| Course | Description |
|---|---|
| Fundamentals of Software Security | Provides the varying depth of security knowledge necessary to improve your software development processes. |
| Awareness for Executives (2 hours) | Aimed at managers and executives, this overview demonstrates the importance of software security activities in modern software development lifecycles. |
| Foundations and Core Principles (1 day) | An overview of software security that provides a foundation for more in-depth security courses. Explains attack patterns and the software security touchpoints necessary to improve your software development lifecycle. |
| Foundations and Detailed Principles (2 days) | A standalone, detailed course that explains all the software security touchpoints in depth. Begins with a comprehensive overview of the software security problem, walks through the software security touchpoints, explains the Seven Pernicious Kingdoms of Software Security Errors, and discusses ways of addressing and avoiding them. |
| SOA, Web Services, and XML Security (1 day) | A pragmatic approach to identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, identity servers, and related software. Includes a focused case study exploring risks, standards, and solutions. |
| Requirements, Architecture and Design | Explains how to develop requirements that define the security of an application, and then use those requirements to review new or existing architectures for security flaws. |
| Software Security Requirements (1/2 day) | Walks through the process of expanding functional software requirements to include security requirements. Teaches students how to draw on experience and external resources to generate security requirements for their software. Includes several interactive, participatory exercises to reinforce learning. |
| Architecture Risk Analysis (1 day) | Examines the architecture and design of software systems to expose security risk. Teaches students how to model threats, trust, and data sensitivity to help identify abuse cases that are applicable to your software. The approach focuses on three component analyses: Attack Resistance Analysis, Ambiguity Analysis, and Weakness Analysis. |
| Software Security Coding Errors & Defensive Programming | Presented in the context of specific languages and development platforms; includes advice on defensive programming to prevent errors from occurring. |
| Attack and Defense (1 day) | Features a deep dive into the mechanics of common attacks on software, along with guidance on mitigation, prevention, and test strategies. Topics include input injection attacks, web vulnerabilities, and business logic abuse. |
| Defensive Programming: Java EE (1 day) | Focuses on common mistakes made in web applications built on the Java Enterprise Edition (J2EE) platform. Includes relevant Java coding errors that present themselves in Java Enterprise architectures. |
| Defensive Programming: C/C++ (1 day) | Focuses on common mistakes made in C/C++ applications in client/server and distributed systems on Windows and Unix platforms. |
| Defensive Programming: C# (1 day) | Focuses on common mistakes made when building .NET applications with C#. |
| Defensive Programming: VB.NET (1 day) | Focuses on common mistakes made when building .NET applications with Visual Basic. |
| Software Security Code Review | Explains how to use automated tools and manual inspection techniques to understand and evaluate source code in the context of security problems. |
| Secure Code Review and Static Analysis (1/2 day) | Explains the technical approach to security code review using a combination of manual processes, code navigation tools, and automated code scanners. |
| Fortify SCA Add-ons (1/2 day to 2 days) | Detailed discussion of the various Fortify SCA modules, their use, and their customization. |
| Security Testing | Explains how to "think like a bad guy" and add security testing to existing test strategies. |
| Risk-Based Security Testing Strategy (1 day) | Teaches how to augment test strategies and test plans to properly expose security risk during development, using results from architecture analysis and abuse cases. Helps test planners "think like an attacker" during analysis. |
| Web Security Testing (1 day) | Teaches how to test web applications interactively in a lab setting, using free software and well-known resources to create repeatable, automatable tests. Begins with an introduction to web concepts. |
Cigital is also transforming its entire instructor-led training (ILT) curriculum into eLearning modules for computer-based training. Please contact us for availability of the modules that fit your needs.