Training Course Outline: Application Security and the SDLC

Description

This course describes how to integrate Security throughout the Software Development Lifecycle (SDLC), from the earliest stages of the project all the way to maintenance and decommissioning. It presents a comprehensive understanding of what to do at each stage of the project and development process to assure robust security is an integral part of your applications.

Audience

Software developers, Business Analysts, Project Managers, and security staff seeking to gain a practical understanding of key security considerations at each step of the project and development lifecycle. Those seeking to improve the security of their applications through a disciplined and holistic approach to software development.

Duration

1 Days

Objectives

  • Recognize the opportunities to introduce and validate security throughout the SDLC
  • Understand how to capture, communicate, and validate Security Requirements
  • Be familiar with Best Practices in secure application design
  • Be prepared to review software designs for vulnerabilities
  • Be familiar with how to avoid introducing vulnerabilities during software construction
  • Be prepared to test application security
  • Be familiar with security considerations during system Deployment
  • Understand how to maintain robust application security during the maintenance phase
  • Be familiar with security considerations during system Decommissioning of Firewall and VPN technology

Setup

  •  None

Text

  • Course Workbook

Prerequisites

  • A solid understanding of Software Development Lifecycle (SDLC)

Outline

Topic 1:     Introduction

  • Welcome
  • Course Objectives
  • Course Overview
  • Motivation for Application Security
  • Application Security in Perspective
  • The Software Development Lifecycle (SDLC)
  • Quiz

Topic 2:     Security and Project Initiation

  • Security and Project Initiation
  • Project Charter: Rough Estimate
  • Project Charter: Business Case
  • Investments and Returns
  • Investments and Time
  • Economic Value Added (EVA)
  • Net Present Value (NPV)
  • A Project as an Investment
  • Tangible and Intangible Benefits
  • Investments and Risk
  • The ROI of Application Security
  • Business Case Review
  • Constraints, Assumptions, and Issues
  • Lab Exercise: Finding Motivation
  • Quiz

Topic 3:     Gathering Security Requirements

  • Gathering Security Requirements
  • Access Control: Authentication
  • Access Control: Authorization
  • Password Management
  • Client / Server Input Validation
  • Handling Malformed Input
  • Data Handling
  • System Integrity and Updates
  • System Interfaces
  • System Monitoring
  • Infrastructure Requirements
  • Accountability and Logging
  • Avoiding Common Vulnerabilities
  • The Security Requirements Review
  • Lab Exercise: A Simple Form
  • Quiz

Topic 4:     Designing Secure Software

  • Designing Secure Software
  • Secure Application Design
  • Finite State Machine (FSM) Modeling
  • UML: State Machine Diagram
  • Finite State Machine and Security
  • State Management
  • Data Management
  • Application Security Configuration
  • Data Sanitization
  • Recognizing and Handling Invalid Transitions
  • A Security Manager
  • Direct Object References
  • Avoiding Common Vulnerabilities
  • The Security Design Review
  • Lab Exercise: Affairs of State
  • Quiz

Topic 5:     Constructing Secure Software

  • Constructing Secure Software
  • Implementation Errors
  • Numeric Overflow and Wrap Around
  • Buffer Overflow
  • Misuse of Pointers
  • Format Strings
  • Unsafe Functions
  • Session Management
  • Dynamic SQL
  • Hardcoded Credentials
  • The Security Code Review
  • Lab Exercise: The Security Code Review
  • Quiz

Topic 6:     Testing Application Security

  • Testing Application Security
  • Testing Concepts and Terms
  • Security Requirements Test Cases
  • Security Testing Tools
  • Internal Penetration Testing
  • Miscellaneous
  • Lab Exercise: Discovering Test Cases
  • Quiz

Topic 7:     System Deployment, Maintenance, and Decommissioning

  • System Deployment
  • System Deployment Considerations
  • System Maintenance
  • System Maintenance Considerations
  • System Decommissioning
  • Decommissioning Considerations
  • Lab Exercise: Maintaining Security
  • Quiz

Appendix     Quiz Answers

Appendix     Lab Solutions