Security Awareness, Training and Education Catalog

Post on 22-Aug-2019


Page 1: Security Awareness, Training and Education Catalog · Security Awareness Topics These lessons cover best practices for common types of tools and activities on the job. Include all


SECURITY AWARENESS, TRAINING AND EDUCATION CATALOG

Introduction

The human factor – what employees do or don’t do – is the biggest threat to an organization’s information security, yet it’s often the most overlooked. Whether they are processing credit cards, handling clients’ personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data, unless you help them learn how to protect against and respond to security incidents. It’s vital to your business to provide security education to your employees and partners.

Trustwave offers two key types of security education:

• Security Awareness Education for all staff
• Secure Developer Training for technical staff

Use this catalog to browse these security education offerings. If you have questions, reach out to your Trustwave account manager or use the Contact Us section of the Trustwave website at www.trustwave.com.


Table of Contents

Security Awareness Education (SAE) .......... 2
• SAE Lessons .......... 3
• Banking Security .......... 6
• Security Awareness Course Builder .......... 7
• SAE Visual Material .......... 8
Secure Development Training (SDT) .......... 9
• SDT Lessons .......... 10
• Secure Development Bundles .......... 17


2

Security Awareness Education

Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security education courses will be set up and which additional print-based materials you would like to order to reinforce your program year-round. This section is designed to guide you through the program and help you choose the option that is right for you and your organization.

SAE Lessons
Use the SAE Lessons list to browse our library of security awareness lessons. Categorized by areas of interest, each lesson’s catalog code, topic, and objectives are listed to help you decide which topics are most appropriate for your target audience(s). Most lessons are available in English, Spanish, Portuguese, French, and Swedish. You may also view our lessons in the Trustwave SAE portal. Contact your Trustwave account manager if you would like to receive a free trial.

Security Awareness Course Builder
The Security Awareness Course Builder page lists the lessons included in each course offering, tailored for common organizational roles requiring security awareness training. If these lesson combinations don’t fit your organization’s needs, or if you’d like to include additional materials such as quizzes or your organization’s own information security policies, use the table at the bottom of the Security Awareness Course Builder page to identify the course content you would like us to build.

SAE Posters
Often, organizations administer formal security awareness training only once per year. Including SAE posters in your office environment helps keep employees aware of their security responsibilities year-round.


3

SAE Lessons
Each course in your Security Awareness Education program may be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial, contact your Trustwave account manager.

Compliance Lessons
These lessons cover the basic principles of various compliance standards mandating training and other information security measures.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

COM-01 PCI Overview
Lesson objective: Recognize how the Payment Card Industry (PCI) Data Security Standard (DSS) protects cardholder data.
Supporting objectives:
• Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications.
• Recognize high-level compliance requirements.
• Describe the PCI regulatory environment and recognize high-level compliance requirements.

COM-02 HIPAA Overview
Lesson objective: Recognize how the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act protect the privacy and security of protected health information (PHI).
Supporting objectives:
• Recognize key HIPAA and HITECH stakeholders.
• Recognize the purpose and scope of HIPAA privacy and security rules.
• Recognize high-level compliance requirements.

COM-03 PCI for Retail Managers
Lesson objective: Recognize how the PCI DSS affects managers and their role in enacting PCI compliance strategies.
Supporting objectives:
• Recognize credit card features and security elements.
• Recognize indicators of credit card fraud or tampering.
• Understand how to respond in the case of suspicious or fraudulent payment activity.

COM-04 PCI Essentials (abbreviated version of PCI Overview)
Lesson objective: Recognize how PCI self-regulates to protect cardholder data.
Supporting objectives:
• Recognize the cycle of a credit card transaction.
• Recognize high-level compliance requirements.

Core Concepts
These lessons cover basic security awareness concepts that all employees should understand.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

COR-01 Introduction to Security Awareness
Lesson objective: Demonstrate basic knowledge of security awareness.
Supporting objectives:
• Understand the definition of security awareness.
• Recognize the importance of protecting information.

COR-02 Social Engineering
Lesson objective: Recognize how common social engineering tactics threaten information security.
Supporting objectives:
• Define social engineering, recognize who is at risk of becoming a victim and list the types of information targeted by social engineers.
• Understand the definition of security awareness, recognize the most common channels for social engineering, and recognize popular social engineering ploys.
• List best practices to avoid becoming a victim of social engineering.


4

Security Awareness Topics
These lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

SAT-01 Physical Security
Lesson objective: Define physical security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the importance of physical security and list the information at risk.
• Recognize common attacks on physical security.
• Recognize physical security vulnerabilities and best practices for securing your workplace.

SAT-02 PC Security
Lesson objective: Define PC security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the risks of leaving your computer unprotected.
• List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk.
• List and describe critical PC security measures and best practices.

SAT-03 Email Security
Lesson objective: Define email security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the risk to information security if secure email practices are not in place.
• Recognize the most common email scams and the measures you can take to avoid becoming a victim.
• List best practices for using email securely.

SAT-04 Password Security
Lesson objective: Define password security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the importance of keeping passwords protected.
• List the ways password protection may be used to keep information secure.
• List basic rules for building a strong password and recognize best practices for effective password use.

SAT-05 Web Browsing Security
Lesson objective: Define web browsing security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the risks of visiting unknown and unsecure websites.
• List the most common web security threats and recognize how you may put your organization’s information at risk.
• List and describe best practices for browsing the web securely.

SAT-06 Mobile Device Security
Lesson objective: Define mobile device security, recognize common threats and list best practices.
Supporting objectives:
• Recognize the risks of leaving your device unprotected.
• Recognize common mobile device attacks and user mistakes that put information at risk.
• List and describe common mobile device security measures.

Best Practices for Job Roles
These lessons target specific job roles within an organization. Each course you create should contain one of these JRT (Job Role Training) lessons, chosen according to the audience’s role and industry.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

JRT-01 Secure Practices for Retail Associates
Lesson objective: Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting objectives:
• Recognize the information security responsibilities of retail associates that impact the retail environment.
• List and describe information security responsibilities and best practices of retail associates.

JRT-02 Secure Practices for Retail Managers
Lesson objective: Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting objectives:
• Recognize the security responsibilities of retail managers or owners that impact the retail environment.
• List and describe information security responsibilities and best practices of retail managers.


5

JRT-03 Secure Practices for Call Center Employees
Lesson objective: Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure.
Supporting objectives:
• Recognize the information security laws and regulations that impact the call center environment.
• Recognize the responsibility of call center employees to protect the information they work with each day.
• List and describe the information security responsibilities and best practices of call center employees.

JRT-04 Secure Practices for Call Center Managers
Lesson objective: Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center.
Supporting objectives:
• Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment.
• List and describe information security responsibilities and best practices of call center managers.

JRT-05 Secure Practices for Enterprise Employees
Lesson objective: Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure.
Supporting objectives:
• Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment.
• List and describe information security responsibilities and best practices of enterprise employees.

JRT-06 Secure Practices for IT and Engineering Staff
Lesson objective: Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure.
Supporting objectives:
• Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibilities of personnel to protect the information they work with each day.
• List and describe the information security responsibilities of IT and engineering staff.
• List best practices for IT and engineering staff to help keep information secure.

Advanced Security Topics
These lessons cover a wide range of advanced topics for managers and technical personnel.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

ADV-01 PCI Forensic Investigations
Lesson objective: Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated.
Supporting objectives:
• Identify common ways breaches are discovered and the high-level steps employees should take if a breach is discovered.
• Learn about the Trustwave PCI forensic investigation process and a breached organization’s responsibility to report and remediate security deficiencies.
• Recognize common security threats and the importance of continuous compliance to protect against them.

ADV-02 Exploring Security Trends
Lesson objective: Recognize key findings of Trustwave’s annual Global Security Report and list ways to improve security this year based on last year’s trends.
Supporting objectives:
• Recognize the purpose and contents of Trustwave’s Global Security Report.
• Recognize key findings of the current Global Security Report.
• List security best practices that help organizations avoid the security pitfalls of last year.


6

Banking Security
Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While you are taking steps to protect your customers from identity theft and financial crimes, customers themselves must also implement security best practices when accessing online banking on their personal or business computers. Providing resources that educate customers about best practices for securing their information online demonstrates your commitment to securing your customers’ information, improves security for you and your customers, and helps satisfy Federal Financial Institutions Examination Council (FFIEC) requirements for customer education.

Banking Security
These lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.

Columns: # | Lesson Name | Lesson Objectives | Supporting Objectives

BAN-01 Online Banking Security
Lesson objective: Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats.
Supporting objectives:
• Recognize ways information is stolen from online accounts.
• Recognize the monetary risk of security incidents and the top attack targets used by criminals.
• Learn how banks and their customers work together to protect valuable information.

BAN-02 Protecting Online Accounts for Businesses
Lesson objective: Recognize a business’s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so.
Supporting objectives:
• Recognize a business’s role in keeping its sensitive information secure online.
• List best practices for businesses to use to protect their sensitive information.

BAN-03 Protecting Online Accounts for Consumers
Lesson objective: Recognize the individual’s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so.
Supporting objectives:
• Recognize an individual consumer’s role in keeping their sensitive information secure online.
• List best practices consumers can use to protect their sensitive information.


7

Security Awareness Course Builder
The first table below indicates the lessons included in our basic SAE courses. These lessons are targeted to common roles that fit most organizations. Also shown below is the recommended Job Role Training (JRT) lesson for each role.

If you prefer to create a custom course, use the Create Your Own table to indicate what lessons you would like to include in which courses.

[Table: lessons included in each basic SAE course; only the course names are recoverable here]
• Security Awareness for Retail Associates
• Security Awareness for Retail Managers
• Security Awareness for Call Center Employees
• Security Awareness for Call Center Managers
• Security Awareness for Enterprise Employees
• Security Awareness for IT and Engineering Staff
• Security Awareness for Health Care Staff
• Security Awareness for Bank Staff

Create Your Own
Use this section to mix and match lessons to build up to five courses of your own. Just print this sheet and fill in the necessary information, which you can then share with your Trustwave account manager.

[Table: Create Your Own. Column headings: COM-01, COM-02, COM-03, COR-01, SAT-01, SAT-02, SAT-03, SAT-04, SAT-05, SAT-06, BAN-01, BAN-02, BAN-03, JRT-01, JRT-02, JRT-03, JRT-04, JRT-05, JRT-06, ADV-01, ADV-02, Quiz, Policy Document, COR-02. Rows for up to five courses are left blank for you to fill in.]


8

SAE Visual Material
Augment your security awareness program with posters specific to your target audience. Posters are only available in English, and they are in PDF format. Posters are available for download in the SAE portal and are included with client-hosted content packages.


9

Secure Development Training (SDT)

Trustwave offers a suite of web-based technical lessons that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the lessons that is most relevant to them, or give them access to an SDT lesson bundle. No matter what option you select, this section will help you decide which lessons are right for your staff.

Secure Development Lessons
Use the SDT Lessons list to browse our library of SDT lessons. Categorized by the stages of the Software Development Life Cycle (SDLC), each lesson’s catalog code, topic, and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s).

Secure Development Bundles
The Secure Development Bundles page shown on page 17 of this document defines the lesson bundles available to customers using SDT. You can use the Secure Development Bundles page to note which courses (consisting of various lessons) you would like to offer to your staff.


10

Security Awareness and Process
These lessons cover topics related to fundamental security awareness concepts as they relate to software development.

Columns: # | Lesson Name | Lesson Objectives | Time | Prerequisites

AWA 101 Fundamentals of Application Security
Lesson objectives:
• Understand and recognize threats to applications.
• Understand how to leverage the Open Web Application Security Project (OWASP) top ten list to create more secure web applications and conduct specific activities at each development phase to ensure maximum hardening of applications.
Time: 1 hour
Prerequisites: Understanding of the Software Development Life Cycle (SDLC) and technologies; basic understanding of software security.

AWA 102 Protecting Online Accounts for Businesses
Lesson objectives:
• Recognize the main characteristics of an SDLC and the activities that an organization should perform to develop secure software.
• Recognize the need to address software security in everyday work activities.
Time: 1 hour
Prerequisites: Basic knowledge of software development processes and technologies.

AWA 110 Fundamentals of Security Awareness for Mobile Devices
Lesson objectives:
• Recognize the security risks of using mobile devices and introduce the five fundamentals of secure mobile computing.
• Understand and be able to implement security best practices that mitigate risks to privacy, confidential data, reputation, and other assets.
Time: 30 minutes
Prerequisites: None

AWA 111 Fundamentals of Security Awareness for Social Media
Lesson objectives:
• Recognize why social media security is important to both employees and employers.
• Understand general privacy and security best practices that can be applied across all social media sites.
• Recognize privacy and security issues, best practices for managing company pages, and addressing employer policies for social media usage by employees.
Time: 30 minutes
Prerequisites: None

Security Engineering
These lessons cover topics related to the employment of security awareness strategies as a Software Engineer.

Columns: # | Lesson Name | Lesson Objectives | Time | Prerequisites

ENG 101 Microsoft SDL for Managers
Lesson objectives:
• Introduction to the Microsoft SDL (Security Development Lifecycle), an industry-leading software security assurance process developed by Microsoft to build trustworthy software products.
• Understand and identify the SDL requirements for building and deploying secure software applications.
• Understand the benefits teams gain by following the SDL.
• Understand their role and responsibilities as they pertain to their team following the SDL.
• Understand common problems that can delay or stop product shipment.
Time: 1 hour
Prerequisites: Knowledge of the Software Development Life Cycle (SDLC)

ENG 102 Introduction to the Microsoft SDL
Lesson objectives:
• Learn how to design and implement products that meet an organization’s security needs.
• Identify the benefits of the SDL.
• Recognize the importance of the Final Security Review.
• Understand the steps necessary to meet SDL requirements.
• Identify the appropriate tools required by the SDL.
Time: 1 hour
Prerequisites: Knowledge of the SDLC

ENG 201 SDLC Gap Analysis and Remediation Techniques
Lesson objectives:
• Understand how to identify areas of improvement in the Software Development Life Cycle (SDLC).
• Review key security engineering activities.
• Identify measurable goals and appropriate standards.
• Assess existing development processes.
• Learn how to build an activity matrix and a remediation road map.
• Understand goals, processes, and best practices for auditing software security processes within the context of the SDLC.
Time: 45 minutes
Prerequisites:
• Microsoft SDL for Managers (ENG 101)
• Fundamentals of Application Security (AWA 101)

SDT Lessons


11

ENG 211 How to Create Application Security Design Requirements
Lesson objectives:
• Understand, create, and articulate security requirements.
• Understand the security engineering process.
• Recognize key security engineering activities to integrate into the SDLC.
• Understand software security objectives and apply security design guidelines.
Time: 1 hour
Prerequisites:
• Introduction to the Microsoft SDL (ENG 102)
• Fundamentals of Application Security (AWA 101)

ENG 301 How to Create an Application Security Threat Model
Lesson objectives:
• Identify goals of threat modeling and the corresponding SDLC requirements.
• Identify the roles and responsibilities involved in the threat modeling process.
• Recognize when and what to ‘threat model’.
• Identify tools to assist in threat modeling.
• Understand how to use the threat modeling process to accurately identify, mitigate and validate threats.
Time: 90 minutes
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Architecture Risk Analysis and Remediation (DES 212)

ENG 311 Attack Surface Analysis and Reduction
Lesson objectives:
• Understand the goals and methodologies of attackers.
• Identify attack vectors.
• Learn how to minimize the attack surface of an application.
• Learn how to define the attack surface of an application.
• Learn how to reduce the risk to an application by minimizing its attack surfaces.
Time: 1 hour
Prerequisites:
• Fundamentals of Secure Development (COD 101)
• Architecture Risk Analysis and Remediation (DES 212)

ENG 312 How to Perform a Security Code Review
Lesson objectives:
• Learn how to best organize a code review.
• Learn how to prioritize code segments to review.
• Learn best practices for reviewing source code and maximizing security resources.
Time: 1 hour
Prerequisites:
• Fundamentals of Secure Development (COD 101)
• Architecture Risk Analysis and Remediation (DES 212)

ENG 391 How to Create an Application Security Threat Model for Embedded Systems
Lesson objectives:
• Learn additional information about creating an Application Security threat model.
• Learn how to map content to specific compliance and regulatory requirements.
• Learn about key reference resources that support the topics covered in the module.
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: How to Create an Application Security Threat Model (ENG 301)

ENG 392 Attack Surface Analysis and Reduction for Embedded Systems
Lesson objectives:
• Learn additional information about Attack Surface Analysis and Reduction (particularly important to embedded software engineers).
• Learn about key reference resources that support topics covered in this module.
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Attack Surface Analysis and Reduction (ENG 311)

ENG 393 How to Perform a Security Code Review for Embedded Systems
Lesson objectives:
• Learn additional information about code review (particularly important to embedded software engineers).
• Learn how to map content to specific compliance and regulatory requirements.
• Learn about key reference resources that support the topics covered in the module.
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: How to Perform a Security Code Review (ENG 312)

Secure Design
These lessons cover topics related to secure software architecture and design, to help plan security into applications before any code is written.

Columns: # | Lesson Name | Lesson Objectives | Time | Prerequisites

DES 101 Fundamentals of Secure Architecture
Lesson objectives:
• Examine the state of the industry from a security perspective.
• Learn about the biggest security disasters in software design.
• Understand that confidentiality, integrity, and availability are the three main tenets of information security.
• Learn how to avoid repeating past information security mistakes.
Time: 1 hour
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• How to Create Application Security Design Requirements (ENG 211)


12

DES 201 Fundamentals of Cryptography
Lesson objectives:
• Learn the basic concepts of cryptography and common ways that it is applied, from the perspective of application development.
• Learn the importance of randomness; the roles of encoding, encryption, and hashing; the concepts of symmetric and asymmetric encryption; the purpose of cryptographic keys; and the roles of message authentication codes (MACs) and digital signatures.
• Learn about the complexity of cryptography.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top Ten Threats and Mitigations (DES 221)

DES 212 Architecture Risk Analysis and Remediation
Lesson objectives:
• Learn concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws.
Time: 1 hour
Prerequisites: Fundamentals of Application Security (AWA 101)

DES 213 Introduction to Security Tools and Technologies
Lesson objectives:
• Review the types of security tools.
• Learn how to interpret, prioritize, and act on the tool output.
• Learn strategies for selecting and deploying tools.
Time: 2 hours
Prerequisites: Fundamentals of Security Testing (TST 101)

DES 221 Threats and Mitigation
Lesson objectives:
• Identify and mitigate the greatest threats that web application developers face.
Time: 2 hours
Prerequisites: None

DES 292 Architecture Risk Analysis & Remediation for Embedded Systems
Lesson objectives:
• Learn additional information about Architecture Risk Analysis and Remediation training (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Architecture Risk Analysis & Remediation (DES 212)

DES 311 Creating Secure Application Architecture
Lesson objectives:
• Learn how to harden applications and make them more difficult for intruders to breach.
• Learn about compartmentalization, centralized input, and data validation as methods to protect applications from malicious input.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Security Testing (TST 101)

DES 391 Creating Secure Application Architecture for Embedded Systems
Lesson objectives:
• Learn additional information about Creating Secure Application Architecture (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Creating Secure Application Architecture (DES 311)

Secure Coding
These lessons cover topics related to the implementation stage of the Software Development Life Cycle (when code is actually written).

Columns: # | Lesson Name | Lesson Objectives | Time | Prerequisites

COD 101 Fundamentals of Secure Development
Lesson objectives:
• Learn about the need for secure software development.
• Learn about the models, standards, and guidelines you can use to understand security issues and improve the security posture of your applications.
• Learn about key application security principles.
• Learn how to integrate secure development practices into the SDLC.
Time: 80 minutes
Prerequisites: None

COD 110 Fundamentals of Secure Mobile Development
Lesson objectives:
• Learn about common risks associated with mobile applications.
• Learn mobile application development best practices.
• Understand mobile development threats and risks.
Time: 2 hours
Prerequisites: None

COD 141 Fundamentals of Secure Database Development
Lesson objectives:
• Understand database development best practices.
Time: 1 hour 50 minutes
Prerequisites: Fundamentals of Application Security (AWA 101)

COD 152 Fundamentals of Secure Cloud Development
Lesson objectives:
• Learn the common risks associated with cloud applications.
• Understand cloud computing threats and risks, and the programming principles to use to address them.
Time: 90 minutes
Prerequisites: None


13

COD 153 Fundamentals of Secure Ajax Code
Lesson objectives:
• Learn about AJAX technology and its common vulnerabilities and attack vectors.
• Identify the differences between regular and AJAX applications, common AJAX vulnerabilities that attackers tend to exploit, and major threats to AJAX applications.
Time: 35 minutes
Prerequisites: None

COD 190 Fundamentals of Secure Mobile Development for Embedded Systems
Lesson objectives:
• Learn additional information about Secure Mobile Development (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Fundamentals of Secure Mobile Development (COD 110)

COD 211 Creating Secure Code – Java Foundations
Lesson objectives:
• Learn best practices and techniques for secure application development in Java.
Time: 2.5 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 - Threats and Mitigations (DES 221)

COD 212 Creating Secure Code – C/C++ Foundations
Lesson objectives:
• Learn best practices and techniques for secure application development in C/C++.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 - Threats and Mitigations (DES 221)

COD 213 Creating Secure Code – Windows 7 Foundations
Lesson objectives:
• Understand Windows 7 security features.
• Learn how to build applications that leverage Windows 7 built-in security mechanisms.
Time: 2 hours
Prerequisites: Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7.

COD 215 Creating Secure Code – .NET Framework Foundations
Lesson objectives:
• Learn about .NET 4 security features.
• Learn about changes in .NET 4.
• Learn secure coding best practices.
Time: 2 hours
Prerequisites: Fundamentals of Secure Development (COD 101)

COD 217 Creating Secure Code - iPhone Foundations
Lesson objectives:
• Learn how to build highly secure iPhone applications.
• Learn about key iPhone application risks and vulnerabilities.
• Learn secure programming principles for iPhone applications.
Time: 1 hour
Prerequisites: Fundamentals of Secure Mobile Development (COD 110)

COD 218 Creating Secure Code - Android Foundations
Lesson objectives:
• Learn how to develop secure Android applications.
• Learn secure programming principles.
• Learn about key Android attack vectors and mitigation techniques.
Time: 90 minutes
Prerequisites: Fundamentals of Secure Mobile Development (COD 110)

COD 221 Web Vulnerabilities - Threats and Mitigations

• Understand, avoid, and mitigate the risks posed by web vulnerabilities. 1 hourCreating Secure Code – J2EE Web Applications (COD 313) OR Creating Secure Code – ASP.NET (COD 311)

COD 222PCI DSS v3.1 Best Practices for Developers

• Learn about PCI DSS best practices and how to use them to address application security issues.

1 hourFundamentals of Secure Mobile Development (COD 110)

COD 231Introduction to Cross-Site Scripting - With JSP Examples

• Understand the mechanisms behind cross-site scripting vulnerabilities.• Learn how to apply secure coding best practices to prevent cross-site scripting

vulnerabilities.20 minutes

Basic knowledge of web technologies, and Java Server Pages (JSP).

COD 232Introduction to Cross-Site Scripting - With ASP.NET Examples

• Learn about cross-site scripting vulnerabilities and their consequences.• Learn secure coding best practices to help prevent cross-site scripting vulnerabilities.

20 minutesBasic knowledge of web technologies, and Java Server Pages (JSP).


COD 241 Creating Secure Code – Oracle Foundations
• Understand the scope and requirements of database security as well as the risks presented by insecure database applications.
• Learn best practices for secure database application development.
• Learn about common database attacks and how to prevent them.
• Understand the risks to database applications and common database attacks.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Database Development (COD 141)

COD 242 Creating Secure Code – SQL Server Foundations
• Understand the scope and requirements of database security, as well as the risks presented by insecure database applications.
• Learn the best practices for secure database application development.
• Understand the risks to database applications and common database attacks.
Time: 90 minutes
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Database Development (COD 141)

COD 251 Creating Secure AJAX Code – ASP .NET Foundations
• Understand how to mitigate common vulnerabilities and protect against common attack vectors.
• Identify threats to AJAX applications from cross-site scripting and other attacks.
• Learn how to implement countermeasures against attacks.
Time: 35 minutes
Prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 252 Creating Secure AJAX Code – Java Foundations
• Understand how to mitigate common vulnerabilities and protect against common attack vectors.
• Identify threats to AJAX applications from cross-site scripting and other attacks.
• Learn how to implement countermeasures against attacks.
Time: 35 minutes
Prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 253 Creating Secure Cloud Code – AWS Foundations
• Learn about the security vulnerabilities, threats, and mitigations for AWS (Amazon Web Services) cloud computing services.
• Recognize the most common security threats to cloud development and the best practices to protect against these threats.
• Learn how to identify AWS security features and how to integrate them into your AWS resources.
Time: 1 hour
Prerequisites: Fundamentals of Secure Cloud Development (COD 152)

COD 254 Creating Secure Cloud Code – Azure Foundations
• Learn about the risks associated with creating and deploying applications on Microsoft’s Azure cloud platform.
• Recognize core security considerations for Azure Virtual Machine (VM) security, authentication and access control, legacy .Net Framework applications, Azure web sites, and the Microsoft WebMatrix3 IDE.
Time: 90 minutes
Prerequisites: Fundamentals of Secure Cloud Development (COD 152)

COD 255 Creating Secure Code – Web API Foundations
• Learn about common web services that may put your application at risk.
• Learn best practices that you should incorporate to mitigate the risk from web services attacks.
• Understand various web services threats and the cause and impact of web services attacks.
• Learn how to implement secure development best practices to protect web services.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)

COD 292 Creating Secure Code – C/C++ Foundations for Embedded Systems
• Learn additional information about C/C++ Foundations of particular importance to software engineers.
• Assess your mastery of key concepts.
Time: 30 minutes
Prerequisites: Creating Secure Code – C/C++ (COD 212)


COD 311 Creating Secure ASP .NET Code
• Learn how to develop secure web applications in C#.
• Learn how to avoid common vulnerabilities in C# code.
• Learn secure coding best practices.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – .NET Framework Foundations (COD 215)

COD 312 Creating Secure C/C++ Code
• Learn (in depth) about application security risks and secure coding standards for C and C++ code.
• Learn how to detect code errors and remediate them as soon as possible to avoid security issues.
• Learn real-world best practices and techniques.
Time: 2 hours
Prerequisites:
• Fundamentals of Secure Development (COD 101)
• Fundamentals of Application Security (AWA 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – C/C++ Foundations (COD 212)

COD 313 Creating Secure Java Code
• Identify and use the components of the Java security model.
• Identify how to use JAAS to control user authentication and authorization in your Java application.
• Learn how to implement cryptography to sign and verify Java jar files.
Time: 35 minutes
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – Java Foundations (COD 211)

COD 314 Creating Secure C# Code
• Learn about application security risks and secure coding standards for C# applications.
• Understand underlying coding principles and real-world best practices and techniques.
Time: 2 hours and 30 minutes
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)

COD 315 Creating Secure PHP Code
• Learn the security principles for building secure PHP applications.
• Assess mastery of key concepts.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)

COD 317 Creating Secure iPhone Code in Objective-C
• Recognize common iOS application vulnerabilities and learn secure coding best practices.
• Recognize and mitigate threats such as malicious user input, threats to privacy and confidentiality, and more.
Time: 90 minutes
Prerequisites: Creating Secure Code – iPhone Foundations (COD 217)

COD 318 Creating Secure Android Code in Java
• Learn about common Android application vulnerabilities.
• Learn secure coding best practices using Java and the Android SDK.
• Identify and mitigate a variety of attacks.
Time: 90 minutes
Prerequisites: Creating Secure Code – Android Foundations (COD 218)

COD 411 Integer Overflows – Attacks and Countermeasures
• Learn security concepts, testing techniques, and best practices to develop robust applications that are secure against integer overflow vulnerabilities.
Time: 1 hour
Prerequisites: Basic understanding of the C, C++, and C# programming languages.

COD 412 Buffer Overflows – Attacks and Countermeasures
• Learn how to avoid and mitigate the risks posed by buffer overflows.
• Learn about the protection provided by the Microsoft compiler and the Windows operating system.
• Learn how to avoid buffer overflows during the design, development, and verification phases of the SDLC.
Time: 2 hours
Prerequisites: Basic knowledge of Windows programming and memory management in Windows.


Security Testing

These lessons cover topics related to the testing of software for security flaws and remediating defects before release.

TST 101 Fundamentals of Security Testing
• Learn security testing concepts and processes.
• Learn how to conduct effective security testing.
• Identify common security issues during testing, to uncover security vulnerabilities.
Time: 2 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• How to Create Application Security Design Requirements (ENG 211)

TST 191 Fundamentals of Security Testing for Embedded Systems
• Learn additional information about the Fundamentals of Security Testing training (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Fundamentals of Security Testing (TST 101)

TST 201 Classes of Security Defects
• Learn what is needed to create a robust defense against common security defects.
• Learn how and why security defects are introduced into software.
• Learn about common classes of attacks.
• Learn about techniques and best practices to help identify, eliminate, and mitigate each class of security defects.
Time: 3 hours
Prerequisites:
• Fundamentals of Application Security (AWA 101)
• Protecting Online Accounts for Businesses (AWA 102)

TST 211 How to Test for the OWASP Top 10
• Learn about the top ten OWASP flaws and how to perform testing to identify these flaws in web applications.
Time: 1 hour and 30 minutes
Prerequisites: Fundamentals of Security Testing (TST 101)

TST 291 Classes of Security Defects for Embedded Systems
• Learn additional information about Security Defects Classes (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Classes of Security Defects (TST 201)

TST 401 Advanced Software Security Testing – Tools and Techniques
• Learn about testing for specific security weaknesses.
• Learn about the top ten types of attacks and the tools to use to test for these attacks.
• Learn how to test software applications for susceptibility to the top ten attacks.
Time: 2 hours
Prerequisites:
• Fundamentals of Security Testing (TST 101)
• Classes of Security Defects (TST 201)
• Software Testing – Tools and Techniques (TST 301)

TST 411 Exploiting Buffer Overflows
• Understand and mitigate buffer-overflow exploits.
• Understand the challenges faced by exploit code and how different exploitation techniques overcome environmental limitations.
Time: 2 hours
Prerequisites: Creating Secure C/C++ Code (COD 312)

TST 491 Advanced Software Security Testing for Embedded Systems
• Learn additional information about Software Security Testing (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Prerequisites: Advanced Software Security Testing – Tools & Techniques (TST 401)


Secure Development Bundles

Use this section to determine which bundles you want to provide for your staff. Descriptions of the lessons in each bundle can be found in the SDT Lessons list. Custom bundles, consisting of up to six lessons or 12 hours of content, can be set up on request. Contact your Trustwave account manager if you would like to configure a custom bundle.

C/C++ Developer

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 212 Creating Secure Code – C/C++ Foundations

• COD 312 Creating Secure C/C++ Code

• COD 411 Integer Overflows – Attacks and Countermeasures

• COD 412 Buffer Overflows – Attacks and Countermeasures

• ENG 301 How to Create an Application Security Threat Model

• ENG 312 How to Perform a Security Code Review

Embedded Architect

• DES 101 Fundamentals of Secure Architecture

• DES 212 Architecture Risk Analysis and Remediation*

• DES 311 Creating Secure Application Architecture

• ENG 301 How to Create an Application Security Threat Model*

• ENG 311 Attack Surface Analysis and Reduction*

• ENG 312 How to Perform a Security Code Review*

Embedded Developer

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 212 Creating Secure Code – C/C++ Foundations*

• COD 312 Creating Secure C/C++ Code*

• COD 110 Fundamentals of Secure Mobile Development (optional)

Embedded QA/Test

• TST 101 Fundamentals of Security Testing*

• TST 201 Classes of Security Defects*

• TST 401 Advanced Software Security Testing - Tools and Techniques*

• TST 411 Exploiting Buffer Overflows (optional)

Java Developer

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 153 Fundamentals of Secure AJAX Code

• COD 211 Creating Secure Code – Java Foundations

• COD 252 Creating Secure AJAX Code – Java Foundations

• COD 313 Creating Secure Java Code

• COD 352 Creating Secure jQuery Code

• DES 221 OWASP Top 10 – Threats and Mitigations

• ENG 301 How to Create an Application Security Threat Model

• ENG 312 How to Perform a Security Code Review

Mobile

• AWA 110 Fundamentals of Security Awareness for Mobile Devices

• AWA 111 Fundamentals of Security Awareness for Social Media

• COD 110 Fundamentals of Secure Mobile Development

• COD 217 Creating Secure Code – iPhone Foundations

• COD 218 Creating Secure Code – Android Foundations

• COD 317 Creating Secure iPhone Code in Objective-C

• COD 318 Creating Secure Android Code in Java

• ENG 301 How to Create an Application Security Threat Model

• ENG 312 How to Perform a Security Code Review

.NET Developer

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 153 Fundamentals of Secure AJAX Code

• COD 213 Creating Secure Code - Windows 7 Foundations

• COD 215 Creating Secure Code - .NET Framework Foundations

• COD 251 Creating Secure AJAX Code - ASP .NET Foundations

• COD 311 Creating Secure ASP .NET Code

• COD 312 Creating Secure C/C++ Code

• DES 221 OWASP Top 10 - Threats and Mitigations

Platform Bundles

• Courses marked with an asterisk (*) include an additional module, which pertains specifically to embedded systems.


PCI Developer

• COD 222 PCI Best Practices for Developers

• DES 221 OWASP Top 10 – Threats and Mitigations

• ENG 301 How to Create an Application Security Threat Model

• ENG 312 How to Perform a Security Code Review

PHP Developer

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 153 Fundamentals of Secure AJAX Code

• COD 221 Web Vulnerabilities – Threats and Mitigations

• COD 315 Creating Secure PHP Code

• DES 221 OWASP Top 10 – Threats and Mitigations

• ENG 301 How to Create an Application Security Threat Model

• ENG 312 How to Perform a Security Code Review

Project Manager

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• DES 101 Fundamentals of Secure Architecture

• ENG 101 Microsoft SDLC for Managers

• ENG 201 SDLC Gap Analysis and Remediation Techniques

• ENG 211 How to Create Application Security Design Requirements

Security Awareness for Developers

• AWA 101 Fundamentals of Application Security

• AWA 102 Software Security Awareness

• AWA 110 Fundamentals of Security Awareness for Mobile Devices

• AWA 111 Fundamentals of Security Awareness for Social Media

Software Architect

• AWA 101 Fundamentals of Application Security

• DES 101 Fundamentals of Secure Architecture

• DES 221 OWASP Top 10 – Threats and Mitigations

• DES 212 Architecture Risk Analysis and Remediation

• DES 213 Introduction to Security Tools and Technologies

• DES 311 Creating Secure Application Architecture

• ENG 301 How to Create an Application Security Threat Model

• ENG 311 Attack Surface Analysis and Reduction

Test/QA

• TST 101 Fundamentals of Security Testing

• TST 201 Classes of Security Defects

• TST 211 How to Test for the OWASP Top 10

• TST 401 Advanced Software Security Testing

Web 2.0

• AWA 101 Fundamentals of Application Security

• COD 101 Fundamentals of Secure Development

• COD 151 Fundamentals of Web 2.0 Security

• COD 153 Fundamentals of Secure AJAX Code

• DES 221 OWASP Top 10 – Threats and Mitigations

• COD 351 Creating Secure HTML5 Code

• COD 352 Creating Secure jQuery Code


Copyright © 2016 Trustwave Holdings, Inc.