Public Course Descriptions
A description of each of our public courses is provided below. Our current public course offering schedule, course pricing, and registration information is available on our Public Application Security Training Schedule page.
The description of Aspect Security's entire course catalog is available on our Education and Training page.
Building and Testing Secure Web Applications - Two Day Hands On
Course Overview
Most developers learn what they know about security on the job, usually by making mistakes. Sadly, that’s not working. Most recent data shows that hackers have turned their attention away from operating system and network flaws to web applications as their target of choice. Developers who once could rely on application obscurity are now targeted by hackers who use their programming errors to steal sensitive corporate or government data, make millions of dollars in illicit gains, and embarrass their targets.
Aspect has worked with many government and commercially focused development teams around the country to raise awareness and understanding of security issues. We have developed powerful multi-day versions of this course that focus on the most common application security problems. This course covers the traditional application security issues, including the OWASP Top Ten, plus many other issues that introduce significant additional risk and are frequently not addressed properly. It also provides a forum for developers to discuss security issues specific to their application and to establish basic security ground rules that will last throughout a project’s life cycle.
Aspect has taught this course to thousands of software developers, IT security engineers, and QA team members, including dozens of course offerings to several of the most security-minded defense contractors in the country. With its hands-on testing labs, code review scenarios, and group exercises, it works. It is packed with hard-hitting examples and demonstrations of flaws uncovered in real-world code review and penetration testing efforts. SANS has selected Aspect’s course and now offers it at its major SANS events all around the country. From SANS: “This is the one course in the country that has been successful in teaching application developers the most common application security problems and how to avoid them.”
Details
The course starts with a module that demonstrates just how insecure most web applications are. It demonstrates how hackers are able to attack web applications, and what common vulnerabilities they exploit. The next modules detail specific security areas, discussing the foundational principles and best practices, and review code examples of design patterns for solutions.
This course includes the following security areas:
Hands-on testing labs:
- Students will learn by actually testing a real web application that contains many security flaws. Students will use OWASP WebScarab, a security testing tool, to find and diagnose vulnerabilities. This hands-on session finishes with an exciting online challenge to cement the principles in the course.
Requirements
If you are interested in participating in the hands-on portions of the course, please bring a Windows-based laptop that meets the minimum requirements.
Leading the Development of Secure Web Applications
Course Objectives
At the highest level, the objective for this course is to ensure that leaders and managers understand how to lead in a way that encourages application security and why that is important.
Course Overview
In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle.
These ten key questions are:
1. Why is application security so important?
2. What are the most critical vulnerability areas to focus on and how?
3. What security tools and technologies do software projects need?
4. How do I establish an application security initiative in my organization?
5. How can I enhance my SDLC to include security activities?
6. How do I measure my organization’s progress in application security?
7. How can I get my developers to care about application security?
8. What teams and roles should I create to address application security?
9. How do I get a handle on the security of my entire application portfolio?
10. What is the most effective way of securing legacy applications?
This is the right course at the right time for any executive who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example, the Robert Francis Group (a well-known application development analyst group) wrote:
“The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment.”
This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness and live demonstrations of commonly found vulnerabilities in software.
Audience
The intended audience for this course is:
- Program Managers
- Account Managers
- Functional/Resource Application Managers
- Technical Program/Project Managers (Chief Engineers)
- Executives
- Directors
- Key/Technical Decision Makers
Building Secure Rich Internet Applications - One Day
This one-day class covers common RIA security threats and vulnerabilities and provides specific guidance on how to develop RIAs that defend against them.
Training developers on secure coding practices offers one of the highest returns of any security investment, because it eliminates vulnerabilities at the source. Aspect’s Building Secure RIA course is designed to enable developers to use RIA technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.’ The class is led by an experienced developer and is delivered in a very interactive manner.
This course is intended to build on one of Aspect’s foundational secure coding courses. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how RIA attacks work, the impacts of successful attacks, and what to do to defend against them.
- Securing web services and SOA takes a focus on the fundamentals like input validation, authentication, access control, error handling and logging, as well as an understanding of all the standards and mechanisms in this fast-moving area. This course teaches both with practical implementation and testing techniques.
Secure Coding for .NET - Three Day Hands On Programming
Microsoft has made secure coding a key part of their software development process. This course teaches the key best practices for securing and testing .NET web applications with hands-on programming exercises.
This course extends the Building and Testing Secure Web Applications course by adding a significant amount of .NET-specific content and exercises. Everything in the two-day version of the course is covered in this course. In addition, all language-specific content such as code examples, spot-the-bug exercises, and server-specific recommendations has been translated to .NET and the IIS server. This course also adds:
Hands-on .NET coding labs:
- Three multistage hands-on .NET programming labs have been added to this course. In these labs, the student not only finds flaws in a sample .NET application, but then actually fixes the code using a .NET IDE. They complete the lab stages by retesting to prove that they have fixed the target vulnerability for that stage.
Additional Content:
- Modules on XML and Web Services Security, including additional Web Services hands-on security testing labs
- Numerous Spot the Bug Exercises are added where students are challenged to find real life security flaws in carefully constructed code samples
- More in-depth discussion of topics from the 2-day course, including additional examples, code snippets, design patterns, and configuration recommendations
Requirements
To participate in the hands-on portions of the course, please bring a Windows-based laptop that meets the minimum requirements.
Advanced Web Application Security Testing - Two Days
Course Overview
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.
This two-day course is designed to teach existing web application developers how to test for security issues. Participants will learn how to scope a security review and prioritize the work, understand the manual and automated tools and techniques available and when to apply them, and learn how to determine the real risk value of a finding. To achieve these goals, students will assess the OWASP Top Ten security areas within a real-world application.
This course will utilize a modified version of the Java Pet Store J2EE web application provided by the Blueprints project. Not only will we identify vulnerabilities introduced into the application, but students will also be asked to identify actual 0-day vulnerabilities existing in the Java Pet Store baseline! Students gain hands-on testing experience with freely available web application security test tools to find and diagnose flaws and learn to identify them in their own projects. The students are then guided through the process of how to create and communicate effective software security flaw descriptions for the flaws they have discovered.
Prerequisites
Students need to be very familiar with common web application security issues, including the OWASP Top Ten. As an advanced class, students should already have some basic experience doing web application security testing. At a minimum, students should have already gone through and solved most of the web application security lessons in OWASP's WebGoat (www.owasp.org/index.php/OWASP_WebGoat_Project) or have experienced similar testing activities.
Requirements
To participate in the hands-on portions of the course, please bring a Windows-based laptop that meets the minimum requirements.
Secure Coding for Java EE - Two Day Hands On Programming
Summary
This course is similar to Aspect's Building and Testing Secure Web Applications, except that it includes a significant amount of Java-focused content, including:
- a Java EE security overview,
- coding examples and recommendations that are specifically focused on Java and Java servers, and
- three additional hands-on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.
To make room for this Java specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.
This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.
Course Overview
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.
This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.
Details
This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.
The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):
- Authentication and Session Management
- Access Control
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Input Validation
- Protecting Sensitive Data (w/ Crypto)
- Database Security (Including SQL Injection)
- Error Handling and Logging
- Code Quality
For each area, the course covers the following:
- Theoretical foundations
- Recommended security policies
- Common pitfalls when implementing
- Details on historical exploits
- Best practices for implementation
Hands on Testing Exercises
To cement the principles delivered in the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During these exercises students will attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. Students will use the proxy tools commonly used by the hacker community to complete the exercises.
Hands on Coding Exercises (Only in Java specific version of this class!)
For this Java focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.
Foundations of Web Application Security for Java EE - One Day Hands On Programming
Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts. This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.
This course includes coverage of the following common vulnerability areas (the OWASP Top 10):
- A1 - Cross Site Scripting (XSS)
- A2 - Injection Flaws
- A3 - Malicious File Execution
- A4 - Insecure Direct Object Reference
- A5 - Cross Site Request Forgery (CSRF)
- A6 - Information Leakage and Improper Error Handling
- A7 - Broken Authentication and Session Management
- A8 - Insecure Cryptographic Storage
- A9 - Insecure Communications
- A10 - Failure to Restrict URL Access
To cement the principles discussed, students can participate in a number of hands-on security testing exercises in which they attack a live web application (WebGoat) that has been seeded with common web application vulnerabilities. Students will use the proxy tools commonly used by the hacker community to complete the exercises.
Requirements
If you are interested in participating in the hands-on portion of the course, please bring a Windows-based laptop.
Leading, Planning and Executing an Application Security Initiative
Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressure by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern: organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications.
This course will provide answers to some of the key questions you may have been challenged with:
- Why is application security so important?
- What are the most critical vulnerability areas to focus on and how?
- What security tools and technologies do software projects need?
- How do I establish an application security initiative in my organization?
- How can I enhance my SDLC to include security activities?
- How do I measure my organization’s progress in application security?
- How can I get my developers to care about application security?
- What teams and roles should I create to address application security?
- How do I get a handle on the security of my entire application portfolio?
- What is the most effective way of securing legacy applications?
This is the right course at the right time for any executive or manager who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example, the Robert Francis Group (a well-known application development analyst group) wrote:
“The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment.”
In this two-day management session you’ll get an industry perspective on application security, understand the key vulnerabilities in applications, learn to analyze root causes, and receive practical and proven techniques for building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities, and workgroup exercises in which attendees conduct capability assessments and recommend improvement plans.