Secure Software Design

Security Training Series

Course Code: TT8600

Skill Level: Intermediate and Beyond

Duration: 4 Days

Course Overview

Secure Software Design is an intensive security training course, essential for experienced software designers and architects who need to engineer secure enterprise-supported web applications. In addition to teaching basic vulnerabilities, this course digs deep into sound processes and practices that apply to the entire software development lifecycle.

In this course, students thoroughly examine issues and risks associated with web applications, including XML processing, rich interfaces, and both RESTful and SOAP-based web services. Students will repeatedly attack and then understand the tactical and strategic defensive measure for various assets associated with fully functional web applications and web services. This hands-on approach drives home the mechanics of how to secure web applications in the most practical of terms.

Security is costly, and this course focuses both on how to effectively use resources and where to apply those resources. During the course, students are presented with a list of actionable items to fully leverage the results of applying secure practices. Attack phases and types of defensive controls are related to the activities that the students participate in during the lab and group activities. Students will develop an understanding of the importance of defaulting to a secure position and deviating from that as is appropriate. The rationale for deviating from the most secure position is based on understanding risk and threats.

Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle.

Course Objectives

Students who attend Secure Software Design will leave the course armed with the skills required to recognize software vulnerabilities (actual and potential) and design defenses for those vulnerabilities. This course quickly introduces developers to the various types of threats against their software. The concept and process of Threat Modeling is introduced as a key enabler for architecting effective and appropriate security for software and information assets.

Our engaging instructors and mentors are highly experienced practitioners who bring years of current "on-the-job" experience into every classroom. Guided by our expert team, attendees will learn to:

Understand the concepts and terminology behind defensive coding
Learn the entire spectrum of threats and attacks that take place against software applications in today's world
Recognize and characterize existing and planned defensive controls
Relate controls and activities to the phases of a typical exploit
Understand and implement the processes and measures associated with the security development lifecycle (SDL)
Identify appropriate security objectives and regulations including evolving privacy considerations
Develop a list of risk escalators as well as potential mitigations based on an understanding of vulnerabilities
Recognize design features that can significantly increase an application’s attack surface
Build an asset inventory and begin the process of prioritizing their value
Work with a baseline asset inventory to develop an initial asset inventory for a software application
Understand and apply defensive options to data assets
Perform attack surface analysis and associated mitigations
Identify the need for defensive measures on data flows that cross trust boundaries
Understand and use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
Use Threat Modeling to identify potential vulnerabilities in a real-life case study
Perform a category-based vulnerability analysis to help ensure that any gaps are identified

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional application development, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an intermediate -level design and analysis course, designed for experienced web developers who wish to get up and running on designing well-defended software applications. Real-world programming experience is highly recommended for code reviews, but is not required.

Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience interests, skill-level and participation.

Session: Foundation for Securing Web Applications

Lesson: Why Hunt Bugs?

Security and Insecurity
Dangerous Assumptions
Attack Vectors
Lab: Case Study in Failure

Lesson: Removing Bugs

Open Web Application Security Project (OWASP)
OWASP Top Ten Overview
Web Application Security Consortium
CERT Secure Coding Standards
Bug Hunting Mistakes to Avoid
Tools and Resources

Lesson: Principles of Information Security

Security Is a Lifecycle Issue
Minimize Attack Surface Area
Layers of Defense: Tenacious D
Compartmentalize
Consider All Application States
Do NOT Trust the Untrusted

Session: Understanding Vulnerabilities 101

Lesson: Unvalidated Data

Buffer Overflows
Integer Arithmetic Vulnerabilities
Unvalidated Data: Crossing Trust Boundaries
Defending Trust Boundaries
Whitelisting vs Blacklisting
Demo: Defending Trust Boundaries

Lesson: A1: Injection

Injection Flaws
SQL Injection Attacks Evolve
Drill Down on Stored Procedures
Other Forms of Injection
Minimizing Injection Flaws
Demo: Defending Against SQL Injection

Lesson: A2: Broken Authentication

Quality and Protection of Authentication Data
Handling Passwords on Server Side
SessionID Risk Reduction
HttpOnly and Security Headers
Demo: Defending Authentication

Lesson: A3: Sensitive Data Exposure

Protecting Data Can Mitigate Impact
In-Memory Data Handling
Secure Pipes
Failures in TLS/SSL Framework

Lesson: A4: XML External Entities (XXE)

XML Parser Coercion
XML Attacks: Structure
XML Attacks: Injection
Safe XML Processing
Demo: Safe XML Processing

Lesson: A5: Broken Access Control

Access Control Issues
Excessive Privileges
Insufficient Flow Control
Unprotected URL/Resource Access
Examples of Shabby Access Control
Sessions and Session Management
Demo: Unsafe Direct Object References
Lab: Spotlight: Verizon

Session: Understanding Vulnerabilities 102

Lesson: A6: Security Misconfiguration

System Hardening: IA Mitigation
Application Whitelisting
Least Privileges
Anti-Exploitation
Secure Baseline

Lesson: A7: Cross Site Scripting (XSS)

XSS Patterns
Persistent XSS
Reflective XSS
DOM-Based XSS
Best Practices for Untrusted Data
Demo: Defending Against XSS

Lesson: A8/9: Deserialization/Vulnerable Components

Deserialization Issues
Identifying Serialization and Deserializations
Vulnerable Components
Software Inventory
Managing Updates
Lab: Spotlight: Equifax

Lesson: A10: Insufficient Logging and Monitoring

Fingerprinting a Web Site
Error-Handling Issues
Logging In Support of Forensics
Solving DLP Challenges

Lesson: Spoofing, CSRF, and Redirects

Name Resolution Vulnerabilities
Fake Certs and Mobile Apps
Targeted Spoofing Attacks
Cross Site Request Forgeries (CSRF)
CSRF Defenses
Demo: Cross-Site Request Forgeries

Lesson: Cryptography Overview

Strong Encryption
Message Digests
Encryption/Decryption
Keys and Key Management
NIST Recommendations

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Overview

Attack/Defense Basics
Types of Security Controls
Attack Phases: Offensive Actions and Defensive Controls
Secure Software Development Processes
Shifting Left
Actionable Items Moving Forward
Lab: Design Study Review

Lesson: SDL In Action

Risk Escalators
Risk Escalator Mitigation
SDL Phases
Actions for each SDL Phase
SDL Best Practices
Lab: Risk Escalators

Lesson: Asset Analysis

Asset Analysis Process
Types of Application-Related Assets
Adding Risk Escalators
Discovery and Recon
Lab: Design Study Asset Analysis

Lesson: Threat Modeling Overview

Threat Modeling Terminology
Threat Modeling Process
Attack Surface Analysis and Reduction
Threat Identification
Threat Modeling Best Practices
Lab: Attack Surface Analysis

Lesson: Threat Modeling in Action

Modeling Using Data Flow Diagrams
Pushing the Modeling Process
Using Model to Identify Potential Threats
Category-Based Vulnerability Analysis
Mitigating Identified Vulnerabilities
Lab: Threat Modeling
Lab: Vulnerability Analysis

Session: Moving Forward with Application Security

Lesson: Applications: What Next?

Common Vulnerabilities and Exposures
CWE/SANS Top 25 Most Dangerous SW Errors
Strength Training: Project Teams/Developers
Strength Training: IT Organizations
Leveraging Common AppSec Practices and Control
Lab: Recent Incidents
Lab: Spotlight: Capital One

Lesson: Making Application Security Real

Cost of Continually Reinventing
Paralysis by Analysis
Actional Application Security
Additional Tools for the Toolbox

Additional Topics: Time Permitting

Lesson: Security Design Patterns

Authentication Enforcer
Authorization Enforcer
Intercepting Validator
Secure Base Action
Secure Logger
Secure Pipe
Secure Service Proxy
Intercepting Web Agent

Course Materials

Hands-on Setup Made Simple! All course materials, data sets, course software (limited version, for course use only), course notes and related resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. In most cases, we can also offer local (non-cloud) set up as an alternative. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants.

Every-Course Extras = High-Value & Long-Term Learning Support! Most courses also include our unique EveryCourse Extras package (Post-Course Resource Site access, Review Labs, Live Instructor Follow-on Support, Free *Live* Course Refresh Re-Takes, early access to Special Offers, Free Courses & more). Please ask for details.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Mix, Match & Master!
2FOR1: Two Courses, One Price!
Enroll in *any* two public courses (for 2023 *OR* 2024 dates!) by December 31, for one price! Learn something new, or share the promo!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course

Gain the skills you need with less time in the classroom with our short course, live-online hands-on events

Trivera QuickSkills: Free Courses and Webinars

Training on us! Keep your skills current with free live events, courses & webinars

Trivera AfterCourse: Coaching and Support

Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

A very good balance of teaching time to lab time. I've done other courses that I found to be much lighter on content and heavy on labs to waste time. This was a refreshing change of pace.

Adam G

Best programming class I've ever been in, head and shoulders above any thing I took in college as part of a computer science degree. The instructor was thorough and very detailed, he was very good abut explaining all possible scenarios a situation would apply to. The way the albs were structured and the class was conducted was very good for interaction and hand on learning.

Danish J

The instructor was clearly knowledgeable about Java and programming in general. He was very attentive to every student's individual needs and constantly encouraged questions, concerns, student issues to be raised and addressed each one thoroughly.

Mark M

First time in my life I have attended remote class and I find it great. Personally I don't feel there is any area which require improvement!

Rishi M

Excellent training. Even though it was online, I did not have any issues understanding or getting the answers for the questions I had. The lab exercises are interesting to apply what was learnt. Overall very good training. Thank you!

Anitha

Great job overall. Great communicator and explained complex concepts in a simple, easier to understand format.

Jeremy G

Both the instructor and the course material were very thorough - the course material has many helpful references - the labs were well laid out, making it easy to learn from and get done on time

Steve C.

Excellent detail about the Spring framework which directly relates to my role as a senior engineer. I found the content and style to be very enjoyable, and would encourage me to ask questions where previously I might not have paid much attention, eg. pom version numbers / spring starters being imported. The focus on the different styles of unit testing was also excellent and I would plan to incorporate in day to day work.

Edward K

Instructor was beyond phenomenal. He had an in depth knowledge of the course material and always ensured that everyone understood what was being discussed. I really enjoyed the mix of theory and practical examples of each part of the course.

Cillian M

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More