Fundamentals of Secure Application Development

2 Day Classroom  •  3 Day Live Online
2 Day Training at your location.
Adjustable to meet your needs.
Individual: $1395.00
Group Rate: $1195.00
GSA Discount: $1018.35
When training eight or more people, onsite team training offers a more affordable and convenient option.
Overview

The rules of information security aren’t what they used to be. Hackers aren’t kids in basements; they’re state-sponsored professionals and organized criminal groups all around the world. They break into systems and steal data any way they can.

Unfortunately, the vast majority of hacks are not due to insecure networks or misconfigured firewalls; they are a result of common software flaws that get coded into applications. Even with good information security policy and staff, the reality is that software developers are often underserved when it comes to security strategy. If their applications get built without attention to good software security practices, risk gets passed downstream, and by the time an incident occurs it’s too late to be proactive.

From proactive requirements to coding and testing, this course covers the best practices any software developer needs to avoid opening up their users, customers and organization to attack at the application layer. We teach only constantly updated best practices, and our experts answer your questions live in class. Return to work ready to build higher quality, more robustly protected applications.

Upcoming Dates and Locations
Guaranteed To Run
Nov 27, 2017 – Nov 28, 2017    8:30am – 4:30pm Dallas, Texas

Microtek Dallas
5430 Lyndon B Johnson Fwy
Three Lincoln Centre, Suite 300
Dallas, TX 75240
United States

Nov 27, 2017 – Nov 28, 2017    9:30am – 5:30pm Live Online
Jan 8, 2018 – Jan 9, 2018    8:30am – 4:30pm Philadelphia, Pennsylvania

Hyatt Place
440 American Avenue
King Of Prussia, PA 19406
United States

Feb 5, 2018 – Feb 6, 2018    10:30am – 5:30pm Live Online
Mar 5, 2018 – Mar 6, 2018    8:30am – 4:30pm Atlanta, Georgia

Microtek Atlanta
1000 Abernathy Rd. NE Ste 194
Northpark Bldg 400
Atlanta, GA 30328
United States

Apr 4, 2018 – Apr 5, 2018    10:30am – 5:30pm Live Online
May 1, 2018 – May 2, 2018    8:30am – 4:30pm San Diego, California

San Diego Training and Conference Center
350 Tenth Avenue
Suite 950
San Diego, CA 92101
United States

Jun 4, 2018 – Jun 5, 2018    10:30am – 5:30pm Live Online
Jul 9, 2018 – Jul 10, 2018    8:30am – 4:30pm Raleigh, North Carolina

ASPE Training
114 Edinburgh South Dr
Suite 200
Cary, NC 27511
United States

Aug 1, 2018 – Aug 2, 2018    10:30am – 5:30pm Live Online
Sep 4, 2018 – Sep 5, 2018    8:30am – 4:30pm Columbia, Maryland

Homewood Suites by Hilton
8320 Benson Drive
Columbia, MD 21045
United States

Oct 1, 2018 – Oct 2, 2018    10:30am – 5:30pm Live Online
Nov 5, 2018 – Nov 6, 2018    8:30am – 4:30pm New York, New York

Microtek New York City
180 Maiden Lane
Suite 1102
New York, NY 10038
United States

Dec 3, 2018 – Dec 4, 2018    10:30am – 5:30pm Live Online
Course Outline

Introduction

1. Secure Software Development

  • Assets, Threats & Vulnerabilities
  • Security Risk Analysis (Bus & Tech)
  • Secure Dev Processes (MS, BSI…)
  • Defense in Depth
  • Approach for this course

Introductory Case Study

2. The Context for Secure Development

  • Assets to be protected
  • Threats Expected
  • Security Imperatives (internal & external)
  • Organization's Risk Appetite
  • Security Terminology
  • Organizational Security Policy
  • Security Roles and Responsibilities
  • Security Training for Roles
  • Generic Security Goals & Requirements

Exercise: Our Own Security Context

3. Security Requirements

  • Project-Specific Security Terms
  • Project-Related Assets & Security Goals
  • Product Architecture Analysis
  • Use Cases & Misuse/Abuse Cases
  • Dataflows with Trust Boundaries
  • Product Security Risk Analysis
  • Elicit, Categorize, Prioritize Security Requirements
  • Validate Security Requirements

Exercise: Managing Security Requirements

4. Designing Secure Software

  • High-Level Design
    • Architectural Risk Analysis
    • Design Requirements
    • Analyze Attack Surface
    • Threat Modeling
    • Trust Boundaries
    • Eliminate Race Objects
  • Detail-Level Design
    • Secure Design Principles
    • Use of Security Wrappers
    • Input Validation
    • Design Pitfalls
    • Validating Design Security
    • Pairing Memory Management Functions
    • Exclude User Input from Format Strings
    • Canonicalization
    • TOCTOU
    • Close Race Windows
    • Taint Analysis

Exercise: A Secure Software Design, Instructor Q and A

5. Writing Secure Code

  • Coding
    • Developer guidelines & checklists
    • Compiler Security Settings (per)
    • Tools to use
    • Coding Standards (per language)
    • Common pitfalls (per language)
    • Secure/Safe functions/methods
      • Stack Canaries
      • Encrypted Pointers
      • Memory Initialization
      • Function Return Checking (e.g. malloc)
      • Dereferencing Pointers
    • Integer type selection
      • Range Checking
      • Pre/post checking
    • Synchronization Primitives
  • Early Verification
    • Static Analysis (Code Review w/tools)
    • Unit & Dev Team Testing
    • Risk-Based Security Testing
    • Taint Analysis

Exercise: Secure Coding Q and A

6. Testing for Software Security

  • Assets to be protected
  • Threats Expected
  • Security Imperatives (internal & external)
  • Organization's Risk Appetite
  • Static Analysis
  • Dynamic Analysis
  • Risk-Based Security Testing
  • Fuzz Testing (Whitebox vs Blackbox)
  • Penetration Testing (Whitebox vs Blackbox)
  • Attack Surface Review
  • Code Audits
  • Independent Security Review

Exercise: Testing Software for Security

7. Releasing & Operating Secure Software

  • Incident Response Planning
  • Final Security Review
  • Release Archive
  • OS Protections:
    • Address Space Layout Randomization
    • Non-Executable Stacks
    • W^X
    • Data Execution Prevention
  • Monitoring
  • Incident Response
  • Penetration Testing

Exercise: A Secure Software Release

8. Making Software Development More Secure

  • Process Review
  • Getting Started
  • Priorities

Exercise: Your Secure Software Plan

Who should attend
  • Application Development Managers
  • Software Engineers and Developers
  • CISOs, CISAs and Security Professionals
  • Software Testers
  • QA Managers, Directors and Staff
  • Test Management
  • Business Analysts
  • Project Managers
  • IT Specialists (Security, Capacity Management, Networking…)