I liked he was passionate about the subject and very convincing too.
Diana Vladulescu - Zype TV Limited
Secure Code Schulungen
Erfahrungsberichte
Secure Code Schulungsübersicht
| Code | Name | Dauer | Übersicht |
|---|---|---|---|
| cl-aan | Android Java and Native Code Security | 21 hours | Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components. Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In case of native code applications we go into more details, discussing memory management related issues, protection techniques as well as their circumvention (such as Return Oriented Programming). Finally, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography and PKI are also discussed and put into the context of Android. In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any programming bugs. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn the security solutions on Android Learn to use various security features of the Android platform Have a practical understanding of cryptography Get understanding on native code vulnerabilities on Android Realize the severe consequences of unsecure buffer handling in native code Understand the architectural protection techniques and their weaknesses Get information about some recent vulnerabilities in Java on Android Learn about typical coding mistakes and how to avoid them Get sources and further readings on secure coding practices Audience Professionals IT security and secure coding Android security overview Application security Practical cryptography Android native code security Principles of security and secure coding Android and Java vulnerabilities Knowledge sources |
| cl-ans | Comprehensive C# and .NET Application Security | 21 hours | A number of programming languages are available today to compile code to .NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation. The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more. A special section is devoted to configuration and hardening of the .NET and ASP.NET environment for security. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and the operation of various algorithms, based on which the course presents the cryptographic features that can be used in .NET. This is followed by the introduction of some recent crypto vulnerabilities both related to certain crypto algorithms and cryptographic protocols, as well as side-channel attacks. Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using .NET, including bug categories of input validation, error handling or race conditions. A special focus is given to XML security, while the topic of ASP.NET-specific vulnerabilities tackles some special issues and attack methods. like attacking the ViewState, or the string termination attacks. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn to use various security features of the .NET development environment Have a practical understanding of cryptography Understand some recent attacks against cryptosystems Get information about some recent vulnerabilities in .NET and ASP.NET Learn about typical coding mistakes and how to avoid them Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding .NET security architecture and services Practical cryptography ASP.NET security architecture Cryptographic vulnerabilities RSA timing attack Features and vulnerabilities Denial of service ASP.NETconfiguration and hardening XML security Common coding errors and vulnerabilities Principles of security and secure coding Knowledge sources |
| cl-and | Android Security | 14 hours | Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components. Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any security relevant programming bugs. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn the security solutions on Android Learn to use various security features of the Android platform Get information about some recent vulnerabilities in Java on Android Learn about typical coding mistakes and how to avoid them Get understanding on native code vulnerabilities on Android Realize the severe consequences of unsecure buffer handling in native code Understand the architectural protection techniques and their weaknesses Get sources and further readings on secure coding practices Audience Professionals IT security and secure coding Android security overview Application security Android and Java vulnerabilities Android native code security Knowledge sources |
| cl-nsc | .NET, C# and ASP.NET Security Development | 14 hours | A number of programming languages are available today to compile code to .NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation. The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more. Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using .NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general web application security challenges, but also with special issues and attack methods like attacking the ViewState, or the string termination attacks. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn to use various security features of the .NET development environment Get practical knowledge in using security testing tools Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in .NET and ASP.NET Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security .NET security architecture and services Common coding errors and vulnerabilities Knowledge sources |
| cl-vip | Voice Over IP Security | 14 hours | As voice over IP (VoIP) systems are vulnerable to the same threats as data networks – like viruses, identity theft, spam, fraud, privacy invasion, and denial of service attacks –, aim of this training is to teach programmers, software architects, network engineers and project managers to the VoIP security features, the various security issues of VoIP, and most importantly the best practices to support risk mitigation. VoIP security is introduced at the raw protocol level, concentrating on attack methodologies that are used against the most popular VoIP protocols. Participants will not only be able to choose and use the appropriate standards and best practices, but will also be prepared to fix the occurring vulnerabilities by applying the relevant countermeasures. Audience Professionals |
| cl-jwe | Advanced Java, JEE and Web Application Security | 28 hours | Beyond a solid knowledge in using Java components, even for experienced Java programmers it is essential to have a deep knowledge in web-related vulnerabilities both on server and client side, the different vulnerabilities that are relevant for web applications written in Java, and the consequences of the various risks. General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of Java with the most important aim to avoid the associated problems. In addition, a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5. The course introduces security components of Standard Java Edition, which is preceded with the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. Security issues of Java Enterprise Edition are presented through various exercises explaining both declarative and programmatic security techniques in JEE. Finally, the course explains the most frequent and severe programming flaws of the Java language and platform. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the Java development environment Have a practical understanding of cryptography Understand security concepts of Web services Understand security solutions of Java EE Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in the Java framework Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Client-side security Foundations of Java security Practical cryptography Java security services Security of Web services XML security JSON security Java EE security Common coding errors and vulnerabilities Principles of security and secure coding Knowledge sources |
| cl-pcr | Practical Cryptography for Software Engineers | 21 hours | Implementing a secure networked application can be difficult, even for developers who may have used various cryptographic building blocks (such as encryption and digital signatures) beforehand. In order to make the participants understand the role and usage of these cryptographic primitives, first a solid foundation on the main requirements of secure communication – secure acknowledgement, integrity, confidentiality, remote identification and anonymity – is given, while also presenting the typical problems that may damage these requirements along with real-world solutions. After establishing the basics, the typical elements of cryptosystems and the most widely-used cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are detailed. Instead of presenting an in-depth mathematical background, these elements are discussed from a developer's perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many different areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS. Finally, typical crypto vulnerabilities are discussed – both related to certain crypto algorithms and cryptographic protocols, such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE and similar, as well as the RSA timing attack. In each case, the practical considerations and potential consequences are described for each problem, again, without going into deep mathematical details. Participants attending this course will Understand basic concepts of security, IT security and secure coding Understand the requirements of secure communication Have a practical understanding of cryptography Understand essential security protocols Understand some recent attacks against cryptosystems Get information about some recent implementation problems Get sources and further readings on secure coding practices Audience Developers, Professionals IT security and secure coding Requirements of secure communication Practical cryptography Security protocols Cryptographic vulnerabilities Knowledge sources |
| cl-jad | Advanced Java Security | 21 hours | Even experienced Java programmers are not mastering by all means the various security services offered by Java, and are likewise not aware of the different vulnerabilities that are relevant for web applications written in Java. The course – besides introducing security components of Standard Java Edition – deals with security issues of Java Enterprise Edition (JEE) and web services. Discussion of specific services is preceded with the foundations of cryptography and secure communication. Various exercises deal with declarative and programmatic security techniques in JEE, while both transport-layer and end-to-end security of web services is discussed. The use of all components is presented through several practical exercises, where participants can try out the discussed APIs and tools for themselves. The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform and web-related vulnerabilities. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Understand security concepts of Web services Learn to use various security features of the Java development environment Have a practical understanding of cryptography Understand security solutions of Java EE Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in the Java framework Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Security of Web services XML security Foundations of Java security Practical cryptography Java security services Java EE security Common coding errors and vulnerabilities Knowledge sources |
| CL-CHS | Crypto Chip-Set Security | 14 hours | The biggest challenge for professionals working on design and development of crypto chip-sets is to be continuously up-to-date regarding the attack methods and their mitigation. Serving them, this course explains various physical and logical attacks on security chips, possible countermeasures and best practices. Regarding physical attacks, the passive attacks are detailed through optical reverse engineering and various side channel analysis methods, while active attacks are discussed with special emphasis on fault injection, Focused Ion Beams and hardware Trojans. The very powerful passive and active combined attack (PACA) type is introduced through the practical example of RSA implementations. Discussion of logical attacks not only covers practical attacks against specific cryptographic algorithm implementations, but also the relevant programming bugs and mitigation techniques like buffer overflow or integer problems are introduced. Finally, a set of guidelines is assembled to follow by engineers working in this field, and the testing methods are presented that can help to find and avoid the discussed security flaws and vulnerabilities. Participants attending this course will Understand basic concepts of security, IT security and secure coding Understand the requirements of secure communication Have a practical understanding of cryptography Understand essential security protocols Audience Professionals IT security and secure coding Requirements of secure communication Practical cryptography Security protocols Simple physical attacks and protections Passive physical attacks Active attacks Active physical attacks Passive and active combined attacks Special security functions – Requirements and solutions |
| cl-jwa | Java and Web Application Security | 21 hours | Description Beyond a solid knowledge in using Java components, even for experienced Java programmers it is essential to have a deep knowledge in web-related vulnerabilities both on server and client side, the different vulnerabilities that are relevant for web applications written in Java, and the consequences of the various risks. General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of Java with the most important aim to avoid the associated problems. In addition, a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5. The course introduces security components of Standard Java Edition, which is preceded with the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. The use of all components is presented through practical exercises, where participants can try out the discussed APIs and tools for themselves. Finally, the course explains the most frequent and severe programming flaws of the Java language and platform. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the Java development environment Have a practical understanding of cryptography Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in the Java framework Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Foundations of Java security Practical cryptography Java security services XML security Common coding errors and vulnerabilities Principles of security and secure coding Knowledge sources |
| cl-beh | Beyond Ethical Hacking - Advanced Software Security | 35 hours | Beyond a solid knowledge in using security solutions of the applied technologies, even for experienced programmers it is essential to have a deep understanding of the typical attack techniques that are possible due the various vulnerabilities, i.e. security-relevant programming mistakes. This course approaches secure coding from the stand point of the attack techniques, but with the same purpose as any other course of SCADEMY Secure Coding Academy: to learn software security best practices. General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained with the most important aim to avoid the associated problems. Besides server side issues (basically following the OWASP Top Ten), a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5, which is followed by discussing web services and XML security. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and the operation of various algorithms. Specifically for C and C++, we go into more details regarding the exploitation of buffer overflows on the stack and on the heap. After showing the attack techniques, we give an overview of practical protection methods that can be applied at different levels (hardware components, the operating system, programming languages, the compiler, the source code or in production) to prevent the occurrence of the various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Finally, we discuss counter attacks, and then counter-protection measures, highlighting the cat-and-mouse nature of hacking and protection. Finally, the course explains the most frequent and severe programming flaws in general, by bringing examples in Java, .NET, C and C++ languages and platforms. Besides the typical bugs committed by the programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment or the used libraries. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Finally, we present security testing techniques and tools that can be applied to reveal the discussed vulnerabilities, along with the various techniques for reconnaissance, configuration and hardening of the environment. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Understand security concepts of Web services Have a practical understanding of cryptography Realize the severe consequences of unsecure buffer handling Understand the architectural protection techniques and their weaknesses Learn about typical coding mistakes and how to exploit them Be informed about recent vulnerabilities in various platforms, frameworks and libraries Learn essential vulnerability analysis and testing techniques and tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Client-side security Security of Web services XML security Practical cryptography x86 machine code, memory layout, stack operations Exploitation of typical coding mistakes Time and state problems Code quality problems Vulnerability testing and analysis Knowledge sources |
| cl-jsc | Standard Java Security | 14 hours | Description The Java language and the Runtime Environment (JRE) was designed to be free from the most problematic common security vulnerabilities experienced in other languages, like C/C++. Yet, software developers and architects should not only know how to use the various security features of the Java environment (positive security), but should also be aware of the numerous vulnerabilities that are still relevant for Java development (negative security). The introduction of security services is preceded with a brief overview of the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. The use of these components is presented through several practical exercises, where participants can try out the discussed APIs for themselves. The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform, covering both the typical bugs committed by Java programmers and the language- and environment-specific issues. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn to use various security features of the Java development environment Have a practical understanding of cryptography Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in the Java framework Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Foundations of Java security Practical cryptography Java security services Common coding errors and vulnerabilities Knowledge sources |
| cl-jpw | Combined JAVA, PHP and Web Application Security | 28 hours | Even experienced programmers do not master by all means the various security services offered by their development platforms, and are likewise not aware of the different vulnerabilities that are relevant for their developments. This course targets developers using both Java and PHP, providing them essential skills necessary to make their applications resistant to contemporary attacks through the Internet. Levels of Java security architecture are walked through by tackling access control, authentication and authorization, secure communication and various cryptographic functions. Various APIs are also introduced that can be used to secure your code in PHP, like OpenSSL for cryptography or HTML Purifier for input validation. On server side, best practices are given for hardening and configuring the operating system, the web container, the file system, the SQL server and the PHP itself, while a special focus is given to client-side security through security issues of JavaScript, Ajax and HTML5. General web vulnerabilities are discussed by examples aligned to the OWASP Top Ten, showing various injection attacks, script injections, attacks against session handling, insecure direct object references, issues with file uploads, and many others. The various Java- and PHP-specific language problems and issues stemming from the runtime environment are introduced grouped into the standard vulnerability types of missing or improper input validation, improper use of security features, incorrect error and exception handling, time- and state-related problems, code quality issues and mobile code-related vulnerabilities. Participants can try out the discussed APIs, tools and the effects of configurations for themselves, while the introduction of vulnerabilities are all supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to correct the bugs and apply mitigation techniques, and introducing the use of various extensions and tools. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the Java development environment Have a practical understanding of cryptography Learn to use various security features of PHP Understand security concepts of Web services Get practical knowledge in using security testing tools Learn about typical coding mistakes and how to avoid them Be informed about recent vulnerabilities in Java and PHP frameworks and libraries Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Web application vulnerabilities Client-side security Foundations of Java security Practical cryptography Java security services PHP security services PHP Environment Security of Web services Common coding errors and vulnerabilities Knowledge sources |
| cl-csc | C/C++ Secure Coding | 14 hours | Description The training explains in details the mechanisms underlying typical C/C++ security relevant programming bugs – the common security vulnerabilities. The root causes of the problems are explained through a number of easy-to-understand source code examples, which at the same time make clear how to find and correct these problems in practice. The real strength of the course lays in numerous hands-one exercises, which help the participants understand how easy it is to exploit these vulnerabilities by the attackers. The course also gives an overview of practical protection methods that can be applied at different levels (hardware components, the operating system, programming languages, the compiler, the source code or in production) to prevent the occurrence of the various bugs, to detect them during development and before market launch, or to prevent their exploitation during system operation. Through exercises specially tailored to these mitigation techniques participants can learn how simple – and moreover cheap – it is to get rid of various security problems. Participants attending this course will Understand basic concepts of security, IT security and secure coding Realize the severe consequences of unsecure buffer handling Understand the architectural protection techniques and their weaknesses Learn about typical coding mistakes and how to avoid them Be informed about recent vulnerabilities in various platforms, frameworks and libraries Get sources and further readings on secure coding practices Audience Developers IT security and secure coding x86 machine code, memory layout, stack operations Common coding errors and vulnerabilities Principles of security and secure coding Knowledge sources |
| cl-cna | Combined C/C++/C#, ASP.NET and Web Application Security | 28 hours | Serving teams that use managed code (.NET and ASP.NET typically written in C#) together with native code development (typically C/C++), this training gives a comprehensive overview of the security issues in both environments. Concerning C/C++, common security vulnerabilities are discussed, backed by practical exercises about the attacking methods that exploit these vulnerabilities, with the focus on the mitigation techniques that can be applied to prevent the occurrences of these dangerous bugs, detect them before market launch or prevent their exploitation. The course also covers both the various general (like web services) and specific security solutions and tools, and the most frequent and severe security flaws of managed code, dealing with both language-specific issues and the problems stemming from the runtime environment. The vulnerabilities relevant to the ASP.NET platform are detailed along with the general web-related vulnerabilities following the OWASP Top Ten list. The course consists of a number of exercises through which attendees can easily understand and execute attacks and protection methods. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the .NET development environment Have a practical understanding of cryptography Get information about some recent vulnerabilities in .NET and ASP.NET Realize the severe consequences of unsecure buffer handling in native code Understand the architectural protection techniques and their weaknesses Learn about typical coding mistakes and how to avoid them Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Client-side security .NET security architecture and services Practical cryptography Security relevant C/C++ programming bugs and flaws Buffer overflow Some additional native code-related vulnerabilities Common coding errors and vulnerabilities Knowledge sources |
| cl-sdw | Web Application Security with SDL | 21 hours | Description The course gives an insight into secure software design, development and testing through Microsoft Secure Development Lifecycle (SDL) with a focus on web application security. It provides a level 100 overview of the fundamental building blocks of SDL, followed by design techniques to apply to detect and fix flaws in early stages of the development process of web applications. Dealing with the development phase, the course gives an overview of the typical security relevant programming bugs in web applications. In this it follows the OWASP Top Ten, but also introduces some client-side issues tackling Javascript security, Ajax and HTML5. Attack methods are presented for the discussed vulnerabilities along with the associated mitigation techniques, all explained through a number of hands-on exercises providing live hacking fun for the participants. Introduction of different security testing methods is followed by demonstrating the effectiveness of various testing tools. Participants can understand the operation of these tools through a number of practical exercises by applying the tools to the already discussed vulnerable code. Participants attending this course will Understand basic concepts of security, IT security and secure coding Get known to the essential steps of Microsoft Secure Development Lifecycle Learn secure design and development practices Learn about secure implementation principles Learn client-side vulnerabilities and secure coding practices Understand security testing methodology Get sources and further readings on secure coding practices Audience Developers, Managers IT security and secure coding Introduction to the Microsoft® Security Development Lifecycle (SDL) Secure design principles Secure implementation principles Secure implementation principles Client-side security XML security JSON security Secure verification principles SDL in Application Lifecycle Management with TFS Principles of security and secure coding Knowledge sources |
| cl-cjw | Combined C/C++, JAVA and Web Application Security | 28 hours | To serve in the best way heterogeneous development groups that are using various platforms simultaneously during their everyday work, we have merged various topics into a combined course that presents diverse secure coding subjects in didactic manner on a single training event. This course combines C/C++ and Java platform security to provide an extensive, cross-platform secure coding expertise. Concerning C/C++, common security vulnerabilities are discussed, backed by practical exercises about the attacking methods that exploit these vulnerabilities, with the focus on the mitigation techniques that can be applied to prevent the occurrences of these dangerous bugs, detect them before market launch or prevent their exploitation. Security components and service of Java are discussed by presenting the different APIs and tools through a number of practical exercises where participants can gain hands-on experience in using them. The course also covers security issues of web services and the related Java services that can be applied to prevent the most aching threats of the Internet based services. Finally, web- and Java-related security vulnerabilities are demonstrated by easy-to-understand exercises, which not only show the root cause of the problems, but also demonstrate the attack methods along with the recommended mitigation and coding techniques in order to avoid the associated security problems. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the Java development environment Have a practical understanding of cryptography Realize the severe consequences of unsecure buffer handling Understand the architectural protection techniques and their weaknesses Learn about typical coding mistakes and how to avoid them Be informed about recent vulnerabilities in various platforms, frameworks and libraries Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Foundations of Java security Practical cryptography Java security services x86 machine code, memory layout, stack operations Common coding errors and vulnerabilities Common coding errors and vulnerabilities Knowledge sources |
| cl-sdl | Microsoft SDL Core | 14 hours | The Combined SDL core training gives an insight into secure software design, development and testing through Microsoft Secure Development Lifecycle (SDL). It provides a level 100 overview of the fundamental building blocks of SDL, followed by design techniques to apply to detect and fix flaws in early stages of the development process. Dealing with the development phase, the course gives an overview of the typical security relevant programming bugs of both managed and native code. Attack methods are presented for the discussed vulnerabilities along with the associated mitigation techniques, all explained through a number of hands-on exercises providing live hacking fun for the participants. Introduction of different security testing methods is followed by demonstrating the effectiveness of various testing tools. Participants can understand the operation of these tools through a number of practical exercises by applying the tools to the already discussed vulnerable code. Participants attending this course will Understand basic concepts of security, IT security and secure coding Get known to the essential steps of Microsoft Secure Development Lifecycle Learn secure design and development practices Learn about secure implementation principles Understand security testing methodology Get sources and further readings on secure coding practices Audience Developers, Managers Day 1 IT security and secure coding Nature of security IT security related terms Definition of risk Different aspects of IT security Requirements of different application areas IT security vs. secure coding From vulnerabilities to botnets and cybercrime Nature of security flaws Reasons of difficulty From an infected computer to targeted attacks Classification of security flaws Landwehr’s taxonomy The Seven Pernicious Kingdoms OWASP Top Ten 2013 OWASP Top Ten comparison 2003 – 2013 Introduction to the Microsoft® Security Development Lifecycle (SDL) Agenda Applications under attack... Cybercrime Evolution Attacks are focusing on applications Most vulnerabilities are in smaller ISV apps Origins of the Microsoft SDL... Security Timeline at Microsoft... Which apps are required to follow SDL? Microsoft Security Development Lifecycle (SDL) Microsoft Security Development Lifecycle (SDL) Pre-SDL Requirements: Security Training Phase One: Requirements Phase Two: Design Phase Three: Implementation Phase Four: Verification Phase Five: Release – Response Plan Phase Five: Release – Final Security Review Phase Five: Release – Archive Post-SDL Requirement: Response SDL Process Guidance for LOB Apps SDL Guidance for Agile Methodologies Secure Software Development Requires Process Improvement Secure design principles Attack surface Attack surface reduction Attack surface – an example Attack surface analysis Attack surface reduction – examples Privacy Privacy Understanding Application Behaviors and Concerns Defense in depth SDL Core Principle: Defense In Depth Defense in depth – example Least privilege principle Least privilege – example Secure defaults Secure defaults – examples Secure implementation principles Agenda Microsoft Security Development Lifecycle (SDL) Buffer overflow basics Intel 80x86 Processors – main registers The memory address layout The function calling mechanism in C/C++ on x86 The local variables and the stack frame Stack overflow Buffer overflow on the stack Exercises – introduction Exercise BOFIntro Exercise BOFIntro – determine the stack layout Exercise BOFIntro – a simple exploit Input validation Input validation concepts Integer problems Representation of negative integers Integer overflow Arithmetic overflow – guess the output! Exercise IntOverflow What is the value of Math.Abs(int.MinValue)? Integer problem mitigation Integer problem mitigation Avoiding arithmetic overflow – addition Avoiding arithmetic overflow – multiplication Detecting overflow with the checked keyword in C# Exercise – Using the checked keyword in C# Exceptions triggered by overflows in C# Case study –Integer overflow in .NET A real-world integer overflow vulnerability Exploiting the integer overflow vulnerability Path traversal vulnerability Path traversal mitigation Day 2 Secure implementation principles Injection Typical SQL Injection attack methods Blind and time-based SQL injection SQL Injection protection methods Command injection Broken authentication - password management Exercise – Weakness of hashed passwords Password management and storage Special purpose hash algorithms for password storage Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) CSS injection Exploitation: injection through other HTML tags XSS prevention Missing function level access control Filtering file uploads Practical cryptography Providing confidentiality with symmetric cryptography Symmetric encryption algorithms Block ciphers – modes of operation Hash or message digest Hash algorithms Message Authentication Code (MAC) Providing integrity and authenticity with a symmetric key Providing confidentiality with public-key encryption Rule of thumb – possession of private key Typical mistakes in password management Exercise – Hard coded passwords Conclusion Secure verification principles Functional testing vs. security testing Security vulnerabilities Prioritization Security testing in the SDLC Steps of test planning (risk analysis) Scoping and information gathering Stakeholders Assets The attack surface Security objectives for testing Threat modeling Threat modeling Attacker profiles Threat modeling based on attack trees Threat modeling based on misuse/abuse cases Misuse/abuse cases – a simple Web shop example STRIDE per element approach to threat modeling – MS SDL Identifying security objectives Diagramming – examples of DFD elements Data flow diagram – example Threat enumeration – MS SDL’s STRIDE and DFD elements Risk analysis – classification of threats The DREAD threat/risk ranking model Security testing techniques and tools General testing approaches Techniques for various steps of the SDLC Code review Code review for software security Taint analysis Heuristics Static code analysis Static code analysis Static code analysis Exercise – Using static code analysis tools Testing the implementation Manual run-time verification Manual vs. automated security testing Penetration testing Stress tests Fuzzing Automated security testing - fuzzing Challenges of fuzzing Web vulnerability scanners Exercise – Using a vulnerability scanner Checking and hardening the environment Common Vulnerability Scoring System – CVSS Vulnerability scanners Public databases Case study – Forms Authentication Bypass NULL byte termination vulnerability The Forms Authentication Bypass vulnerability in the code Exploiting the Forms Authentication Bypass Knowledge sources Secure coding sources – a starter kit Vulnerability databases .NET secure coding guidelines at MSDN .NET secure coding cheat sheets Recommended books – .NET and ASP.NET |
| cl-jnw | Combined JAVA, .NET and Web Application Security | 21 hours | Both Java and .NET development environments provide powerful means for security development, but developers should know how to apply the various architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities. Providing hands-on knowledge, the course contains numerous exercises on how to use various APIs and tools to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide secured remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more. Most importantly, the course explains the most frequent and severe programming flaws typically committed by programmers. General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of both development platforms. Besides the typical security-relevant Java and .NET bugs, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environments one should be aware of. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Have a practical understanding of cryptography Learn to use various security features of the Java development environment Learn to use various security features of the .NET development environment Get information about some recent vulnerabilities in .NET and ASP.NET Learn about typical coding mistakes and how to avoid them Get information about some recent vulnerabilities in the Java framework Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Practical cryptography Foundations of Java security Java security services .NET security architecture and services ASP.NET security architecture Common coding errors and vulnerabilities Knowledge sources |
| cl-osc | The Secure Coding Landscape | 14 hours | The course introduces some common security concepts, gives an overview about the nature of the vulnerabilities regardless of the used programming languages and platforms, and explains how to handle the risks that apply regarding software security in the various phases of the software development lifecycle. Without going deeply into technical details, it highlights some of the most interesting and most aching vulnerabilities in various software development technologies, and presents the challenges of security testing, along with some techniques and tools that one can apply to find any existing problems in their code. Participants attending this course will Understand basic concepts of security, IT security and secure coding Understand Web vulnerabilities both on server and client side Realize the severe consequences of unsecure buffer handling Be informated about some recent vulnerabilities in development environments and frameworks Learn about typical coding mistakes and how to avoid them Understand security testing approaches and methodologies Audience Managers Agenda Introduction IT security and secure coding Security challenges of various platforms – highlights – C/C++ (native code) secure coding Web application security Java platform security Challenges of security testing |
| cl-sdm | Management Overview on Microsoft SDL | 4 hours | The course provides a brief management level overview on Microsoft Security Development Lifecycle (SDL) by introducing essential concepts, tackling secure design and the nature of the most common vulnerabilities. Selected secure coding topics of various platforms show the importance of proper design and implementation. Test methodologies and most important concepts regarding privacy are also addressed. Audience Managers |
| cl-psc | Secure coding in PHP | 21 hours | The course provides essential skills for PHP developers necessary to make their applications resistant to contemporary attacks through the Internet. Web vulnerabilities are discussed through PHP-based examples going beyond the OWASP top ten, tackling various injection attacks, script injections, attacks against session handling of PHP, insecure direct object references, issues with file upload, and many others. PHP-related vulnerabilities are introduced grouped into the standard vulnerability types of missing or improper input validation, incorrect error and exception handling, improper use of security features and time- and state-related problems. For this latter we discuss attacks like the open_basedir circumvention, denial-of-service through magic float or the hash table collision attack. In all cases participants will get familiar with the most important techniques and functions to be used to mitigate the enlisted risks. A special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5. A number of security-related extensions to PHP are introduced like hash, mcrypt and OpenSSL for cryptography, or Ctype, ext/filter and HTML Purifier for input validation. Hardening best practices are given in connection with PHP configuration (setting php.ini), Apache and the server in general. Finally, an overview is given to various security testing tools and techniques which developers and testers can use, including security scanners, penetration testing and exploit packs, sniffers, proxy servers, fuzzing tools and static source code analyzers. Both the introduction of vulnerabilities and the configuration practices are supported by a number of hands-on exercises demonstrating the consequences of successful attacks, showing how to apply mitigation techniques and introducing the use of various extensions and tools. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Have a practical understanding of cryptography Learn to use various security features of PHP Learn about typical coding mistakes and how to avoid them Be informed about recent vulnerabilities of the PHP framework Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Web application vulnerabilities Client-side security Client-side security Practical cryptography PHP security services PHP Environment Principles of security and secure coding Common coding errors and vulnerabilities Security testing techniques and tools Knowledge sources |
| devopssecurity | DevOps Security: Creating a DevOps security strategy | 7 hours | DevOps is a software development approach that aligns application development with IT operations. Some of the tools that have emerged to support DevOps include: automation tools, containerization and orchestration platforms. Security has not kept up with these developments. In this course, participants will learn how to formulate the proper security strategy to face the DevOps security challenge. Audience Devops engineers Security engineers Format of the course Part lecture, part discussion, some hands-on practice Introduction How DevOps creates more security risk for organizations The price of agility, speed and de-centralized control Inadequacies of traditional security tools Security policies Firewall rules Lack of APIs for integration Lack of visualization tools Implementing a DevOps-ready security program Aligning security with business goals Removing the security bottleneck Implementing detailed visibility Standardizing security configurations Adding sensors into the application Interactive Application Security Testing Runtime Application Self-Protection Providing security data to DevOps tools through RESTful APIs On-demand scaling, micro-perimeterization of security controls Per-resource granular security policies Automating attacks against pre-production code Continually testing the production environment Protecting web applications from an Agile/DevOps perspective Securing containers and clouds Embracing next generation automated security tools The future of DevOps and its strategic role in security Closing remarks |
| cl-anw | Network Security and Secure Communication | 21 hours | Implementing a secure networked application can be difficult, even for developers who may have used various cryptographic building blocks (such as encryption and digital signatures) beforehand. In order to make the participants understand the role and usage of these cryptographic primitives, first a solid foundation on the main requirements of secure communication – secure acknowledgement, integrity, confidentiality, remote identification and anonymity – is given, while also presenting the typical problems that may damage these requirements along with real-world solutions. As a critical aspect of network security is cryptography, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are also discussed. Instead of presenting an in-depth mathematical background, these elements are discussed from a developer's perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many different areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS. Typical crypto vulnerabilities are discussed both related to certain crypto algorithms and cryptographic protocols, such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE and similar, as well as the RSA timing attack. In each case, the practical considerations and potential consequences are described for each problem, again, without going into deep mathematical details. Finally, as XML technology is central for data exchange by networked applications, the security aspects of XML are described. This includes the usage of XML within web services and SOAP messages alongside protection measures such as XML signature and XML encryption – as well as weaknesses in those protection measures and XML-specific security issues such as XML injection, XML external entity (XXE) attacks, XML bombs, and XPath injection. Participants attending this course will Understand basic concepts of security, IT security and secure coding Understand the requirements of secure communication Learn about network attacks and defenses at different OSI layers Have a practical understanding of cryptography Understand essential security protocols Understand some recent attacks against cryptosystems Get information about some recent related vulnerabilities Understand security concepts of Web services Get sources and further readings on secure coding practices Audience Developers, Professionals IT security and secure coding Requirements of secure communication Network security Network security Practical cryptography Security protocols Cryptographic vulnerabilities Security of Web services XML security Knowledge sources |
| cl-wdt | Secure Web Application Development and Testing | 21 hours | Protecting applications that are accessible via the web requires well-prepared security professional who are at all time aware of current attack methods and trends. Plethora of technologies and environments exist that allow comfortable development of web applications. One should not only be aware of the security issues relevant to these platforms, but also of all general vulnerabilities that apply regardless of the used development tools. The course gives an overview of the applicable security solutions in web applications, with a special focus on understanding the most important cryptographic solutions to be applied. The various web application vulnerabilities are presented both on the server side (following the OWASP Top Ten) and the client side, demonstrated through the relevant attacks, and followed by the recommended coding techniques and mitigation methods to avoid the associated problems. The subject of secure coding is wrapped up by discussing some typical security-relevant programming mistakes in the domain of input validation, improper use of security features and code quality. Testing plays a very important role in ensuring security and robustness of web applications. Various approaches – from high level auditing through penetration testing to ethical hacking – can be applied to find vulnerabilities of different types. However if you want to go beyond the easy-to-find low-hanging fruits, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for adversaries it is enough to find one exploitable vulnerability to penetrate into it. Practical exercises will help understanding web application vulnerabilities, programming mistakes and most importantly the mitigation techniques, together with hands-on trials of various testing tools from security scanners, through sniffers, proxy servers, fuzzing tools to static source code analyzers, this course gives the essential practical skills that can be applied on the next day at the workplace. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Have a practical understanding of cryptography Understand security testing approaches and methodologies Get practical knowledge in using security testing techniques and tools Be informed about recent vulnerabilities in various platforms, frameworks and libraries Get sources and further readings on secure coding practices Audience Developers, Testers IT security and secure coding Web application security Client-side security Client-side security Practical cryptography XML security JSON security Denial of service Security testing Security testing techniques Principles of security and secure coding Knowledge sources |
| iast | Interactive Application Security Testing (IAST) | 14 hours | Interactive Application Security Testing (IAST) is a form of application security testing that combines Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) or Runtime Application Self-protection (RASP) techniques. IAST is able to report the specific lines of code responsible for a security exploit and replay the behaviors leading to and following such an exploit. In this instructor-led, live training, participants will learn how to secure an application by instrumenting runtime agents and attack inducers to simulate application behavior during an attack. By the end of this training, participants will be able to: Simulate attacks against applications and validate their detection and protection capabilities Use RASP and DAST to gain code-level visibility into the data path taken by an application under different runtime scenarios Quickly and accurately fix the application code responsible for detected vulnerabilities Prioritize the vulnerability findings from dynamic scans Use RASP real-time alerts to protect applications in production against attacks. Reduce application vulnerability risks while maintaining production schedule targets Devise an integrated strategy for overall vulnerability detection and protection Audience DevOps engineers Security engineers Developers Format of the course Part lecture, part discussion, exercises and heavy hands-on practice To request a customized course outline for this training, please contact us. |
| cl-nws | Network Security | 14 hours | Since all applications today heavily rely on communication and networks, there is no application security without network security. This course focuses on network security with a software security viewpoint, and discusses common network attacks and defenses on different OSI layers, with an emphasis on application layer issues, tackling topics like session management or denial of service. As cryptography is a critical aspect of network security, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography, and key agreement are also discussed. Instead of presenting an in-depth mathematical and theoretical background, these elements are discussed from a merely practical, engineering perspective, showing typical use-case examples and practical considerations related to the use of crypto, such as public key infrastructures. Security protocols in many different areas of secure communication are introduced, with an in-depth discussion on the most widely-used protocol families such as IPSEC and SSL/TLS. Finally, typical crypto vulnerabilities are discussed – both related to certain crypto algorithms and cryptographic protocols, such as BEAST, CRIME, TIME, BREACH, FREAK, Logjam, Padding oracle, Lucky Thirteen, POODLE and similar, as well as the RSA timing attack. In each case, the practical considerations and potential consequences are described for each problem, again, without going into deep mathematical details. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn about network attacks and defenses at different OSI layers Have a practical understanding of cryptography Understand essential security protocols Understand some recent attacks against cryptosystems Get information about some recent related vulnerabilities Get sources and further readings on secure coding practices Audience Developers, Professionals IT security and secure coding Network security Practical cryptography Security protocols Cryptographic vulnerabilities Knowledge sources |
| cl-sts | Security Testing | 14 hours | After getting familiar with the vulnerabilities and the attack methods, participants learn about the general approach and the methodology for security testing, and the techniques that can be applied to reveal specific vulnerabilities. Security testing should start with information gathering about the system (ToC, i.e. Target of Evaluation), then a thorough threat modeling should reveal and rate all threats, arriving to the most appropriate risk analysis-driven test plan. Security evaluations can happen at various steps of the SDLC, and so we discuss design review, code review, reconnaissance and information gathering about the system, testing the implementation and the testing and hardening the environment for secure deployment. Many different security testing techniques are introduced in details, like taint analysis and heuristics-based code review, static code analysis, dynamic web vulnerability testing or fuzzing. Various types of tools are introduced that can be applied in order to automate security evaluation of software products, which is also supported by a number of exercises, where we execute these tools to analyze the already discussed vulnerable code. Many real life case studies support better understanding of various vulnerabilities. This course prepares testers and QA staff to adequately plan and precisely execute security tests, select and use the most appropriate tools and techniques to find even hidden security flaws, and thus gives essential practical skills that can be applied on the next day working day. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Understand security testing approaches and methodologies Get practical knowledge in using security testing techniques and tools Get sources and further readings on secure coding practices Audience Developers, Testers IT security and secure coding Web application security Client-side security Security testing Security testing techniques and tools Code review Common coding errors and vulnerabilities Reconnaissance and information gathering Testing the implementation Checking and hardening the environment Case study - Double bug in Java Case study - Shellshock Case study - Heartbleed Knowledge sources |
| cl-cls | Application Security in the Cloud | 21 hours | Migrating to the cloud introduces immense benefits for companies and individuals in terms of efficiency and costs. With respect to security, the effects are quite diverse, but it is a common perception that using cloud services impacts security in a positive manner. Opinions, however, diverge many times even on defining who is responsible for ensuring the security of cloud resources. Covering IaaS, PaaS and SaaS, first the security of the infrastructure is discussed: hardening and configuration issues as well as various solutions for authentication and authorization alongside identity management that should be at the core of all security architecture. This is followed by some basics regarding legal and contractual issues, namely how trust is established and governed in the cloud. The journey through cloud security continues with understanding cloud-specific threats and the attackers’ goals and motivations as well as typical attack steps taken against cloud solutions. Special focus is also given to auditing the cloud and providing security evaluation of cloud solutions on all levels, including penetration testing and vulnerability analysis. The focus of the course is on application security issues, dealing both with data security and the security of the applications themselves. From the standpoint of application security, cloud computing security is not substantially different than general software security, and therefore basically all OWASP-enlisted vulnerabilities are relevant in this domain as well. It is the set of threats and risks that makes the difference, and thus the training is concluded with the enumeration of various cloud-specific attack vectors connected to the weaknesses discussed beforehand. Participants attending this course will Understand basic concepts of security, IT security and secure coding Understand major threats and risks in the cloud domain Learn about elementary cloud security solutions Get information about the trust and the governance regarding the cloud Have a practical understanding of cryptography Get extensive knowledge in application security in the cloud Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Understand the challenges of auditing and evaluating cloud systems for security Learn how to secure the cloud environment and infrastructure Get sources and further readings on secure coding practices Audience Developers, Managers, Professionals IT security and secure coding Threats and risks in the clouds Cloud security solutions Trust and governance Practical cryptography Common implementation mistakes Web application security Security audit in the cloud Securing the cloud environment Data security in the cloud Knowledge sources |
| cl-wts | Web Application Security Testing | 14 hours | Testing plays a very important role in ensuring security and robustness of web applications. Various approaches – from high level auditing through penetration testing to ethical hacking – can be applied to find vulnerabilities of different types. However if you want to go beyond the easy-to-find low-hanging fruits, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for adversaries it is enough to find one exploitable vulnerability to penetrate into it. Attending this course will prepare software testers to adequately plan and precisely execute security tests, select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises will help understanding web application vulnerabilities and mitigation techniques, together with hands-on trials of various testing tools from security scanners, through sniffers, proxy servers, fuzzing tools to static source code analyzers, this course gives the essential practical skills that can be applied on the next day at the workplace. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Understand security testing approaches and methodologies Get practical knowledge in using security testing techniques and tools Be informed about recent vulnerabilities in various platforms, frameworks and libraries Get sources and further readings on secure coding practices Audience Developers, Testers IT security and secure coding Web application security Client-side security Client-side security Security testing Security testing techniques Knowledge sources |
| cl-wps | Windows Phone Security | 14 hours | Windows Phone 7 is Microsoft’s new platform for mobile devices. The course gives a comprehensive overview of the platform’s security features and their limitations. Each component of the Windows Phone 7 architecture is examined from a security standpoint, along with best practices on how to utilize the security features when developing software for the platform. The course explains the strengths and weaknesses of WP7’s security architecture along with typical mistakes to avoid when developing software for the platform. Audience Professionals |
| cl-wsc | Web Application Security | 14 hours | Protecting applications that are accessible via the web requires well-prepared security professional who are at all time aware of current attack methods and trends. Plethora of technologies and environments exist that allow comfortable development of web applications (like Java, ASP.NET or PHP, as well as Javascript or Ajax on the client side). One should not only be aware of the security issues relevant to these platforms, but also of all general vulnerabilities that apply regardless of the used development tools. The course gives an overview of the applicable security solutions in web applications, focusing on the most important technologies like secure communication and web services, tackling both transport-layer security and end-to-end security solutions and standards like Web Services Security and XML. It also gives a brief overview of the typical programming mistakes, above all connected to missing or improper input validation. The web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained to avoid the associated problems. Exercises can be easily followed by programmers using different programming languages, thus the web application-related topics can be easily combined with other secure coding subjects, and can thus effectively satisfy the needs of corporate development groups, who typically deal with various languages and development platforms to develop web applications. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Have a practical understanding of cryptography Understand security concepts of Web services Get practical knowledge in using security testing tools Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Client-side security Practical cryptography Security of Web services XML security Knowledge sources |
| cl-ios | IOS Security | 14 hours | iOS is a mobile operating system distributed exclusively for Apple hardware and designed with security at its core; key security features including sandboxing, native language exploit mitigations or hardware supported encryption all offer a very effective environment for secure software development. The devil is however in the details – a programmer can still commit plenty of mistakes to make the resulting apps vulnerable. This course introduces the iOS security model and the usage of various components, but also deals with relevant vulnerabilities and attacks, focusing on the mitigation techniques and best practices for avoiding them. Recommended for programmers developing apps who want to understand the security features of iOS as well as the typical mistakes one can commit on this platform. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn the security solutions on iPhone Learn to use various security features of iOS Get information about some recent vulnerabilities of iOS Learn about typical coding mistakes and how to avoid them Get practical knowledge in using security testing tools for iOS Get sources and further readings on secure coding practices Audience Professionals IT security and secure coding iOS security overview Application security Buffer overflow protection on iOS Knowledge sources |
| cl-nwa | Advanced C#, ASP.NET and Web Application Security | 21 hours | Beyond a solid knowledge in using various security features of .NET and ASP.NET, even for experienced programmers it is essential to have a deep knowledge in web-related vulnerabilities both on server and client side along with the consequences of the various risks. In this course the general web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of ASP.NET. A special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5. The course also deals with the security architecture and components of the .NET framework, including code- and role based access control, permission declaration and checking mechanisms and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and the operation of various algorithms, based on which the course presents the cryptographic features that can be used in .NET. Introduction of different security bugs follows the well-established vulnerability categories, tackling input validation, security features, error handling, time- and state-related problems, the group of general code quality issues, and a special section on ASP.NET-specific vulnerabilities. These topics are concluded with an overview on testing tools that can be used to automatically reveal some of the learnt bugs. Topics are presented through practical exercises where participants can try out the consequences of certain vulnerabilities, the mitigations, as well as the discussed APIs and tools for themselves. Participants attending this course will Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Learn to use various security features of the .NET development environment Have a practical understanding of cryptography Get information about some recent vulnerabilities in .NET and ASP.NET Get practical knowledge in using security testing tools Learn about typical coding mistakes and how to avoid them Get sources and further readings on secure coding practices Audience Developers IT security and secure coding Web application security Client-side security Client-side security .NET security architecture and services Practical cryptography ASP.NET security architecture Common coding errors and vulnerabilities Principles of security and secure coding Knowledge sources |
Other countries
Consulting
Secure Code Schulung, Secure Code boot camp, Secure Code Abendkurse, Secure Code Wochenendkurse
, Secure Code Coaching, Secure Code Training,Secure Code Kurs, Secure Code Privatkurs, Secure Code Seminar, Secure Code Lehrer
