This class is unique in the security industry. As a follow-on to the class How to Break and FIX Software Security, this 72-hour class is less lecture and more hands-on labs. In this class students work on the actual application they test day in and day out, looking for security vulnerabilities. The security testing bootcamp turns top quality assurance testers into lead security testers with the passion, knowledge and experience to security-test their application.
| Item | Detail |
|---|---|
| Contact Hours | 40 hr lecture, 32 hr labs |
| Prerequisites | Understanding of TCP/IP protocols |
| Credits | 72 CPE / 3 CEU |
| Method of Delivery | Residential (100% face-to-face) or Hybrid |
| Class Materials | SU textbook and testing software |
| Method of Evaluation | 1. 95% attendance 2. 100% completion of labs |
| Grading | Pass = attendance + labs & quizzes; Fail = attendance below 95% |
Sample Job Titles:
- IA Operational Engineer
- IA Security Officer
- IS Manager / IS Specialist
- IS Security Engineer
- IS Systems Security Manager
- Platform Specialist / Security Administrator
- Security Analyst / Security Control Assessor
This 72-hour accelerated class is taught in a face-to-face or hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.
Who should attend (40 hrs lecture, 32 hrs labs):
Programming managers and their teams. Software testers, software developers, development and test managers, security auditors and anyone involved in software production for resale or internal use will find it valuable. Information Security and IT managers; Information Assurance programmers; Information Security analysts and consultants; internal auditors and audit consultants; QA specialists.
- Students will be able to produce software components that satisfy their functional requirements without introducing vulnerabilities
- Students will be able to describe the characteristics of secure programming
Text Materials: labs, SU Pen Testing materials, resource CDs and attack handouts.
Machines: dual-core, 4M RAM, 350 GB drives, running MS Windows, Linux, and VMware Workstation.
Tools for class: Whois, Google Hacking, Nslookup, Sam Spade, Traceroute, Nmap, HTTrack, SuperScan, Nessus, PsTools, Nbtstat, SolarWinds, Netcat, John the Ripper, Nikto/Wikto, WebScarab, HTTP Tunnel (hts.exe), LCP, Cain and Abel, Ettercap (system hacking), Wireshark and other sniffers, tcpdump, dsniff, Metasploit, ISS exploit, web app tools, Core Impact, Snort, Infostego, EtherApe, Firefox with plugins (Hackbar, XSS Me, ...), WebGoat, Ounce, Fortify, IDA Pro, Helix, Wget, CrypTool, curl.
- SSL vulnerabilities and testing
- Proper encryption use in web application
- Session vulnerabilities and testing
- Cross Site Request Forgery
- Business logic flaws
- Input related flaws and related defense
- SQL Injection vulnerabilities, testing and defense
Lesson Plan: 40 hrs lecture / 32 hrs labs
Self Study and Nightly Assignments. Students will need to complete required reading and analyze how specific security issues correspond to their area of testing focus of the application.
Lesson 1 - 8 hrs Lecture, 5 hr Labs
Security Briefings. Each morning starts with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately applied against the application throughout the day-long deep security testing sessions.
Lessons 2-5 - 12 hrs Lecture, 15 hr Labs
Application-specific Security Testing. Students perform several days of intense hands-on security testing of the application. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product on which they typically perform QA testing.
Corporate Requirements. To achieve the required results, your company needs to provide access to a developer knowledgeable about the entire application, the complete threat model, and details of past defects discovered in the application. This enables a strategic attack plan to be created prior to the course, which is discussed and explained during the class.
Additionally, your company needs to make sure the students do all pre-class reading and all nightly assignments. This will be an intense several days of security education and testing that pushes each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered, with special prizes for the top three teams based on the number and severity of the security bugs they find.
Grades - All students must ordinarily take all quizzes, labs and the final exam and submit the class practical in order to be eligible for a Q/ISP, Q/IAP, Q/SSE, or Q/WP credential, unless granted an exception in writing by the President. Know that Q/ISP classes draw quite the spectrum of students, including "those less comfortable," "those more comfortable," and those somewhere in between. However, what ultimately matters in this course is not so much where you end up relative to your classmates but where you end up relative to yourself on the Friday of class. The course is graded as pass or fail solely on your attendance and participation. Those less comfortable and somewhere in between are not at a disadvantage vis-à-vis those more comfortable. Escalating labs help you prepare for real-world scenarios. Each lab builds on the previous one, increasing in intensity and rising to the next level while you mitigate the threat step by step.