90% of data breaches are caused by software vulnerabilities.


Get the skills you need to build secure software applications.

Secure Software Development (SSD) Certificate Program
ssd.ucf.edu

Offered in partnership with

Secure Software Development (SSD) Certificate Program

Benefits

Individuals
- Be a real influencer in cybersecurity
- Learn skills that increase your marketability
- Take courses at your convenience
- Earn CPE/CEU credits

Corporations
- Secure mission-critical applications
- Reduce IT and data risk
- Comply with mandates for security training
- Demonstrate commitment to customers

About UCF
- Second largest university in the nation
- Top 10 among U.S. universities for the power and impact of its patents
- Ranked fifth, Top Up-and-coming national university by U.S. News & World Report
- UCF Stands for Opportunity

An SSD certificate is highly regarded because it addresses the root cause of data breaches: application layer vulnerabilities. The knowledge attained is not general purpose; it is specialized and critical to thwarting cybercrime. The SSD Certificate Program provides assurance that an individual has demonstrated mastery of real-world software security skills. The knowledge and techniques taught in this certificate program are based on and developed by experts in the application security field, and offer both defensive techniques and awareness of how a hacker will attack software applications.
Certificate Course Work

Foundation Level Certificate (Page 3)
Fee: $1,995; Course hours: 8
- Fundamentals of Application Security
- Fundamentals of Secure Architecture
- Fundamentals of Secure Development
- Fundamentals of Secure DB Development
- Choice of: PCI-DSS for Developers or Web Vulnerabilities: Threats & Mitigations

Advanced Level Certificate (Page 9)
Fee: $1,995; Course hours: 8
- Understanding Secure Code for C/C++ or J2EE or .NET 4.0
- Architecture Risk Analysis
- Introduction to Threat Modeling
- Attack Surface Analysis & Reduction
- Choice of: How to Test for the OWASP Top Ten or Classes of Security Defects

Expert Level Certificate (Page 17)
Fee: $1,995; Course hours: 8
- Choice of: Creating Secure Code for C/C++ or J2EE or .NET 4.0
- Integer Overflows: Attacks and Countermeasures
- Buffer Overflows: Attacks and Countermeasures
- How to Perform a Security Code Review
- Introduction to Cryptography

Instructor Bios (Page 24)

Fundamentals of Application Security
Foundation Level Certificate

This two-part course is ideal for security and development practitioners who want to understand software security risk and seek specific implementation guidance on how to build and deploy more secure software applications. It starts off describing why software security is critical and the risk that software vulnerabilities represent, and proceeds to lay the foundation for secure software development by presenting specific security controls and principles that development teams can implement immediately to reduce software risk.

Learning objectives:
- Recognize the need for managing application security risk
- Understand and leverage the OWASP Top 10 list
- Learn how to implement specific software security controls
- Learn principles to reduce software risk

This course concludes with an assessment that contains 15 questions aimed at measuring the effectiveness of the training.

Introduction to Software Security
This module presents trends in the attack landscape, the attacker mindset, the concept of software security risk, and the need to manage this risk as an organization.

Challenging Security Misconceptions
This module presents common and dangerous misconceptions that lead to a false sense of security, including:
- Client-side security does not exist
- QA is not security testing
- The application is not the network
- Tools are not solutions
- Patches do not guarantee security
- All software applications have bugs

Security Principles
This module describes specific principles that help guide design, coding, and implementation decisions:
- Layered security/defense in depth
- Segmentation
- Structural security
- Principle of least privilege
- Default to deny all
- Handling input and output

The OWASP Top Ten List
This module explains the OWASP Top Ten threats, how each threat works, its impact, and the best way to mitigate it.

Security Goals and Controls
This module presents the goal of secure software design and the security controls that will help mitigate software risk:
- Confidentiality, Integrity, Availability
- Error/exception handling
- Authentication, Authorization/access control
- Cryptography and encryption

Security in the Software Development Lifecycle (SDLC)
This module prescribes specific activities for each phase of the SDLC: Requirements, Design, Development, Testing, Production, and Maintenance.

Fundamentals of Secure Architecture
Foundation Level Certificate

Learning objectives:
- Understand the state of the software industry with respect to security
- Learn from past software security errors and avoid repeating those mistakes
- Understand and use confidentiality, integrity, and availability (CIA) as the three main tenets of information security

In the past, software applications were created with little thought to the importance of security. In recent times, businesses have become more rigorous about how they buy software. When looking at applications and solutions, companies don't just look at features, functionality, and ease of use. They focus on the total cost of ownership (TCO) of what they purchase. Security is a large and visible part of the TCO equation.

State of the Industry
This module explains how software has matured in an insecure world, the historical perspective, and the current state of the software industry from a security perspective. It also discusses the deteriorating condition of software security and what you can do about it. After completing this module, you will understand the state of the software industry with respect to security.

Learn from Past Mistakes
This module discusses some of the biggest security disasters in software design and their expensive and sometimes tragic consequences. In this module, we will focus on what lessons can be learned from these mistakes. After completing this module, you will see how to avoid repeating the mistakes of the past.

Information Security Tenets
The CIA triad (Confidentiality, Integrity, and Availability) comprises the information security tenets. You can use the CIA triad as a means of analyzing and improving the security of your application and its data. After completing this module, you will understand and use confidentiality, integrity, and availability as the three main tenets of information security.

Fundamentals of Secure Development
Foundation Level Certificate

In this course, students will learn an overview of software security and its latest trends, as well as the importance of software security for business. Students will also learn to perform threat modeling to identify threats proactively, create threat trees for application components, use threat trees to find vulnerabilities, classify vulnerabilities, and perform risk analysis and prioritize security fixes.

Upon completion of this course, you will be able to:
- Explain why software security matters to your business.
- Describe how to write secure code on Windows and *nix platforms.

This course concludes with an assessment that contains 15 questions aimed at measuring the effectiveness of the training.

Introduction to Software Security
This module will provide an overview of software security and its latest trends. It will also explain the importance of software security to your business. After completing this module, you will be able to:
- Identify the latest trends in software security
- Explain why software security matters to your business

OS Security
This module discusses the implementation of security features to develop secure code and avoid OS-specific security pitfalls. It also talks about implementing code assumptions to heighten reliability and security. Finally, this module guides you in using networking facilities to avoid security vulnerabilities. After completing this module, you will be able to:
- Employ platform-provided security features to write secure code
- Avoid OS-specific security pitfalls
- Implement code assumptions to enhance reliability and security
- Use networking facilities to avoid common security vulnerabilities

Fundamentals of Secure Database Development
Foundation Level Certificate

Learning objectives:
- Describe fundamental database concepts and the purpose of a database
- Gain a basic understanding of common database attacks
- Describe secure database development best practices
- List the database development practices that should be avoided
- Review sample software scenarios to understand database attacks and apply the corresponding mitigations

This course introduces developers to the fundamentals of secure database development. The course begins with a discussion of the role of databases and how they are used in today's software systems. It also discusses the common database attacks that could be used to cause significant loss to organizations. Next, it reviews the best practices that developers should incorporate to mitigate the risks from database attacks, including practices that developers should avoid. Finally, the course concludes with a walk-through of a software system scenario that allows you to apply the database attacks and developer best practices discussed.

Introduction to Database Security
In this module, you will learn how to store, retrieve, and manage data using databases and database management systems (DBMSs). You will also learn about the various scenarios where a database can be used in software applications. This module also describes Structured Query Language (SQL) and how it is used to manage data in databases. Finally, this module discusses some database attacks that have been in the news.

Common Database Attacks
This module discusses common database attacks and vulnerabilities, including SQL injection, information disclosure, weak account passwords, exploitation of extra functionality, unprotected database backups, poorly patched databases, and unprotected communications. It also explains how privilege escalation adds to the severity of these attacks and vulnerabilities. Relevant attack examples and scenarios are included in the discussion. This module also describes how these attacks are perpetrated, and methods you can use to prevent these attacks or reduce their likelihood.

Secure Database Development Best Practices
In this module, you will learn about various secure database development best practices. Best practices like input validation and SQL statement parameterization check for valid database inputs and mitigate risks from common database attacks, respectively. You can also increase database security by suppressing database error messages, reducing the attack surface of the database application, deploying databases under the principle of least privilege, and employing defense in depth.

PCI Best Practices for Developers
Foundation Level Certificate

The Payment Card Industry Data Security Standard (PCI-DSS) provides minimum requirements for addressing the security of software systems handling credit card information. Addressing the requirements during the design and build stages of the development life cycle improves application security and simplifies compliance. This course will provide software developers with an in-depth understanding of application security issues within the PCI-DSS and best practices for addressing each requirement.

Learning objectives:
- Understand the PCI DSS 2.0 requirements that are applicable to developers.
- Know how to apply PCI DSS 2.0 implementation best practices for secure software development.

This course concludes with an assessment that contains 15 questions aimed at measuring the effectiveness of the training.

Introduction to PCI DSS
This module provides an introduction to PCI DSS and helps you understand its security framework. It also explains why you need to follow the standard and the benefits of doing so. Finally, it discusses the application types that are most likely to be subject to PCI DSS. After completing this module, you will be able to describe PCI DSS, its benefits, and the application types that are subject to this PCI standard.

PCI DSS 2.0 Requirements & Implementation Best Practices
To comply with PCI DSS, you implement proven information security technologies in your applications. Understanding PCI DSS requirements is a step towards better security. By adhering to PCI DSS requirements, you apply a comprehensive security framework that results in higher information assurance.

Web Vulnerabilities: Threats & Mitigations
Foundation Level Certificate

Learning objectives:
- Understand and identify the most common and recent attacks against Web-based applications
- Describe the mechanisms of exploitation of Web vulnerabilities
- Apply best coding practices to avoid Web vulnerabilities
- Perform code reviews that detect Web vulnerabilities
- Locate additional Web vulnerability resources

This course provides all the information you need to understand, avoid, and mitigate the risks posed by Web vulnerabilities. You are first provided with a detailed background on the most common and recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request forgery attacks. The course then delves into practical recommendations on how to avoid and/or mitigate Web vulnerabilities. Real-world examples are provided to help students understand and defend against Web vulnerabilities.

Recognizing the Dangers of Web Vulnerabilities
In order for you to effectively mitigate Web vulnerabilities, it is important that you understand the impact of these dangers. This module provides a historical perspective on the damage these types of vulnerabilities have caused, and presents the detailed mechanics of major Web vulnerabilities and how they lead to serious security issues. After completing this module you will be able to:
- Describe the origins and impact of Web vulnerabilities
- Recognize the dangers of ActiveX control misuse
- Recognize the dangers of cross-site scripting, canonicalization, SQL injection, HTTP response splitting, and cross-site request forgery vulnerabilities

Challenging Security Misconceptions
This module introduces several protections and best practices which, if implemented properly, help mitigate the risk of Web vulnerabilities in applications. Topics covered include the limitations of common mitigations, truly effective mitigations such as allow lists and frame restrictions, and SDL requirements aimed at mitigating Web vulnerabilities. After completing this module you will be able to:
- Recognize the limitations of common mitigations for Web vulnerabilities
- Recognize effective mitigations for Web vulnerabilities
- Recognize the SDL requirements aimed at mitigating Web vulnerabilities

Understanding Secure Code - .NET 4.0
Advanced Level Certificate

This course describes .NET security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. It also provides secure coding best practices that will enable you to build more secure applications in .NET. Note: Understanding Secure Code - .NET 2.0 (COD 216) is also available.

Explaining .NET Security Features
In order to build secure applications in .NET, it is important that you first understand the .NET Framework and the security features it offers. This module provides you with the knowledge you need to understand the foundation of .NET, the CLR's native security infrastructure (Code Access Security), cryptographic technologies, and the ASP.NET security infrastructure. After completing this module participants will be able to:
- Describe the origins and impact of Web vulnerabilities
- Recognize the dangers of ActiveX control misuse
- Recognize the dangers of cross-site scripting, canonicalization, SQL injection, HTTP response splitting, and cross-site request forgery vulnerabilities

Applying .NET Secure Coding Best Practices
This module introduces several protections and best practices which, if implemented properly, help mitigate the risk of Web vulnerabilities in applications. Topics covered include the limitations of common mitigations, truly effective mitigations such as allow lists and frame restrictions, and SDL requirements aimed at mitigating Web vulnerabilities. After completing this module you will be able to:
- Recognize the limitations of common mitigations for Web vulnerabilities
- Recognize effective mitigations for Web vulnerabilities
- Recognize the SDL requirements aimed at mitigating Web vulnerabilities
- Identify the differences between managed and unmanaged code
- Recognize the interactions between Windows access control and CAS
- Describe how cryptography is handled in .NET
- Recognize the main aspects of ASP.NET security and the security improvements brought by .NET 2.0
- Avoid common .NET security pitfalls
- Write defensive code that protects your application from common threats
- Recognize when code is required to be reviewed for security vulnerabilities

Understanding Secure Code JRE
Advanced Level Certificate

In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them.

This course concludes with an assessment that contains 15 questions aimed at measuring the effectiveness of the training.

Common Java Web Software Security Vulnerabilities: Part 1
This module covers common vulnerabilities, including data leakage and client or server protocol manipulation attacks. These attacks evade code reviews and test teams; they include decisions based on referrer tags, information disclosure, and failure to validate user input. You will learn what these vulnerabilities look like in code and see how you can fix them. After completing this module, you will be able to recognize and mitigate common Java Web software security vulnerabilities.

Common Java Web Software Security Vulnerabilities: Part 2
This module will cover:
- Injection Attacks:
  - SQL Injection
  - Cross-site Scripting (XSS)

Common Java Web Software Security Vulnerabilities: Part 3
This module will cover:
- Exploiting Authentication:
  - Session Hijacking
  - Session Fixation
  - Cross-site Request Forgery (CSRF)

Understanding Secure Code C/C++
Advanced Level Certificate

This course will provide an overview of the threat modeling process and describe the ways to collect information for your application, build the activity matrix and threat profile, and analyze risks. It will also teach you the nine defensive coding principles and how to use these principles to prevent common security vulnerabilities.

Learning objectives:
- Perform threat modeling to identify vulnerabilities and analyze risks
- Leverage time-tested defensive coding principles to design and develop secure applications

Threat Modeling
After completing this module, you will be able to:
- Identify threats proactively
- Create threat trees for your components
- Use threat trees to find vulnerabilities
- Classify vulnerabilities
- Perform risk analysis and prioritize security fixes

Defensive Coding Principles
This module provides an overview of nine defensive coding principles that can be used in any programming language. After completing this module, you will be able to:
- List the time-tested defensive coding principles
- Use the coding principles to prevent common security vulnerabilities

Architecture Risk Analysis & Remediation
Advanced Level Certificate

Learning objectives:
- Extract architecture views of a software system suitable for security analysis
- Apply a number of complementary techniques to find security vulnerabilities that cannot be easily discovered through tools
- Weigh the comparative impact of design-level security
- Apply techniques and methodologies to model threats, trust, and data sensitivity
- Build abuse cases and use them to explore how your software might be attacked
- Integrate Architecture Risk Analysis with the management of security knowledge in your organization

This course defines concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws. Special attention is given to analysis of security issues in existing applications; however, the principles and techniques are applicable to systems under development. You will be shown various analyses that enable effective architecture risk analysis, including accurately capturing application architecture, threat modeling with attack trees, attack pattern analysis, and enumeration of trust boundaries.

A multiple-choice exam is taken at the end of the course.

Introduction to Threat Modeling
Advanced Level Certificate

This course introduces the technique of Threat Modeling, its primary goals, and its role within software development. Once you are familiar with the concepts behind Threat Modeling, the entire Threat Modeling process is demonstrated, giving you the knowledge you need to apply Threat Modeling to your own products and design/develop more secure code.

Learning objectives:
- Identify the goals of Threat Modeling and the corresponding SDL requirements
- Identify the roles and responsibilities involved in the Threat Modeling process
- Use the Threat Modeling process to accurately identify, mitigate, and validate threats
- Leverage various tools that help with Threat Modeling

Defining Threat Modeling
This module equips you with the necessary information to help you understand the importance of Threat Modeling and the role it plays in identifying and mitigating threats. After completing this module you will be able to:
- Identify the goals of Threat Modeling
- Recognize the relation between Threat Modeling and the SDL
- Identify the roles involved in the Threat Modeling process
- Understand what and when to Threat Model

Applying the Threat Modeling Process
This module identifies in detail each step in the Threat Modeling process, outlines each step's purpose, and demonstrates the procedure to follow in order to apply each step. This module includes a lab to help you apply what you have learned in a real-world scenario. After completing this module you will be able to:
- Describe the application using diagrams
- Identify threat types by using STRIDE
- Identify appropriate mitigation techniques
- Recognize the role of the Threat Model document
- Understand the various threat modeling tools available to you

Attack Surface Analysis & Reduction
Advanced Level Certificate

Learning objectives:
- Define the attack surface of an application
- Learn how to reduce application risk by reducing the attack surface

Your system's attack surface represents the number of entry points you expose to a potential attacker, for example user interfaces, Web services, database access, and so on. Fewer entry points mean less chance of an attacker finding a vulnerability in your code. Therefore, it is important that you understand what an attack surface is and then see how you can measure and reduce the attack surface of your application.

Understanding Attack Surface
This module provides details that help you understand the attack surface of an application. After you understand how an attack surface affects application risk, you use the attack surface reduction goals to minimize the attack surface of your application. After completing this module, you will be able to:
- Describe what an attack surface is
- Understand how the attack surface impacts application risk

Measuring and Reducing Attack Surface
This module discusses the common metrics you can use, including attack surface, to measure application security. Measuring the attack surface of an application helps you measure its relative risk and how that risk trends over time. This module also discusses best practices that you can use to reduce the attack surface of your application. Reducing the attack surface helps you reduce the possibility of undiscovered vulnerabilities that can impact the security of your application. After completing this module, you will be able to measure and reduce the attack surface of your application.

How to Test for the OWASP Top Ten
Advanced Level Certificate

The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Organizations that address these flaws greatly reduce the risk of a web application being compromised, and testing for these flaws is a requirement of the Payment Card Industry Standards (PCI-DSS) as well as other regulatory bodies. This course explains how these flaws occur and provides testing strategies to identify the flaws in web applications.

Learning objectives:
- Determine if a web application is vulnerable to the top five security vulnerabilities identified in the OWASP Top 10 list.
- Determine if a web application is vulnerable to the last five security vulnerabilities identified in the OWASP Top 10 list.
- Explain how to protect the application against these security vulnerabilities.

Testing OWASP Top 10: Part 1
Topics covered in this module:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)

Testing OWASP Top 10: Part 2
Topics covered in this module:
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

Classes of Security Defects
Advanced Level Certificate

Learning objectives:
- Understand and outline the common classes of security defects
- Recognize the potential impact that common security defects can have
- Identify the programming errors that are responsible for common security defects
- Apply coding best practices in order to avoid common security vulnerabilities
- Find common security defects in an application's source code
- Map common security defects to specific technologies
- Test software in order to detect common security bugs
- Locate additional resources on common security defects

This course equips you with the knowledge you need to create a robust defense against common security defects. You will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real-life security bugs, you will be shown techniques and best practices that will enable you and your team to identify, eliminate, and mitigate each class of security defect. Additional mitigation techniques and technologies are described for each class of security defect.

Classes of Security Defects
This module presents the underlying root causes of security defects, explains the difference between functional and security bugs, and describes the inherently insecure nature of software.

Defending against Common Security Defects
This module offers best-practice tips for defending against common security defects such as:
- buffer and integer overflows
- format string problems
- integer overflow
- SQL and command injection
- improper error handling
- cross-site scripting
- unprotected network traffic
- lack of server-side authorization
- poor usability
- weak authentication and data protection
- information leakage
- improper file access
- spoofing
- race conditions
- unauthenticated key exchange
- weak random number generation
- improper use of SSL and TLS

Creating Secure Code ASP.NET
Expert Level Certificate

This e-learning course targets development teams working on ASP.NET applications. It will help developers define and code more secure applications as they learn at their own pace. As a result, organizations can keep their training costs down while improving the speed and quality of their software development efforts. This in-depth course examines the development of secure Web applications in ASP.NET. It provides developers and testers with an overview of common Web application vulnerabilities and a set of nine best practices and techniques to follow in order to avoid them. Throughout the course, students are provided with interactive games and simulations designed to reinforce the secure design and coding concepts that were introduced.

Learning objective:
- Understand the principles of secure coding and design of ASP.NET Web applications.

In the Course Laboratory sections, hands-on activities allow students to discover the vulnerabilities for themselves and find ways to address them, greatly enhancing the security of their code.

The Need for Secure Coding Best Practices
This topic explains the consequences of not following best practices; it also provides an overview of the advantages of addressing security issues at the implementation phase, rather than later in the software development life cycle.

Nine Best Practices
This topic details each of the nine best practices listed below; for each, it defines the best practice, outlines the vulnerabilities that could arise should the best practice not be followed, and provides the students with multiple hands-on exercises.
1. Perform Input and Data Validation
2. Err and Fail Securely
3. Practice Defense in Depth
4. Handle Sensitive Data with Care
5. Follow Secure Account Management Policies
6. Follow Secure Auditing and Logging Procedures
7. Implement Proper Authorization
8. Do Not Reinvent the Wheel
9. Do Not Reveal Too Much Information

Creating Secure Code J2EE Web Applications
Expert Level Certificate

Learning objectives:
- List the time-tested defensive coding principles
- Use the coding principles to prevent common security vulnerabilities

A multiple-choice exam is taken at the end of the course.

This course introduces and explains the precautionary measures you can use to avoid Web software security vulnerabilities, such as data leakage attacks, client/server protocol manipulation, injection attacks, and exploitation of authentication. At the end of this course, you will have learned about time-tested defensive coding principles and how to use them to increase the security of your application and prevent common security vulnerabilities. This course features three modules, each of which provides an overview of the best practices for securing your application using Java programming. Using these best practices, you will learn how to prevent common security vulnerabilities.

Secure Java Programming Best Practices: Part 1
The best practices discussed in this module are fundamental to the design and implementation of security mechanisms. By using time-tested best practices, you can protect your application from common vulnerabilities and harden your application against attack.

Secure Java Programming Best Practices: Part 2
The topics covered in this module are:
- Handle sensitive data with care
- Compartmentalize users, processes, and data
- Follow the account management policy in place
- Follow the audit and logging procedure in place

Secure Java Programming Best Practices: Part 3
The topics covered in this module are:
- Implement the principle of least privilege
- Keep an open and simple design
- Limit the number of entry points to your application
- Do not reinvent the wheel
- Do not reveal too much information

Creating Secure Code C/C++
Expert Level Certificate

In this course, you will learn to detect common coding errors that lead to vulnerabilities. You will learn to effectively remediate the most common security vulnerabilities, and use the right tools to secure your code and detect security vulnerabilities early in the project lifecycle. This course has one module.

Learning objectives:
- Recognize common coding errors that lead to vulnerabilities
- Apply techniques to effectively remediate common security vulnerabilities
- Select the right tools to secure your code

Common Coding Errors
This module discusses common coding errors that result in security vulnerabilities. By avoiding these common coding errors, you can focus on the tricky security problems unique to your application. Additionally, this module introduces you to the tools used to detect common coding errors.

20  Expert Level Certificate

Integer Overflows: Attacks & Countermeasures

An integer overflow is a programming error that can severely impact a computer system's security. Because this bug is subtle, integer overflows are often overlooked during development. This course covers the security concepts, testing techniques, and best practices that will enable you to develop robust applications that are secure against integer overflow vulnerabilities.

Introduction to Integer Overflows
This module covers all the information required to understand the mechanisms that lead to integer overflows, while showing the potential damage they can cause to an application. The goal of this module is to enable you to explain why integer overflows occur and to correctly identify the threats they pose.

Preventing Integer Overflows
This module provides the necessary information and best practices to prevent integer overflows. Specifically, it illustrates how to use integer overflow countermeasures such as checked expressions, how to choose correct integral types, and how to use existing libraries and classes that have been designed to be safe from integer overflows. Additionally, it provides proper code review and testing techniques that will enable you to identify and eliminate existing integer overflows.

Objectives:
- Recognize integer overflows in your existing code base
- Apply best practices in order to prevent integer overflows
- Perform specialized testing that detects integer overflows
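As an added illustration of the countermeasures this course description names (checked expressions, choosing the right integral type, and relying on the compiler's checked-arithmetic facilities), the following C code is an editor's example and not material from the course. The allocation routine, the RECORD_HEADER constant and the sample values are constructed for it; it assumes a GCC- or Clang-compatible compiler for the built-in variant and falls back to the portable check elsewhere.

```c
/* Added example for this catalogue entry; it is not code from the course
 * itself.  It shows the three countermeasures the description names:
 * checked expressions, choosing the right integral type, and using the
 * compiler's checked-arithmetic built-ins where they exist.  Function names
 * and sample values are constructed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RECORD_HEADER 16   /* constructed: bytes of header before the records */

/* Checked expression: detect that a * b would wrap before computing it. */
static bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) {
        return false;                 /* product not representable */
    }
    *out = a * b;
    return true;
}

/* Checked expression for addition. */
static bool checked_add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a) {
        return false;                 /* sum not representable */
    }
    *out = a + b;
    return true;
}

/* The bug the course describes: count * elem_size wraps to a small value,
 * malloc returns a tiny block, and every later write to the "records" runs
 * off its end.  Kept only to show what the checked version returns instead. */
static size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size + RECORD_HEADER;    /* wraps silently */
}

/* Checked version: refuse the allocation when the size cannot be computed. */
static void *alloc_records(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul_size(count, elem_size, &bytes) ||
        !checked_add_size(bytes, RECORD_HEADER, &bytes)) {
        return NULL;                  /* never allocate an undersized block */
    }
    return malloc(bytes);
}

/* Choosing the right integral type: a length parsed from input often arrives
 * as a signed int.  Silently converting a negative value to size_t produces a
 * huge number, so validate the sign before the conversion, not after. */
static bool length_to_size(int len, size_t *out)
{
    if (len < 0) {
        return false;
    }
    *out = (size_t)len;
    return true;
}

/* GCC and Clang provide checked-arithmetic built-ins with the same meaning;
 * using a compiler or library facility is the "existing libraries and
 * classes" countermeasure from the description. */
static bool checked_mul_builtin(size_t a, size_t b, size_t *out)
{
#if defined(__GNUC__) || defined(__clang__)
    return !__builtin_mul_overflow(a, b, out);
#else
    return checked_mul_size(a, b, out);
#endif
}

int main(void)
{
    size_t n = 0;
    printf("unchecked size for SIZE_MAX x 2: %zu bytes\n",
           unchecked_alloc_size(SIZE_MAX, 2));          /* tiny and wrong */
    printf("checked multiply accepted: %d\n", checked_mul_size(SIZE_MAX, 2, &n));
    printf("builtin multiply accepted: %d\n", checked_mul_builtin(SIZE_MAX, 2, &n));
    printf("negative length accepted:  %d\n", length_to_size(-1, &n));
    void *p = alloc_records(SIZE_MAX, 2);
    printf("oversized allocation:      %s\n", p == NULL ? "refused" : "granted");
    free(p);
    return 0;
}
```

The unchecked routine returns 14 bytes for a request that should have needed more memory than the machine has; the checked routine returns NULL for the same request, which is the difference a code review for integer overflows is looking for.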

21  Expert Level Certificate

Buffer Overflows: Attacks & Countermeasures

This course introduces the security concepts, testing techniques, and best practices that will help you recognize and better defend against buffer overflow exploits. Students are first given a detailed background on the mechanisms by which stack-based and heap-based buffer overflows are exploited. The course then covers the protections provided by the Microsoft compiler and the Windows operating system, and wraps up with practical advice on how to avoid buffer overflows during the design, development, and verification phases of the software development life cycle.

Recognizing the Threats Posed by Exploitation
Buffer overflows are one of the most commonly known types of security vulnerabilities. While they can be easily remediated, past events have shown that they have often been overlooked and widely exploited. After completing this module, you will have a strong understanding of how buffer overflows can be exploited on both the stack and the heap, and what the consequences of such an attack are for overall application and system security.

Mitigating Buffer Overflows
This module introduces several Windows features that mitigate the dangers posed by buffer overflows, such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Also discussed are several best practices to avoid and detect buffer overflows at different phases of the software development lifecycle. These practices include the /GS compiler flag, the safe APIs, and fuzz testing.

Objectives:
- Identify the dangers posed by buffer overflows
- Describe the exploitation techniques for stack-based and heap-based buffer overflows
- Leverage built-in system defenses that protect against buffer overflow exploits
- Apply best practices to avoid buffer overflows
- Perform testing that detects buffer overflows
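The following C code is an added example, not course material: it places an unbounded copy beside a bounded one of the kind the safe APIs provide, and runs a small fuzz-style loop over input lengths to check the bounded version's invariants, which is the testing practice the module lists. The record layout, the function names and the inputs are constructed for the illustration; the compiler and operating system defenses (/GS, ASLR, DEP) are not modelled here.

```c
/* Added example for this catalogue entry, not code from the course: a
 * fixed-size copy written the unsafe way beside a hardened version that
 * enforces the destination bound, plus a deterministic fuzz-style loop that
 * checks the hardened version's invariants.  Struct layout, function names
 * and inputs are constructed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* constructed: fixed size of the name field */

/* Unsafe: strcpy trusts the source length, so a name of 16 bytes or more
 * writes past 'name' into 'admin' and whatever lies beyond it in memory. */
struct user_unsafe { char name[NAME_MAX_LEN]; int admin; };

static void set_name_unsafe(struct user_unsafe *u, const char *src)
{
    strcpy(u->name, src);             /* no bound: the classic overflow */
}

/* Hardened: bounded length scan, explicit bound check, always NUL-terminated,
 * and an error result instead of silent truncation or overflow. */
struct user { char name[NAME_MAX_LEN]; int admin; };

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;   /* never read past 'max' bytes */
    return n;
}

static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size) {
        dst[0] = '\0';                /* refuse over-long input outright */
        return false;
    }
    memcpy(dst, src, len + 1);        /* copies the terminator too */
    return true;
}

static bool set_name(struct user *u, const char *src)
{
    return copy_bounded(u->name, sizeof u->name, src);
}

/* Fuzz-style test: feed inputs of every length from 0 to 3*NAME_MAX_LEN and
 * verify the invariants a bounded copy must hold: (1) the canary byte placed
 * right after the buffer is untouched, (2) the buffer is NUL-terminated,
 * (3) inputs that fit are copied exactly and over-long ones are refused.
 * Returns the number of violations; 0 means every check passed. */
static int fuzz_bounded_copy(void)
{
    int violations = 0;
    char src[3 * NAME_MAX_LEN + 1];
    for (size_t len = 0; len <= 3 * NAME_MAX_LEN; len++) {
        memset(src, 'A', len);
        src[len] = '\0';

        struct { char buf[NAME_MAX_LEN]; unsigned char canary; } dst;
        memset(&dst, 0, sizeof dst);
        dst.canary = 0xA5;

        bool ok = copy_bounded(dst.buf, sizeof dst.buf, src);

        if (dst.canary != 0xA5) violations++;
        if (memchr(dst.buf, '\0', sizeof dst.buf) == NULL) violations++;
        if (len < NAME_MAX_LEN) {
            if (!ok || strcmp(dst.buf, src) != 0) violations++;
        } else if (ok || dst.buf[0] != '\0') {
            violations++;
        }
    }
    return violations;
}

int main(void)
{
    struct user u = { "", 0 };
    struct user_unsafe uu = { "", 0 };
    set_name_unsafe(&uu, "bob");      /* fits; a longer input would overflow */
    printf("short name accepted: %d\n", set_name(&u, "alice"));
    printf("long name rejected:  %d\n", !set_name(&u, "a-very-long-user-name"));
    printf("fuzz violations:     %d\n", fuzz_bounded_copy());
    return 0;
}
```

The hardened copy rejects rather than truncates, so a caller cannot mistake a clipped name for the one it asked for; the canary-and-length loop is the shape of check a fuzzer or unit test applies to every bounded-copy helper in a code base.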

22  Expert Level Certificate

How to Perform a Security Code Review

Application developers may use a variety of tools to identify flaws in their software. Many of these tools, however, cannot be deployed until late in the development life cycle: dynamic analysis tools require a staging site and sample data, and some static analysis tools require a compiled build. Manual code reviews, in contrast, can begin at any time and require no specialized tools, only secure coding knowledge. Manual code reviews can, however, be laborious if every line of source code is reviewed. This course provides students with guidance on how best to organize code reviews, prioritize the code segments that will be reviewed, apply best practices for reviewing source code, and maximize security resources.

Security Code Review
This module introduces you to security code review. It describes the methodology for performing a security code review and the various activities associated with the review. This module also describes post-code-review activities. After completing this module, you will be able to describe the methodology for performing a security code review, conduct a security code review, and describe the key activities that should occur after the review.

23  Expert Level Certificate

Introduction to Cryptography

This course provides you with the knowledge to understand cryptography and an opportunity to investigate the threats that affect two communicating parties. It also helps you understand how these threats can be mitigated using a proper cryptographic solution.

The Foundations of Cryptography
- Explaining the Foundations of Cryptography
- Identifying the Aspects of Security That Cryptography Addresses
- Authentication
- Symmetric Ciphers
- Asymmetric Cryptographic Ciphers
- Explaining Hash Functions

Choosing Appropriate Cryptographic Methods
- Considering Symmetric Ciphers for Message Encryption
- Considering HMAC to Provide Tamper Detection
- Considering Asymmetric Ciphers for Message Encryption
- Considering Asymmetric Ciphers to Encrypt Cryptographic Keys
- Considering Asymmetric Cryptography to Provide Authentication

Applying Cryptographic Best Practices
- Selecting the Proper Cryptographic Algorithm
- Designing Cryptographically Agile Applications
- Applying Cryptographic Agility
- Using Proper Cryptographic Solutions
- Selecting a Proper Key Management Scheme
- Securely Storing, Exchanging and Using Secret Keys
- Locating Cryptography Resources

Objectives:
- Identify the problems that cryptography can address
- Recognize threats that apply to two communicating parties
- Select appropriate cryptographic solutions to mitigate these threats
- Describe the mechanisms behind cryptographic protocols
- Follow cryptographic best practices

A 15-question multiple-choice exam is taken at the end of the course.

24  Instructors

Joe Basirico, Director of Security Services

Joe's deep knowledge of application risk, coupled with his hands-on experience assessing a plethora of commercial software, makes him a trusted advisor and a go-to resource for specialized training and critical consulting services. He has worked on projects directly for Microsoft, Symantec, OWASP, HP, US Courts, and many others during his 8+ year tenure with the company. Joe holds a B.S. in Computer Science from Montana State University.

Areas of Expertise:
- Microsoft Technologies: ASP.Net, Windows, Azure, C/C++, SQL Server
- Secure SDLC, application risk, security testing methodologies, attacker techniques
- Web Application Security: code review, Web services, Cloud, SaaS, firewalls

Software Development:
- TeamMentor: led the development efforts for the company's secure development guidance system
- YASAT: developed a static analysis tool that uses regular-expression-based rules on a code base to quickly find potential security vulnerabilities
- WhatTheFuzz: developed an open-source, easy-to-use-and-run fuzzer for Web sites
- Transform: developed an open-source, easy-to-use encoder/decoder
- RegexMatcher: developed a simple regular expression matcher and tester

Training & Speaking:
- Security Innovation Customers: Microsoft, Tyco, Harris, Liberty Mutual, HP, Amazon.com, Symantec, Credit Suisse, Adobe, ING, Sony, and T2 Systems
- Industry Events: OWASP USA, OWASP Europe, EMC World, Microsoft Professional Developers Conference (PDC), Compuware OJ.X, Nationwide Testing Symposium, ISSA, Software Security Summit, Secure World
- Media: CSO Magazine, SC Magazine, Dr. Dobb's, ComputerWorld, CIO Update, Software Test & Performance, DM Review, SearchSoftwareQuality.com

25  Instructors

Ian Gallagher, Principal Security Engineer

Ian is one of Security Innovation's most senior security engineers. He is well versed in all layers of the OSI model and the security implications of each. Ian has been involved with the security community since He has spoken at several Seattle user groups about various open source and security topics and regularly attends Linux Fest Northwest. He leads neg9, a security research group, and is a member of other local groups including Seattle Wireless, the National Association of Information Security Groups (NAISG), and the Greater Seattle Linux User's Group. Ian studied Computer Science and Psychology with an interest in Artificial Intelligence and Security.

Highlights of Ian's work include:
- U.S. Courts: secure kiosk design and development
- Misys: Content Management Solution assessment (Website, ASP.NET, C#)
- Symantec NIS: low-level reverse engineering and pen testing
- Nuance: application pen testing; audio fuzzing, corruption, and file format corruption
- NWEA: application pen testing

Skills:
- Open Source Technologies: Linux (Ubuntu, Debian, Slackware, CentOS, RHEL), OpenBSD, FreeBSD, NetBSD, DragonFly BSD, and Apache
- Programming: C, C#, Java, Python, Ruby, Perl, PHP, SQL, and Korn/BASH shell scripting, in both UNIX and Windows environments
- MySQL, ISC BIND, ISC DHCPD, OpenVPN, qmail, vpopmail, Dovecot, SSH/Rsync, SILC, and cPanel/WHM

26  Instructors

Marcus Hodges, Sr. Security Engineer

Marcus utilizes his extensive knowledge of computer systems, programming skills, and information security to conduct thorough technology and SDLC process assessments for large technology vendors and enterprise IT organizations. He is a software security engineer with 8 years of practical experience in threat modeling, software security testing, infrastructure penetration testing, security code auditing, and IT security training. He is skilled in evaluating the security of critical IT systems against industry best practices and secure system design, and is proficient in the C/C++, Java, C#, ASP.NET, Python, and Perl programming languages as well as Windows, Unix, and embedded operating systems. He has extensive knowledge of security issues as they relate to defensive coding and threat analysis.

Highlights include:
- Certified Microsoft Secure Development Lifecycle (SDL) Pro Network Practice Manager
- Certified Secure Development Lifecycle (SDL) Trainer

Marcus studied advanced topics in mathematics at the University of Washington, where he developed a deep understanding of cryptology and the role it plays in the security field. While there, he researched Stochastic Differential Equations, a graduate-level topic in mathematics. Marcus has been active in the SAGE (Software for Algebra and Geometry Experimentation) project, with the goal of making SAGE the leading cryptography research and experimentation environment. Marcus holds a B.S. in Mathematics from the University of Washington, Seattle.

27  Instructors

Jason Taylor, Chief Technology Officer

Mr. Taylor has spent his career focused on application development and testing, with a primary focus on application security and technology. His unrivaled understanding of application behavior provided the impetus for Security Innovation's industry-pioneering fault injection tool, Holodeck Enterprise Edition, and for critical enhancements to the company's internal testing and development tools. Mr. Taylor was the visionary and designer of the Company's Creating Secure Code methodology and course, which has been taught to several of the world's largest technology organizations.

Mr. Taylor has served in a variety of professional roles, including VP of Product Development and VP of Security Services. In these capacities, he led all engineering projects in the United States and launched new lines of business in the areas of code review, design review, threat modeling, secure implementation training, and custom technology development. His accomplishments there include:
- Grew the Internet Explorer security test team from a solitary operation to the leading application security test team at Microsoft
- Helped build the early stages of the security response process as described in the SDL
- Co-created STRIDE, a vulnerability classification system, and DREAD, a technique to qualify risk
- Created a Microsoft Best Practice award-winning tool, Test Model Toolkit, for state-based testing
- Patent pending for reverse debugging technology that is compatible with all development languages and integrates with Visual Studio

Mr. Taylor has published and co-authored several whitepapers, guides and books, including:
- Web Services Risk and Recommendations
- Security Threats: Risks, Protection & Limitations, for CIO Update
- Team Development with Visual Studio Team Foundation Server, with J.D. Meier of Microsoft
- Improving Web Services Security, with Microsoft Patterns & Practices
- Application Architecture Guide 2.0, with Microsoft Patterns & Practices
- Security Engineering Explained, with Microsoft Patterns & Practices

Mr. Taylor received his C.S. degree from Montana State University.

28  Secure Software Development (SSD) Certificate Program

REGISTER ONLINE NOW: ssd.ucf.edu

Offered in partnership with


More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

2015 Vulnerability Statistics Report

2015 Vulnerability Statistics Report 2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

Web Application Security

Web Application Security About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost

More information

locuz.com Professional Services Security Audit Services

locuz.com Professional Services Security Audit Services locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information

EC-Council E C S P.NET. EC-Council. EC-Council Certified Secure Programmer (.NET)

EC-Council E C S P.NET. EC-Council. EC-Council Certified Secure Programmer (.NET) E C S P.NET (.NET) ECSP.NET Course Software defects, bugs, and flaws in the logic of the program are consistently the cause for software vulnerabilities. Analysis by software security professionals has

More information

Securing Enterprise Web Applications at the Source: An Application Security Perspective

Securing Enterprise Web Applications at the Source: An Application Security Perspective Securing Enterprise Web Applications at the Source: An Application Security Perspective Author: Eugene Lebanidze eugene.lebanidze@gmail.com EXECUTIVE SUMMARY Purpose: This paper considers a variety of

More information

Summary of the SEED Labs For Authors and Publishers

Summary of the SEED Labs For Authors and Publishers SEED Document 1 Summary of the SEED Labs For Authors and Publishers Wenliang Du, Syracuse University To help authors reference our SEED labs in their textbooks, we have created this document, which provides

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

WEB APPLICATION VULNERABILITY STATISTICS (2013)

WEB APPLICATION VULNERABILITY STATISTICS (2013) WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

How To Fix A Web Application Security Vulnerability

How To Fix A Web Application Security Vulnerability Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of

More information

How To Ensure That Your Computer System Is Safe

How To Ensure That Your Computer System Is Safe Establishing a Continuous Process for PCI DSS Compliance Visa, MasterCard, American Express, and other payment card companies currently require all U.S. merchants accepting credit card payments to comply

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone)

Threat Modelling for Web Application Deployment. Ivan Ristic ivanr@webkreator.com (Thinking Stone) Threat Modelling for Web Application Deployment Ivan Ristic ivanr@webkreator.com (Thinking Stone) Talk Overview 1. Introducing Threat Modelling 2. Real-world Example 3. Questions Who Am I? Developer /

More information

THE HACKERS NEXT TARGET

THE HACKERS NEXT TARGET Governance and Risk Management THE HACKERS NEXT TARGET YOUR WEB AND SOFTWARE Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software ISC2 CyberSecurity Conference 09 Kuala

More information

Testing for Security

Testing for Security Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

College Training Program

College Training Program College Training Program Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin

More information

Cyber Security & Data Privacy. January 22, 2014

Cyber Security & Data Privacy. January 22, 2014 Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information