SECURE DEVELOPMENT TRAINING
The responsibility for securely developed applications lies, in part, with developers. However, it is often the case that developers are targeted and judged on areas that are not security-related. It may be that the security of an application or system is an afterthought.
LRQA Nettitude delivers a two-day secure development course aimed at empowering developers with techniques that result in secure code being delivered almost without thought. Securely developed code does not need to be an arduous affair. By integrating secure development practices into the core of what developers do, the overall security posture of their work will markedly improve with little impact to other measures of output. LRQA Nettitude specialise in making this a reality through secure development training.
What Does A Typical Secure Development Course Look Like?
LRQA Nettitude will generally spend two days delivering a hands-on course that clearly demonstrates common pitfalls that result in insecure code. The course is typically modified to suit the specific requirements of the organisation receiving the training. For example, the programming languages used as examples and the vulnerabilities focused on will vary. The following is an example where web application development and impact demonstrations were the primary concerns. Contact us to receive a syllabus unique to your requirements.
DAY ONE
1. Tools used for web and general security assessment
- Intercepting proxies such as Burp Suite
- SSL assessment tools
- SQLMap
- Other general tools
2. OWASP top 10
- Focusing on how these apply to (specific to client):
- C#
- HTML/JS
- Examples of real-world attacks
3. Vulnerabilities not covered by OWASP top 10
- Server side request forgery
- Weak password/account controls
- Inappropriate use of cryptography
4. Advanced web vulnerabilities and platform-specific flaws
- Angular JS sandbox bypass
- Unsafe unserialisation
- Cross origin resource sharing flaws
- dMongoDB misconfigurations
DAY TWO
5. Dangerous software features
- Identification
- Examples of these exploited
- Mitigation strategies if removal is not possible
6. Attack awareness
- How organizations are attacked focus on the following vectors:
- Social engineering (SE) – phishing and internal SE
- Outdated software
- Detection
- Response
- Principle of least privilege
7. Post exploitation
- Password hash cracking
- Data exfiltration
- Lateral movement
8. Mitigation against social engineering
- In-depth demonstration of social engineering attack
- Mitigating against:
- Limiting social media exposure
- Macro lockdown/signing
- File associations
9. Capture the flag
Who Will Deliver The Course?
LRQA Nettitude uses only those security consultants who have experience as both developers and as security professionals to deliver secure development training.
How Will The Training Be Delivered?
LRQA Nettitude understands that ‘death by PowerPoint‘ is neither an engaging or useful means of knowledge transfer. There is real power in allowing students to arrive at their own “aha!” moment and so that is how the training is designed to be delivered.
The training is very practical in nature; developers will be taught the art of offense as well as defense in order to help cement the impact of insecure coding practices in their minds. Often, the training takes on a competitive nature too – indeed, the course ends with a friendly competition that pits the developers against each other.
Although each course is tailored to suit the requirements of the organisation, LRQA Nettitude’s trainers are well equipped to ‘go off road’ and take the delivery in whatever direction is of most benefit to the delegates, as their strengths and weaknesses emerge. This may mean spending more or less time on a given topic than originally anticipated or it might even mean the delivery of content not originally planned for.
With all of that said, the objectives of the course are laid out at the very beginning of the process and LRQA Nettitude will always ensure that those objectives are met.
