Global Knowledge

Foundstone Building Secure Software


Software insecurity has become one of the biggest security concerns facing organizations today. As hackers turn their attention to the software and applications that make up an organization's IT infrastructure, people are realizing that the best way to protect that infrastructure is to build secure software from the outset.

Learn the practical techniques and technologies that are needed to design and build secure software. This course discusses a variety of software models with a special focus on web applications. Students will learn how to secure each stage of the Software Development Lifecycle (SDLC) by understanding the foundational concepts for securing software.

What You'll Learn

  • The process and techniques of building secure software
  • Data protection in storage and transit
  • Authentication and authorization techniques
  • Client-side security
  • Secure user management systems
  • Data validation strategies
  • Error handling and exception management
  • Logging and auditing mechanisms
  • Major security features of Java, .NET, and web services
  • Security design patterns
  • Threat modeling

Who Needs to Attend

Software professionals who define, design, and architect solutions; those who manage software development projects and teams; those who audit the security of applications.

Prerequisites

Basic knowledge of software development methodologies and tools

Follow-On Courses

  • Foundstone Writing Secure Code: Java (J2EE)
  • Foundstone Writing Secure Code - ASP.NET (C#)

Course Outline

1. Introduction

  • Software Security Overview

2. Cryptography

  • Common Mistakes
  • Random Numbers
  • Symmetric/Asymmetric Cryptography
  • Hashing Algorithms
  • Key Management
  • Cryptography Application
  • McAfee Application Control
  • Digital Signatures and Certificates
  • XML Encryption and Digital Signatures

3. Authentication

  • Common Mistakes
  • Types (HTTP, Form, and Others)
  • Kerberos
  • Federated Authentication
  • Microsoft Windows CardSpace
  • SAML

4. Authorization

  • Common Mistakes
  • Least Privilege
  • Access Control
  • Role Based Access Control (RBAC)
  • Modeling Authorization
  • Common Vulnerabilities
  • Extensible Access Control Markup Language (XACML)

5. User Management

  • Common Mistakes
  • Passwords
  • Password Storage
  • Account Lockout
  • Password Resets

6. Client-Side Security

  • Common Mistakes
  • Code Obfuscation
  • Anti-Tampering Measures
  • Anti-Debugging Measures

7. Data Validation

  • Common Mistakes
  • Trust Boundaries
  • Data Validation Design
  • Validation Strategies and Tactics
  • Input and Output Validation
  • Common Data Validation Attacks
  • Validating Non-Textual Data

8. Error Handling and Exception Management

  • Common Mistakes
  • Designing for Failure
  • Failing Securely
  • Structured Exception Handling
  • Designing Error Messages

9. Event Logging

  • Common Mistakes
  • Effective Logging

10. Architecture and Design Patterns

  • Architecture Versus Design Patterns
  • Building Reusable Security Components
  • Securing the Infrastructure
    • OWASP Enterprise Security API (ESAPI)
  • Architecture Patterns

11. Web Application Security

  • .NET Framework Security
  • Java Security
  • Web Services Attack and Defenses
  • WS-Security

12. Threat Modeling

  • Tools and Methodologies
  • Choosing a Methodology
  • Threat Modeling Tools and Resources
  • The McAfee Foundstone Methodology
  • Security Requirements
  • System
  • Threats
  • Countermeasures
  • Post-Threat Modeling
  • Analyzing and Managing Risk
  • Incremental Threat Modeling
  • Driving Security Testing
  • Root Cause Analysis

On-Site

Course Code: 9822

Contact us for pricing

Partner-Delivered Course

4 Day Course



Copyright ©2013 Global Knowledge Training LLC. All rights reserved.