Protect Your Organization With the Certification That Maps to a Master's-level Education in Software Assurance




Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute (SEI) at Carnegie Mellon University developed recommendations for a Master of Software Assurance degree program, and college- and community college-level courses specializing in software assurance. By creating course guidelines for teaching software assurance in a university program, SEI aims to support demand for industry practitioners educated in secure software development practices, who can enter the workforce with the knowledge and skills required to protect software systems from vulnerabilities and attacks.

Software Development for the Cyber World Requires Security Leaders

In today's cybersecurity threat landscape, software applications not only need to function correctly, they must have security built in from the start. There is growing demand in the workforce across corporations, government, and military organizations for software assurance leaders with the knowledge and expertise to build secure, hacker-resistant applications.

Build a Team of CSSLP-Certified Software Professionals

(ISC)² Certified Secure Software Lifecycle Professional (CSSLP) is the only certification designed to ensure that security is considered throughout the entire software development lifecycle. This industry-leading certification meets the highest standard of education and training, fully consistent with graduate-level course curriculum in software assurance recommended by the Software Engineering Institute (SEI) at Carnegie Mellon University.

(ISC)² is the global leader in information and application security credentials. Besides CSSLP certification, (ISC)² also offers a real-world training program that maps to the recommendations established by SEI for a master's-level degree in software assurance. The CSSLP CBK (Common Body of Knowledge) education curriculum developed by (ISC)² contains the largest, most comprehensive collection of best practices, policies, and procedures to ensure a security initiative across all phases of application development, regardless of methodology. The CSSLP certification provides employers with industry-leading validation of an employee's professional expertise in secure software development practices.

For more information on CSSLP, visit www.isc2.org/csslp. For information on the (ISC)² Global Academic Program, visit: www.isc2.org/academic. For more information on the SEI Software Assurance Curriculum Project, visit www.cert.org/mswa.

Carnegie Mellon SEI Recommendations and Alignment With CSSLP Certification

The following charts detail how the CSSLP certification program aligns with SEI recommendations for a Master of Software Assurance degree program and undergraduate and community college courses specializing in software assurance.

Master of Software Assurance Course Curriculum

Assured Software Development 1 (ASD1) Course

This course covers the fundamentals of incorporating assurance practices, methods, and technologies into software development and acquisition lifecycle processes and models. With this foundation, the course provides students with rigorous methods for eliciting software and system assurance requirements; using threat identification, characterization, and modeling; assurance risk assessment; and misuse/abuse cases. Students will also learn how to evaluate methods and environments for creating software and systems that meet their functionality and security requirements.

ASD1 Course Syllabus

Week 1: Software process overview; lifecycle processes including spiral, waterfall, agile, and associated activities. Discuss the entire spectrum of lifecycle activities including evolution
Week 2: Discuss supply chain, acquisition, and service. Discuss Common Criteria
Week 3: Introduce processes that are specific to software assurance, such as CLASP and Secure Tropos
Week 4: Teach BSIMM, SAFECode and OWASP best practices
Week 5: Methods for evaluation of environments, languages, and tools
Week 6: Teach quality factors and quality assessment methods as they relate to early lifecycle activities. Identify the different types of stakeholders and also likely developer roles
Week 7: Teach practices that improve assurance at each lifecycle phase. Include requirements engineering, architecture, and design. Include coding, test, evolution, acquisition, and retirement. Teach practices such as threat modeling, assurance risk assessment, attack trees, and misuse and abuse cases (carries into the following week)

Week 8: Teach practices such as threat modeling, assurance risk assessment, attack trees, misuse/abuse cases
Week 9: Tools that can be used in the early lifecycle phases, either as part of a larger environment such as Rational or standalone tools such as SQUARE
Week 10: Teach a variety of elicitation methods, including those that are generic and those that are specific to security requirements
Week 11: Ways of classifying or categorizing security requirements. How to distinguish requirements from architectural and design features, and mechanisms
Week 12: Requirements prioritization methods, including group methods, formal cost/benefit tradeoff analysis, and factoring risk into the tradeoff analysis process
Week 13: Requirements peer reviews, inspections, and traceability of requirements to assets and security goals

Assured Software Development 2 (ASD2) Course

This course covers rigorous methods for specifying assurance requirements and for architecting and designing software and systems to meet those requirements. Such methods include requirements specification; applying security principles; threat identification, characterization, and modeling; misuse/abuse cases; architectural risk analysis; architectural vulnerability assessment; and technology-specific security guidelines.

ASD2 Course Syllabus

Week 1: Concepts of assured development lifecycle
Week 2: Assurance issues in frontend development life cycle (specification, architecture, design)
Week 3: Software development environments supporting specification, architecture, and high-level design
Week 4: Tools support for assured software development
Week 5: Languages review

Week 6: Project constraints aspects: cost, schedule, functionality, and quality factors
Week 7: Formal specification languages and technologies
Week 8: Improvements in technologies to support specification, architecture, and high-level design
Week 9: Architectural models and viewpoints
Week 10: Architectural risk and tradeoff analysis
Week 11: Methods and technologies for developing assured system and software specifications, architectures, and high-level designs
Week 12: Design models and languages
Week 13: Design validation and software inspections

Assured Software Development 3 (ASD3) Course

This course covers rigorous methods, techniques, and tools for developing secure code. Such methods include code analysis for commonly known vulnerabilities, source code review using static analysis tools, and known, language-specific practices for producing secure code. This course also covers rigorous methods and tools for inspecting, testing, verifying, and validating software and systems to demonstrate that they meet functional and security requirements. Students will learn methods for verification and validation for security assurance and how security vulnerabilities can differ from programming errors. Team inspections and correctness verification methods will be covered. Testing techniques will include threat- and attack-based testing, functional testing, risk- and usage-based testing, stress testing, black- and white-box testing, and penetration testing.

ASD3 Course Syllabus

Week 1: Introduction. Overview of vulnerabilities and their costs; Properties of secure and resilient software
Week 2: Vulnerabilities. CWE/SANS top 25 most dangerous programming errors; Security concepts

Week 3: General Strategies. Security and resilience throughout the life cycle; Attack surfaces and security perimeters; OWASP best practices
Week 4: Development Practices. Best practices for requirements, architecture and design (e.g., abuse/misuse cases, threat modeling, risk analysis, design reviews, defense in depth)
Week 5: Programming Practices. OWASP top 10 security risks; OWASP enterprise security API; Cross-site scripting; Injection attacks; Authentication and session management
Week 6: Memory Management in C and C++. Common memory management errors (buffer overflow, stack smashing); Input validation
Week 7: Strings, Pointers and Integers. Common string manipulation errors; Integer overflow vulnerabilities; Pointer subterfuge
Week 8: Other vulnerabilities in C and C++. Formatted I/O operations; File I/O race conditions (e.g., Time Of Use, Time Of Check); Other file system exploits
Week 9: Inspections, proofs, and code reading. Code-reading techniques; Formal code inspections; Program verification
Week 10: Static Analysis. Types of static analysis; Modern analysis tools (e.g., Coverity, Fortify)
Week 11: Testing. Best practices for unit testing; Penetration testing; Fuzzing; Overview of Common Criteria
Week 12: Insecurities in Java and other languages. Runtime environment; Coding practices; Overview of known vulnerabilities
Week 13: Trends and Resources. Comprehensive, Lightweight Application Security Process (CLASP); Certificates and courses in security and software assurance; CSSLP, Associate of (ISC)², Official (ISC)² CSSLP Training Seminar

Undergraduate Course Curriculum

Software Security Engineering

This course covers a range of topics that are relevant and tailored to software security engineering, including properties of secure software, requirements engineering, architecture and design, construction and testing, system integration/assembly, and governance and management. A summary of key practices and guidance on how to get started is provided. These are largely based on and inspired by material from the DHS Build Security In website [DHS 2010a].

Software Security Engineering Syllabus

Why is security a software issue? Understanding the problem (threats, sources, assurance versus security), detecting software defects early, introduction to key practices
What makes software secure? Properties of secure software, defender and attacker perspectives, attack patterns, introduction to assurance evidence
Security of Web applications: consideration of network-level attacks, cross-site scripting, SQL injection
Requirements engineering for secure software: importance of requirements engineering, quality
Security requirements engineering, Security Quality Requirements Engineering (SQUARE) introduction, two SQUARE case studies, SQUARE extensions, technology transition
Secure software architecture and design: architectural risk analysis activities (including application of security principles and guidelines)
Considerations for secure coding and testing: introduction to practices (code analysis, code review, coding), software versus software security testing, security testing methods/techniques, testing throughout the software development life cycle (SDLC)
Security and complexity system development challenges: security failures, perspectives for security analysis, complexity
Governing and managing for more secure software: definitions and characteristics, risk management framework, project management security in the SDLC
Getting started: determining where and how to begin, summary of key practices

Community College Course Curriculum

Introduction to Assured Software Engineering

This course covers the basic principles and concepts of assured software engineering; system requirements; secure programming in the large; modeling and testing; object-oriented analysis and design using the UML; design patterns; frameworks and APIs; client-server architecture; user interface technology; and the analysis, design, and programming of extensible software systems.

Introduction to Assured Software Engineering Syllabus

Introduction to software project management: project planning, estimation, configuration management, risk management; and software security process models: Building Security In Maturity Model (BSIMM), OWASP Software Assurance Maturity Model (SAMM), Microsoft Software Development Lifecycle (SDL)
Role of assured software engineering: software engineering for assurance and its place as an engineering discipline
Requirements analysis: requirements analysis for functional and quality requirements
Introduction to software architecture: introduction to software architecture, including architectural patterns (pipe & filter, MVC), client-server computing
Use and misuse cases: use cases, misuse cases, and user-centered design
Design patterns: abstraction-occurrence, composite, player-role, singleton, observer, delegation, facade, adapter, etc.
UML: review of object-oriented principles, UML class diagrams, and object-oriented analysis
Domain modeling: examples of building class diagrams to model various domains
Reusable technologies: review of reusable technologies as a basis for software engineering, risks associated with reuse (e.g. Ariane)
Software behavior: representing software behavior: sequence diagrams, state machines, activity diagrams, correctness under all conditions of use
Verification and validation: inspections and reviews, integration, system, and acceptance testing

The cybersecurity workforce needs software assurance professionals with security expertise. Become a CSSLP and get the only certification that validates your application security competency throughout the software development lifecycle. CSSLP training programs are conveniently delivered online and in training locations worldwide. For more information on CSSLP, visit: www.isc2.org/csslp. For information on the (ISC)² Global Academic Program, visit: www.isc2.org/academic. Follow us on Twitter (www.twitter.com/isc2) and Facebook (www.facebook.com/isc2fb).