SECURE DEVELOPMENT TRAINING
The responsibility for securely developed applications lies, in part, with developers. However, it is often the case that developers are targeted and judged on areas that are not security-related. It may be that the security of an application or system is an afterthought.
LRQA Nettitude delivers a two-day secure development course aimed at empowering developers with techniques that result in secure code being delivered almost without thought. Securely developed code does not need to be an arduous affair. By integrating secure development practices into the core of what developers do, the overall security posture of their work will markedly improve with little impact to other measures of output. LRQA Nettitude specialise in making this a reality through secure development training.
This course can now also be delivered remotely and has been designed to deliver the same impact as the course delivered on site.
What Does A Typical Secure Development Course Look Like?
LRQA Nettitude will generally spend two days delivering a hands-on course that clearly demonstrates common pitfalls that result in insecure code. The course is typically modified to suit the specific requirements of the organisation receiving the training. For example, the programming languages used as examples and the vulnerabilities focused on will vary. The following is an example where web application development and impact demonstrations were the primary concerns. Contact us to receive a syllabus unique to your requirements.
a. Trainer introduction
b. Course introduction
d. Current threat landscape
e. Recent breaches and their implications (GDPR)
2.2 Information Security Fundamentals
d. Why use the CIA model?
2.3 Information Security Data States
a. Data at rest
b. Data in use
c. Data in transit
d. Secure communications
e. Access controls
f. Secure storage
g. Hashing and password storage
2.4 Understanding Risk
a. Asset value
b. Threat consideration
c. Vulnerability assessment
d. Risk calculation
e. Risk mitigation
2.5 Trust Relationships
a. Principle of least privilege
b. Data sharing between components
c. Secure handling of data and user input
2.6 OWASP Top 10 Vulnerabilities
Analysis of each of the following types of vulnerability, with hands-on exploitation and discussion around remediation:
a. A1 : Injection
b. A2 : Broken Authentication
c. A3 : Sensitive Data Exposure
d. A4 : XML External Entities (XXE)
e. A5 : Broken Access Control
f. A6 : Security Misconfiguration
g. A7 : Cross-Site Scripting (XSS)
h. A8 : Insecure Deserialisation
i. A9 : Using Components with Known Vulnerabilities
j. A10 : Insufficient Logging & Monitoring
2.7 Being Proactive About Security
a. How to research about security issues
b. Threat modelling techniques
c. Test plans
d. OWASP Application Security Verification Standard and how this can be used during development and Quality Assurance
2.8 OWASP Top 10 Proactive Controls
a. Define Security Requirements
b. Leverage Security Frameworks and Libraries
c. Secure Database Access
d. Encode and Escape Data
e. Validate All Inputs
f. Implement Digital Identity
g. Enforce Access Controls
h. Protect Data Everywhere
i. Implement Security Logging and Monitoring
j. Handle All Errors and Exceptions
2.9 Resources for Developers
a. OWASP Code Review Guide
Who Will Deliver The Course?
LRQA Nettitude uses only security consultants who have experience as both developers and security professionals to deliver secure development training.
How Will The Training Be Delivered?
LRQA Nettitude understands that ‘death by PowerPoint’ is neither an engaging nor a useful means of knowledge transfer. There is real power in allowing students to arrive at their own “aha!” moment, and so that is how the training is designed to be delivered.
The training is very practical in nature; developers will be taught the art of offense as well as defense in order to help cement the impact of insecure coding practices in their minds. Often, the training takes on a competitive nature too – indeed, the course ends with a friendly competition that pits the developers against each other.
Although each course is tailored to suit the requirements of the organisation, LRQA Nettitude’s trainers are well equipped to ‘go off road’ and take the delivery in whatever direction is of most benefit to the delegates, as their strengths and weaknesses emerge. This may mean spending more or less time on a given topic than originally anticipated or it might even mean the delivery of content not originally planned for.
With all of that said, the objectives of the course are laid out at the very beginning of the process and LRQA Nettitude will always ensure that those objectives are met.
In order to adapt to a new way of working, LRQA Nettitude have developed an efficient system for delivering remote training courses. This training is delivered by webinar and includes all standard training course material, which is available to download. Whilst it is delivered on screen, we aim to keep it highly interactive and just as engaging, to again ensure there is no death by PowerPoint.