Is your salary on par with others in your field? Learn more in Skillsoft's 2024 IT Skills and Salary Report. Click Here.

Checkout

Cart () Loading...

    • Quantity:
    • Delivery:
    • Dates:
    • Location:

    $

Contact Sales

Secure Software Design (TT8600)

In this intense hands-on workshop, software application designers and architects will learn to build secure applications. You will be introduced to the concept and process of Threat Modeling as a key enabler for architecting effective and appropriate security for software and information assets. You will get an-depth review of the various types of threats against your software, and you will leave the course armed with the skills required to recognize software vulnerabilities (actual and potential) and design defenses for those vulnerabilities.

Please also note that secure coding training is PCI Compliant, as it addresses common coding vulnerabilities in software development processes. This training is used by one of the principle participants in the PCI DSS. Having passed multiple PCI audits, this course has been shown to meet the PCI requirements. The specification of those training requirements are detailed in 6.5.1 through 6.5.10 on pages 55 through 59 of the PCI DSS Requirements 3.0 document dated November 2013.

Throughout the course, you will learn the best practices for designing and architecting secure programs. You will take an application from requirements to implementation, analyzing and testing for software vulnerabilities and building appreciation for why software needs to be designed from the ground up in a secure fashion.

GK# 1128 Vendor# TT8600
Vendor Credits:
No matching courses available.
Start learning as soon as today! Click Add To Cart to continue shopping or Buy Now to check out immediately.
Access Period:
Scheduling a custom training event for your team is fast and easy! Click here to get started.

Who Should Attend?

This is an intermediate-level software design course designed for architects and stakeholders who wish to get up and running on building well-defended software applications.

What You'll Learn

  • Concepts and terminology behind defensive coding
  • Use Threat Modeling as a tool in identifying software vulnerabilities based on threats against assets
  • Learn the entire spectrum of threats and attacks that take place against software applications in today's world
  • Threat Modeling for identifying potential vulnerabilities in a real life case study
  • Implement the processes and measures associated with the security development lifecycle (SDL)
  • Skills, tools, and best practices for design reviews as well as testing initiatives
  • Basics of security testing and planning
  • Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses

Course Outline

1. Introduction: Misconceptions

  • Security: The Complete Picture
  • TJX: Anatomy of a Disaster?
  • Causes of Data Breaches
  • Heartland - Slipping Past PCI Compliance
  • Target's Painful Christmas
  • Meaning of Being Compliant
  • Verizon's 2013 Data Breach Report

2. Foundation

  • Security Concepts
  • Motivations: Costs and Standards
  • Open Web Application Security Project
  • Web Application Security Consortium
  • CERT Secure Coding Standards
  • Assets are the Targets
  • Security Activities Cost Resources
  • Threat Modeling
  • System/Trust Boundaries
  • Principles of Information Security
  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

3. Vulnerabilities

  • Vulnerabilities
    • Unvalidated Input
    • Broken Authentication
    • Cross Site Scripting (XSS/CSRF)
    • Injection Flaws
    • Error Handling, Logging, and Information Leakage
    • Insecure Storage
    • Direct Object Access
    • XML Vulnerabilities
    • Web Services Vulnerabilities
    • Ajax Vulnerabilities
  • Understanding What's Important
    • Common Vulnerabilities and Exposures
    • OWASP Top Ten for 2013
    • CWE/SANS Top 25 Most Dangerous SW Errors
    • Monster Mitigations
    • Strength Training: Project Teams/Developers
    • Strength Training: IT Organizations
  • Security Design Patterns
    • Authentication Enforcer
    • Authorization Enforcer
    • Intercepting Validator
    • Secure Base Action
    • Secure Logger
    • Secure Pipe
    • Secure Service Proxy
    • Intercepting Web Agent

4. Secure Development Lifecycle (SDL)

  • SDL Process Overview
    • Software Security Axioms
    • Security Lifecycle - Phases
  • Applying Processes and Practices
    • Awareness
    • Application Assessments
    • Security Requirements
    • Secure Development Practices
    • Security Architecture/Design Review
    • Security Code Review
    • Configuration Management and Deployment
    • Vulnerability Remediation Procedures
  • Risk Analysis
    • Threat Modeling Process
      1. Identify Security Objectives
      2. Describe the System
      3. List Assets
      4. Define System/Trust Boundaries
      5. List and Rank Threats
      6. List Defenses and Countermeasures

5. Security Testing

  • Testing Tools and Processes
    • Security Testing Principles
    • Black Box Analyzers
    • Static Code Analyzers
    • Criteria for Selecting Static Analyzers
  • Testing Practices
    • OWASP Web App Penetration Testing
    • Authentication Testing
    • Session Management Testing
    • Data Validation Testing
    • Denial of Service Testing
    • Web Services Testing
    • Ajax Testing

Labs Outline

Hands- on Learning: Throughout the course students will be led through a series of progressively advanced topics, where each topic consists of lecture, group discussion, comprehensive hands-on lab exercises, and lab review. This course is "skills-centric", designed to train attendees in essential secure coding and development skills, coupling the most current, effective techniques and best practices with the soundest coding practices.

This course is about 50% hands-on lab and 50% lecture, with extensive programming exercises designed to reinforce fundamental skills and concepts learned in the lessons. Our courses include ample materials and labs to ensure all students are either appropriately challenged, or assisted, at all times - no matter their skill level.

Follow-On Courses