90% of data breaches are caused by software vulnerabilities.
Offered in partnership with
Get the skills you need to build secure software applications
Secure Software Development (SSD) Advanced Level Certificate
www.ce.ucf.edu/ssd
REGISTER ONLINE NOW www.ce.ucf.edu/ssd 866-232-5834
An SSD certificate is highly regarded because it addresses the root cause of data breaches – application layer vulnerabilities. The knowledge attained is not general purpose; it is specialized and critical to thwarting cybercrime.
The SSD Certificate Program provides assurance that an individual has demonstrated mastery of real-world software security skills. The knowledge and techniques taught in this certificate program are based on material developed by experts in the application security field, and offer both defensive techniques and awareness of how a hacker will attack software applications.
Certificate Course Work
Advanced Level Certificate Course hours: 8
• Creating Secure Code – C/C++ Foundations OR Creating Secure Code – JRE Foundations OR Understanding Secure Code for .NET 4.0
• Architecture Risk Analysis
• How to Create an Application Security Threat Model
• Attack Surface Analysis & Reduction
• Choice: How to Test for the OWASP Top Ten OR Classes of Security Defects
• Choice: Creating Secure Code – iPhone Foundations OR Creating Secure Code – Android Foundations
About UCF
• Second largest university in the nation
• Top 10 among U.S. universities for the power and impact of its patents
• Ranked fifth, “Top Up-and-coming” national university by U.S. News & World Report
UCF Stands for Opportunity
Benefits
Individuals
• Be a real influencer in cybersecurity
• Learn skills that increase your marketability
• Take courses at your convenience
• Earn CPE/CEU credits
Corporations
• Secure mission-critical applications
• Reduce IT and data risk
• Comply with mandates for security training
• Demonstrate commitment to customers
Secure Software Development (SSD) Certificate Program
Creating Secure Code – C/C++ Foundations
Course Description
This course will provide an overview of the threat modeling process and describe the ways to collect information for your application, build the activity matrix and threat profile, and analyze risks. It will also teach you the nine defensive coding principles and how to use these principles to prevent common security vulnerabilities.
Modules
Threat Modeling
After completing this module, you will be able to:
• Identify threats proactively
• Create threat trees for your components
• Use threat trees to find vulnerabilities
• Classify vulnerabilities
• Perform risk analysis and prioritize security fixes
Defensive Coding Principles
This module provides an overview of nine defensive coding principles that can be used in any programming language. After completing this module, you will be able to:
• List the time-tested defensive coding principles
• Use the coding principles to prevent common security vulnerabilities
Objectives
• Perform threat modeling to identify vulnerabilities and analyze risks
• Leverage time-tested defensive coding principles to design and develop secure applications
Assessment
Participants will complete various self-test questions throughout the course
Creating Secure Code – JRE Foundations
Course Description
In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them.
Modules
Common Java Web Software Security Vulnerabilities: Part 1
This module covers common vulnerabilities, including data leakage and client or server protocol manipulation attacks. These attacks evade code reviews and test teams; they include decisions based on referrer tags, information disclosure, and failure to validate user input. You will learn what these vulnerabilities look like in code and see how you can fix them. After completing this module, you will be able to recognize and mitigate common Java Web software security vulnerabilities.
Common Java Web Software Security Vulnerabilities: Part 2
This module will cover:
• Injection Attacks:
o SQL Injection
o Cross-site Scripting (XSS)
Common Java Web Software Security Vulnerabilities: Part 3
This module will cover:
• Exploiting Authentication:
o Session Hijacking
o Session Fixation
o Cross-site Request Forgery (CSRF)
Assessment
Participants will complete various self-test questions throughout the course
Understanding Secure Code – .NET 4.0
Course Description
This course describes .NET security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. It also provides secure coding best practices that will enable you to build more secure applications in .NET.
Modules
Explaining .NET Security Features
In order to build secure applications in .NET, it is important that you first understand the .NET Framework and the security features it offers. This module provides you with the knowledge you need to understand the foundation of .NET, the CLR’s native security infrastructure (Code Access Security), cryptographic technologies, and the ASP.NET security infrastructure. After completing this module, participants will be able to:
• Describe the origins and impact of Web vulnerabilities
• Recognize the dangers of ActiveX control misuse
• Recognize the dangers of cross-site scripting, canonicalization, SQL injection, HTTP response splitting, and cross-site request forgery vulnerabilities
Applying .NET Secure Coding Best Practices
This module introduces several protections and best practices which, if implemented properly, help mitigate the risk of web vulnerabilities in applications. Topics covered include the limitations of common mitigations, truly effective mitigations such as allow lists and frame restrictions, and SDL requirements aimed at mitigating Web vulnerabilities. After completing this module, you will be able to:
• Recognize the limitations of common mitigations for Web vulnerabilities
• Recognize effective mitigations for Web vulnerabilities
• Recognize the SDL requirements aimed at mitigating Web vulnerabilities
Objectives
• Identify the differences between managed and unmanaged code
• Recognize the interactions between Windows access control and CAS
• Describe how cryptography is handled in .NET
• Recognize the main aspects of ASP.NET security and the security improvements brought by .NET 2.0
• Avoid common .NET security pitfalls
• Write defensive code that protects your application from common threats
• Recognize when code is required to be reviewed for security vulnerabilities
Assessment
Participants will complete various self-test questions throughout the course
Architecture Risk Analysis & Remediation
Course Description
This course defines concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws. Special attention is given to analysis of security issues in existing applications; however, the principles and techniques are applicable to systems under development. You will be shown various analyses that enable effective architecture risk analysis including accurately capturing application architecture, threat modeling with attack trees, attack pattern analysis, and enumeration of trust boundaries.
Objectives
• Extract architecture views of a software system suitable for security analysis
• Apply a number of complementary techniques to find security vulnerabilities that cannot be easily discovered through tools
• Weigh the comparative impact of design-level security
• Apply techniques and methodologies to model threats, trust, and data sensitivity
• Build abuse cases and use them to explore how your software might be attacked
• Integrate Architecture Risk Analysis with the management of security knowledge in your organization
Assessment
A multiple-choice exam is taken at the end of the course.
Creating an Application Security Threat Model
Course Description
This course introduces the technique of Threat Modeling, its primary goals, and its role within software development. Once you are familiar with the concepts behind Threat Modeling, the entire Threat Modeling process is demonstrated – giving you the knowledge you need to apply Threat Modeling to your own products and design/develop more secure code.
Modules
Defining Threat Modeling
This module equips you with the necessary information to help you understand the importance of Threat Modeling and the role it plays in identifying and mitigating threats. After completing this module, you will be able to:
• Identify the goals of Threat Modeling
• Recognize the relation between Threat Modeling and the SDL
• Identify the roles involved in the Threat Modeling process
• Understand what and when to Threat Model
Applying the Threat Modeling Process
This module identifies in detail each step in the Threat Modeling process, outlines each step’s purpose, and demonstrates the procedure to follow in order to apply each step. This module includes a lab to help you apply what you have learned in a real-world scenario. After completing this module, you will be able to:
• Describe the application using diagrams
• Identify Threat Types by using STRIDE
• Identify appropriate mitigation techniques
• Recognize the role of the Threat Model document
• Understand the various threat modeling tools available to you
Objectives
• Identify the goals of Threat Modeling and the corresponding SDL requirements
• Identify the roles and responsibilities involved in the Threat Modeling process
• Use the Threat Modeling process to accurately identify, mitigate, and validate threats
• Leverage various tools that help with Threat Modeling
Assessment
Participants will complete various self-test questions throughout the course
Attack Surface Analysis & Reduction
Objectives
• Define attack surface of an application
• Learn how to reduce application risk by reducing the attack surface
Assessment
Participants will complete various self-test questions throughout the course
Course Description
Your system’s attack surface represents the number of entry points you expose to a potential attacker - for example, user interfaces, Web services, database access, and so on. Fewer entry points means less chance of an attacker finding a vulnerability in your code. Therefore, it is important that you understand what an attack surface is and then see how you can measure and reduce the attack surface of your application.
Modules
Understanding Attack Surface
This module provides details that help you understand the attack surface of an application. After you understand how an attack surface affects application risk, you use the attack surface reduction goals to minimize the attack surface of your application. After completing this module, you will be able to:
• Describe what an attack surface is
• Understand how the attack surface impacts application risk
Measuring and Reducing Attack Surface
This module discusses the common metrics you can use, including attack surface, to measure application security. Measuring the attack surface of an application helps you measure the relative risk and its trends. This module also discusses best practices that you can use to reduce the attack surface of your application. Reducing the attack surface helps you reduce the possibility of undiscovered vulnerabilities that can impact the security of your application. After completing this module, you will be able to measure and reduce the attack surface of your application.
How to Test for the OWASP Top Ten
Course Description
The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Organizations that address these flaws greatly reduce the risk of a web application being compromised, and testing for these flaws is a requirement of the Payment Card Industry Standards (PCI-DSS) as well as other regulatory bodies. This course explains how these flaws occur and provides testing strategies to identify the flaws in web applications.
Modules
Testing OWASP Top 10: Part 1
Topics covered in this module:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
Testing OWASP Top 10: Part 2
Topics covered in this module:
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Objectives
• Determine if a web application is vulnerable to the top five security vulnerabilities identified in the OWASP Top 10 list.
• Determine if a web application is vulnerable to the last five security vulnerabilities identified in the OWASP Top 10 list.
• Explain how to protect the application against these security vulnerabilities
Assessment
Participants will complete various self-test questions throughout the course
Classes of Security Defects
Objectives
• Understand and outline the common classes of security defects
• Recognize the potential impact that common security defects can have
• Identify the programming errors that are responsible for common security defects
• Apply coding best practices in order to avoid common security vulnerabilities
• Find common security defects in an application’s source code
• Map common security defects with specific technologies
• Test software in order to detect common security bugs
• Locate additional resources on common security defects
Assessment
Participants will complete various self-test questions throughout the course
Course Description
This course equips you with the knowledge you need to create a robust defense against common security defects. You will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real life security bugs, you will be shown techniques and best practices that will enable you and your team to identify, eliminate, and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect.
Modules
Classes of Security Defects
This module presents the underlying root causes of security defects, explains the difference between functional and security bugs, and describes the inherent insecure nature of software.
Defending against Common Security Defects
This module offers best practice tips for defending against common security defects such as:
• buffer and integer overflows
• format string problems
• integer overflow
• SQL and command injection
• improper error handling
• cross-site scripting
• unprotected network traffic
• lack of server-side authorization
• poor usability
• weak authentication and data protection
• information leakage
• improper file access
• spoofing
• race conditions
• unauthenticated key exchange
• weak random number generation
• improper use of SSL and TLS
Creating Secure Code – iPhone Foundations
Course Description
In this 1-hour course, you will learn to develop and deploy secure iPhone applications by leveraging Apple’s security services and following web application secure coding best practices.
Modules
iPhone Application Vulnerabilities
iPhone security breaches are a growing problem with serious financial consequences, particularly when those breaches affect enterprise networks. Many iPhone application security vulnerabilities are fundamentally the same as those of other applications. iPhone attack vectors include web-based malware, SQL injection, session hijacking, theft of data at rest and in transit, and jailbreaking. Your development strategy for protecting your applications should include data encryption, access control, code signing, iTunes store validation, sandboxing, and securing network connections. This module helps you understand iPhone security vulnerabilities, attack vectors, and the costs associated with security breaches. Additionally, this module covers each type of vulnerability, its root cause, and the best method for protection.
Apple iOS and SDK Developer Security Tools
In this module, we will discuss all of the iOS security services available to iPhone application developers. You will learn how to use each of these components to protect against the attacks covered in Module One. The iOS security services discussed in this module include encryption, isolation, secure connection, input validation, and authentication.
iPhone Secure Development Best Practices
This module provides language- and tool-specific instruction on how to integrate Apple security services into your own secure coding best practices to fully protect against all major vulnerabilities.
Objectives
• Identify iPhone application security risks and the costs associated with a successful attack
• Explain the role of Apple iOS and SDK tools in providing security to iPhone applications
• Protect sensitive data from theft or compromise, both at rest and in transit
• Integrate secure coding best practices into your C and Objective-C iPhone applications
Assessment
Participants will complete various self-test questions throughout the course
Creating Secure Code – Android Foundations
Objectives
• Identify common security issues and attack vectors in Android applications
• Identify security features of the Android OS, SDK, and NDK
• Identify application-based permissions, data protection methods, and code signing, packaging, and updating techniques used to secure Android applications
• Identify best practices for securely developing Android applications and protecting sensitive data
Assessment
Participants will complete various self-test questions throughout the course
Course Description
This 90-minute course will help you develop secure Android applications by applying Android-specific secure development best practices and techniques. The course emphasizes key Android security features that can help you prevent common application vulnerabilities.
Modules
Android Application Vulnerabilities
One reason for the enormous popularity of Android phones is the wide variety and number of applications being published each year. Because Android provides an open development platform, and developers have full access to APIs and frameworks, there are far fewer constraints on how developers create their applications than in competing environments, such as Apple’s iOS. However, the open platform and the freedom developers have also increase the number of potential vulnerabilities. This module gives you an overview of Android application security and the various risks associated with the platform.
Security Features of the Android OS, SDK, and NDK
In this module, you will learn how to integrate security services of Android’s Linux kernel, SDK, and hardware into your application.
Android Secure Development Best Practices
In this module, you will learn how to protect your Android application by following secure coding best practices.