ADVANCE YOUR CAREER - Earn More, Be More than Certified
Q/ISP CyberSecurity Graduate / Master Certificate


Q/SSE® Qualified/ Software Security Expert Certification

Download SU's class schedule now! Everyone, no matter what software you write, whether you work on software protocols or internal processes, or you are responsible for secure programming, needs to know secure coding techniques that minimize the adverse effects of SQL injection and other malicious attacks on code.

This class is for everyone! If you want to learn how to adopt Microsoft's SDL, sanitize inputs and test code, this class is for you. If you write code, this class is for you, because everyone needs to know software security and how to BREAK & FIX software.

Q/SSE: This 3-part, 5-day class delivers the best of all the Qualified Software Security Expert classes and more. It includes items that are defensive in nature (e.g. checking error return codes before using the result, creating the other data structures that should have been created, or protecting against using a pointer after it has been released), process-related and risk-related items, hacking and XSS. Also included is a step-by-step process for preventing attacks and FIXing software with countermeasures that protect your code.

Passing the Q/SSE classes and exams qualifies you to take the Q/SSE exam. The Q/SSE exam is made up of questions you have seen in the Q/SSE classes you take before the Q/SSE 100-question multiple-choice EXAM. Alternatively, you can master the Q/SSE EXAM without taking any Q/SSE classes by passing the exam with a score of 80 or better and proving you have mastered the tactical software security skills labs from each Q/SSE class, which proves you are "qualified" for the job.

Lastly, it's all about the web killer app. Web servers ARE the target of choice for hackers. 97% of all web applications are vulnerable, and better network security isn't the only answer! We explore a model for web application testing and discuss web application concerns, including accountability, availability, confidentiality and integrity. You will go well beyond the OWASP Top 10 to look at 19 specific web application attacks, including attacking the client, state, data and the server. When you leave these classes you are ready to defend your c0d3!

The best of Security University's Qualified SW Security Expert classes in one 5-day class - $2,995

Q/SSE ® Qualified SW Security Expert 5-Day Bootcamp
Q/SSP ® Qualified SW Security Penetration Tester
SW Testing Onsite Bootcamp
How to Break & FIX Web Security
How to Break and FIX Software
Fundamentals of Secure Software Programming
Q/SSH ® Qualified SW Security Hacker
Q/SSBT ® Qualified SW Security Testing Best Practices
Introduction to Reverse Engineering

Class Price: $2,995

Time: 8am -6pm
Location: check schedule
Prerequisites: TCP/IP
CPE Credits: 40
Instructor: Highly qualified Software Security instructors, actively involved in the Application Security community

Learning Level: Basic Programmer, Intermediate Programmer to Advanced

Who Should Attend
Software testers, software developers, development and test managers, security auditors and anyone involved in software production for resale or internal use will find it valuable, as will Information Security and IT managers, Information Assurance programmers, Information Security analysts and consultants, and internal auditors and audit consultants.

What Is CWE?
Targeted to developers and security practitioners, CWE is a formal list of software weaknesses, idiosyncrasies, faults, and flaws created to:

•  Serve as a common language for describing the source code, software design, or software architecture causes of software security vulnerabilities.

•  Serve as a standard measuring stick for software security tools targeting these issues.

•  Provide a common baseline standard for identification, mitigation, and prevention of these weaknesses.


Software Security Analysis
This knowledge unit ensures that students will possess the ability to analyze software for the presence of weaknesses that may lead to exploitable vulnerabilities in operational systems.
  • Source code analysis
  • Binary code analysis
  • Static code analysis techniques
  • Dynamic code analysis techniques
  • Testing methodologies (Black Box/White Box/Fuzz)

Outcome: Students will be able to perform analysis of existing source code for functional correctness. They will be able to apply industry standard tools that analyze software for security vulnerabilities. Through the application of testing methodologies, students should be able to build test cases that demonstrate the existence of vulnerabilities.

Secure Software Development (Building Secure Software)
This knowledge unit ensures that students are knowledgeable in the methods that lead to the development of robust, secure software.

  • Secure programming principles and practices
  • Constructive techniques (What process might provide for “good code.”)

Outcome: Students should be able to demonstrate that they understand the techniques specifying program behavior, the classes of well known defects, how they manifest themselves in various languages, and show that they are capable of authoring programs that are free from defects.

Embedded Systems
Outcome: Students will be able to define requirements which lead to the design and fabrication of an embedded system. They will be able to program the microcontrollers to achieve an application-specific design and identify the security concerns associated with resource constrained devices.

Forensics and Incident Response or Media Exploitation (not focusing on the legal aspect)
  • Operating system forensics
  • Media forensics
  • Network forensics
  • Component forensics (cell phones, hard drives, etc.)

Outcome: Students will be able to develop a profile of an individual user's activity, determine the manner in which an operating system or application has been subverted, recover “deleted” and/or intentionally hidden information from various types of media, and demonstrate proficiency with handling a large number of different kinds of components.

Systems Programming
This knowledge unit ensures that students will be proficient in programming systems software (i.e., software that interacts with the system hardware and/or other low-level system components that interact with the hardware). Systems programming usually uses a low-level programming language (e.g., C, assembly) that allows efficient use of core resources. Systems programming is sufficiently different from applications programming that programmers tend to specialize in one or the other.
  • Kernel internals
  • Device drivers
  • Multi-threading
  • Use of alternate processors (e.g., graphics card processors)

Outcome: Students will be able to build and integrate kernel modules, understand the system call mechanism and how malicious software subverts system calls. They should demonstrate sufficient knowledge of the networking stack to be able to construct network filter components. They will also be able to discuss strengths and weaknesses of alternative processors and demonstrate familiarity with tool sets for making use of alternative processors (e.g., GPUs).

Introduction to Software Security
  • Common Coding and Design Errors
    • Common Software Vulnerabilities
    • Fixes for Common Software Vulnerabilities
    • Data Issues
  • Information Disclosure
    • Storing Passwords in Plain Text
    • The Swap File and Incomplete Deletes
    • Creating Temporary Files
    • Leaving Things in Memory
    • Weakly-Seeded Keys and Random Number Generation
  • On the Wire
    • Trusting the Identity of a Remote Host (Spoofing)
    • Volunteering Too Much Information
    • Proprietary Protocols
    • Loops, Self References and Race Conditions
  • Web Vulnerabilities
  • Defensive Coding Principles
  • Security Testing and Quality Assurance

Web Vulnerabilities

  • Gathering information on the target
    • How web apps are built
    • Attack 1: Looking for information in HTML comments
    • Attack 2: Guessing filenames and directories
    • Attack 3: Vulnerabilities in example applications
  • Attacking the Client
    • The Need for a Rich UI
    • Attack 4: Selections outside of ranges
    • Attack 5: Client Side Validation
  • Attacking State
    • Trusting the Identity of a Remote Host (Spoofing)
    • Volunteering Too Much Information
    • Proprietary Protocols
    • Loops, Self References and Race Conditions
  • Web Services
  • Privacy
  • Attacking Data
  • Attacking the Server
  • Tool Support

Defensive Coding Principles
  • Introduction
    • Are you a Hacker or a Tester? Learn the difference
    • Learn about the Three Characteristics of Good Testing
    • Where are the bugs? Learn Methods to seek the “hidden” ones
  • Understanding the Environment
  • Software Capabilities
  • Software Testing
  • An Overview of the Methodology of How to Break Software
  • The User Interface (UI)
  • UI Areas 1 & 2: the Input and Output Domains
  • UI Area 3: Stored Data
  • UI Area 4: Computation
  • The Kernel Interface
  • The File System Interface
  • The Software Interface

Security Testing and Quality Assurance
  • Introduction
    • Where does Security Testing fit into the product lifecycle?
    • Definition of a Security Bug
    • Role of the Security Tester in the organization
    • Overview of Security Testing Elements
  • Methodology
    • Security Testing Roles
    • Threat Modeling
    • Risk Assessments
    • Security Test Planning
    • Test Team Organization and Planning
    • Reporting
  • In-Depth Look at Security Vulnerabilities (Labs and Lecture)
    • System Level
    • Data Parsing
    • Information Disclosure
    • On the Wire
    • Websites

Know Your Enemy
  • Step by Step Methodology and models for effective software testing
    • How to develop an insight to find those hard to find bugs
    • How to test Inputs and Outputs from the User Interface
    • How to test Data and Computation from the User Interface
    • How to test the File System Interface
    • How to test the Software/OS interface
    • How to use tools to inject faults for the file system and OS testing
  • Gathering Information on the Target
  • Attacking the Client
  • Attacking State
  • Attacking Data
  • Attacking the Server
  • Web Services
  • Privacy
  • Tool Support

Know your Security Solutions
  • Web Attacks and Countermeasures
  • Methodology
  • Security Vulnerabilities and Countermeasures
  • Best Practices
    • System Level
    • Data Parsing
    • Information Disclosure
    • On the Wire
    • Web Sites

*Class fees are subject to change

Hacme Books v2.0 Strategic Secure Software Training Application: http://www.foundstone.com/us/resources/whitepapers/hacmebooks_userguide2.pdf
Papers on SoftwareMag.com, such as "Implementing a Software Security Training Program" (http://www.softwaremag.com/L.cfm?doc=1174-10/2008) and "Holistic Approach for Secure Software" (http://www.softwaremag.com/L.cfm?doc=1155-8/2008)
Roman also published a paper in the ISSA Journal, "How Virtualization Affects PCI-DSS: A Review of Top 5 Issues": https://dev.issa.org/Library/Journals/2010/January/Hau-How%20Virtualization%20Affects%20PCI%20DSS.pdf

Copyright © 2014 Security University, Inc. All rights reserved.