Description
Business Analysts are being called upon as never before to include functional and non-functional security requirements in their Requirements specifications. Writing Security Requirements for web applications is not intuitive, and to be effective you need to provide the additional information that developers need to create robust applications. This course provides the insights you need to augment Requirements specifications with practical information that will facilitate the creation of secure sites.
Audience
Experienced Business Analysts who wish to produce comprehensive and concise Security Requirements for their web applications. Development teams that want to build secure applications from the beginning.
Duration
1 Day
Objectives
- Be familiar with the Secure Software Development Lifecycle
- Understand what developers need to know to produce secure features
- Understand what Use Cases are and their value in specifying Security Requirements
- Be prepared to address Authentication in Security Requirements
- Be prepared to address role-based Access Control in Security Requirements
- Be prepared to address secure I/O in Security Requirements
- Be prepared to address secure data handling in Security Requirements
- Be prepared to address secure Session management in Security Requirements
Setup
- None
Text
- Course Workbook
Prerequisites
- A solid understanding of web application Requirements gathering and documentation
Outline
Topic 1: Introduction
- Welcome
- Motivation
- Course Objectives
- Course Overview
- The Software Development Lifecycle (SDLC)
- Security in the SDLC
- The Importance of Security Requirements
- Application Security in Context
- Lab Exercise: Requiring Security
- Quiz
Topic 2: Requirements Gathering
- Purpose, Process, Deliverables
- Who Gathers Requirements?
- Types Of Requirements
- Requirements Outline Template
- Information Gathering Techniques
- Effective Communication
- Active Listening
- Facilitating Requirements Sessions
- Requirements Verification
- Facilitating Requirements Reviews
- Errors, Messages, and Logging
- Lab Exercise: Planning Requirements Gathering
- Quiz
Topic 3: Security Requirements
- Authentication
- Protecting Sensitive Information
- Role-based Access Control
- Secure I/O
- Form Considerations
- Recognizing and Responding to Attack
- Session Management
- Lab Exercise: Documenting Security Requirements
- Quiz
Topic 4: Overview of Use Case Analysis
- Use Cases As Actor/Goals Lists
- Identifying Actors
- Documenting Objectives
- Preconditions, Guarantees, and Triggers
- Use Case Prioritization
- Actors/Goals List
- Lab Exercise: Documenting Actors and Goals
- Quiz
- Use Cases As Narratives
- Use Case Narratives
- Primary Scenario
- Scenario Steps
- Alternative Scenarios
- Exception Scenarios
- Sequence Numbering
- Use Case Example
- When Are We Done?
- Lab Exercise: Documenting Use Case Narratives
- Quiz
Topic 5: Authentication
- Users, Roles, and Accounts
- Certificate-based Authentication
- Single vs. Multi-Factor Authentication
- Password Strength
- Password Reset
- Security Questions
- Re-authentication
- Lab Exercise: Who Are You?
- Quiz
Topic 6: Protecting Sensitive Information
- Defining Sensitive Information
- Protection at Rest
- Protection in Transit
- In-Memory Handling
- Data Masking
- Logging and Other Output
- Lab Exercise: Data Masking at Home
- Quiz
Topic 7: Role-based Access Control
- Users, Roles, and Accounts
- Principle of Least Privilege
- Enforcing Navigation
- Maintaining State
- Protecting Critical Transactions
- Dynamic Control Management
- Dynamic Permissions Management
- Lab Exercise: Role Play
- Quiz
Topic 8: Secure I/O
- Trust Zones
- What is Untrusted Input?
- Validating Untrusted Input
- Data Metadata
- Users, Roles, and Accounts
- Secure File Handling
- Handling Filenames and Directories
- Handling URLs
- Denial of Service Considerations
- Lab Exercise: File Upload
- Quiz
Topic 9: Form Considerations
- How HTTP Works
- GET vs. POST
- Request Parameters
- Cookies
- Field-Level Validation
- Cross-Field Validation
- Parameter Metadata
- Client-Side and Server-Side Validation
- Detecting Automation
- Avoiding Multiple Submission
- Client-Side Validation
- Lab Exercise: Design a Form
- Quiz
Topic 10: Data Handling
- What is an Injection Attack?
- Encoding to Prevent Injection
- Avoiding Denial of Service
- Lab Exercise:
- Quiz
Topic 11: Session Management
- What is a Session?
- Session Tracking
- The Session Lifecycle
- Lab Exercise:
- Quiz
Appendix: Quiz Answers
Register
For more information or to register for this training course, call 1-800-840-2335 or contact us on our website.