Application Security Education and Training

for your Developers, Managers, Security Specialists, and Executives

Aspect is the leading provider of application security training courses, averaging 500 students per quarter. Aspect understands that education and training are among the critical building blocks to achieving application security in an organization. Since 1998, we've taught thousands of developers, architects, testers, and managers how to build and test applications to ensure security. From individual course offerings to entire training initiatives, Aspect can meet your organization's application security training needs.

We offer onsite training at customer sites both in the U.S. and internationally. For individuals or small groups, public offerings of our courses are available directly through Aspect Security (see our current public course offering schedule) as well as through the SANS Institute and major security conferences such as the OWASP Conferences.

Hands On Courses

Over the years, we've found that hands-on experience with application security is the best way to learn. In many organizations, policies and restrictions can make it difficult to gain the necessary experience. To address this problem, we developed WebGoat and released it for free at OWASP. WebGoat is a full-blown web application that has dozens of lessons describing common application vulnerabilities. Now, anyone can start to learn about application security vulnerabilities in a safe environment.

Avoiding Innocent Code

Our goal is to teach developers how to avoid the "innocent code" mindset and understand their application's threat model. Most technical staff simply haven't been exposed to security at school or during their career. Even highly skilled architects and developers don't always consider how a malicious attacker could exploit their work.

Arranging a Course

Most clients arrange to host our courses in their own facilities. Public courses are provided through the SANS Institute. To schedule a course, discuss an organization-wide training program, or for more information, please contact us at 301-604-4882 or info@aspectsecurity.com.

Our Instructors

Aspect's instructors are professional software developers who have dedicated their careers to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technologies. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.

Curriculum Overview

Software Developer and Architect Training

  • Building and Testing Secure Web Applications - 2 day with hands-on testing
  • Secure Coding for Java EE - 3 day with hands-on testing & coding labs
  • Secure Coding for C# - 3 day with hands-on testing & coding labs
  • Secure Coding for ASP.NET - 3 day with hands-on testing & coding labs
  • Secure Coding for Cold Fusion MX - 3 day with hands-on testing & coding labs
  • Secure Coding for Classic ASP - 3 day with hands-on testing & coding labs

Optional Modules

  • Building Secure Web Services and SOA - 1/2 day
  • Building Secure Rich Internet Applications (Ajax) - 1/2 day

Note: All classes qualify as OWASP Top Ten Training, per v1.0 and v1.1 of the PCI Data Security Standard (PCI DSS).

Software Tester and Quality Assurance Training

  • Testing Web Application Security - 2 day with hands-on testing
  • Advanced Web Application Security Testing - 2 day with hands-on advanced tools

Leader and Manager Training

  • Leading the Development of Secure Applications - 1 day
  • Planning and Executing an Application Security Initiative - 1 day workshop

Security Specialist Training

  • Advanced Application Security Testing with WebScarab - 2 day
  • Threat Modeling - 2 day (coming soon)

Awareness Seminars

  • Application Security Awareness - 1/2 day
  • Application Security Introduction - 1 day
  • Application Security Refresher - 1 day

COURSE DESCRIPTIONS

Software Developer and Architect Training

Based on years of application security consulting work, Aspect's courses are designed to help developers and architects focus on what really matters. Developers will learn how to build security into applications, rather than bolting it on at the end of the SDLC. Hands-on programming examples and security testing exercises drive home all the key application security principles, vulnerabilities, countermeasures, and patterns. Most courses require only a common Windows laptop or workstation.

All the multiday classes in this category cover a common set of application security vulnerabilities including the OWASP Top Ten. As such, all these courses qualify as OWASP Top Ten Training, per v1.0 and v1.1 of the PCI Data Security Standard (PCI DSS). Requirement 6.5 of the PCI DSS specifically requires that organizations "cover prevention of common coding vulnerabilities in (their) software development processes", specifically listing the OWASP Top Ten as a minimum set to cover.

  • Building and Testing Secure Web Applications - 2 or 3 day hands-on

This course teaches developers how to avoid all of the common pitfalls in building critical web applications, including all of the OWASP Top Ten. The course uses hands-on exercises and group discussions to change the way developers think about security. The 3 day version adds additional areas, including XML and web services security.

  • Secure Coding for Java EE - 3 day hands-on programming

Although Java is billed as a secure language, Java EE applications have as many vulnerabilities as applications written in other languages. The Java edition of Secure Coding focuses on enabling Java EE developers to build secure applications using Java, J2EE and common open source Java security mechanisms. It covers servlets, Struts, JSP, persistence layers, and more.

  • Secure Coding for ASP.NET - 3 day hands-on programming

Microsoft has made secure coding a key part of its software development process. This course teaches the key best practices for securing and testing .NET web applications with hands-on programming exercises.

  • Secure Coding for Cold Fusion MX - 3 day hands-on programming

Cold Fusion applications can be difficult to secure. Developers will learn by actually securing a Cold Fusion application against many of the most common vulnerabilities.

  • Secure Coding for Classic ASP - 3 day hands-on programming

Many organizations have applications written in classic ASP. These applications don't have the same kind of security infrastructure that is available in modern environments. This course covers securing these applications with hands-on exercises to fix vulnerabilities.

  • Building Secure Web Services and SOA - 1/2 day (optional module)

Securing web services and SOA takes a focus on the fundamentals like input validation, authentication, access control, error handling and logging, as well as an understanding of all the standards and mechanisms in this fast-moving area. This course teaches both with practical implementation and testing techniques.

  • Building Secure Rich Internet Applications - 1/2 day (optional module)

Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This half day seminar addresses the special issues that arise in this type of application development.

Software Tester and Quality Assurance Training

  • Advanced Web Application Security Testing - 2 day hands-on testing

Integrating security into software testing and QA activities is critical to achieving secure applications. With lots of hands-on exercises and group activities, this course covers creating, coordinating, and executing security testing as part of a software testing and QA process.

Leader and Manager Training

  • Leading the Development of Secure Applications - 1 day

Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.

  • Planning and Executing an Application Security Initiative - 1 day

This 1 day workshop discusses approaches for improving your organization's ability to produce secure code. We'll work through organizational structure, budget, teams, project planning, process improvement, technology integration, metrics, and other issues. You'll emerge with a set of clear priorities and a roadmap for your initiative.

Security Specialist Training

  • Advanced Application Security Testing with WebScarab - 2 day

This course shows how to use all the advanced features of WebScarab to fully test web applications and web services. Advanced features like scripting, fuzzing, session analysis, and much more are covered in hands-on labs.

  • How to Become an Application Security Architect - 2 day

Most software projects should have an application security architect to ensure that security is addressed properly throughout the lifecycle. This course details activities like threat modeling, security requirements, application security architecture, coding guidelines, security testing, and more.

  • Threat Modeling - 2 day

This hands-on course teaches a practical threat modeling approach that has proven effective. With many group exercises, worksheets, and techniques you can take home and apply immediately, we'll show you how to create, manage, and use a threat model to drive application security across the lifecycle.

Awareness Seminars

  • Application Security Awareness - 1/2 day

This short course is designed to enable participants to understand the importance of application security, identify key areas and issues, and become familiar with the important activities in producing secure code.

  • Application Security Introduction - 1 day

This full-day course is targeted at organizations that are just getting started with application security and would like a walkthrough from an experienced practitioner. This course is similar to the awareness seminar, but has more demonstrations and group exercises.

  • Application Security Refresher - 1 day

The application security refresher is intended for students who have completed a secure coding class and need to stay up to date with the latest threats, techniques, and best practices.