Call : (+91) 968636 4243
Mail : info@EncartaLabs.com
EncartaLabs

Secure Software Development

( Duration: 3 Days )

COURSE AGENDA

1. Secure Software Concepts

  • Core Concepts
    • Confidentiality
    • Integrity (e.g., reliability, alterations, authenticity)
    • Availability
    • Authentication
    • Authorization
    • Accounting
    • Nonrepudiation
  • Security Design Principles
    • Least Privilege
    • Separation of Duties
    • Defense in Depth
    • Fail Safe
    • Economy of Mechanism
    • Complete Mediation
    • Open Design
    • Least Common Mechanism
    • Psychological Acceptability
    • Weakest Link
    • Leveraging Existing Components
  • Privacy (e.g., data anonymization, user consent, disposition, test data management)
  • Governance, Risk and Compliance (GRC)
    • Regulations and compliance
    • Legal (e.g., intellectual property, breach notification)
    • Standards (e.g., ISO, PCI, NIST)
    • Risk Management
2. Secure Software Requirements

  • Policy Decomposition (e.g., Internal and External Requirements)
  • Data Classification and Categorization
    • Data Ownership (e.g., data owner, data custodian)
    • Labeling (e.g., sensitivity, impact)
    • Types of Data (e.g., structured, unstructured data)
    • Data life-cycle (e.g., generation, retention, disposal)
  • Functional Requirements (e.g., Use Cases and Abuse Cases)
    • Role and user definitions (who)
    • Deployment environment (where)
    • Object (what)
    • Activities/actions (how)
    • Sequencing and timing (when)
  • Operational Requirements (e.g., how the software is deployed, operated, managed)
3. Secure Software Design

  • Design Processes
    • Attack surface evaluation
    • Threat modeling (e.g., APT, insider threat, common malware, third party/supplier)
    • Control identification and prioritization
    • Documentation
    • Design and architecture technical review (e.g., reviewing interface points and deployment diagram, walk-throughs to verify requirements)
    • Risk Assessment for Code Reuse
  • Design Considerations
    • Application of Methods to Address Core Security Concepts
    • Security Design Principles
    • Interconnectivity
    • Interfaces (e.g., security management interfaces, out-of-band management, log interfaces)
  • Securing Commonly Used Architecture
    • Distributed computing (e.g., client server, peer-to-peer, message queuing)
    • Service-oriented architecture (e.g., enterprise service bus, web services)
    • Rich Internet applications (e.g., client side exploits or threats, remote code execution, constant connectivity)
    • Pervasive/Ubiquitous computing (e.g., wireless, location-based, RFID, near field communication, sensor networks)
    • Integration with existing architectures
    • Cloud Architectures (e.g., software as a service, platform as a service, infrastructure as a service)
    • Mobile applications
  • Technologies
    • Authentication and Identity Management
    • Credential management (e.g., X.509 and SSO)
    • Flow control (e.g., proxies, firewalls, middleware, message queuing)
    • Logging (e.g., application event logs, syslog)
    • Data Loss Prevention (DLP)
    • Virtualization
    • Digital Rights Management (DRM)
    • Trusted Computing (e.g., TPM, TCB, malware, code signing)
    • Database security (e.g., encryption, triggers, views, privilege management)
    • Programming Language Environment (e.g., CLR, JVM, compiler switches, sandboxing)
    • Operating Systems
4. Secure Software Implementation/Coding

  • Declarative versus Imperative (Programmatic) Security
  • Vulnerability Databases/Lists (e.g., OWASP Top 10, CWE)
  • Defensive Coding Practices and Controls
    • Concurrency
    • Configuration
    • Cryptography
    • Output Sanitization (e.g., Encoding)
    • Error Handling
    • Input Validation
    • Logging & Auditing
    • Session Management
    • Exception management
    • Safe APIs
    • Type Safety
    • Memory Management (e.g., locality, garbage collection)
    • Configuration Parameter Management (e.g., start-up variables, cryptographic agility)
    • Tokenizing
    • Sandboxing
  • Source Code and Versioning
  • Development and Build environment (e.g., build tools, automatic build script)
  • Code Analysis (e.g., static, dynamic)
  • Anti-tampering Techniques (e.g., code signing, obfuscation)
5. Secure Software Testing

  • Testing Artifacts (e.g., strategies, plans, cases)
  • Testing for Security and Quality Assurance
    • Functional Testing (e.g., logic)
    • Nonfunctional Testing (e.g., reliability, performance, scalability)
    • Security Testing (e.g., white box and black box)
    • Environment (e.g., interoperability, test harness)
    • Bug tracking (e.g., defects, errors and vulnerabilities)
    • Attack surface validation
    • Standards (e.g., ISO, OSSTMM, SEI)
  • Types of Testing
    • Penetration
    • Fuzzing (e.g., generated, mutated)
    • Scanning (e.g., vulnerability, content, privacy)
    • Simulation (e.g., environment and data)
    • Failure (e.g., fault injection, stress testing, break testing)
    • Cryptographic validation (e.g., PRNG)
    • Regression
    • Continuous (e.g., synthetic transactions)
  • Impact Assessment and Corrective Action
  • Test Data Lifecycle Management (e.g., privacy, dummy data, referential integrity)

Encarta Labs Advantage

  • One-stop corporate training solution provider for over 6,000 courses on a variety of subjects
  • All courses are delivered by industry veterans
  • Get jumpstarted from newbie to production-ready in a matter of a few days
  • Trained more than 50,000 Corporate executives across the Globe
  • All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.
