Global Knowledge


Understanding Application Security: A Technical Overview (TT8000)

This course is essential for technical leads, project managers, testing/QA personnel, and other stakeholders who need to understand the issues and concepts associated with secure applications. You will learn the best practices for designing, implementing, and deploying secure applications. You will cover current, real examples that illustrate the potential consequences of not following these best practices.

You will leave the course armed with the required skills to understand software vulnerabilities (actual and potential) and defenses for those vulnerabilities. This course quickly introduces you to the various types of threats against software, and provides coverage of many core security-related technologies. You will cover the concept and process of Threat Modeling as a key enabler for implementing effective and appropriate security for software and information assets.

What You'll Learn

  • Concepts and terminology behind defensive coding
  • Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Spectrum of threats and attacks that take place against software applications in today's world
  • Static code and dynamic application testing used to uncover vulnerabilities in applications
  • Vulnerabilities of programming languages, as well as how to harden installations
  • Basics of Cryptography and Encryption and where they fit in the overall security picture
  • Fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Processes and measures associated with Secure Software Development (SSD)
  • Basics of security testing and planning

Who Needs to Attend

Application project stakeholders who wish to develop well-defended applications

Prerequisites

  • Familiarity with a programming language
  • Real-world programming experience is highly recommended

Follow-On Courses

  • Additional advanced security or secure programming and coding courses
  • Service-oriented analysis and design
  • Web services courses
  • AJAX, XML, or other web development courses
  • Java EE courses:
    • EJB3.0
    • Spring
    • Hibernate
    • Design Patterns
  • Advanced .Net developer courses
  • Architecture and analysis courses
  • Software engineering, design, or project management courses

Course Outline

1. Foundation

  • Misconceptions
  • Security Concepts
  • Defensive Coding Principles
  • Reality

2. Vulnerabilities

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) Flaws
  • Injection Flaws
  • Error Handling and Information Leakage
  • Insecure Storage
  • Insecure Management of Configuration
  • Direct Object Access
  • Spoofing and Redirects

3. Security Fundamentals

  • Perimeter Defenses
  • Security Architectures
  • Layered Defenses
  • Extending the Defenses

4. Cryptography

  • Cryptography
  • Strong Encryption
  • Ciphers and Algorithms
  • Message Digests
  • Keys and Key Management
  • Certificate Management
  • Encryption/Decryption
  • Fails in Crypto Applications

5. Transport Layer

  • SSL Support
  • HTTPS

6. What's Important

  • Prioritizing Your Efforts
  • Common Vulnerabilities and Exposures for 2011
  • OWASP Top Ten for 2010
  • CWE/SANS Top 25 Programming Errors
  • Monster Mitigations

7. Defending XML Processing

  • Defending XML
  • Defending Web Services

8. Secure Software Development (SSD)

  • SSD Process
  • Applying Processes and Practices
  • Risk Analysis

9. Security Testing

  • Testing Principles
  • Reviews as Form of Testing
  • Testing
  • Tools
  • Testing Practices

Virtual Classroom

Course Code: 1116

$895 USD

1 Day Course


Other Delivery Methods

On-Site


Copyright ©2013 Global Knowledge Training LLC. All rights reserved.