Build Security into Your Application Development Process
Gain a working knowledge of the threats and countermeasures encountered in the application security arena through a mixture of security concepts and hands-on development training. Our instructors also provide development strategies that fit into the software development life cycle and that your team can implement immediately after completing the course.
We also address requirements set forth by compliance frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), that require developers to receive secure development training.
PCI DSS Requirement 6.5.a:
“Examine software development policies and procedures to verify that up-to-date training in secure coding techniques is required for developers at least annually, based on industry best practices and guidance.”
Available Classroom Courses
Application Security 1 (Two-Day Course)
Security risks and best practices are organized into the domains of application security: authentication, access control, input validation, cryptography, and so on. Coverage of specific vulnerabilities emphasizes those enumerated in the PCI DSS and the OWASP Top 10.
The second day of training completes the best practices and vulnerabilities within the Domains of Application Security. If time permits, the participants may choose to continue with one of our optional modules: Threat Modeling, Software Security Assurance, or Conducting Assessments.
Participants are also welcome to present one of the organization’s applications for in-class testing.
Application Security 2 (Two-Day Course)
The goal of this training is to equip participants to identify and evaluate security risks in an application environment, whether in early development or already in production. The course will cover multiple approaches to evaluate security threats, including threat modeling, architecture review, static source code analysis, manual live testing, and application security scanning.
During the first day of training, participants will perform exercises to map data flows of application environments and identify emergent threats. The second day will have participants assessing live example applications with continual guidance and feedback from the instructor. The course will also review comprehensive threat models and security assessment reports of example systems inspired by real-world enterprises.
Application Security for Leadership (Two-Day Course)
This course examines four key areas of information security in the enterprise, as seen from the point of view of leadership. First, we cover the causes, impacts, and costs of application breaches, and what the organization can do to create a Software Security Assurance program that addresses security in ongoing development efforts. On day two, we look at ranking application risk across the organization’s portfolio and creating a remediation program to manage that risk. Finally, we close with a view of the myriad regulatory regimes and standards that can impact the organization.
Mobile Application Security (Two-Day Course)
Emphasis is placed on the distinct risks facing mobile applications compared to web services and other technologies. Security risks and best practices for Android and iOS are organized into domains such as authentication, access control, input validation, and cryptography. Coverage of specific vulnerabilities emphasizes those enumerated in the PCI DSS and the OWASP Top 10.
The second day of training completes the best practices and vulnerabilities within the Domains of Application Security for Android, followed by a look at best practices and vulnerabilities within the Domains of Application Security for iOS. Participants will complete exercises for each of the domains in Android. The same topics are then covered for iOS, using instructor-led demonstrations.