tp course catalog

7/29/2019 TP Course Catalog

1/9

Course Catalog

BOSTON | SEATTLE

187 Ballardvale St. Suite A195 Wilmington, MA 01887 Ph: +1.978.694.1008

[email protected]
mailto:[email protected]://www.securityinnovation.com/http://www.securityinnovation.com/http://www.securityinnovation.com/http://www.securityinnovation.com/mailto:[email protected]


2/9

187 Ballardvale St. Wilmington, MA 018

Ph: (978) 694-1008 F: (978) 694-16

www.securityinnovation.co

Page 1

TTaabbllee ooffCCoonntteennttssSecurity Awareness and Process Courses ..................................................................................................... 2

Security Awareness Courses ................................................................................................................................................................. 2

AWA 101. Fundamentals of Application Security (2 hours) ................................................................................................... 2

AWA 102. Software Security Awareness (1 hour) .................................................................................................................. 2AWA 103. Six Fundamentals of Information Security (1 hour) .............................................................................................. 2

Security Engineering Courses .............................................................................................................................................................. 3

ENG 101. Microsoft SDL for Managers (1 hour) ..................................................................................................................... 3

ENG 102. Introduction to the Microsoft SDL (1 hour) ............................................................................................................ 3

ENG 111. How to Define Software Security Requirements and Design (1 hour) ................................................................... 3

ENG 201. SDLC Gap Analysis and Remediation Techniques (45 min) ..................................................................................... 3

ENG 301. Introduction to Threat Modeling (1 hour) ............................................................................................................. 4

ENG 311. Attack Surface Analysis and Reduction (1 hour) ..................................................................................................... 4

Development Courses .......................................................................................................................................... 4

Design ............................................................................................................................................ .................................................................. 4

DES 101. Fundamentals of Secure Architecture (1 hour) ....................................................................................................... 4

DES 212. Architecture Risk Analysis and Remediation (1 hour) ............................................................................................. 5DES 301. Introduction to Cryptography (1 hour) ................................................................................................................... 5

DES 311. Creating Secure Application Architecture (2 hours) ................................................................................................ 5

Code ................................................................................................................................................................................................................. 5

COD 101. Fundamentals of Secure Development (1 hour) .................................................................................................... 5

COD 211. Understanding Secure Code JRE (1 hour) ............................................................................................................ 5

COD 212. Understanding Secure Code C/C++ (75 min) ....................................................................................................... 6

COD 213. Understanding Secure Code - Windows 7 (2 hours) .............................................................................................. 6

COD 214. Understanding Secure Code - Windows Vista (2 hours) ......................................................................................... 6

COD 215. Understanding Secure Code - .NET 4.0 (2 hours) .................................................................................................. 6

COD 221. Web Vulnerabilities Threats and Mitigations (1 hour) ........................................................................................ 6

COD 231. Introduction to Cross-Site Scripting with JSP Examples (20 min) ........................................................................ 6

COD 232. Introduction to Cross-Site Scripting with ASP.NET Examples (20 min) ................................................................ 6COD 311. Creating Secure Code ASP.NET (4 hours) ............................................................................................................ 7

COD 312. Creating Secure Code C/C++ (90 min) ................................................................................................................. 7

COD 313. Creating Secure Code J2EE Web Applications (2 hours) ...................................................................................... 7

COD 411. Integer Overflows Attacks and Countermeasures (1 hour) ................................................................................. 7

COD 412. Buffer Overflows Attacks and Countermeasures (2 hours) ................................................................................. 7

Test ................................................................................................................................................. .................................................................. 8

TST 101. Fundamentals of Security Testing (2 hours) ............................................................................................................ 8

TST 201. Classes of Security Defects (3 hours) ....................................................................................................................... 8

TST 311. How to Break Software Security (15 hours) ............................................................................................................. 8

TST 411. Exploiting Buffer Overflows (2 hours) ...................................................................................................................... 8


3/9


Ph: (978) 694-1008 F: (978) 694-16


Page 2

Activity

Security Awareness Requirements & Design Response

Implementation ReleaseSecurity

Engineering

Verification

Compliance/Standard

OWASP PCI DSS MS SDL

Application Type

Web Applications Client/Server

SS

ee

cc

uu

rr

iittyy

AA

ww

aa

rr

ee

nn

ee

ss

ss

aa

nn

dd

PP

rr

oo

cc

ee

ss

ss

CC

oo

uu

rr

ss

ee

ss

Security Awareness Courses

AWA 101. Fundamentals of Application Security (2 hours)

This course starts off describing the various risks that software vulnerabilities carry, and proceeds to lay

the foundation for secure software development by presenting specific security controls and principles

that teams can implement immediately to reduce software risk. Upon course completion, students will

be able to understand and recognize threats to applications, leverage the OWASP top 10 list to create

more secure Web applications, and conduct specific activities at each development phase to ensure

maximum hardening of your applications. Prerequisite: understanding of the software development

lifecycle and technologies; basic understanding of software security.

AWA 102. Software Security Awareness (1 hour)

Similar to functionality, performance, and reliability, security is another crucial component of an

applications quality. Recognizing the risk that software vulnerabilities represent, understanding their

root causes, and addressing these issues early in the software development lifecycle are essential for

being able to help your organization build secure software. By the end of this course, students will be

familiar with the main characteristics of a secure software development lifecycle and the activities that

an organization should perform to develop secure software. Additionally, students will recognize the

need to address software security in their everyday work. Prerequisite: basic knowledge of software

development processes and technologies.

AWA 103. Six Fundamentals of Information Security (1 hour)

This awareness course is intended to allow individuals to recognize information security concerns and

respond accordingly using a set of best practices provided in this course. Upon completion of this

course, students will be able to recognize the importance of protecting an organizations information

and follow appropriate security best practices. Prerequisite: basic computer skills.


4/9


Ph: (978) 694-1008 F: (978) 694-16


Page 3

Security Engineering Courses

ENG 101. Microsoft SDL for Managers (1 hour)

This course introduces students to the Microsoft SDL, an industry leading software-security assurance

process, developed by Microsoft to build trustworthy software products. The goal of this course is to

help students understand and identify the Security Development Life Cycle (SDL) requirements for

building and deploying secure software applications. The course demonstrates the benefits teams gain

by following the SDL, and it provides managers with information regarding their role and responsibilities

in ensuring the team follows the SDL. Additionally, this course describes common problems that can

delay or stop product shipping. Prerequisite: knowledge of the software development lifecycle.

ENG 102. Introduction to the Microsoft SDL (1 hour)

This course introduces the Security Development Lifecycle (SDL), a key security engineering process that

was spawned from Microsofts Trustworthy Computing Initiative. Students will learn how to design and

implement products that meet an organizations security needs. Upon completion of this course, the

participant will be able to identify the benefits of the Security Development Lifecycle, recognize the

importance of the Final Security Review, follow the necessary steps to meet SDL requirements, andidentify the appropriate tools required by the SDL. Prerequisite: basic knowledge of the software

development lifecycle.

ENG 111. How to Define Software Security Requirements and Design (1 hour)

Security is an important component of an applications quality. To preserve the confidentiality, integrity,

and availability of application data, software applications must be engineered with security in mind

beginning with the design phase. Without defined security requirements, design choices will be made

without security guidance and security testing cannot be effective. This course provides technical and

non-technical personnel with the tools to understand, create and articulate security requirements as

part of a software requirement documents. In this course, students will learn to apply the applicationsecurity maturity (ASM) model to the development process, understand the security-engineering

process, and describe the key security-engineering activities to integrate security in the development life

cycle. Students will also be able to determine software security objectives, apply security design

guidelines, and create threat models that identify threats, attacks, vulnerabilities, and countermeasures,

in addition to learning to conduct security architecture and design reviews that help identify potential

security problems, and minimize the applications attack surface. Prerequisite: Fundamentals of

Application Security (AWA 101)

ENG 201. SDLC Gap Analysis and Remediation Techniques (45 min)

Whether an organization is implementing its first Security Development Lifecycle program or working to

optimize its SDLC, periodic review of the SDLC to identify areas for improvement is a recommended best

practice. This course reviews key Security Engineering activities and instructs students on identifying

measurable goals and appropriate standards, assessing existing development processes, building an

activity matrix, and creating a remediation roadmap. This course provides an understanding of the

goals, processes, and best practices for auditing software security processes within the context of the

Microsoft Security Development Life Cycle. Prerequisite: Introduction to the Microsoft SDL (ENG 102),

Fundamentals of Application Security (AWA 101)


5/9


Ph: (978) 694-1008 F: (978) 694-16


Page 4

ENG 301. Introduction to Threat Modeling (1 hour)

Secure software starts with thinking about security and the potential threats to an application. Threats

differ from vulnerabilities. Threats represent attackers. Threat modeling begins with understanding

what an attackers goals might be; what information would be valuable to an attacker? How would an

attacker go about gaining access to that information? In this course, students will learn to identify the

goals of threat modeling and the corresponding SDL requirements, identify the roles and responsibilities

involved in the threat modeling process, recognize when and what to threat model, and identify the

tools that help with threat modeling. Students will also learn to use the threat modeling process to

accurately identify, mitigate, and validate threats. Prerequisite: Fundamentals of Secure Development

(COD 101), Architecture Risk Analysis and Remediation (DES 212)

ENG 311. Attack Surface Analysis and Reduction (1 hour)

Attack surface analysis and reduction is an exercise in risk reduction. The attack surface of an

application represents the number of entry points exposed to a potential attacker of the software. The

larger the attack surface, the larger the set of methods that can be used by an adversary to attack. The

smaller the attack surface, the smaller the chance of an attacker finding a vulnerability and the lowerthe risk of a high impact exploit in the system. This course provides an understanding of the goals and

methodologies of attackers, identification of attack vectors, and how to minimize the attack surface of

an application. In this course, students will learn to define the attack surface of an application, and how

to reduce the risk to an application by minimizing the applications attack surface. Prerequisite:

Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212)

DDeevveellooppmmeennttCCoouurrsseess

Design

DES 101. Fundamentals of Secure Architecture (1 hour)

In the past, software applications were created with little thought to the importance of security. In

recent times, businesses have become more rigorous about how they buy software. When looking at

applications and solutions, companies dont just look at features, functionality, and ease of use. They

focus on the total cost of ownership (TCO) of what they purchase. Security is a large and visible part of

the TCO equation. In this course, students will examine the state of the industry from a security

perspective. They will then look at some of the biggest security disasters in software design and what

lessons can be learned from them. Finally, participants will understand and use confidentiality, integrity,

and availability as the three main tenets of information security. Upon completion of this course,

participants will understand the state of the software industry with respect to security by learning frompast software security errors and will avoid repeating those mistakes, and they will understand and use

confidentiality, integrity, and availability (CIA) as the three main tenets of information security.

Prerequisite: Fundamentals of Application Security (AWA 101), How to Define Software Security

Requirements and Design (ENG 111)


6/9


Ph: (978) 694-1008 F: (978) 694-16


Page 5

DES 212. Architecture Risk Analysis and Remediation (1 hour)

This course defines concepts, methods, and techniques for analyzing the architecture and design of a

software system for security flaws. Special attention is given to analysis of security issues in existing

applications; however, the principles and techniques are applicable to systems under development.

Techniques include accurately capturing application architecture, threat modeling with attack trees,

attack pattern analysis, and enumeration of trust boundaries. Prerequisite: Fundamentals of Secure

Architecture (DES 101)

DES 301. Introduction to Cryptography (1 hour)

This course provides students with the knowledge to understand cryptography and an opportunity to

investigate the threats that affect two communicating parties, and an understanding of how these

threats can be mitigated using a proper cryptographic solution. Upon completion of this course,

students will be able to identify the problems that cryptography can address, recognize threats that

apply to two communicating parties, select appropriate cryptographic solutions to mitigate these

threats, and describe the mechanisms behind cryptographic protocols. Participants will also be able to

follow cryptographic best practices and locate cryptography resources. Prerequisite: Fundamentals ofSecure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212)

DES 311. Creating Secure Application Architecture (2 hours)

This course covers a set of key security principles that students can use to improve the security of

application architecture and design. Principles of this course include applying defense to harden

applications and make them more difficult for intruders to breach, reducing the amount of damage an

attacker can accomplish, compartmentalizing to reduce the impact of exploits, using centralized input

and data validation to protect applications from malicious input, and reducing the risk in error code

paths.

Code

COD 101. Fundamentals of Secure Development (1 hour)

In this course, students will learn an overview of software security and its latest trends, as well as the

importance of software security for business. Students will also learn to perform threat modeling to

identify threats proactively, create threat trees for application components, use threat trees to find

vulnerabilities, classify vulnerabilities, and perform risk analysis and prioritize security fixes.

Prerequisite: Fundamentals of Application Security (AWA 101), How to Define Software Security

Requirements and Design (ENG 111)

COD 211. Understanding Secure Code

JRE (1 hour)In this course, students will learn to recognize and remediate common Java Web software security

vulnerabilities. After completing this course, students will be able to recognize data leakage, injection

attacks, client/server protocol manipulation attacks, and authentication exploitations, and mitigate

these security vulnerabilities. Prerequisite: Fundamentals of Secure Development (COD 101)


7/9


Ph: (978) 694-1008 F: (978) 694-16


Page 6

COD 212. Understanding Secure Code C/C++ (75 min)

In this course, students will learn how to write secure code in C/C++ for Windows and Unix platforms,

robust code development, and secure socket programming, and learn to apply time-tested defensive

coding principles to develop secure applications. Students will also learn the nine defensive coding

principles and how to use them to prevent common security vulnerabilities. Prerequisite:

Fundamentals of Secure Development (COD 101)

COD 213. Understanding Secure Code - Windows 7 (2 hours)

This course provides students with knowledge and skills needed to understand Windows 7 security

features and build applications that leverage Windows 7s built-in security mechanisms. Prerequisite:

basic knowledge of Windows programming and memory management, and knowledge of basic security

features of Windows versions prior to Windows 7.

COD 214. Understanding Secure Code - Windows Vista (2 hours)

This course provides students with knowledge and skills needed to understand Windows Vista security

features and build applications that leverage Windows Vistas built-in security mechanisms.

Prerequisite: basic knowledge of Windows programming and memory management, and knowledge of

basic security features of Windows versions prior to Windows Vista.

COD 215. Understanding Secure Code - .NET 4.0 (2 hours)

This course describes .NET security features, including concepts such as Code Access Security (CAS) and

.NET cryptographic technologies. It also provides secure coding best practices that will enable students

to build more secure applications in .NET. Prerequisite: Fundamentals of Secure Development (COD

101)

COD 221. Web Vulnerabilities Threats and Mitigations (1 hour)

This course provides all the information needed to understand, avoid, and mitigate the risks posed byWeb vulnerabilities. Students are first provided with a detailed background on the most common and

recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request

forgery attacks. The course then delves into practical recommendations on how to avoid and/or mitigate

Web vulnerabilities. Real-world examples are provided throughout the course to help students

understand and defend against Web vulnerabilities. Prerequisite: Creating Secure Code J2EE Web

Applications (COD 313) OR Creating Secure Code ASP.NET (COD 311)

COD 231. Introduction to Cross-Site Scripting with JSP Examples (20 min)

In this course, students will learn to understand the mechanisms behind cross-site scripting

vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure

coding best practices to prevent cross-site scripting vulnerabilities. Prerequisite: Basic knowledge of

Web technologies, and Java Server Pages (JSP).

COD 232. Introduction to Cross-Site Scripting with ASP.NET Examples (20 min)

In this course, students will learn to understand the mechanisms behind cross-site scripting

vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure


8/9


Ph: (978) 694-1008 F: (978) 694-16


Page 7

coding best practices to prevent cross-site scripting vulnerabilities. Prerequisite: Basic knowledge of

Web technologies, ASP.NET, and C# programming language.

COD 311. Creating Secure Code ASP.NET (4 hours)

This course examines in depth the development of secure web applications in C#. It provides an

overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities inC# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways

to address them, greatly enhancing the security of their code. Upon completion of this class, participants

will be able to recognize the need to follow secure coding best practices, follow secure coding best

practices, and locate additional resources on secure coding best practices for ASP.NET. Prerequisite:

Understanding Secure Code - .Net 4.0 (COD 214)

COD 312. Creating Secure Code C/C++ (90 min)

This course provides a deep understanding of application security risks and secure coding standards for

C and C++ applications, and the different types of errors that can be introduced while coding. The course

discusses the importance of detecting these errors and remediating them as early as possible to avoid

security issues. It also illustrates real-world best practices and techniques, and provides static analysis

tools to detect and resolve security vulnerabilities in code. Prerequisite: Understanding Secure Code

C/C++ (COD 212)

COD 313. Creating Secure Code J2EE Web Applications (2 hours)

This course examines in depth the development of secure web applications in Java. It provides an

overview of common web application vulnerabilities and presents ways to avoid those vulnerabilities in

Java code. In the hands-on section, students will discover the vulnerabilities themselves and find ways to

address them, greatly enhancing the security of their code. Upon completion of this course, participants

will be able to identify why software security matters to their business, recognize the root causes of the

more common vulnerabilities, identify the symptoms of common vulnerabilities, and use security best

practices to prevent common vulnerabilities. Prerequisite: Understanding Secure Code JRE (COD 211)

COD 411. Integer Overflows Attacks and Countermeasures (1 hour)

An integer overflow is a programming error that can severely impact a computer systems security. Due

to the subtlety of this bug, integer overflows are often overlooked during development. This course

covers the security concepts, testing techniques, and best practices that will enable students to develop

robust applications that are secure against integer overflow vulnerabilities. Prerequisite: basic

understanding of the C, C++, and C# programming languages.

COD 412. Buffer Overflows Attacks and Countermeasures (2 hours)

This course provides all the required information to understand, avoid and mitigate the risks posed by

buffer overflows. The students are first provided with a detailed background on the mechanisms of

exploit of stack-based and heap-based buffer overflows. The course then delves into the protections

provided by the Microsoft compiler and the Windows operating system, such as the /GS flag and

Address Space Layout Randomization (ASLR), followed by practical advice on how to avoid buffer

overflows during the design, development, and verification phases of the software development life

cycle. Practical examples are provided throughout the course to help students understand and defend


9/9


Ph: (978) 694-1008 F: (978) 694-16


Page 8

against buffer overflows. Prerequisite: basic knowledge of Windows programming and memory

management in Windows.

Test

TST 101. Fundamentals of Security Testing (2 hours)This course introduces security-testing concepts and processes that will help students analyze an

application from a security perspective and to conduct effective security testing. The course focuses on

the different categories of security vulnerabilities and the various testing approaches that target these

classes of vulnerabilities. Several manual and automated testing techniques are presented which will

help identify common security issues during testing and uncover security vulnerabilities. Prerequisite:

Fundamentals of Application Security (AWA 101), How to Define Software Security Requirements and

Design (ENG 111)

TST 201. Classes of Security Defects (3 hours)

This course equips students with the knowledge needed to create a robust defense against common

security defects. Students will learn why and how security defects are introduced into software, and will

be presented with common classes of attacks, which will be discussed in detail. Along with examples of

real life security bugs, students will be shown techniques and best practices that will enable the team to

identify, eliminate, and mitigate each class of security defects. Additional mitigation techniques and

technologies are described for each class of security defect. Prerequisite: Fundamentals of Application

Security (AWA 101), Software Security Awareness (AWA 102)

TST 311. How to Break Software Security (15 hours)

This course is designed to give testers and developers the tools and techniques they need to help find

security problems before their application is released. It lays the foundation needed to effectively

recognize and expose security flaws in software and it introduces a fault model to help testersconceptualize these types of bugs. Prerequisite: functional testing knowledge as well as a basic

understanding of how applications work.

TST 411. Exploiting Buffer Overflows (2 hours)

This course provides students with all the required information to help understand and mitigate buffer-

overflow exploits. It first introduces the concepts necessary to recognize the threats posed by these

exploits, and to comprehend the mechanisms behind exploitation of stack-based and heap-based buffer

overflows. The course then delves into the different challenges faced by exploit code and how different

exploitation techniques overcome environmental limitations. Prerequisite: Creating Secure Code

C/C++ (COD 312)

tp course catalog

Documents