---

Software insecurity has become one of the biggest security concerns facing organizations today. As hackers turn their attention to the software and applications that make up an organization's IT infrastructure, people are realizing that the best way to protect that infrastructure is building secure software at the onset.

Learn the practical techniques and technologies that are needed to design and build secure software. This course discusses a variety of software models with a special focus on web applications. Students will learn how to secure each stage of the Software Development Lifecycle (SDLC) by understanding the foundational concepts for securing software.

Continuing Education Credit

This course qualifies for up to 32 hours of CPE for CISSP/SSCP and 28 hours of CE for CISA/CISM holders.

Highlights

• The process and techniques of building secure software
• Data protection in storage and transit
• Authentication and authorization techniques
• Client-side security
• Secure user management systems
• Data validation strategies
• Error handling and exception management
• Logging and auditing mechanisms
• Major security features of Java, .NET, and web services
• Security design patterns
• Threat modeling

Course Outline

Day 1 - Introduction, Cryptography, Authentication, and Authorization

1. Introduction

• Software Security Overview

2. Cryptography

• Common Mistakes
• Cryptographic Building Blocks
• Achieving Security Properties using Cryptography
• Key Management
• Transport Security
• Cryptography Lab

3. Authentication

• Common Mistakes
• Authentication Protocols
• Assembly Authentication
• Advanced User Authentication
• Single Sign On
• Authentication Lab

4. Authorization

• Common Mistakes
• Least Privilege
• Discretionary Access Control
• Role Based Access Control
• Modeling Authorization
• User Impersonation
• Horizontal Privilege
• Authorization Workshop

Day 2 - User Management, Data Validation, Client-Side Security, Error Handling and Exception Management, and Event Logging

1. User Management

• Common Mistakes
• Defending Against Common Attacks
• Good Usernames and Strong Passwords
• Secure Password Storage
• Handling Password Resets

2. Data Validation

• Common Mistakes
• Trust Boundaries
• Data Validation Design
• Validation Strategies and Tactics
• Common Data Validation Attacks
• Validating Non-textual Data
• Data Validation Lab

3. Client-Side Security

• Common Mistakes
• Code Obfuscation
• Anti-Tampering Measures
• Anti-Debugging Measures
• Client-Side Security Demo

4. Error Handling and Exception Management

• Common Mistakes
• Designing for Failure
• Structured Exception Handling
• Failing Securely
• Designing Error Messages
• Error Handling Workshop

5. Event Logging

• Common Mistakes
• What To Log?
• Where To Log?
• Effective Logging
• Event Logging Workshop

Day 3 - .NET Security, Java Security, Web Services Security, Web Hacking, Architecture & Design Patterns

5. .NET Security

• Managed vs. Unmanaged Code
• Code Security
• Advanced .NET Security
• Resources

6. Java Security

• Java SE Security Packages
• Java SE Code Safety
• Java SE Cryptography
• Java SE Authentication & Authorization
• Java EE Authentication & Authorization
• Resources

7. Web Services Security

• Web Services Primer
• Web Services Attacks & Countermeasures
• XML Encryption
• XML Digital Signatures
• XML Key Management
• Security Assertion Markup Language
• Extensible Access Control Markup Language
• WS-Security

8. Web Hacking Lab

9. Architecture & Design Patterns

• Securing the Infrastructure
• Enterprise Security API (ES-API)
• Architecture Patterns

Day 4 - Threat Modeling

10. Threat Modeling

• Threat Modeling and The Software Development Life Cycle
• Building A Threat Model
• Using A Threat Model
• Threat Modeling Workshop

Space is limited. Register today to save your space!