LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass.




CONTENTS
  WHY SECURITY COMPASS ... 3
  RECOMMENDED LEARNING PATHS ... 4
    TECHNICAL LEARNING PATHS ... 4
    BUSINESS / SUPPORT LEARNING PATHS ... 5
  COURSE OVERVIEW ... 7
  PROGRAM METHODOLOGY ... 12
  TRAINING PROGRAM MATURITY ... 12

WHY SECURITY COMPASS

Security Compass is an industry-leading information security firm that provides professional services and training to security-conscious companies. We bring extensive, internationally recognized, cross-industry experience to every client engagement. To our clients we are not simply an information security company; we are trusted partners in the development of secure software. Security Compass is partnered with the industry certification leader (ISC)². We are the exclusive provider of (ISC)²'s CSSLP e, which covers the 8 domains of secure software lifecycle development for industry certification.

RECOMMENDED LEARNING PATHS

We understand that it can be challenging to identify which courses are right for you, so we have recommended learning paths based on our enterprise catalogue that lead all the way to industry certification.

TECHNICAL LEARNING PATHS

[Figure: technical learning path diagram]

BUSINESS / SUPPORT LEARNING PATHS

[Figure: business / support learning path diagram]

COURSE CATALOGUE

Our focus is on application security. We aim to provide business-relevant security courses that help your staff champion security and defend your organization's most valuable software.

COURSE OVERVIEW

GENERAL AWARENESS

SAW101  Security Awareness
  Description: Understand common security issues faced around the office environment, including managing e-mail, passwords, mobile devices and more.
  Time: 30 min
  Objectives: Office security awareness; achieve awareness audit compliance.

SAW102  Security Awareness: PCI Compliance
  Description: Understand payment card compliance, including the Data Security Standard and how it affects organizations that manage or process credit card data. This lesson meets PCI DSS requirement 12.6.1.
  Time: 10 min
  Objectives: Achieve PCI compliance.

SECURE APPLICATION DEVELOPMENT (CODE AGNOSTIC)

SEC101  OWASP Top 10 - 2013
  Description: Understand the ten most prevalent web application security risks in 2013 as defined by OWASP. Students will understand each vulnerability and the best practices for defending against it. This course meets PCI DSS requirement 6.5a.
  Objectives: Understand each category of the OWASP Top 10; achieve PCI compliance.

SEC201  Defending Web Applications
  Description: Understand an additional set of common web application vulnerabilities typically seen during security testing, such as brute-force attacks, session management weaknesses, encryption mistakes and more. Students learn how attackers exploit these issues and the defenses that matter. This course is a level-200 follow-on to the OWASP Top 10 course.
  Objectives: Understand authorization, authentication, data validation and session management concepts; exploit a vulnerable web application using our TrueLabs.

CSP101  Secure Software Concepts
  Description: Students will understand the fundamentals of creating secure code and the basic concepts of secure development, including the importance of secure design and of regulations covering privacy, governance and compliance.
  Time: 30 min
  Objectives: Understand fundamental concepts; regulations and security; development methodologies.

CSP102  Secure Software Requirements
  Description: Gathering the correct requirements to build secure software is one of the more difficult parts of the SDLC. Students will learn key techniques for reducing risk by correctly identifying security requirements.
  Time: 30 min
  Objectives: Understand policy decomposition; classification of data; identifying functional and operational security requirements.

CSP103  Secure Software Design
  Description: Understand the considerations and compromises that must be made when designing secure software. Students will learn techniques such as threat modeling and best practices for securing the third-party technologies often used in modern software.
  Time: 60 min
  Objectives: Understand security design; design process and threat modeling; integration of common technologies.

CSP104  Secure Software Coding
  Description: Understand the principles of coding software securely. Students will see the security implications of choosing programming languages and the top vulnerabilities affecting software built for the web and for the desktop, and will learn how to implement processes around secure software implementation.
  Time: 120 min
  Objectives: Understand programming languages; software vulnerabilities per CWE and OWASP; implementing secure software processes.

CSP105  Secure Software Testing
  Description: Understand the principles of secure testing and of testing software from a security perspective. Students will learn the fundamentals of setting up testing frameworks that promote software resiliency.
  Time: 30 min
  Objectives: Areas of software testing; testing software for security issues; test resiliency and test reporting.

CSP106  Software Acceptance
  Description: Understand how to generate criteria for software acceptance from a security standpoint, and how to define the security criteria that must be met before software is promoted to release.
  Time: 30 min
  Objectives: Criteria for acceptance; performing verification; software validation.

CSP107  Software Operations, Maintenance and Disposal
  Description: Understand, from an infrastructure perspective, the steps that keep software secure upon deployment and in operation. Students will learn how to monitor software and how to define procedures for supporting and disposing of software in end-of-life scenarios.
  Time: 30 min
  Objectives: Deployment and configuration; monitoring and incident response; disposal of software.

CSP108  Supply Chain and Software Acquisition
  Description: Understand how to identify risks when sourcing software from the supply chain. Students will learn about risk management, protecting intellectual property, procurement and best practices when outsourcing software to suppliers.
  Time: 60 min
  Objectives: Supplier risk management; IP and contracts; supplier sourcing and management.

SECURE CODING (LANGUAGE SPECIFIC)

JAV201  Defending Java
  Description: Understand the J2EE vulnerabilities common to the OWASP Top 10 and see how they affect Java web applications. Students will learn secure coding defenses for each vulnerability.
  Objectives: Understand how Java vulnerabilities occur; securely code in Java/J2EE.

NET201  Defending .NET 4.5
  Description: Understand the .NET 4.5 vulnerabilities common to the OWASP Top 10 and see how they affect .NET web applications. Students will learn secure coding defenses for each vulnerability.
  Objectives: Understand how Microsoft .NET vulnerabilities occur; securely code in Microsoft .NET.

PHP201  Defending PHP
  Description: Understand the PHP5 vulnerabilities common to the OWASP Top 10 and see how they affect PHP web applications. Students will learn secure coding defenses for each vulnerability.
  Objectives: Understand how PHP vulnerabilities occur; securely code in PHP.

CPP201  Defending C
  Description: Understand the desktop software vulnerabilities that arise when writing software in C/C++. Students will learn about safe memory management, insecure functions and how to defend against the buffer overflows characteristic of unmanaged languages.
  Objectives: Understand how C/C++ vulnerabilities occur; understand buffer overflows; securely code in C.

HTM201  Defending HTML5
  Description: Learn about the HTML standards designed to defend against vulnerable JavaScript, AJAX, JSON and iframes. Students learn the technologies HTML5 provides for safely performing cross-domain requests, as well as offline storage, cross-origin resource sharing (CORS), cross-domain messaging (CDM) and iframe sandboxing. Students gain a defensive understanding of the business risks of HTML5 mash-ups.
  Time: 60 min
  Objectives: Proactive techniques for managing and storing offline user data with HTML5; best practices for performing cross-origin requests without hacks such as JSONP; understanding how third-party iframes can introduce vulnerabilities to your site; how attackers can hijack your JSON.
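The HTM201 entry names four cross-origin controls (CORS, cross-domain messaging, JSON/JSONP exposure and iframe sandboxing) without showing what a correct implementation looks like. The block below is an added illustration written for this page; it is not Security Compass course material and does not come from the catalogue. It assumes a hypothetical application that trusts exactly two origins (app.example.com and admin.example.com) and receives request headers as an object with lowercase keys, the way Node's http.IncomingMessage.headers supplies them. Each control is a plain function so the logic can be run and checked in Node without a browser.

```javascript
// Added example, not part of the Security Compass catalogue or its course
// material. Assumptions: a hypothetical application trusting exactly two
// origins, and request headers passed as an object with lowercase keys (as
// Node's http.IncomingMessage.headers provides them).

const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// CORS. The common mistake is echoing whatever Origin the request carries and
// adding Allow-Credentials: true, which lets any site read authenticated
// responses. Exact match against an allow-list; no match means no CORS headers,
// so the browser refuses the cross-origin read. Vary: Origin keeps a shared
// cache from serving one origin's answer to another.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type, X-Requested-With",
    "Vary": "Origin",
  };
}

// Cross-document messaging. A window.onmessage handler must check event.origin
// before touching event.data, treat the data as untrusted input, and reply to
// a specific targetOrigin rather than "*". Returns null for anything dropped.
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return null;
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
    return null;
  }
  return { reply: { type: "ack", of: msg.type }, targetOrigin: event.origin };
}

// JSON exposure. A JSONP endpoint wraps your data in a caller-named callback,
// so any page can load it with a <script> tag and read it; the fix is to refuse
// the callback contract and rely on CORS instead. Bare top-level arrays were
// readable by older browsers through script inclusion, so data is always
// wrapped in an object, and nosniff stops the browser reinterpreting the body.
function jsonResponse(payload, requestHeaders, query = {}) {
  if ("callback" in query) {
    return { status: 400, headers: { "Content-Type": "text/plain" },
             body: "JSONP is not supported; use CORS" };
  }
  const body = Array.isArray(payload) ? { items: payload } : payload;
  const headers = Object.assign(
    { "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff" },
    corsHeadersFor(requestHeaders)
  );
  return { status: 200, headers, body: JSON.stringify(body) };
}

// iframe sandboxing. Builds the sandbox attribute for a third-party frame from
// a requested set of flags, dropping unknown ones and refusing the pair
// allow-scripts + allow-same-origin, which lets the framed page remove its own
// sandbox attribute and so defeats the control.
function sandboxAttribute(flags) {
  const known = new Set(["allow-scripts", "allow-forms", "allow-popups", "allow-same-origin"]);
  const chosen = flags.filter((f) => known.has(f));
  if (chosen.includes("allow-scripts") && chosen.includes("allow-same-origin")) {
    throw new Error("allow-scripts together with allow-same-origin defeats the sandbox");
  }
  return chosen.join(" ");
}
```

The point of keeping the allow-list in one place is that all four controls make the same decision (which origins may read or send) from the same data; a reflected Origin in the CORS layer or a missing event.origin check in the message handler would each silently re-open the hole the other closes.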

MOBILE SECURITY

MOB101  Defending Mobile
  Description: In this code-agnostic course, students will understand the risks of creating mobile applications. Students will learn how attackers target mobile apps through data stored on the device, data transmitted to the cloud and data in memory, and will learn best practices for securing mobile apps on any mobile operating system.
  Objectives: Understand the fundamental risks to mobile apps; OWASP Mobile Top 10; defenses for protecting mobile storage, communication and memory.

IOS201  Defending iOS
  Description: Students will learn secure coding concepts for the OWASP Mobile Top 10 2014 as they apply to iOS applications. This includes understanding the business risks of creating mobile applications and the secure iOS coding techniques that defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.
  Time: 60 min
  Objectives: Secure coding techniques for the OWASP Mobile Top 10 2014; business risks and how insecure iOS applications come about.
  Prerequisite: Defending Mobile (MOB101).

CERTIFICATION

CSP301  CSSLP e Bundle
  Description: After completing CSSLP e, candidates will understand how to reduce the cost of security vulnerabilities throughout all phases of the software development lifecycle. Students will learn the fundamentals of software security, identifying regulations, secure requirements, secure design, secure implementation, testing, operations and supplier sourcing. Students can perform additional self-study and review using the CSSLP e to get certified with (ISC)² as a Certified Secure Software Lifecycle Professional (CSSLP).
  Time: 10 hours
  Objectives: Understand the 8 domains of software security as they relate to the software development lifecycle; become an expert in advising on security in the SDLC; CSSLP certification with (ISC)².

ROADMAP (COMING SOON IN 2015)

AND201  Defending Android
  Description: Students will learn secure coding concepts for the OWASP Mobile Top 10 2014 as they apply to Android applications. This includes understanding the business risks of creating mobile applications and the secure Android coding techniques that defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.
  Time: 60 min
  Objectives: Secure coding techniques for the OWASP Mobile Top 10 2014; business risks and how insecure Android applications come about.
  Prerequisite: Defending Mobile (MOB101).

SEC202  Threat Model Express
  Description: Students will learn about the attacks their applications may face, and then an informal approach to threat modeling. They will first learn the steps of executing a Threat Model Express, then take part in a guided fictional exercise.
  Objectives: Understand the benefits of a traditional threat model vs. a Threat Model Express exercise; practice asking the questions that effectively identify potential threats within an application; learn who should be involved in a Threat Model Express exercise and how to apply the model within your organization.

PROGRAM METHODOLOGY

Security Compass promotes security training by tailoring courses to your enterprise. Our catalogue is designed to target the specific areas of risk involved in building secure software. We keep our courses modular and concise to provide a clear track towards helping your developers become industry-certified professionals. It is common in our industry to be buried under numerous courses with little training guidance. Security Compass promotes training program management to help you mature your training year over year and gain the traction needed to run a complete security program through all of Security Compass's services.

TRAINING PROGRAM MATURITY

[Figure: training program maturity chart; legend: Required, Optional, Certification]

WHAT CAN WE DO FOR YOU?

We understand application security. We breathe it. We strive to provide you with the best training for your teams. Our experience helping customers research and manage security risks lets us embed the latest threats and vulnerabilities in our training material. It means your staff is ready to respond with forward-thinking approaches to securing your most sensitive applications, all tailored to you. Reach out to the Security Compass advisors who can help:

OLIVER NG, Director, oliver@securitycompass.com
MICHELLE DIZON, Manager, michelle@securitycompass.com
http://www.securitycompass.com