Duration
2 Days
12 CPD hours
This course is intended for
The intended audience for this comprehensive course on Information Assurance and
STIGs includes professionals with roles such as:
IT professionals - System administrators, network engineers, and security
analysts who are responsible for maintaining and securing IT infrastructure and
web applications.
Developers - Software engineers and web developers who design, implement, and
maintain web applications, and need to integrate security best practices
throughout the development process.
Project teams - Cross-functional teams that collaborate on application
development projects, including members from development, testing, and
deployment teams.
Technical leads - Senior software engineers or architects who oversee technical
aspects of projects and ensure the implementation of secure design and coding
practices.
Project managers - Professionals responsible for planning, executing, and
closing projects, ensuring that security requirements are met throughout the
project lifecycle.
Overview
Working in an interactive learning environment, guided by our application
security expert, you'll explore:
The concepts and terminology behind defensive coding
Threat Modeling as a tool in identifying software vulnerabilities based on
realistic threats against meaningful assets
The entire spectrum of threats and attacks that take place against software
applications in today's world
The role that static code reviews and dynamic application testing play in
uncovering vulnerabilities in applications
The vulnerabilities of programming languages as well as how to harden
installations
The basics of Cryptography and Encryption and where they fit in the overall
security picture
The requirements and best practices for program management as specified in the
STIGs
The processes and measures associated with the Secure Software Development (SSD)
The basics of security testing and planning
Understand the concepts and terminology behind defensive coding
Understand Threat Modeling as a tool in identifying software vulnerabilities
based on realistic threats against meaningful assets
Learn the entire spectrum of threats and attacks that take place against
software applications in today's world
Discuss the role that static code reviews and dynamic application testing play
in uncovering vulnerabilities in applications
Understand the vulnerabilities of programming languages as well as how to harden
installations
Understand the basics of Cryptography and Encryption and where they fit in the
overall security picture
Understand the fundamentals of XML Digital Signature and XML Encryption as well
as how they are used within the web services arena
Understand the requirements and best practices for program management as
specified in the STIGs
Understand the processes and measures associated with the Secure Software
Development (SSD)
Understand the basics of security testing and planning
The Information Assurance (STIG) Overview is a comprehensive two-day course that
delves into the realm of Information Assurance, empowering you to enhance your
cybersecurity skills, understand the essentials of STIGs, and discover
cutting-edge web application security practices. This immersive experience is
tailored for IT professionals, developers, project teams, technical leads,
project managers, testing/QA personnel, and other key stakeholders who seek to
expand their knowledge and expertise in the evolving cybersecurity landscape.
The course focuses on the intricacies of best practices for design,
implementation, and deployment, inspired by the diverse and powerful STIGs,
ultimately helping participants become more proficient in application security.

The first half of the course covers the foundations of DISA's Security
Technical Implementation Guides (STIGs) and the ethical approach to bug
hunting, while exploring the language of cybersecurity and dissecting real-life
case studies. Our expert instructors will guide you through the importance of
respecting privacy, working with bug bounty programs, and avoiding common
mistakes in the field.

The second half delves into the core principles of information security and
application protection, as you learn how to identify and mitigate
authentication failures, SQL injection, and cryptographic vulnerabilities.
You'll gain experience with STIG walk-throughs and discover the crucial steps
for securing web applications.

Throughout the course, you'll also explore the fundamentals of application
security and development, including checklists, common practices, and secure
development lifecycle (SDL) processes. You'll learn from recent incidents and
acquire actionable strategies to strengthen your project teams and IT
organizations. You'll also have the opportunity to explore asset analysis and
design review methodologies to ensure your organization is prepared to face
future cybersecurity challenges.
DISA'S SECURITY TECHNICAL IMPLEMENTATION GUIDES (STIGS)
* The motivations behind STIGs
* Requirements that the various software development roles must meet
* Implementing STIG requirements and guidelines
WHY HUNT BUGS?
* The Language of CyberSecurity
* The Changing Cybersecurity Landscape
* AppSec Dissection of SolarWinds
* The Human Perimeter
* Interpreting the 2021 Verizon Data Breach Investigations Report
* First Axiom in Web Application Security Analysis
* First Axiom in Addressing ALL Security Concerns
* Lab: Case Study in Failure
SAFE AND APPROPRIATE BUG HUNTING/HACKING
* Working Ethically
* Respecting Privacy
* Bug/Defect Notification
* Bug Bounty Programs
* Bug Hunting Mistakes to Avoid
PRINCIPLES OF INFORMATION SECURITY
* Security Is a Lifecycle Issue
* Minimize Attack Surface Area
* Layers of Defense: Tenacious D
* Compartmentalize
* Consider All Application States
* Do NOT Trust the Untrusted
IDENTIFICATION AND AUTHENTICATION FAILURES
* Applicable STIGs
* Quality and Protection of Authentication Data
* Proper hashing of passwords
* Handling Passwords on Server Side
* Session Management
* HttpOnly and Security Headers
* Lab: STIG Walk-Throughs
INJECTION
* Applicable STIGs
* Injection Flaws
* SQL Injection Attacks Evolve
* Drill Down on Stored Procedures
* Other Forms of Server-Side Injection
* Minimizing Injection Flaws
* Client-side Injection: XSS
* Persistent, Reflective, and DOM-Based XSS
* Best Practices for Untrusted Data
* Lab: STIG Walk-Throughs
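As an added illustration of the "Injection Flaws" and "Minimizing Injection Flaws" items above (this is example code written for this page, not material from the course or from any STIG), the block below runs a deliberately vulnerable lookup and its parameterized counterpart against a constructed in-memory SQLite table. The tautology payload makes the vulnerable query return every row, and the UNION payload pulls the password hashes out through a query that was only supposed to return usernames; the bound-parameter version treats both payloads as an ordinary, non-matching username. Table contents and payload strings are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for this added example; the hashes are placeholders.
SAMPLE_USERS = [
    ("alice", "hash-a", "admin"),
    ("bob", "hash-b", "user"),
]

# Two classic payloads. The trailing "-- " comments out the closing quote that
# the vulnerable query would otherwise append after the injected text.
TAUTOLOGY = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT password_hash, role FROM users -- "


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: untrusted input is spliced into the SQL text, so
    the caller's quotes and keywords become part of the statement."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the statement is fixed text and the value travels as a bound
    parameter. Whatever it contains is compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union    :", find_user_vulnerable(conn, UNION_PAYLOAD))
    print("safe, tautology      :", find_user_safe(conn, TAUTOLOGY))
    print("safe, union          :", find_user_safe(conn, UNION_PAYLOAD))
```

Note that the fix is not input filtering: the safe version accepts the same strings and simply never lets them reach the parser as code, which is the "Best Practices for Untrusted Data" point in its simplest form.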
APPLICATIONS: WHAT NEXT?
* Common Vulnerabilities and Exposures
* CWE/SANS Top 25 Most Dangerous SW Errors
* Strength Training: Project Teams/Developers
* Strength Training: IT Organizations
CRYPTOGRAPHIC FAILURES
* Applicable STIGs
* Identifying Protection Needs
* Evolving Privacy Considerations
* Options for Protecting Data
* Transport/Message Level Security
* Weak Cryptographic Processing
* Keys and Key Management
* Threats of Quantum Computing
* Steal Now, Crack Later Threat
* Lab: STIG Walk-Throughs
APPLICATION SECURITY AND DEVELOPMENT CHECKLISTS
* Checklist Overview, Conventions, and Best Practices
* Leveraging Common AppSec Practices and Control
* Actionable Application Security
* Additional Tools for the Toolbox
* Strength Training: Project Teams/Developers
* Strength Training: IT Organizations
* Lab: Recent Incidents
SDL OVERVIEW
* Attack Phases: Offensive Actions and Defensive Controls
* Secure Software Development Processes
* Shifting Left
* Actionable Items Moving Forward
* Lab: Design Study Review
ASSET ANALYSIS
* Asset Analysis Process
* Types of Application-Related Assets
* Adding Risk Escalators
* Discovery and Recon
DESIGN REVIEW
* Asset Inventory and Design
* Assets, Dataflows, and Trust Boundaries
* Risk Escalators in Designs
* Risk Mitigation Options