
Learning Curriculum. Copyright 2012. Security Compass. 1

Learning Course Curriculum


It has long been discussed that identifying and resolving software vulnerabilities at an early stage is one of the best ways to reduce the costs and risks present in any software application.


Training Options

At Security Compass, we offer a variety of training options to meet your needs:

On-site Instructor led training

• Live instructor on-site at your location delivering training to your staff

• Our instructors are seasoned pen-testers, arming your staff with best practices for securing your information and with knowledge of the latest threat vectors

• Our instructors draw on scenarios that are relevant to your organization to help students connect with the risks in your own organization

• Ability for your staff to mingle, meet and embrace IT Security concepts as a team, fostering growth and networking with peers

• Training to address PCI compliance is offered with some of our courses

• Eligibility for CPE credits for students who have certifications (CISSP, CISA, etc.)

Remote Instructor led training

• Training performed through a remote WebEx session with a live instructor

• Training courses are divided into 4 hour sessions to improve the learning experience

• Access to the same Security Compass instructors that teach on-site

• Ability for each student to learn from the comfort of their own desk using collaboration tools

• Ease of planning: each student is provided with access to a WebEx portal which they can join to work with their colleagues, with no infrastructure needed at your location

• Eligibility for CPE credits for students who have certifications (CISSP, CISA, etc.)

Computer based training (CBT)

• Training module shipped to your organization for deployment into an LMS or onto students' local desktops

• On demand training: take the course at your own pace and convenience

• Integrated quiz options and certifications available

• Full narration by a real person, with varying voices and start-stop functionality

• Fast forward, rewind, and resume sections as desired; all our courses are fully SCORM compliant, making LMS integration a breeze


TrueLabs Hands-on Lab Exercises

TrueLabs is Security Compass’ set of hands-on lab exercises for students. Depending on the course, our TrueLabs exercises allow students to better understand the security issues taught within the course. For instance, in our Exploiting and Defending Web Applications course, students have hands-on exercises relating to common web application exploits. In our Mobile Hacking and Securing course, students hack a vulnerable Android and iPhone application. In our Securing Applications series, students see and learn to fix insecure code. These exercises are all performed in a virtual machine provided to the students during the course.

The following courses currently support TrueLabs:

• Exploiting and Defending Web Applications

• Securing Applications in .NET

• Securing Applications in JAVA

• Securing Applications in C++

• Mobile Hacking and Securing


Security Learning Paths

All our courses offer a certification track through Security Compass. Those who complete the required courses outlined below for their roles will receive a certificate of completion for their subject matter expertise.

Some courses below will show the expected date of completion as we work hard to expand our course offerings and curriculum.


Our focus is on application security. We aim to provide technically relevant courses and tools to help your staff understand secure development and defend your organization’s applications.


Available Courses

Application Security for Managers

Developers and security analysts are increasingly becoming involved in application security initiatives. Managers need to understand both the technical nature of their teams’ involvement with security initiatives as well as the business case for performing activities. This class arms managers with the knowledge necessary to make effective, risk-based decisions about application projects that balance business needs with security requirements.

Length: 1 day

Audience: Managers, CIO, Project Managers

Key Concepts:

• The importance of application security vs. traditional security

• The most common application security vulnerabilities, including the OWASP Top 10

• Understanding the risks posed by application security vulnerabilities

• Understanding and implementing a secure software development lifecycle (SDLC)

• Understanding the need for secure design, development and testing


Threat Model Express

Threat modeling is gaining traction as a fundamental application security activity. In this class students learn about the attacks that their applications may face and then both formal and informal approaches to threat modeling. Using a fictional scenario, students perform all the activities of a threat model on a complex application – including analyzing design documents and role-playing interviews.

Students learn about the industry standard formal threat modeling process as well as Facilitated Application Threat Modeling: a 1-day approach to threat modeling pioneered by Security Compass.

Days: 1 day

Audience: Architects, Project Managers, Administrators

Key Concepts:

• What threat modeling is and what it achieves

• What the steps of a traditional threat model are

• How to gather useful information for a threat model, including interviewing staff

• Establishing threats, vulnerabilities and countermeasures for your applications

• Ranking the threats based on their perceived risk to your application


OWASP Top 10

Students will learn about the latest OWASP Top 10, including how each of the vulnerabilities can impact your applications. We include a number of real-world examples where students discover the impacts on organizations that have fallen victim to these vulnerabilities. Students will be able to describe best practices for defending against the OWASP Top 10 from a code-agnostic standpoint and bring this learning back into their organizations.

CBT Available: Yes, 60 minutes

Days: 1 day

Audience: General Staff, Developers, Testers, Managers, Administrators

Key Concepts:

• Understand common web application vulnerabilities (XSS, XSRF, SQL injection, Parameter manipulation, etc.) including the OWASP Top 10 2010

• Describe how hackers exploit these weaknesses to take advantage of your users

• See real world examples of breaches and how these vulnerabilities have impacted organizations

• Describe best practices to defending against each of the OWASP Top 10 from a code agnostic


Exploiting and Defending Web Applications

This course includes the OWASP Top 10 course and expands upon it to include a number of additional vulnerabilities commonly exploited in web applications today. It also introduces high level concepts of Authorization, Authentication, Data validation and Cryptography in the context of today’s modern web applications.

Students will perform hands on exercises to understand how exploits are performed and executed using our interactive TrueLabs solution.

CBT Available: Yes, 90 minutes

TrueLabs: Yes, both Instructor led and CBT

Days: 3 days

Audience: Developers, Architects, QA, Testers, Project Managers

Key Concepts:

• Understand common web application vulnerabilities (XSS, XSRF, SQL injection, Parameter manipulation, etc.) including the OWASP Top 10 plus many more.

• Describe how hackers exploit these weaknesses to take advantage of your users

• Describe weaknesses in authentication, authorization, session management and data validation

• View examples of how hackers have breached systems using these vulnerabilities

• Perform TrueLabs exercises to see hands-on how hackers take advantage of these web application vulnerabilities


Securing Web Applications in Java

After taking this class students will be able to develop secure Java Enterprise Edition (J2EE) applications. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice and design and judge effectiveness of secure coding practice. The class focuses on learning by doing. Concepts are presented in short lecture-demonstration sessions, and then students are challenged in hands-on labs to make reasoned choices and implement secure code. Students are required to execute various real world solutions including fixing broken applications, adding security functionality, replacing poorly written code, finding vulnerabilities and doing runtime testing.

CBT Available: Yes, 90 minutes

TrueLabs: Yes, both Instructor led and CBT

Days: 3 days

Audience: Java Developers, Web Developers

Key Concepts:

• Understand how to program Java securely to defend against common web application vulnerabilities

• Learn about libraries and techniques that can help developers protect their applications against insecure coding practices

• Identify best practices to secure Java programming for each of the OWASP top 10 by viewing bad insecure code examples vs. good secure code

• Hands-on TrueLabs exercises where students write real Java code to fix broken applications and defend against the OWASP Top 10


Securing Web Applications in .NET

Students will learn to define and identify secure .NET 4.0 code, differentiate between secure coding methods, employ secure code in practice and design and judge effectiveness of secure coding practice. The class focuses on learning by doing. Concepts are presented in short lecture-demonstration sessions, and then students are challenged in hands-on labs to make reasoned choices and implement secure code.

Students are required to execute various real world solutions including fixing broken applications, adding security functionality, replacing poorly written code, finding vulnerabilities and doing runtime testing.

CBT Available: Yes, 90 minutes

TrueLabs: Yes, both Instructor led and CBT

Days: 3 days

Audience: .NET Developers, Web Developers

Key Concepts:

• Understand how to program .NET securely to defend against common web application vulnerabilities with the latest techniques (.NET 4.0)

• Learn about libraries and techniques that can help developers protect their applications against insecure coding practices

• Identify best practices to secure .NET programming for each of the OWASP top 10 by viewing bad insecure code examples vs. good secure code

• Hands-on TrueLabs exercises where students write real .NET code to fix broken applications and defend against the OWASP Top 10


Securing C/C++

This class will prepare students to develop secure applications in C or C++. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practice. Students completing this class will find their secure coding abilities materially sharpened.

The course focuses on learning by demonstration. Throughout the course, vulnerability categories are explained, followed by real world examples in popular applications. Risk is analyzed, and defense techniques are identified for each vulnerability presented.

CBT Available: Yes, 60 minutes

TrueLabs: Yes, Instructor led only

Days: 2 days

Audience: Programmers, Code reviewers, QA

Key Concepts:

• Hands-on TrueLabs exercises include performing buffer overflow labs and seeing how overflows can lead to exploited code execution.

• Understand secure allocation of memory, including memory organization and stacks.

• Discuss secure use of pointers, including pointer arithmetic and how incorrect use of pointers can cause vulnerabilities.

• Communicate how buffer overflows occur and how they can be exploited by hackers.

• Learn about format string vulnerabilities and defenses when using format strings.


Mobile Hacking and Securing

Students will discover mobile hacking techniques for Android and iPhone. They will understand the platform security models, device security models, app analysis, file system analysis and runtime analysis for these popular mobile operating systems. We will demonstrate insecure coding practices in Android and iPhone environments.

Students will perform hands-on TrueLabs exercises against our insecure app ExploitMe Mobile for both Android and iPhone. They will learn to attack this vulnerable mobile application and learn about the pitfalls of mobile programming. Knowing this will arm them with the tools necessary to develop better, more secure mobile apps.

TrueLabs: Yes, Instructor led

Days: 1 day

Audience: Mobile App Developers, Testers

Key Concepts:

• Hands-on TrueLabs exercises include hacking a vulnerable mobile iPhone and Android app we’ve created called ExploitMe Mobile.

• Learn about the two popular iPhone and Android device security architectures, and how they differ when it comes to their security

• Understand how hackers analyze mobile application protocols and reversing techniques

• Identify file storage issues, including sensitive file storage and how to securely store data

• Perform decompilation of mobile apps to see the inner workings of the application itself

• Perform memory dumps and run-time analysis


Free OWASP Top 10 Course

We’re happy to give back to the community by providing our OWASP Top 10 course free of charge (it contains brief interludes with promotions for our training). The course outlines the fundamentals of the OWASP Top 10 and allows you to experience our high quality computer based training format.

If you enjoy the course, contact us about the Premium version, which can be hosted in your organization’s LMS.

Access the course immediately by signing up: http://freecbt.securitycompass.com


What can we do for you?

We understand application security. We breathe it. We strive to provide you with the best training experience for your staff.

Our experience helping our clients research and manage real world security risks allows us to drive our training material with the latest threats and vulnerabilities seen in everyday engagements.

What does that mean? It means that your staff is ready to respond with forward-thinking concepts for securing your business’ most sensitive applications.

Here to help.

Reach out to Security Compass’ advisors who can help.

Oliver Ng
Director of Training
[email protected]
1-888-777-2211 ext. 125

Sahba Kazerooni
Director of Professional Services
[email protected]
1-888-777-2211 ext. 103
