Software Security Training

Software Security Training by Tonex

Software Security Training is a 2-day course where participants learn the fundamental principles of computer security, vulnerabilities, computer crimes, threats, and concept of web security.

Software security has never been more important – even a very small designer mistake in software security can lead to the loss of millions of dollars.

Access control is one of the major and the most critical security software mechanisms. It ensures that only eligible users are able to access protected resources in a given system.

The process of testing access control implemented in a given system or application follows different steps. The first and the most important step aims at generating a set of test cases that have to be exercised on the system under test.

Based on real-world applications, a large number of test cases are generated. Due to budget, time, and resources constraints, testers have to choose the tests that have to be run among all the generated tests.

The subset of test cases to be run is defined based on business-related criteria according to available budget, computing resources, and the time allocated to testing.

Commonly, there are two options, either selecting a fixed number of tests or ordering (prioritizing) tests. When prioritizing tests, the tests that have highest priority are executed first until the resources that are available for testing such as time or budget are consumed.

Since testing is an important element to assure software security and reliability, the quality of the testing itself needs a certain level of assurance.

Code coverage analysis is a process to measure the quality of the tests. Specifically, code coverage analysis focuses on the identification of areas of code that are not covered by test cases, and to increase the coverage by additional test cases.

The measurement of the code coverage can be used as an indirect metric for code quality.

At the initial stage of design and architecture, the software must be consistent and represent a unified security architecture that takes into account security principles. Designers, architects and analysts should carefully document assumptions and identify possible attacks.

Risk analysis is required for each stage of the software development life cycle. And most importantly, after the transfer of software, the maintenance and updating of software from time to time are necessary to protect the software from any new type of malicious attack.

Software Security Training Course by Tonex

Software Security Training course introduces you to a variety of topics in software security,  secure software development, and secure coding. Other topics such as secure programming techniques, trusted computing infrastructure, low level software attacks, wen security, risk management techniques, symbolic execution, and cloud/wireless/mobile device security.

By the advent of computing systems which are an essential part of our daily lives, one should be able to rely on the integrity of the system and the information should be kept confidential.

By taking Tonex software security training, you will learn the fundamental principles of computer security, vulnerabilities, computer crimes, threats, and concept of web security. Moreover, you will be introduced to the secure programming techniques as a part of software security, code auditing, SQL injection, and secure coding principles.

This seminar will teach you great deal of information about trusted computing infrastructure (TCI), process nodes, trusted platform module (TPM), software integrity, data integrity and protecting credentials included in platform security.

Tonex software security training will also help you learn about the software security attacks such as buffer overflow, data-only attacks or non-executable data attacks. Furthermore, understand the importance of web security issues, malicious websites, and denial of service attacks.

You also will learn about the main principles for secure design, open design, and risk management policies in software design. Learn to differentiate the reactive and proactive risk management techniques, interpret the statistical control charts in statistical analysis, and symbolic execution in software security.

Trainees also will finish this seminar with sufficient knowledge about the penetration testing and its tools, cloud security applications and modules, and methods of data security and privacy.

This training helps you to discover the problems of wireless network security such as LAN attacks, Wi-Fi protection schemes, WPA, and WPA2 concept and how to defense against the attacks.

Finally, the software security fundamentals training will introduce the mobile system security concepts such as: mobile browser security, authentication of mobile devices, mobile device management, malware detection techniques in mobile service and dynamic/static mobile device analysis.

Learning Objectives: By the end of this Software Security Training course, participants will be able to:

• Recognize common software security threats and vulnerabilities.
• Implement secure coding practices to prevent vulnerabilities in software development.
• Conduct software security assessments and vulnerability assessments.
• Develop strategies for secure software design and architecture.
• Apply encryption and authentication techniques to protect data and ensure confidentiality.
• Create incident response plans to effectively respond to security breaches.

Audience:

The software security training is a 2-day course designed for:

• All individuals who need to understand the concept of software security.
• IT professionals in the areas of software security
• Cyber security professionals, network engineers, security analysts, policy analysts
• Security operation personnel, network administrators, system integrators and security consultants
• Security traders to understand the software security of web system, mobile devices, or other devices.
• Investors and contractors who plan to make investments in security system industry.
• Technicians, operators, and maintenance personnel who are or will be working on cyber security projects
• Managers, accountants, and executives of cyber security industry.

Course Outline:

The software security training course consists of the following lessons, which can be revised and tailored to the client’s need:

Secure Software Development

• Assets, Threats & Vulnerabilities
• Software Assets to be Protected Threats Analysis
• Requirements
• Secure Software Design and Architecture
• Secure Design Principles
• Security Wrappers
• Design Pitfalls
• Writing Secure Code
• Testing for Software Security
• Incident Response Planning
• Software Development Security Best Practices

Computer Security Principles

• Introduction to computer security
• Computer crime
• Accuracy, Integrity, and Authenticity
• Vulnerabilities
• Introduction to Crypto
• Access control
• Threats to security
• System correctness
• Application of operating system security
• Web security
• Network security
• Operating system security

Secure Programming Techniques

• General principles of secure programming
• Reasons of insecurity
• Economic reasons
• Security measurements
• Marketing problems
• Security requirements
• Confidentiality
• Integrity Availability
• Code auditing
• C/C++ codes
• Assurance measure requirements
• Open source software and security
• Disclosure of vulnerabilities
• Vulnerability classes
• Web security
• SQL injection
• PHP
• Shell Scripts
• Java
• Secure programming for Linux and Unix
• Secure coding, principles and practices
• Statistical analysis for secure programming

Trusted Computing Infrastructure (TCI)

• Definition of trusted computing
• Processing nodes
• Protecting processing nodes against threats
• Node controllers
• Trust relationship in networked society
• Trusted computing cloud model
• Trusted Platform Module (TPM)
• Trusted computing Attestation process
• Implementation aspects
• Main TPM duties
• Unique platform identity
• Software integrity
• Network integrity
• Data integrity
• Protecting credentials
• Device identity
• Secure execution
• Crypto erase
• Examples of Platform security

Low Level Software Security Attacks and Protection

• Introduction to software security attacks
• Stack-based buffer overflow
• Heap-based buffer overflow
• Return-to-libc attacks
• Data-only attacks
• Methods of defense against security attacks
• Stack canaries
• Non-executable data
• Control- flow integrity
• Layout randomization
• Other defense methods

 Web Security

• Introduction to Web security
• Terminologies in web security
• Aspects of data security
• Web privacy
• Authentication
• Integrity
• Web security issues
• Malicious websites
• SPAM
• 419 Nigerian Scams
• Phishing
• Denial of Service (DOS)
• Distributed DOS (DDOS)
• Botnet
• Web attacks
• Action plan against web attacks

 Secure Design Principles

• Least Privileges
• Fail-Safe Defaults
• Economy of Mechanism
• Complete Mediation
• Open Design
• Separation of Privilege
• Diebold voting machines example
• Least Common Mechanism
• Psychological Acceptability
• Fail-safe defaults
• Principles of software security
• Defense practice
• Compartmentalize
• Promoting the privacy
• Using community resources
• Securing easy targets

Risk Management

• Security risk management concepts
• Definition of risk management
• Threat response time
• Regulatory compliance
• Infrastructure management cost
• Risk prioritization
• Reactive and proactive risk management
• Identifying risk management prerequisites
• Communicating risks
• Assessing risks
• Classifying assets
• Organizing risk information
• Threat probability estimation
• Quantifying risks
• Conducting decision support
• Control solution
• Implementing controls
• Measuring program effectiveness

Statistical Analysis

• User interface
• Statistical roles and challenges in network security
• Network traffic and data
• Network data characteristics
• Exploring network data
• Descriptive analysis
• Visualizing analysis
• Data reduction
• Network data modeling for association and prediction
• Bivariate analysis
• Measuring user behavior
• Supervised learning
• Decision analysis in network security
• Uncertainty analysis
• Statistical control chart

Symbolic Execution

• Base Imperative Language
• Input domain
• Expressions and types
• Basic definitions
• Traces, paths, and programs
• Basics of symbolic execution
• Classic symbolic execution
• Generalized symbolic execution
• Application of symbolic execution
• Trace based symbolic execution
• Multi-path symbolic execution
• Macroscopic view of symbolic execution
• Cost of symbolic execution

Penetration Testing

• Definition
• Port scanning
• Vulnerability scanning
• Penetration testing
• Why penetration testing?
• Steps toward application of penetration testing
• Penetration testing tools
• Kali Linux
• Maltego
• WHOIS service
• Vega
• Hydra

 Cloud Security

• Definition of cloud
• Definition of security
• Cloud computing definition
• Features, attributes, characteristic of cloud computing
• Cloud based applications
• Cloud based developments
• Cloud based infrastructure
• Cloud models (SAAS,PAAS,IAAS)
• Problems associated with cloud computing
• Trust in the cloud
• Security issues in cloud
• Multi-tenancy
• Loss of control monitoring
• Access control

Data Security and Privacy (DAP)

• Definition of Data
• Data security
• Prevention and detection of Data security issues
• Reaction against data security
• Audit standards
• Data security policies
• Data security tools
• Monitoring secured data
• Documenting the data security
• Data privacy enforcement

 Wireless Network Security

• Wireless networks and security definition
• What is LAN?
• Simple Wireless LAN
• Attacks and Defense against attacks in wireless network
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access-Version 2 (WPA2)
• Attacks to WEP
• Defense for WEP attacks
• Common attack types for WPA and WPA2
• Common defense techniques for WPA and WPA2
• Wireless encryption

Mobile System Security (MSS)

• Mobiles are everywhere
• Uniqueness of Mobiles
• Management and security challenges for Mobile systems
• Mobile security faced by Enterprises
• Visualizing Mobile Security
• Hardware security
• Mobile Web browsers
• Authenticating users to devices
• Application security
• Mobile Security solution
• Permission and encryption
• Security philosophy
• Mobile Device Management (MDM)
• Mobile Operating Systems
• Malware Detection in Mobile System
• Cloud based detection
• Dynamic/Static analysis

Hands-on and In-Class Activities

• Labs
• Workshops
• Group Activities

Sample Workshops Labs for Software Security Training

• Application of Linux command lines
• User-mode Linux and the mln tool
• Introduction to vulnerable software
• Manual and automatic code review
• Preventing from exploitation
• Symbolic execution workshop
• SQL injection workshop
• Command execution example

Software Security Training