ISSECO Syllabus Public Version v1.0



Similar documents
05.0 Application Development

Effective Software Security Management

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Application Security Testing

Penetration Testing in Romania

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Development Processes (Lecture outline)

Pentests more than just using the proper tools

Pentests more than just using the proper tools

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Secure Web Applications. The front line defense

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Seven Practical Steps to Delivering More Secure Software. January 2011

Security Testing. How security testing is different Types of security attacks Threat modelling

Reducing Application Vulnerabilities by Security Engineering

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

Software Development: The Next Security Frontier

Threat Modeling. 1. Some Common Definition (RFC 2828)

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

white SECURITY TESTING WHITE PAPER

Web application testing

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Building Security into the Software Life Cycle

Secure By Design: Security in the Software Development Lifecycle

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Passing PCI Compliance How to Address the Application Security Mandates

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

ensuring security the way how we do it

Is Penetration Testing recommended for Industrial Control Systems?

Procuring Penetration Testing Services

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Managing IT Security with Penetration Testing

Juniper Networks Secure

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Learning objectives for today s session

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Adobe Systems Incorporated

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Enterprise Application Security Program

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Information Security Services

CESG Certification of Cyber Security Training Courses

Software Application Control and SDLC

INTERMEDIATE QUALIFICATION

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation

Comprehensive Approach to Database Security

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Securing Enterprise Web Applications at the Source: An Application Security Perspective

INTERMEDIATE QUALIFICATION

ITIL v3 Qualification Scheme

Functional vs. Load Testing

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Security Testing and Vulnerability Management Process. e-governance

INTERMEDIATE QUALIFICATION

Network Test Labs (NTL) Software Testing Services for igaming

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Matt Bartoldus

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Using Foundstone CookieDigger to Analyze Web Session Management

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

IoT & SCADA Cyber Security Services

Application Code Development Standards

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Web Application Security

3 Web Services Threats, Vulnerabilities, and Countermeasures

Rational AppScan & Ounce Products

Data Loss Prevention Program

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

CYBERTRON NETWORK SOLUTIONS

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web App Security Audit Services

Information Security. Training

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Design Authorization Systems Using SecureUML

Transcription:

ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus

Introduction to this Syllabus Purpose of this Document This syllabus forms the basis for the Certified Professional for Secure Software Engineering. Training providers will produce courseware and determine appropriate teaching methods for accreditation, and the syllabus will help candidates in their preparation for the examination. In the accreditation process, the training material will be checked against this syllabus. This version represents a public, short version of the syllabus. The full version is available to accredited training providers. Certified Professional for Secure Software Engineering The qualification scheme is aimed at anyone involved in software engineering. This includes people in roles such as security professionals, project managers, software designers, programmers and consultants. Certificate holders will be able to control and design security aspects across the entire software development lifecycle. Learning Objectives All terms listed under right below the chapter headings shall be understood, even if not explicitly mentioned in the learning objectives. Cognitive levels are given for each section in this syllabus: K1: remember, recognize, recall K2: understand, explain, give reasons, compare, classify, summarize K3: apply The Examination The examination will be based on this syllabus. Answers to examination questions may require the use of material based on more than one section of this syllabus. All sections of the syllabus can be subject to examination. The format of the examination is multiple choice. Exams may be taken as part of an accredited training course or independently (e.g. at an examination center). Accreditation Training providers whose course material follows this syllabus may be accredited by an accreditation board. Accreditation guidelines can be obtained from the board that performs the accreditation. An accredited course is recognized as conforming to this syllabus, and is allowed to perform an examination as part of the course. 2

Level of Detail The level of detail in this syllabus allows internationally consistent teaching and examination. In order to achieve this goal, the full version of the syllabus consists of: General instructional objectives describing the intention of the syllabus A list of terms that students must have understood and be able to recall A description of the key concepts to teach, including sources such as accepted literature or standards This syllabus does not contain a description of the entire knowledge in the areas it covers; it merely reflects the level of detail to be covered in training courses. How this Syllabus is Organized The syllabus is split up into 16 major chapters. The top-level heading names the covered topic, and specifies the allotted time for the chapter. This time is a guideline for training providers and also reflects the relative importance of the chapter. Subareas are specified as part of the major chapter without any time allottments. Each major chapter contains the most important terms of the area covered. These terms are subject of the final examination. 3

1. Introduction & Motivation 45 mins Understand why security is an important topic. To design and build secure IT systems, all elements of the system need to be secure. The focus on perimeter and infrastructure security is not sufficient in coping with rapidly spreading attacks against the data and information stored and processed by IT systems. Today, as more and more security breaches are explored due to insecure software systems, secure software applications are urgently needed. This course gives an insight into the design, development and testing of secure software systems and will answer the following questions: Why is secure software urgently needed? Why is secure software development often neglected? What are the consequences of shipping insecure software to customers? Why is security often neglected during software development? How important is the security of software systems to their stakeholders? This course enables software architects, developers, quality managers, testers, project managers and other software development stakeholders to understand the principles of secure software engineering and to apply them in their company. 4

2. View of the Attacker 45 mins Understand the differences between hacker and cracker, their motivation, skill level and how they gather information. Meaning Hacker vs. Cracker, Historical Background, Hardware and Software Knowledge, Skill Level, Mode of Ethical Hacking, Hacker Motive, Reaching, Gathering Information Explain the Definition of the Hacker, Cracker and Ethical Hacker (K2) Show Examples of Famous Hackers and their Attacks (K1) Point Out the Different Skill Levels (K2) Explain Different Modes of Hacking (K2) Recall Motives of Hackers (K1) Explain the Process of Hacking (K2) Outline Common Hacking Tools (K2) 5

3. View of the Customer 45 mins Understand customers' expectations regarding software security and be able to classify requirements accordingly. Secure Software, Compliance Requirements, C-Level Language, Assets, Threats and Risks, Security Requirements, Confidentiality, Integrity, Availability Recall how important the security of software systems is to different stakeholders (K1) Explain Why Customers Expect Secure Software (K2) Recall What Customers Expect in of Software Security (K1) Classify the Customer's Security Requirements (K3) Describe Assets, Threats and Corresponding Risks (K2) Recall Customer's Compliance Requirements with Regards to Software Security (K1) Map Customer-Specific Security Needs to Technical Requirements (K3) Help Customers Understand What They Want to Protect (K3) 6

4. Methodologies 90 mins Understand the reasoning and approaches for different secure software development methodologies; apply them in participant's company / project context. Secure Software Development Lifecycle (SDLC), Secure Development Lifecycle (SDL), Security Practices, OWASP, ISO 15408, Common Criteria (CC), build-insecurity Recall the typical elements of a Methodology for Developing Secure Software (K2) Describe an Overview of Development Methodologies or Life Cycle Models (K2) Explain Security Practices (K2) Describe Existing Models (K2) 7

5. Requirements Engineering 45 mins Understand how to develop security requirements for technologies and applications. Availability; Authenticity; Confidentiality; Efficiency; Integrity; Maintainability; Portability; Reliability; Requirement; Requirements Engineering; Requirements Management; Trustworthiness; Usability; Asset; Actor Recall what is a Requirement (K1) Describe How to Define "Good" Requirements (K2) Identify Security Requirements (K2) Know Requirement Areas Relevant to Security (K1) 8

6. Threat Modeling 45 mins Understand threat modeling. Asset, Threat, Attack, Dataflow Diagram (DFD), Threat Tree (Attack Tree), STRIDE, DREAD. Recall Reasons for Threat Modeling (K1) Execute the Threat Modeling Stages (K3) Identify Threats (K3) Perform Attack Classification (K3) Rate Threats (K3) 9

7. Secure Design 90 mins Understand the principles for secure design; be able to apply them in context. Threat Modeling, STRIDE, Security Principles, Guidelines for Secure Software Development, Security Architecture, Software Attack Surface, Secure Software Development Lifecycle (SDLC), Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-based Access Control (RBAC), Access Matrix Recall the role of architecture and design in creating a secure system (K1) Explain important Security Design Principles (K2) Explain General Concept of Security Design Patterns (K2) Recall Some Important Security Patterns (K1) Describe the Need for an Overall Security Architecture (K2) Recall Access Control Models (K1) Explain Trust Models (K2) Explain Security Architecture and Design Reviews (K2) 10

8. Secure Coding 90 mins Participants shall understand vulnerabilities in coding, identify, and remediate them. Vulnerabilities, Vulnerability Patterns, Secure Coding Practices, Code Checking Tools, Cross Site Scripting, Injection Flaws, Cross Site Request Forgery, Denial of Service. Recall vulnerability classification patterns (K1) Explain basic vulnerability patterns (K2) Explain Secure Coding Practices (K2) Assign the most important vulnerabilities to vulnerability patterns and identify the correct remediation (K3) Recall Helper Tools for Secure Coding (K1) Identify examples of vulnerabilities in code samples (K3) Recall online resources for secure coding (K1) 11

9. Security Testing 90 mins Understand how to coordinate and perform security testing, understand the basic principles and how to interpret security testing results. Test Cases, Security Test Plan, White Box Test, Black Box Test, Penetration Testing, Code Review, Test Report Recall different Cases of Tests (K1) Recall the parts of a test case specification (K1) Develop a Security Test Plan from Threat Models (K2) Explain Hacking Techniques as Test Methods (K2) Explain test patterns (K2) Explain Code Review (K2) Recall Tools for Code Analysis (K1) Writing Test Reports (K3) 12

10. Secure Deployment 45 mins Understand why and how secure deployment is important and how this impacts development practices. Secure Default Configuration, Product Life Cycle, Automated Deployment Process, Secure Target Environment, Secure Delivery of Code, Trusted Origin, Code Signing, Least Privilege Permissions, ITIL Release and Deployment Management Recall productive IT operations and related security activities (K1) Explain the Phases that are part of Software Deployment (K2) Describe Security Activities in Release Phase (K2) Recall Secure Software Configuration in Target Environments (K2) Describe Activities during Software Activation (K2) Describe activities during adaptation and update (K2) 13

11. Security Response 45 mins Understand and be able to implement a security response process, making sure that security issues in software installations are fixed and communicated responsibly. Security Response, Security Bulletins, Vulnerabilities, Security Patches, Disclosure, Full Disclosure, Responsible Disclosure, Patch Tuesday, Security Response Policy, Security Response Process, Common Vulnerability Scoring System, CVSS Explain the Difficulties of Fixing Security Issues via Standard Maintenance Processes (K2) Explain why Security Patches Should be Different from Standard Software Patches (K2) Recall the Dangers of Trading Vulnerability Information (K1) Describe Success Criteria for Vulnerability Communication (K2) Discuss Vulnerability Disclosure Strategies (K2) Recall Standards for Vulnerability Description and Their Main Elements (K1) Develop Patch and Security Response Policies (K3) Define and Implement a Security Response Process (K3) 14

12. Security Metrics 45 mins Understand how to measure software security across the life cycle. Measuring Security, Security Metrics, Software Development Lifecycle, Categories of Software Metrics, Quality Criteria of Metrics, Goal Question Metrics method (GQM Explain the Need for Measuring Security (K2) What is a Software Metric? (K2) Recall Limitations of Software Metrics (K1) Where Can You Measure Security? (K2) Categorize Software Metrics (K2) Recall Quality Criteria of Metrics (K2) Developing Security Metrics (K2) Apply Existing Software Metrics to Security (K3) Use Examples for Software Security Metrics (K3) 15

13. Code & Resource Protection 45 mins Understand how to protect code against malicious behavior from developers or intruders; code assurance, vs. software assurance. Back Door, Time Bomb, Four-Eyes Principle, Confidentiality Classification, Background Screening, Security Clearance, Offline and Online Licensing Mechanisms, Code Obfuscation Recall Reasons for Code and Resource Protection (K1) Recall the Technical Types of Risks in the Product (K1) Recall the risk of configuration manipulation (K1) Explain Basic Protection Measures Against the Malicious Manipulation of Software Code (K2) Apply Additional Procedural Security Measures Due to Political Risks (K3) Recall technical Security Measures (K1) Explain Usage Protection (K2) Recall how to protect sensitive pieces of code (K1) Explain Code Obfuscation Techniques (K2) 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information