|
iast |
Interactive Application Security Testing (IAST) |
14 hours |
Interactive Application Security Testing (IAST) is a form of application security testing that combines Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) or Runtime Application Self-protection (RASP) techniques. IAST is able to report the specific lines of code responsible for a security exploit and replay the behaviors leading to and following such an exploit.
In this instructor-led, live training, participants will learn how to secure an application by instrumenting runtime agents and attack inducers to simulate application behavior during an attack.
By the end of this training, participants will be able to:
Simulate attacks against applications and validate their detection and protection capabilities
Use RASP and DAST to gain code-level visibility into the data path taken by an application under different runtime scenarios
Quickly and accurately fix the application code responsible for detected vulnerabilities
Prioritize the vulnerability findings from dynamic scans
Use RASP real-time alerts to protect applications in production against attacks.
Reduce application vulnerability risks while maintaining production schedule targets
Devise an integrated strategy for overall vulnerability detection and protection
Audience
DevOps engineers
Security engineers
Developers
Format of the course
Part lecture, part discussion, exercises and heavy hands-on practice
To request a customized course outline for this training, please contact us. |
|
cl-jwe |
Advanced Java, JEE and Web Application Security |
28 hours |
Beyond a solid knowledge in using Java components, even for experienced Java programmers it is essential to have a deep knowledge in web-related vulnerabilities both on server and client side, the different vulnerabilities that are relevant for web applications written in Java, and the consequences of the various risks.
General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of Java with the most important aim to avoid the associated problems. In addition, a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5.
The course introduces security components of Standard Java Edition, which is preceded with the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. Security issues of Java Enterprise Edition are presented through various exercises explaining both declarative and programmatic security techniques in JEE.
Finally, the course explains the most frequent and severe programming flaws of the Java language and platform. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.
Participants attending this course will
Understand basic concepts of security, IT security and secure coding
Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
Learn client-side vulnerabilities and secure coding practices
Learn to use various security features of the Java development environment
Have a practical understanding of cryptography
Understand security concepts of Web services
Understand security solutions of Java EE
Learn about typical coding mistakes and how to avoid them
Get information about some recent vulnerabilities in the Java framework
Get practical knowledge in using security testing tools
Get sources and further readings on secure coding practices
Audience
Developers
IT security and secure coding
Web application security
Client-side security
Client-side security
Foundations of Java security
Practical cryptography
Java security services
Security of Web services
XML security
JSON security
Java EE security
Common coding errors and vulnerabilities
Principles of security and secure coding
Knowledge sources
|
|
seccode |
How to Write Secure Code |
35 hours |
After the major attacks against national infrastructures, Security Professionals found that the majority of the vulnerabilities that caused the attacks came from poor and vulnerable code that the developers write.
Developers now need to master the techniques of how to write Secure Code, because we are in a situation where anyone can use availble tools to write a script that can effectivly disable a large organization's systems because the developers have written poor code.
This Course aims to help in the following:
Help Developers to master the techniques of writing Secure Code
Help Software Testers to test the security of the application before publishing to the production environment
Help Software Architects to understand the risks surrounding the applications
Help Team Leaders to set the security base lines for the developers
Help Web Masters to configure the Servers to avoid miss-configurations
In this course you will also see details of the latest cyber attacks that have been used and the countermeasures used to stop and prevent these attacks.
You will see for yourself how developers mistakes led to catastrophic attacks, and by participatig in the labs during the course you will be able to put into practise the security controls and gain the experience and knowledge to produce secure coding.
Who should Attend this Course?
This Secure Code Training is ideal for those working in positions such as, but not limited to:
Web Developers
Mobile Developers
Java Developers
Dot Net Developers
Software Architects
Software Tester
Security Professionals
Web Masters
Module1 Introduction to Secure Coding
Module2 Web, Windows and Mobile Application bases
Module3 Applications Attacks and Exploits, XSS, SQL injection
Module4 Servers Attacks and Exploits, DOS, BOF
Module5 Validation And Verification
Module6 Security Controls and Countermeasures
Module7 Mobile Application Secure Coding
Module8 Security Standards and Testing
|
|
cl-osc |
The Secure Coding Landscape |
14 hours |
The course introduces some common security concepts, gives an overview about the nature of the vulnerabilities regardless of the used programming languages and platforms, and explains how to handle the risks that apply regarding software security in the various phases of the software development lifecycle. Without going deeply into technical details, it highlights some of the most interesting and most aching vulnerabilities in various software development technologies, and presents the challenges of security testing, along with some techniques and tools that one can apply to find any existing problems in their code.
Participants attending this course will
Understand basic concepts of security, IT security and secure coding
Understand Web vulnerabilities both on server and client side
Realize the severe consequences of unsecure buffer handling
Be informated about some recent vulnerabilities in development environments and frameworks
Learn about typical coding mistakes and how to avoid them
Understand security testing approaches and methodologies
Audience
Managers
Agenda
Introduction
IT security and secure coding
Security challenges of various platforms – highlights –
C/C++ (native code) secure coding
Web application security
Java platform security
Challenges of security testing
|
|
devopssecurity |
DevOps Security: Creating a DevOps security strategy |
7 hours |
DevOps is a software development approach that aligns application development with IT operations. Some of the tools that have emerged to support DevOps include: automation tools, containerization and orchestration platforms. Security has not kept up with these developments.
In this course, participants will learn how to formulate the proper security strategy to face the DevOps security challenge.
Audience
Devops engineers
Security engineers
Format of the course
Part lecture, part discussion, some hands-on practice
Introduction
How DevOps creates more security risk for organizations
The price of agility, speed and de-centralized control
Inadequacies of traditional security tools
Security policies
Firewall rules
Lack of APIs for integration
Lack of visualization tools
Implementing a DevOps-ready security program
Aligning security with business goals
Removing the security bottleneck
Implementing detailed visibility
Standardizing security configurations
Adding sensors into the application
Interactive Application Security Testing
Runtime Application Self-Protection
Providing security data to DevOps tools through RESTful APIs
On-demand scaling, micro-perimeterization of security controls
Per-resource granular security policies
Automating attacks against pre-production code
Continually testing the production environment
Protecting web applications from an Agile/DevOps perspective
Securing containers and clouds
Embracing next generation automated security tools
The future of DevOps and its strategic role in security
Closing remarks |
|
embeddedsecurity |
Embedded systems security |
21 hours |
This training introduces the system architectures, operating systems, networking, storage, and cryptographic issues that should be considered when designing secure embedded systems.
By the end of this course, participants will have a solid understanding of security principles, concerns, and technologies. More importantly, participants will be equipped with the techniques needed for developing safe and secure embedded software.
Audience
Embedded systems professionals
Security professionals
Format of the course
Part lecture, part discussion, hands-on practice
Introduction
Security vs embedded systems security
Characteristics of embedded application security
Embedded network transactions
Automotive security
Android devices
Next-generation software-defined radio
Critical aspects of an embedded system
Microkernel vs monolith
Independent security levels
Core security requirements
Access control
I/O virtualization
Performing threat modeling and assessment
Attackers and assets
Attack surface
Attack trees
Establishsing a security policy
Developing secure embedded software
Secure coding principles
Secure program design
Minimal Implementation
Component architecture
Least privilege
Secure development process
Independent expert validation
Model-driven design
Code review and static analysis
Security testing
Peer code reviews
Understanding and implementing cryptography
Cryptographic modes
Cryptographic hashes
Cryptographic certifications
Managing keys
Block ciphers
Message Authentication Codes
Random Number Generation
Data protection
Data-in-motion protocols
Securing data in motion
Data-at-rest protocols
Securing data at rest
Mitigating attacks
Common software attacks
Preventing side-channel attacks
Retrofitting security in existing projects
Securing bootloaders and firmware updates
Closing remarks |
