper dive into the overall components of a POC and SSA process to include troubleshooting tactics, common mistakes made, and recommendations for success. Operational Proficiency: Issue Triage & Lab This is a hands-on Static Analysis module series. In this session, individuals will learn how to use Fortify SCA, Audit Workbench, Command-line Utility, and Software Security Center. During this module, the installation of the demonstration environment will take place and static analysis will be performed on sample source code to assess, triage, and promote vulnerability findings within the SDLC. SCA, SSC, AWB, IDE POC & Workflows 7 8 Operational Proficiency: Project configuration This module extends the Issue Triage & Lab session. This is a hands-on learning session on how to manage and maintain vulnerability findings through custom filters, folders, and tags. Operational Proficiency: Collaboration This module extends the Issue Triage & Lab session. This is a hands-on learning session on how to leverage SSC Governance and integrate with the IDE plugin. Day Fortify POC Boot camp Intro to Dynamic & Integrated Analysis - WebInspect Overview of HP WebInspect Standalone, Real-Time, and Enterprise versions and purpose of each Operational Proficiency: Blackbox & Ops A deep dive module on Dynamic Analysis security testing to address security concerns in web sites, web services, and mobile application components. This module is feature rich and will cover the most important aspects to help you deliver meaningful results to prospects and customers.

5 Intro to SaaS - FoD & Application Defender SaaS is a major differentiator for HP Fortify. This module series is a hands-on deep dive into Fortify on Demand and Application Defender. Operational Proficiency: RASP This module will involve the installation, verification, and configuration of Application Defender. This is a deep-dive hands-on session to introduce the newest Gartner Magic Quadrant category Real-time Application Self-Protection. Operational Proficiency: SaaS This module will go into the details of Static, Dynamic, and Mobile Application Testing methodologies in the Cloud. This module will cover the differences and similarities of an on premise vs. in-the-cloud solution. Back-office operations and complexity and scale of the overall solution will also be discussed. Intro to Advanced Auditing Best Practices Practical Custom Rules Day Fortify POC Boot camp Deep Dive with.net & Java Deep Dive with C & C++ Deep Dive with Objective-C, Ruby & Others Fortify on Demand Deep Dive Build Integration Bug-tracker Integration Integration with FoD on Premise Data export to GRC or other management information systems FoD API Playbook Overview Day Day with Product Management Fortify Security Strategy Fortify Architecture and Design How to Sell the Fortify Product suite Facing our competitors Competitive update Product Roadmap and Updates SCA/SSC/tools WI/WIE Runtime products FoD/SaaS upgrades and migrations, obsolescence 7 Marketing campaigns, SPIFFs, programs Learn more at arrowecs.de