Cigital Course Details

Course Description
Software Security Fundamentals
Provides security knowledge at the depth each audience needs in order to improve your software development processes.
Awareness for Executives
(2 hours)
Aimed at managers and executives, this overview demonstrates the importance of software security in modern software development.
Foundations and Core Principles
(1 day)
An overview of software security that provides a foundation for more in-depth security courses. Explains attack patterns and the software security touchpoints necessary to improve your software development lifecycle.
Foundations and Detailed Principles
(2 days)
A standalone, detailed course that explains all the software security touchpoints in depth. Begins with a comprehensive overview of the software security problem, walks through each of the software security touchpoints, and explains the Seven Pernicious Kingdoms of Software Security Errors together with ways of avoiding and addressing them.
Architecture and Design
Explains how to review existing architectures for security flaws and how to analyze new designs to help prevent security flaws from being introduced.
Security Requirements and Abuse Cases
(1 day)
Walks through the process of expanding a system's functional requirements to include non-functional security requirements. Discusses elicitation processes such as JAD and IBIS, and the use of misuse and abuse cases to pinpoint new requirements.
Architecture Risk Analysis
(1 day)
Examines the architecture and design of software systems to expose security risk. Teaches how to model threats, trust and data sensitivity to help identify abuse cases. Focuses on three component analyses: Attack Resistance Analysis, Ambiguity Analysis, and Weakness Analysis.
Software Security Coding Errors & Defensive Programming
Presented in the context of specific languages and development platforms; includes advice on defensive programming to prevent errors from occurring.
Defensive Programming: Java EE
(1 day)
Focuses on common mistakes made in web applications built on the Java Enterprise Edition (Java EE, formerly J2EE) platform. Covers the Java coding errors that present themselves in Java Enterprise architectures.
Defensive Programming: C/C++
(1 day)
Focuses on common mistakes made in C/C++ applications in client/server and distributed systems on Windows and Unix platforms.
Defensive Programming: C# .NET
(1 day)
Focuses on common mistakes made when building .NET applications with C#.
Software Security Code Review
Explains how to use automated tools and manual inspection techniques to understand and evaluate source code in the context of security problems.
Static Analysis for Secure Code Review
(2 days)
Uses a combination of automated code scanners, code navigation tools, and manual processes to expose security vulnerabilities in software. Explains the technical approach to security code review and gives students hands-on experience with the tools. Explains how to augment existing code review activities with a security-centric approach.
Security Testing
Explains how to "think like a bad guy" and add security testing to existing test strategies.
Risk-Based Security Testing
(1 day)
Describes a method for using real-world security risks drawn from Architecture Risk Analysis and Abuse Cases to augment test strategies and test plans so that they properly expose security risk during development. Helps test planners "think like an attacker" during analysis. Includes a simple "risk bootstrapping" approach for getting started even when no early-lifecycle activities exist to build initial risk lists.