Fundamentals of Secure Application Development

Learn the best practices for secure application development

Course Code : 1907

$1395

Overview

From proactive requirements to coding and testing, the Fundamentals of Secure Application Development course covers the best practices that help participants avoid leaving users, customers and organizations vulnerable to attack at the application layer. The course prepares participants to return to work ready to build higher-quality, more robust, protected applications.

Schedule Classes

Delivery Format | Starting Date | Starting Time | Duration | Location
Live Classroom | Monday, 30 September 2019 | 8:30 AM - 4:30 PM EST | 2 Days | Washington, DC
Live Classroom | Monday, 28 October 2019 | 8:30 AM - 4:30 PM EST | 2 Days | Kansas City, MO
Live Classroom | Monday, 18 November 2019 | 8:30 AM - 4:30 PM EST | 2 Days | New York, NY
Live Classroom | Monday, 9 December 2019 | 8:30 AM - 4:30 PM EST | 2 Days | San Francisco, CA

Course Delivery

This course is available in the following formats:

Live Classroom
Duration: 2 days

Live Virtual Classroom
Duration: 2 days

What You'll Learn

  • Secure software development
  • Security contexts and security policies
  • Security terms and requirements
  • Analysis for secure development
  • Coding and verification
  • Testing the code for security
  • Managing and operating secure software
  • Improving the security of software development processes

Outline

  • Assets, threats and vulnerabilities
  • Security risk analysis (Bus and Tech)
  • Secure development processes (MS, BSI, etc.)
  • Defense in depth
  • Approach for this course
  • Introductory case study
  • Assets to be protected
  • Threats expected
  • Security imperatives (Internal and external)
  • Organization’s risk appetite
  • Security terminology
  • Organizational security policy
  • Security roles and responsibilities
  • Security training for roles
  • Generic security goals and requirements
  • Exercise: Our own security context
  • Project-specific security terms
  • Project-related assets and security goals
  • Product architecture analysis
  • Use cases and misuse/abuse cases
  • Dataflows with trust boundaries
  • Product security risk analysis
  • Elicit, categorize, prioritize SecRqts
  • Validate security requirements
  • Exercise: Managing security requirements
  • High level design
    • Architectural risk analysis
    • Design requirements
    • Analyze attack surface
    • Threat modelling
    • Trust boundaries
    • Eliminate race objects
  • Detail-level design
    • Secure design principles
    • Use of security wrappers
    • Input validation
    • Design pitfalls
    • Validating design security
    • Pairing mem mgmt. functions
    • Exclude user input from format strings
    • Canonicalization
    • TOCTOU
    • Close race windows
    • Taint analysis
    • Exercise: A secure software design, Instructor Q & A
  • Coding
    • Developer guidelines and checklists
    • Compiler security settings (per)
    • Tools to use
    • Coding standards (per language)
    • Common pitfalls (per language)
    • Secure/safe functions/methods
      • Stack canaries
      • Encrypted pointers
      • Memory initialization
      • Function return checking (e.g. malloc)
      • Dereferencing pointers
    • Integer type selection
      • Range checking
      • Pre/post checking
    • Synchronization primitives
  • Early verification
    • Static analysis (code review w/tools)
    • Unit and dev team testing
    • Risk-based security testing
    • Taint analysis
    • Exercise: Secure coding Q & A
  • Assets to be protected
  • Threats expected
  • Security imperatives (internal and external)
  • Organization’s risk appetite
  • Static analysis
  • Dynamic analysis
  • Risk-based security testing
  • Fuzz testing (whitebox vs. blackbox)
  • Penetration testing (whitebox vs. blackbox)
  • Attack surface review
  • Code audits
  • Independent security review
  • Exercise: Testing software for security
  • Incident response planning
  • Final security review
  • Release archive
  • OS protections
    • Address space layout randomization
    • Non-executable stacks
    • W^X
    • Data execution prevention
  • Monitoring
  • Incident response
  • Penetration testing
  • Exercise: A secure software release
  • Process review
  • Getting started
  • Priorities
  • Exercise: Your secure software plan

Prerequisites

Participants need to have a basic understanding and working knowledge of application and software development.

Who Should Attend

The course is highly recommended for:

  • Application development managers
  • Software engineers
  • Software developers
  • CISOs, CISAs and security professionals
  • Software testers
  • QA managers, directors and staff
  • Test management
  • Business analysts
  • Project managers
  • IT specialists (security, capacity management, networking)
