Security Awareness Education Catalog

Oct 19, 2014

Use this catalog to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions please contact us.

Security Education Catalogue

SECURITY EDUCATION CATALOGUE

INTRODUCTION

The human factor—what employees do or don’t do—is the biggest threat to an organization’s information security, yet it’s often the most overlooked. Whether they are swiping credit cards, handling clients’ personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data—if you do not help them learn to protect it. Arm yourself with security education for staff and partners. Use this catalogue to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions, reach out to your Trustwave account manager or use the “Contact Us” section of the Trustwave website.

Table of Contents

Security Awareness Education (SAE) ___________________________ 2
• SAE Course Catalogue ______________________________________ 3
• Security Awareness Course Builder ___________________________ 6
• SAE Print Material __________________________________________ 7
• Banking Security ___________________________________________ 8

Secure Development Training (SDT) ____________________________ 9
• SDT Course Catalogue _____________________________________ 10
• Secure Development Course Bundles _________________________ 16

Security Awareness Education (SAE)

Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security awareness training course will be set up and what additional print-based materials you would like to order to reinforce your program all year round. This section is designed to help guide you through these options and choose the program that is right for you and your organization.

SAE Course Catalogue

Use these pages to browse our growing library of security awareness lessons. Categorized by areas of interest, each lesson’s catalogue code, topic and objectives are listed here to help you decide which topics are most appropriate for your target audience(s). Most lessons are available in English, Spanish, Portuguese, French and Swedish. You may also view all of our lessons in the Trustwave SAE Portal itself - contact your Trustwave account manager if you would like to receive a free trial account on our service.

SAE Custom Course Builder

This page lists the lessons included in each of our course offerings for the most common types of organizational roles targeted for security awareness training. If these combinations don’t fit your organization’s needs just right, or you’d like to include additional materials such as quizzes or your organization’s own information security policies as part of the course, use the interactive spaces at the bottom of the page to identify the contents of the course(s) you would like us to build.

SAE Pamphlets

Do you employ cashiers and servers who do not have ready access to computers at work? Do you hire temporary workers whose schedules don’t allow much time for training? No problem. Instead of enrolling this population in our online service, you can order our security awareness training pamphlets suitable for front-line workers. The content of the brochures is the same as what is included in our online course. Pamphlets are currently available in English, Spanish and Portuguese.

SAE Posters

Often, organizations administer a formal security awareness training only once per year. Including SAE posters in your office environment helps keep employees aware of their security responsibilities year-round.

SAE Course Catalogue

Each course in your Security Awareness Education (SAE) program can be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial account on the Trustwave SAE Portal, contact your Trustwave account manager for more information.

Compliance Overviews

COM lessons cover the basic principles of various compliance standards mandating training and other information security measures.

COM-01 PCI Overview

Recognize how the Payment Card Industry (PCI) self-regulates to protect cardholder data.

• Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications.
• Recognize the cycle of a credit card transaction.
• Describe the PCI regulatory environment and recognize high level compliance requirements.

COM-02 HIPAA Overview

Recognize how U.S. HIPAA and HITECH laws protect the privacy and security of protected health information (PHI).

• Recognize key HIPAA and HITECH stakeholders.
• Recognize the purpose and scope of HIPAA privacy and security rules.
• Describe the HIPAA regulatory environment and recognize high level compliance requirements.

Core Concepts

COR lessons cover basic security awareness concepts that all employees should understand. We recommend including these 5-minute lessons for all your staff.

COR-01 Introduction to Security Awareness

Demonstrate basic knowledge of security awareness.

• Define security awareness and recognize the importance of protecting information.

COR-02 Social Engineering

Define social engineering and recognize common threats to information security and how to avoid becoming a victim.

• Define social engineering, recognize who is at risk of becoming victims and list the types of information targeted by social engineers.
• List the most common channels for social engineering, and recognize popular ploys.
• List best practices to avoid becoming a victim of social engineering.

SECURITY AWARENESS TOPICS

SAT lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities.

SAT-01 Physical Security

Define physical security, recognize common threats and list best practices.

• Define physical security, recognize the importance of physical security and list the information at risk.
• Recognize common attacks on physical security.
• Recognize physical security vulnerabilities and best practices for securing your workplace.

SAT-02 PC Security

Define PC security, recognize common threats and list best practices.

• Define PC security and recognize the risks of leaving your computer unprotected.
• List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk.
• List and describe critical PC security measures and best practices.

SAT-03 Email Security

Define email security, recognize common threats and list best practices.

• Define email security and recognize the risk to information security if secure email practices are not in place.
• Recognize the most common email scams and the measures you can take to avoid becoming a victim.
• List best practices for using email securely.


SAT-04 Password Security

Define password security, recognize common threats and list best practices.

• Define password security and recognize the importance of keeping passwords protected.
• List the ways password protection may be used to keep information secure.
• List basic rules for building a strong password and recognize best practices for effective password use.

SAT-05 HIPAA Overview

Define Web browsing security, recognize common threats and list best practices.

• Define Web browsing security and recognize the risks of visiting unknown and unsecure websites.
• List the most common Web security threats and recognize how you may put your organization’s information at risk.
• List and describe best practices for browsing the Web securely.

SAT-06 Mobile Device Security

Define mobile device security, recognize common threats and list best practices.

• Define mobile device security and recognize the risks of leaving your device unprotected.
• Recognize common mobile device attacks and user mistakes that put information at risk.
• List and describe common mobile device security measures.

BEST PRACTICES FOR JOB ROLES

JRT lessons target specific job roles within an organization. Each course may contain one JRT lesson to cover best practices for the target role.

JRT-01 Secure Practices for Retail Associates

Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment.

• Recognize the information security responsibilities of retail associates and the related laws and regulations that impact the retail environment.

• List and describe information security responsibilities and best practices of retail associates.

JRT-02 Secure Practices for Retail Managers

Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment.

• Recognize the security responsibilities of retail managers or owners and the information security laws and regulations that impact the retail environment.

• List and describe information security responsibilities and best practices of retail managers.

JRT-03 Secure Practices for Call Center Employees

Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure.

• Recognize the information security laws and regulations that impact the call center environment.
• Recognize the responsibility of call center employees to protect the information they work with each day.
• List and describe the information security responsibilities and best practices of call center employees.

JRT-04 Secure Practices for Call Center Managers

Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center.

• Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment.

• List and describe information security responsibilities and best practices of call center managers.

JRT-05 Secure Practices for Enterprise Employees

Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure.

• Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment.

• List and describe information security responsibilities and best practices of enterprise employees.

JRT-06 Secure Practices for IT and Engineering Staff

Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure.

• Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibility of personnel to protect the information they work with each day.

• List and describe the information security responsibilities of IT and engineering staff.
• List best practices for IT and engineering staff to help keep information secure.

ADVANCED SECURITY TOPICS

ADV lessons cover a wide range of topics for managers and technical personnel.

ADV-01 PCI Forensic Investigations

Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated.

• Identify common ways breaches are discovered and the high level steps employees should take if a breach is discovered.
• Describe the Trustwave PCI forensic investigation process and a breached organization’s responsibility to report and remediate security deficiencies.
• Recognize common security threats and the importance of continuous compliance to protect against them.

ADV-02 Exploring Security Trends

Recognize key findings of Trustwave’s annual Global Security Report and list ways to improve security this year based on last year’s trends.

• Recognize the purpose and contents of Trustwave’s Global Security Report.
• Recognize key findings of the current Global Security Report.
• List security best practices that help organizations avoid the security pitfalls of last year.

Security Awareness Course Builder

This page lists the lessons included in our basic Security Awareness Education courses. These courses are targeted to common roles that fit most organizations’ needs. Select the course(s) that fit your target audience(s) by clicking inside the box beside it, or build your own course using the blank spaces below. Descriptions of each lesson in our library can be found in the SAE Course Catalogue.

Security Awareness for Retail Associates

Security Awareness for Retail Managers

Security Awareness for Call Center Employees

Security Awareness for Call Center Managers

Security Awareness for Enterprise Employees

Security Awareness for IT and Engineering Staff

Security Awareness for Health Care Workers

Security Awareness for Bank Workers

Create your Own

Use this section to mix and match lessons to build up to five courses of your own. Just use the interactive checkboxes below to select course content.

Lessons available for selection: COM-01, COM-02, COR-01, COR-02, SAT-01, SAT-02, SAT-03, SAT-04, SAT-05, SAT-06, BAN-01, BAN-02, BAN-03, JRT-01, JRT-02, JRT-03, JRT-04, JRT-05, JRT-06, ADV-01, ADV-02, Quiz, Policy Document.

SAE Print Material

POSTERS

Augment your Security Awareness Education with posters specific to your target audience. Click the checkbox to select the poster(s) you want. Use the “total” field to specify how many of each poster you want. Posters are available only in English. Contact your Trustwave account manager if you have questions.

SAE Pamphlets

Trustwave’s SAE Pamphlets are perfect for employees who do not have ready access to computers at work, or a lot of time to devote to training. The pamphlets can be cobranded to include your logo and company name, and are available in English, Spanish and Portuguese. Use the “total” field to specify how many pamphlets you would like to order. Each pamphlet consumes a single SAE license.

Order form categories (interactive “total” fields omitted): Call Center, Retail, Web, Office.

Banking Security

Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While you are taking steps to protect your customers from identity theft and financial crimes, customers themselves must also implement security best practices when accessing online banking on their personal or business computers. Providing resources to customers to educate them about best practices for securing their information online demonstrates your commitment to securing your customers’ information, improves security for you and your customers and helps satisfy FFIEC requirements for customer education.

BANKING SECURITY

BAN lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.

BAN-01 Online Banking Security

Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats.

• Recognize ways information is stolen from online accounts.
• Recognize the monetary risk of security incidents and the top attack targets used by criminals.
• Describe how banks and their customers work together to protect valuable information.

BAN-02 Protecting Online Accounts for Businesses

Recognize a business’s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so.

• Recognize a business’s role in keeping their sensitive information secure online.
• List best practices for businesses to use to protect their sensitive information.

BAN-03 Protecting Online Accounts for Consumers

Recognize the individual’s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so.

• Recognize an individual consumer’s role in keeping their sensitive information secure online.
• List best practices consumers can use to protect their sensitive information.

Secure Development Training (SDT)

Trustwave offers a suite of Web-based technical courses that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the courses that is most relevant to them, or to give them access to the full suite of Secure Coding Design courses we offer. Whichever option you select, this section will help you decide which course(s) are right for your staff.

Secure Development Course Catalogue

Use these pages to browse our library of Secure Development courses. Categorized by the stages of the software development life cycle, each course’s catalogue code, topic and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s).

Secure Development Course Builder

This page defines the course bundles available to SDT customers. Use this worksheet to note which courses you would like to offer to your staff.

SDT Course Catalogue

SECURITY AWARENESS AND PROCESS COURSES

AWA 101 Fundamentals of Application Security

Upon course completion, students will be able to understand and recognize threats to applications, leverage the OWASP top 10 list to create more secure Web applications and conduct specific activities at each development phase to ensure maximum hardening of your applications.

Time: 2 hours. Prerequisites: Understanding of the software development lifecycle and technologies; basic understanding of software security.

AWA 102 Protecting Online Accounts for Businesses

By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work.

Time: 1 hour. Prerequisites: Basic knowledge of software development processes and technologies.

AWA 103 Six Fundamentals of Information Security

By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work.

Time: 1 hour. Prerequisites: None.

AWA 104 Fundamentals of the PCI-DSS

This course is designed to meet the PCI-DSS requirement and will provide such awareness as well as a basic understanding of each of the PCI-DSS requirements addressing cardholder data security.

Time: 1 hour. Prerequisites: None.

AWA 105 Fundamentals of Security Awareness - Mobile and Social Media

This security awareness course focuses on how sensitive data and confidential information can be compromised with the use of social media and mobile devices by today’s work force. Using a fun and interactive computer based format, the viewer is made aware of the risks associated with these technologies, and how to use them safely.

Time: 30 minutes. Prerequisites: None.

SECURITY ENGINEERING COURSES

ENG 102 Introduction to the Microsoft SDL

The goal of this course is to help students understand and identify the Security Development Life Cycle (SDL) requirements for building and deploying secure software applications. The course demonstrates the benefits teams gain by following the SDL, and it provides managers with information regarding their role and responsibilities in ensuring the team follows the SDL.

Time: 1 hour. Prerequisites: Knowledge of the software development lifecycle.

ENG 201 SDLC Gap Analysis and Remediation Techniques

Upon completion of this course, the participant will be able to identify the benefits of the Security Development Lifecycle, recognize the importance of the Final Security Review, follow the necessary steps to meet SDL requirements and identify the appropriate tools required by the SDL.

Time: 1 hour. Prerequisites: Knowledge of the software development lifecycle.

ENG 211 How to Create Application Security Design Requirements

This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle.

Time: 45 minutes. Prerequisites: Introduction to the Microsoft SDL (ENG 102), Fundamentals of Application Security (AWA 101).

ENG 301 How to Create an Application Security Threat Model

This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle.

Time: 1 hour. Prerequisites: Fundamentals of Application Security (AWA 101).

ENG 311 Attack Surface Analysis and Reduction

In this course, students will learn to identify the goals of threat modeling and the corresponding SDL requirements, identify the roles and responsibilities involved in the threat modeling process, recognize when and what to threat model and identify the tools that help with threat modeling. Students will also learn to use the threat modeling process to accurately identify, mitigate and validate threats.

Time: 1 hour. Prerequisites: Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212).

ENG 312 How to Perform a Security Code Review

Course provides an understanding of the goals and methodologies of attackers, identification of attack vectors and how to minimize the attack surface of an application.

Time: 1 hour. Prerequisites: Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212).

ENG 391 How to Create an Application Security Threat Model for Embedded Systems

This course provides students with guidance on how to best organize code reviews, prioritize those code segments that will be reviewed, best practices for reviewing source code and maximize security resources.

Time: 1 hour. Prerequisites: Fundamentals of Secure Architecture (DES 101), How to Create Application Security Design Requirements (ENG 211), How to Create an Application Security Threat Model (ENG 301), Creating Secure Code – ASP.Net (COD 311) OR C/C++ (COD 312) OR J2EE (COD 313).

ENG 392 Attack Surface Analysis and Reduction for Embedded Systems

This course module provides additional training on How to Create an Application Security Threat Model of particular importance to embedded software engineers. It includes mapping of content to specific compliance and regulatory requirements, links to key reference resources that support the topics covered in the module and a “Knowledge Check” quiz that assesses mastery of key concepts.

Time: 30 minutes. Prerequisites: How to Create an Application Security Threat Model (ENG 301).

ENG 393 How to Perform a Security Code Review for Embedded Systems

This course module provides additional training on Attack Surface Analysis and Reduction of particular importance to embedded software engineers.

Time: 30 minutes. Prerequisites: Attack Surface Analysis and Reduction (ENG 311).

Secure Design

DES courses cover topics in secure software architecture and design, to help plan security into applications before any code is written.

DES 101 Fundamentals of Secure Architecture

Understand the state of the software industry from a security perspective, by learning from past software security errors and how to avoid repeating those mistakes. Students will also be able to recognize and use confidentiality, integrity and availability (CIA) as the three main tenets of information security.

Time: 1 hour. Prerequisites: None.

DES 211 OWASP Top 10 - Threats and Mitigations

Recognize best practices for understanding, identifying and mitigating the risk of vulnerabilities and attacks within the OWASP Top 10.

Time: 2 hours. Prerequisites: None.

DES 212 Architecture Risk Analysis and Remediation

Recognize concepts, methods and techniques for analyzing the architecture and design of a software system for security flaws.

Time: 1 hour. Prerequisites: Fundamentals of Secure Architecture (DES 101).

DES 213 Introduction to Security Tools and Technologies

This course is designed to educate architects and developers on the technologies available to create more secure systems.

Time: 2 hours. Prerequisites: Fundamentals of Security Testing (TST 101).

DES 301 Introduction to Cryptography

Recognize the problems that cryptography can address, the threats that apply to two communicating parties, the appropriate cryptographic solutions to mitigate these threats, and how to describe the mechanisms behind cryptographic protocols. Learners will also be able to recognize how to follow cryptographic best practices and locate cryptography resources.

Time: 1 hour. Prerequisites: Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212).

DES 311 Creating Secure Application Architecture

Recognize key security principles that can be used to improve the security of application architecture and design. Demonstrate how to apply defenses to harden applications and make them more difficult for intruders to breach, reducing the amount of damage an attacker can accomplish.

Time: 2 hours. Prerequisites: Fundamentals of Secure Architecture (DES 101), Architecture Risk Analysis and Remediation (DES 212).

Secure Coding

COD courses cover security topics in the implementation stage of the software development life cycle, when code is actually being written.

COD 101 Fundamentals of Secure Development

Recognize the latest trends in software security, as well as the importance of software security for business. Demonstrate how to perform threat modeling to identify threats proactively, create threat trees for application components, use threat trees to find and classify vulnerabilities and perform risk analysis and prioritize security fixes.

Time: 1 hour. Prerequisites: None.

COD 110 Fundamentals of Secure Mobile Development

This course introduces some of the common mobile application risks and the best development practices that you should follow for development to overcome risks. The course also explains how to create a mobile application threat model.

Time: 2 hours. Prerequisites: None.

COD 111 Fundamentals of Web 2.0 Security

This course introduces you to the fundamentals of secure Web 2.0 development. The course begins with a discussion about Web 2.0, its evolution, and the technologies behind it. The course describes common Web 2.0 attacks that can cause significant loss to organizations. It reviews the best practices that you should incorporate to mitigate the risks from Web 2.0 attacks, as well as practices to avoid. The course concludes with a walk-through of a software system scenario that can help you better understand Web 2.0 attacks and apply the best practices discussed in the course.

Time: 2 hours. Prerequisites: None.

COD 201 Fundamentals of Secure Database Development

This course will demonstrate database development best practices for software architects and developers.

Time: 2 hours. Prerequisites: Fundamentals of Secure Development (COD 101).

COD 211 Understanding Secure Code - JRE

Recognize and remediate common Java Web software security vulnerabilities. Define data leakage, injection attacks, client/server protocol manipulation attacks, and authentication exploitations and mitigate these security vulnerabilities.

Time: 1 hour. Prerequisites: Fundamentals of Secure Development (COD 101).

COD 212 Understanding Secure Code - C/C++

Recognize how to write secure code in C/C++ for Windows and Unix platforms, robust code development and secure socket programming. Demonstrate how to apply time-tested defensive coding principles to develop secure applications. Recognize the nine defensive coding principles and how to use them to prevent common security vulnerabilities.

Time: 75 minutes. Prerequisites: Fundamentals of Secure Development (COD 101).

COD 213 Understanding Secure Code - Windows 7

Define Windows 7 security features and build applications that leverage Windows 7’s built-in security mechanisms.

Time: 2 hours. Prerequisites: Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7.

COD 215 Understanding Secure Code - .NET 4.0

Recognize .NET 4.0 security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. Recognize security changes in .NET 4.0 including level 2 security transparency, the new sandboxing and permission model, introduction of conditional APTCA and changes to evidence objects and collections. Define secure coding best practices that will enable students to build more secure applications in .NET 4.0.

Time: 2 hours. Prerequisites: Fundamentals of Secure Development (COD 101).


COD 216 Understanding Secure Code - NET 2.0

Define.NET2.0securityfeatures,includingconceptssuchasCodeAccessSecurity(CAS)and .NET cryptographic technologies. Recognize secure coding best practices that will enable students to build more secure applications in .NET 2.0.

2 hours • Fundamentals of Secure Development (COD 101).

COD 217 Creating Secure Code - iPhone Foundations

Learn to develop and deploy secure iPhone applications by leveraging Apple’s security services and following Web application secure coding best practices.

1 hour • Fundamentals of Secure Mobile Development (COD 110).

COD 218 Creating Secure Code - Android Foundations

LearntodevelopsecureAndroidapplicationsbyapplyingAndroid-specificsecuredevelopment best practices and techniques. The course emphasizes key Android security features that can help you prevent common application vulnerabilities.

90 minutes • Fundamentals of Secure Mobile Development (COD 110).

COD 221 Web Vulnerabilities - Threats and Mitigations

Recognize,avoidandmitigatetherisksposedbyWebvulnerabilities.Definethemostcommon and recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request forgery attacks. Demonstrate how to avoid and/or mitigate Web vulnerabilities using real-world examples.

1 hour• Creating Secure Code – J2EE Web Applications

(COD 313) OR Creating Secure Code – ASP.NET (COD 311).

COD 222 PCI Best Practices for Developers

Recognize application security issues within the PCI DSS and best practices for addressing each requirement. Recognize how addressing the PCI DSS requirements during the design and build stages of the development life cycle will improve application security and will simplify compliance.

1 hour • Fundamentals of Secure Architecture (DES 101).

COD 231 Introduction to Cross-Site Scripting - With JSP Examples

Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities.

20 minutes • Basic knowledge of Web technologies and Java Server Pages (JSP).

COD 232 Introduction to Cross-Site Scripting - With ASP.NET Examples

Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities.

20 minutes • Basic knowledge of Web technologies and Java Server Pages (JSP).

COD 311 Creating Secure Code - ASP.NET

Demonstrate the development of secure web applications in C#. Recognize common web application vulnerabilities and demonstrate ways to avoid those vulnerabilities in C# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this class, participants will be able to recognize the need to follow secure coding best practices, follow secure coding best practices and locate additional resources on secure coding best practices for ASP.NET.

4 hours • Understanding Secure Code - .NET 4.0 (COD 215).

COD 312 Creating Secure Code - C/C++

Define application security risks and secure coding standards for C and C++ applications, and the different types of errors that can be introduced while coding. Recognize the importance of detecting these errors and remediating them as early as possible to avoid security issues. Define real-world best practices and techniques, and static analysis tools to detect and resolve security vulnerabilities in code.

90 minutes • Understanding Secure Code – C/C++ (COD 212).


COD 313 Creating Secure Code - J2EE Web Applications

Demonstrate development of secure web applications in Java. Recognize common web application vulnerabilities and define ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this course, participants will be able to recognize why software security matters to their business, recognize the root causes of the more common vulnerabilities, identify the symptoms of common vulnerabilities and use security best practices to prevent common vulnerabilities.

2 hours • Understanding Secure Code – JRE (COD 211).

COD 314 Creating Secure C# Code

This course will provide a deep understanding of application security risks and secure coding standards for C# applications. The main lesson guides students through the concepts underlying the coding principles and illustrates real-world best practices and techniques; the labs allow students to test what they have learned.

3 hours • Understanding Secure Code - .NET 4.0 Foundations (COD 215).

COD 315 Creating Secure PHP Code

This course introduces best practices for developing secure PHP code. The course also identifies common PHP vulnerabilities that attackers can exploit to gain access to critical information. In addition, the course explains mitigation techniques that you can use to avoid common PHP vulnerabilities and write secure code.

2 hours • Fundamentals of Secure Development (COD 101).

COD 321 Creating Secure Code - Oracle Foundations

This course provides the student with an understanding of the scope and requirements of database security as well as the risks presented by insecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks.

2 hours • Fundamentals of Secure Database Development (COD 201).

COD 322 Creating Secure Code - SQL Server Foundations

This course provides the student with an understanding of the scope and requirements of database security as well as the risks presented by insecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks.

90 minutes • Fundamentals of Secure Database Development (COD 201).

COD 411 Integer Overflows - Attacks and Countermeasures

An integer overflow is a programming error that can severely impact a computer system’s security. Due to the subtlety of this bug, integer overflows are often overlooked during development. This course covers the security concepts, testing techniques and best practices that will enable students to develop robust applications that are secure against integer overflow vulnerabilities.

1 hour • Basic understanding of the C, C++, and C# programming languages.

COD 412 Buffer Overflows - Attacks and Countermeasures

Recognize how to avoid and mitigate the risks posed by buffer overflows. Recognize protections provided by the Microsoft compiler and the Windows operating system, and advice on how to avoid buffer overflows during the design, development and verification phases of the software development life cycle.

2 hours • Basic knowledge of Windows programming and memory management in Windows.


Security Testing

TST courses cover topics in testing software for security flaws and remediating defects before release.

# Lesson Name Lesson Objectives Time Supporting Objectives

TST 101 Fundamentals of Security Testing

Define security-testing concepts and processes that will help students analyze an application from a security perspective and conduct effective security testing. Recognize different categories of security vulnerabilities and the various testing approaches that target these classes of vulnerabilities. Several manual and automated testing techniques are presented which will help identify common security issues during testing and uncover security vulnerabilities.

2 hours • None

TST 201 Classes of Security Defects

Recognize how to create a robust defense against common security defects. Students will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real life security bugs, students will be shown techniques and best practices that will enable the team to identify, eliminate and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect.

3 hours • None

TST 211 How to Test for the OWASP Top 10

The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Recognize how these flaws occur and demonstrate testing strategies to identify the flaws in web applications.

1 hour • Fundamentals of Security Testing (TST 101)

TST 301 Software Testing - Tools and Techniques

This course introduces the tools and techniques used during software security testing. After taking this course, the student will be able to create a software security test plan; decide which software security testing tools to use; know how to apply the testing tools; understand and apply penetration testing techniques.

90 minutes • None

TST 401 Advanced Software Security Testing Techniques

This course delves deeply into the techniques for testing specific security weaknesses. After taking this course, the student will be able to understand the ten types of attacks; know which tools to use to test for these attacks; test software applications for susceptibility to the ten specific attacks; describe the expected mitigations required to prevent these attacks.

2 hours • Fundamentals of Security Testing (TST 101)

• Software Testing - Tools and Techniques (TST 301)

TST 411 Exploiting Buffer Overflows

Recognize the threats posed by buffer-overflow exploits, and the mechanisms behind exploitation of stack-based and heap-based buffer overflows. Define challenges faced by exploit code and how different exploitation techniques overcome environmental limitations.

2 hours • Creating Secure Code – C/C++ (COD 312)


Secure Development Course Bundles

Use this checklist to determine which course(s) you want to provide for your staff. Descriptions of each course in the SDT library can be found in the SDT Course Catalogue on the previous pages. Custom bundles, consisting of up to six (6) courses or twelve (12) hours of content, can be set up on request. Contact your Trustwave account representative if you would like to configure a custom bundle.

Java Developer

• AWA-101 Fundamentals of Application Security

• COD-101 Fundamentals of Secure Development

• COD-221 Web Vulnerabilities – Threats & Mitigations

• COD-211 Creating Secure Code – JRE Foundations

• COD-313 Creating Secure J2EE Code

.NET Developer

• AWA-101 Fundamentals of Application Security

• COD-101 Fundamentals of Secure Development

• COD-221 Web Vulnerabilities – Threats & Mitigations

• COD-215 Creating Secure Code - .NET 4.0 Foundations (or .NET 2.0 version)

• COD-311 Creating Secure ASP.NET Code

C/C++ Developer

• AWA-101 Fundamentals of Application Security

• COD-101 Fundamentals of Secure Development

• COD-312 Creating Secure Code – C/C++ Foundations

• COD-392 Creating Secure C/C++ Code

PHP Developer

• AWA-101 Fundamentals of Application Security

• COD-101 Fundamentals of Secure Development

• COD-221 Web Vulnerabilities – Threats & Mitigations

• COD-315 Creating Secure PHP Code

Mobile Applications

• AWA-105 Security Awareness – Mobile & Social Media

• COD-110 Fundamentals of Secure Mobile Development

• COD-217 Creating Secure Code – iPhone Foundations

• COD-218 Creating Secure Code – Android Foundations

Software Architect

• AWA-101 Fundamentals of Application Security

• DES-101 Fundamentals of Secure Architecture

• DES-212 Architecture Risk Analysis and Remediation

• DES-311 Creating Secure Application Architecture

• ENG-301 How to Create an Application Security Threat Model

• ENG-311 Attack Surface Analysis and Reduction

Project Manager

• ENG-101 Microsoft SDL for Managers

• ENG-201 SDLC Gap Analysis and Remediation Techniques

• ENG-211 How to Create Application Security Design Requirements

• COD-101 Fundamentals of Secure Development

• DES-101 Fundamentals of Secure Architecture

Test/QA

• TST-101 Fundamentals of Security Testing

• TST-201 Classes of Security Defects

• TST-211 How to Test for the OWASP Top 10

• TST-301 Software Security Testing – Tools & Techniques

• TST-401 Advanced Software Security Testing


Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave helps millions of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information: https://www.trustwave.com.

Copyright © 2013 Trustwave Holdings, Inc.

Learn more at Trustwave.com