Fundamentals of Secure Application Development
Fundamentals of Secure Application Development Course Details:
The best security investment you can make is deploying secure code.
The rules of information security aren’t what they used to be. Hackers aren’t kids in basements–they’re professionals and organized criminal groups around the world. They seek to break into systems and steal data any way they can.
Unfortunately, the vast majority of hacks are not due to insecure networks or misconfigured firewalls. They are a result of common software flaws coded into applications. Even with a good information security policy, the reality is that software developers are often underserved when it comes to having a security strategy. If your applications get built without attention to software security practices, risk gets passed downstream and by the time an incident occurs, it’s too late.
From proactive requirements to coding and testing, this course covers the best practices you need to avoid opening up your users, customers, and organization to attack at the application layer. We share only the most recent best practices, and our experts will answer your questions live in class. You’ll return to work ready to build higher quality and more robustly protected applications.
Call (919) 283-1674 to get a class scheduled online or in your area!
Secure Software Development
- Assets, Threats and Vulnerabilities
- Security Risk Analysis (Bus and Tech)
- Secure Dev Processes (MS, BSI…)
- Defense in Depth
- Approach for this course
The Context for Secure Development
- Assets to be protected
- Threats Expected
- Security Imperatives (internal and external)
- Organization’s Risk Appetite
- Security Terminology
- Organizational Security Policy
- Security Roles and Responsibilities
- Security Training for Roles
- Generic Security Goals and Requirements
Security Requirements
- Project-Specific Security Terms
- Project-Related Assets and Security Goals
- Product Architecture Analysis
- Use Cases and Miscellaneous Use/Abuse Cases
- Dataflows with Trust Boundaries
- Product Security Risk Analysis
- Elicit, Categorize, Prioritize SecRqts
- Validate Security Requirements
Designing Secure Software
High-Level Design
- Architectural Risk Analysis
- Design Requirements
- Analyze Attack Surface
- Threat Modeling
- Trust Boundaries
- Eliminate Race Objects
Detail-Level Design
- Secure Design Principles
- Use of Security Wrappers
- Input Validation
- Design Pitfalls
- Validating Design Security
- Pairing Mem Mgmt Functions
- Exclude User Input from format strings
- Canonicalization
- TOCTOU
- Close Race Windows
- Taint Analysis
Writing Secure Code
Coding
- Developer guidelines and checklists
- Compiler Security Settings (per)
- Tools to use
- Coding Standards (per language)
- Common pitfalls (per language)
- Secure/Safe functions/methods
- Integer type selection
- Synchronization Primitives
Early Verifications
- Static Analysis (Code Review w/tools)
- Unit and Dev Team Testing
- Risk-Based Security Testing
- Taint Analysis
Testing for Software Security
- Assets to be protected
- Threats Expected
- Security Imperatives (internal and external)
- Organization’s Risk Appetite
- Static Analysis
- Dynamic Analysis
- Risk-Based Security testing
- Fuzz Testing (Whitebox vs. Blackbox)
- Penetration Testing (Whitebox vs. Blackbox)
- Attack Surface Review
- Code audits
- Independent Security Review
Releasing and Operating Secure Software
- Incident Response Planning
- Final Security Review
- Release Archive
- OS Protections
- Monitoring
- Incident Response
- Penetration Testing
Making Software Development More Secure
- Process Review
- Getting Started
- Priorities
*Please Note: Course Outline is subject to change without notice. Exact course outline will be provided at time of registration.
- Understand assets, threats, vulnerabilities, and risks
- The content around secure development
- Gathering and understanding security requirements
- How to design secure software
- How to write secure code
- How to test your software
- Releasing secure software
- Application Developer
- Software Engineers
- Software Tester
- Technical Leadership
- Security Administrators