tp course catalog
TRANSCRIPT
-
7/29/2019 TP Course Catalog
1/9
Course Catalog
BOSTON | SEATTLE
187 Ballardvale St. Suite A195 Wilmington, MA 01887 Ph: +1.978.694.1008
mailto:[email protected]://www.securityinnovation.com/http://www.securityinnovation.com/http://www.securityinnovation.com/http://www.securityinnovation.com/mailto:[email protected] -
7/29/2019 TP Course Catalog
2/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 1
TTaabbllee ooffCCoonntteennttssSecurity Awareness and Process Courses ..................................................................................................... 2
Security Awareness Courses ................................................................................................................................................................. 2
AWA 101. Fundamentals of Application Security (2 hours) ................................................................................................... 2
AWA 102. Software Security Awareness (1 hour) .................................................................................................................. 2AWA 103. Six Fundamentals of Information Security (1 hour) .............................................................................................. 2
Security Engineering Courses .............................................................................................................................................................. 3
ENG 101. Microsoft SDL for Managers (1 hour) ..................................................................................................................... 3
ENG 102. Introduction to the Microsoft SDL (1 hour) ............................................................................................................ 3
ENG 111. How to Define Software Security Requirements and Design (1 hour) ................................................................... 3
ENG 201. SDLC Gap Analysis and Remediation Techniques (45 min) ..................................................................................... 3
ENG 301. Introduction to Threat Modeling (1 hour) ............................................................................................................. 4
ENG 311. Attack Surface Analysis and Reduction (1 hour) ..................................................................................................... 4
Development Courses .......................................................................................................................................... 4
Design ............................................................................................................................................ .................................................................. 4
DES 101. Fundamentals of Secure Architecture (1 hour) ....................................................................................................... 4
DES 212. Architecture Risk Analysis and Remediation (1 hour) ............................................................................................. 5DES 301. Introduction to Cryptography (1 hour) ................................................................................................................... 5
DES 311. Creating Secure Application Architecture (2 hours) ................................................................................................ 5
Code ................................................................................................................................................................................................................. 5
COD 101. Fundamentals of Secure Development (1 hour) .................................................................................................... 5
COD 211. Understanding Secure Code JRE (1 hour) ............................................................................................................ 5
COD 212. Understanding Secure Code C/C++ (75 min) ....................................................................................................... 6
COD 213. Understanding Secure Code - Windows 7 (2 hours) .............................................................................................. 6
COD 214. Understanding Secure Code - Windows Vista (2 hours) ......................................................................................... 6
COD 215. Understanding Secure Code - .NET 4.0 (2 hours) .................................................................................................. 6
COD 221. Web Vulnerabilities Threats and Mitigations (1 hour) ........................................................................................ 6
COD 231. Introduction to Cross-Site Scripting with JSP Examples (20 min) ........................................................................ 6
COD 232. Introduction to Cross-Site Scripting with ASP.NET Examples (20 min) ................................................................ 6COD 311. Creating Secure Code ASP.NET (4 hours) ............................................................................................................ 7
COD 312. Creating Secure Code C/C++ (90 min) ................................................................................................................. 7
COD 313. Creating Secure Code J2EE Web Applications (2 hours) ...................................................................................... 7
COD 411. Integer Overflows Attacks and Countermeasures (1 hour) ................................................................................. 7
COD 412. Buffer Overflows Attacks and Countermeasures (2 hours) ................................................................................. 7
Test ................................................................................................................................................. .................................................................. 8
TST 101. Fundamentals of Security Testing (2 hours) ............................................................................................................ 8
TST 201. Classes of Security Defects (3 hours) ....................................................................................................................... 8
TST 311. How to Break Software Security (15 hours) ............................................................................................................. 8
TST 411. Exploiting Buffer Overflows (2 hours) ...................................................................................................................... 8
-
7/29/2019 TP Course Catalog
3/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 2
Activity
Security Awareness Requirements & Design Response
Implementation ReleaseSecurity
Engineering
Verification
Compliance/Standard
OWASP PCI DSS MS SDL
Application Type
Web Applications Client/Server
SS
ee
cc
uu
rr
iittyy
AA
ww
aa
rr
ee
nn
ee
ss
ss
aa
nn
dd
PP
rr
oo
cc
ee
ss
ss
CC
oo
uu
rr
ss
ee
ss
Security Awareness Courses
AWA 101. Fundamentals of Application Security (2 hours)
This course starts off describing the various risks that software vulnerabilities carry, and proceeds to lay
the foundation for secure software development by presenting specific security controls and principles
that teams can implement immediately to reduce software risk. Upon course completion, students will
be able to understand and recognize threats to applications, leverage the OWASP top 10 list to create
more secure Web applications, and conduct specific activities at each development phase to ensure
maximum hardening of your applications. Prerequisite: understanding of the software development
lifecycle and technologies; basic understanding of software security.
AWA 102. Software Security Awareness (1 hour)
Similar to functionality, performance, and reliability, security is another crucial component of an
applications quality. Recognizing the risk that software vulnerabilities represent, understanding their
root causes, and addressing these issues early in the software development lifecycle are essential for
being able to help your organization build secure software. By the end of this course, students will be
familiar with the main characteristics of a secure software development lifecycle and the activities that
an organization should perform to develop secure software. Additionally, students will recognize the
need to address software security in their everyday work. Prerequisite: basic knowledge of software
development processes and technologies.
AWA 103. Six Fundamentals of Information Security (1 hour)
This awareness course is intended to allow individuals to recognize information security concerns and
respond accordingly using a set of best practices provided in this course. Upon completion of this
course, students will be able to recognize the importance of protecting an organizations information
and follow appropriate security best practices. Prerequisite: basic computer skills.
-
7/29/2019 TP Course Catalog
4/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 3
Security Engineering Courses
ENG 101. Microsoft SDL for Managers (1 hour)
This course introduces students to the Microsoft SDL, an industry leading software-security assurance
process, developed by Microsoft to build trustworthy software products. The goal of this course is to
help students understand and identify the Security Development Life Cycle (SDL) requirements for
building and deploying secure software applications. The course demonstrates the benefits teams gain
by following the SDL, and it provides managers with information regarding their role and responsibilities
in ensuring the team follows the SDL. Additionally, this course describes common problems that can
delay or stop product shipping. Prerequisite: knowledge of the software development lifecycle.
ENG 102. Introduction to the Microsoft SDL (1 hour)
This course introduces the Security Development Lifecycle (SDL), a key security engineering process that
was spawned from Microsofts Trustworthy Computing Initiative. Students will learn how to design and
implement products that meet an organizations security needs. Upon completion of this course, the
participant will be able to identify the benefits of the Security Development Lifecycle, recognize the
importance of the Final Security Review, follow the necessary steps to meet SDL requirements, andidentify the appropriate tools required by the SDL. Prerequisite: basic knowledge of the software
development lifecycle.
ENG 111. How to Define Software Security Requirements and Design (1 hour)
Security is an important component of an applications quality. To preserve the confidentiality, integrity,
and availability of application data, software applications must be engineered with security in mind
beginning with the design phase. Without defined security requirements, design choices will be made
without security guidance and security testing cannot be effective. This course provides technical and
non-technical personnel with the tools to understand, create and articulate security requirements as
part of a software requirement documents. In this course, students will learn to apply the applicationsecurity maturity (ASM) model to the development process, understand the security-engineering
process, and describe the key security-engineering activities to integrate security in the development life
cycle. Students will also be able to determine software security objectives, apply security design
guidelines, and create threat models that identify threats, attacks, vulnerabilities, and countermeasures,
in addition to learning to conduct security architecture and design reviews that help identify potential
security problems, and minimize the applications attack surface. Prerequisite: Fundamentals of
Application Security (AWA 101)
ENG 201. SDLC Gap Analysis and Remediation Techniques (45 min)
Whether an organization is implementing its first Security Development Lifecycle program or working to
optimize its SDLC, periodic review of the SDLC to identify areas for improvement is a recommended best
practice. This course reviews key Security Engineering activities and instructs students on identifying
measurable goals and appropriate standards, assessing existing development processes, building an
activity matrix, and creating a remediation roadmap. This course provides an understanding of the
goals, processes, and best practices for auditing software security processes within the context of the
Microsoft Security Development Life Cycle. Prerequisite: Introduction to the Microsoft SDL (ENG 102),
Fundamentals of Application Security (AWA 101)
-
7/29/2019 TP Course Catalog
5/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 4
ENG 301. Introduction to Threat Modeling (1 hour)
Secure software starts with thinking about security and the potential threats to an application. Threats
differ from vulnerabilities. Threats represent attackers. Threat modeling begins with understanding
what an attackers goals might be; what information would be valuable to an attacker? How would an
attacker go about gaining access to that information? In this course, students will learn to identify the
goals of threat modeling and the corresponding SDL requirements, identify the roles and responsibilities
involved in the threat modeling process, recognize when and what to threat model, and identify the
tools that help with threat modeling. Students will also learn to use the threat modeling process to
accurately identify, mitigate, and validate threats. Prerequisite: Fundamentals of Secure Development
(COD 101), Architecture Risk Analysis and Remediation (DES 212)
ENG 311. Attack Surface Analysis and Reduction (1 hour)
Attack surface analysis and reduction is an exercise in risk reduction. The attack surface of an
application represents the number of entry points exposed to a potential attacker of the software. The
larger the attack surface, the larger the set of methods that can be used by an adversary to attack. The
smaller the attack surface, the smaller the chance of an attacker finding a vulnerability and the lowerthe risk of a high impact exploit in the system. This course provides an understanding of the goals and
methodologies of attackers, identification of attack vectors, and how to minimize the attack surface of
an application. In this course, students will learn to define the attack surface of an application, and how
to reduce the risk to an application by minimizing the applications attack surface. Prerequisite:
Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212)
DDeevveellooppmmeennttCCoouurrsseess
Design
DES 101. Fundamentals of Secure Architecture (1 hour)
In the past, software applications were created with little thought to the importance of security. In
recent times, businesses have become more rigorous about how they buy software. When looking at
applications and solutions, companies dont just look at features, functionality, and ease of use. They
focus on the total cost of ownership (TCO) of what they purchase. Security is a large and visible part of
the TCO equation. In this course, students will examine the state of the industry from a security
perspective. They will then look at some of the biggest security disasters in software design and what
lessons can be learned from them. Finally, participants will understand and use confidentiality, integrity,
and availability as the three main tenets of information security. Upon completion of this course,
participants will understand the state of the software industry with respect to security by learning frompast software security errors and will avoid repeating those mistakes, and they will understand and use
confidentiality, integrity, and availability (CIA) as the three main tenets of information security.
Prerequisite: Fundamentals of Application Security (AWA 101), How to Define Software Security
Requirements and Design (ENG 111)
-
7/29/2019 TP Course Catalog
6/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 5
DES 212. Architecture Risk Analysis and Remediation (1 hour)
This course defines concepts, methods, and techniques for analyzing the architecture and design of a
software system for security flaws. Special attention is given to analysis of security issues in existing
applications; however, the principles and techniques are applicable to systems under development.
Techniques include accurately capturing application architecture, threat modeling with attack trees,
attack pattern analysis, and enumeration of trust boundaries. Prerequisite: Fundamentals of Secure
Architecture (DES 101)
DES 301. Introduction to Cryptography (1 hour)
This course provides students with the knowledge to understand cryptography and an opportunity to
investigate the threats that affect two communicating parties, and an understanding of how these
threats can be mitigated using a proper cryptographic solution. Upon completion of this course,
students will be able to identify the problems that cryptography can address, recognize threats that
apply to two communicating parties, select appropriate cryptographic solutions to mitigate these
threats, and describe the mechanisms behind cryptographic protocols. Participants will also be able to
follow cryptographic best practices and locate cryptography resources. Prerequisite: Fundamentals ofSecure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212)
DES 311. Creating Secure Application Architecture (2 hours)
This course covers a set of key security principles that students can use to improve the security of
application architecture and design. Principles of this course include applying defense to harden
applications and make them more difficult for intruders to breach, reducing the amount of damage an
attacker can accomplish, compartmentalizing to reduce the impact of exploits, using centralized input
and data validation to protect applications from malicious input, and reducing the risk in error code
paths.
Code
COD 101. Fundamentals of Secure Development (1 hour)
In this course, students will learn an overview of software security and its latest trends, as well as the
importance of software security for business. Students will also learn to perform threat modeling to
identify threats proactively, create threat trees for application components, use threat trees to find
vulnerabilities, classify vulnerabilities, and perform risk analysis and prioritize security fixes.
Prerequisite: Fundamentals of Application Security (AWA 101), How to Define Software Security
Requirements and Design (ENG 111)
COD 211. Understanding Secure Code
JRE (1 hour)In this course, students will learn to recognize and remediate common Java Web software security
vulnerabilities. After completing this course, students will be able to recognize data leakage, injection
attacks, client/server protocol manipulation attacks, and authentication exploitations, and mitigate
these security vulnerabilities. Prerequisite: Fundamentals of Secure Development (COD 101)
-
7/29/2019 TP Course Catalog
7/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 6
COD 212. Understanding Secure Code C/C++ (75 min)
In this course, students will learn how to write secure code in C/C++ for Windows and Unix platforms,
robust code development, and secure socket programming, and learn to apply time-tested defensive
coding principles to develop secure applications. Students will also learn the nine defensive coding
principles and how to use them to prevent common security vulnerabilities. Prerequisite:
Fundamentals of Secure Development (COD 101)
COD 213. Understanding Secure Code - Windows 7 (2 hours)
This course provides students with knowledge and skills needed to understand Windows 7 security
features and build applications that leverage Windows 7s built-in security mechanisms. Prerequisite:
basic knowledge of Windows programming and memory management, and knowledge of basic security
features of Windows versions prior to Windows 7.
COD 214. Understanding Secure Code - Windows Vista (2 hours)
This course provides students with knowledge and skills needed to understand Windows Vista security
features and build applications that leverage Windows Vistas built-in security mechanisms.
Prerequisite: basic knowledge of Windows programming and memory management, and knowledge of
basic security features of Windows versions prior to Windows Vista.
COD 215. Understanding Secure Code - .NET 4.0 (2 hours)
This course describes .NET security features, including concepts such as Code Access Security (CAS) and
.NET cryptographic technologies. It also provides secure coding best practices that will enable students
to build more secure applications in .NET. Prerequisite: Fundamentals of Secure Development (COD
101)
COD 221. Web Vulnerabilities Threats and Mitigations (1 hour)
This course provides all the information needed to understand, avoid, and mitigate the risks posed byWeb vulnerabilities. Students are first provided with a detailed background on the most common and
recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request
forgery attacks. The course then delves into practical recommendations on how to avoid and/or mitigate
Web vulnerabilities. Real-world examples are provided throughout the course to help students
understand and defend against Web vulnerabilities. Prerequisite: Creating Secure Code J2EE Web
Applications (COD 313) OR Creating Secure Code ASP.NET (COD 311)
COD 231. Introduction to Cross-Site Scripting with JSP Examples (20 min)
In this course, students will learn to understand the mechanisms behind cross-site scripting
vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure
coding best practices to prevent cross-site scripting vulnerabilities. Prerequisite: Basic knowledge of
Web technologies, and Java Server Pages (JSP).
COD 232. Introduction to Cross-Site Scripting with ASP.NET Examples (20 min)
In this course, students will learn to understand the mechanisms behind cross-site scripting
vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure
-
7/29/2019 TP Course Catalog
8/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 7
coding best practices to prevent cross-site scripting vulnerabilities. Prerequisite: Basic knowledge of
Web technologies, ASP.NET, and C# programming language.
COD 311. Creating Secure Code ASP.NET (4 hours)
This course examines in depth the development of secure web applications in C#. It provides an
overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities inC# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways
to address them, greatly enhancing the security of their code. Upon completion of this class, participants
will be able to recognize the need to follow secure coding best practices, follow secure coding best
practices, and locate additional resources on secure coding best practices for ASP.NET. Prerequisite:
Understanding Secure Code - .Net 4.0 (COD 214)
COD 312. Creating Secure Code C/C++ (90 min)
This course provides a deep understanding of application security risks and secure coding standards for
C and C++ applications, and the different types of errors that can be introduced while coding. The course
discusses the importance of detecting these errors and remediating them as early as possible to avoid
security issues. It also illustrates real-world best practices and techniques, and provides static analysis
tools to detect and resolve security vulnerabilities in code. Prerequisite: Understanding Secure Code
C/C++ (COD 212)
COD 313. Creating Secure Code J2EE Web Applications (2 hours)
This course examines in depth the development of secure web applications in Java. It provides an
overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities in
Java code. In the hands-on section, students will discover the vulnerabilities themselves and find ways to
address them, greatly enhancing the security of their code. Upon completion of this course, participants
will be able to identify why software security matters to their business, recognize the root causes of the
more common vulnerabilities, identify the symptoms of common vulnerabilities, and use security best
practices to prevent common vulnerabilities. Prerequisite: Understanding Secure Code JRE (COD 211)
COD 411. Integer Overflows Attacks and Countermeasures (1 hour)
An integer overflow is a programming error that can severely impact a computer systems security. Due
to the subtlety of this bug, integer overflows are often overlooked during development. This course
covers the security concepts, testing techniques, and best practices that will enable students to develop
robust applications that are secure against integer overflow vulnerabilities. Prerequisite: basic
understanding of the C, C++, and C# programming languages.
COD 412. Buffer Overflows Attacks and Countermeasures (2 hours)
This course provides all the required information to understand, avoid and mitigate the risks posed by
buffer overflows. The students are first provided with a detailed background on the mechanisms of
exploit of stack-based and heap-based buffer overflows. The course then delves into the protections
provided by the Microsoft compiler and the Windows operating system, such as the /GS flag and
Address Space Layout Randomization (ASLR), followed by practical advice on how to avoid buffer
overflows during the design, development, and verification phases of the software development life
cycle. Practical examples are provided throughout the course to help students understand and defend
-
7/29/2019 TP Course Catalog
9/9
187 Ballardvale St. Wilmington, MA 018
Ph: (978) 694-1008 F: (978) 694-16
www.securityinnovation.co
Page 8
against buffer overflows. Prerequisite: basic knowledge of Windows programming and memory
management in Windows.
Test
TST 101. Fundamentals of Security Testing (2 hours)This course introduces security-testing concepts and processes that will help students analyze an
application from a security perspective and to conduct effective security testing. The course focuses on
the different categories of security vulnerabilities and the various testing approaches that target these
classes of vulnerabilities. Several manual and automated testing techniques are presented which will
help identify common security issues during testing and uncover security vulnerabilities. Prerequisite:
Fundamentals of Application Security (AWA 101), How to Define Software Security Requirements and
Design (ENG 111)
TST 201. Classes of Security Defects (3 hours)
This course equips students with the knowledge needed to create a robust defense against common
security defects. Students will learn why and how security defects are introduced into software, and will
be presented with common classes of attacks, which will be discussed in detail. Along with examples of
real life security bugs, students will be shown techniques and best practices that will enable the team to
identify, eliminate, and mitigate each class of security defects. Additional mitigation techniques and
technologies are described for each class of security defect. Prerequisite: Fundamentals of Application
Security (AWA 101), Software Security Awareness (AWA 102)
TST 311. How to Break Software Security (15 hours)
This course is designed to give testers and developers the tools and techniques they need to help find
security problems before their application is released. It lays the foundation needed to effectively
recognize and expose security flaws in software and it introduces a fault model to help testersconceptualize these types of bugs. Prerequisite: functional testing knowledge as well as a basic
understanding of how applications work.
TST 411. Exploiting Buffer Overflows (2 hours)
This course provides students with all the required information to help understand and mitigate buffer-
overflow exploits. It first introduces the concepts necessary to recognize the threats posed by these
exploits, and to comprehend the mechanisms behind exploitation of stack-based and heap-based buffer
overflows. The course then delves into the different challenges faced by exploit code and how different
exploitation techniques overcome environmental limitations. Prerequisite: Creating Secure Code
C/C++ (COD 312)