Cybsec Security Systems
Information Security in the Development of Software

Seminar Objectives:

  • Show the audience the security aspects involved in the various stages of software development.
  • Point out the most common application weaknesses and the fundamentals of secure programming needed to defend against advanced attacks.
  • Provide developers with knowledge on the current best practices for secure application development.
  • Provide the project manager with the knowledge necessary to analyze, quantify and qualify the security risks involved in a software project.

Developed for:

  • Development Project Leaders, Programmers, QA Analysts, Functional Analysts, Computer Security Officers, Auditors.

Agenda:

1. Introduction to security in software development

  • Real-case vulnerabilities and their impact.
  • Problems posed by insecure applications.
  • Breaking myths.
  • Involvement of the Computer Security Department in software development.

2. Security during the analysis stage

  • Security rules to analyze requirements

3. Security in software development

  • Risk analysis
    • Attack trees
    • Threat Modeling
  • Principles of attack surface reduction
  • Principle of least privilege
  • Privilege separation
  • Secure error handling
  • Defense in depth criterion
    • “Fail Secure” criterion
    • Error message definition
    • Information disclosure prevention
  • Handling sensitive data
    • Secure storage
    • Secure transfer
    • Encryption and hashes
  • Interaction with databases
  • Interaction with firewalls and IDSs
  • Audit and Logging
  • Authentication design
  • Design of profiles and access levels
  • Design of protection against Denial of Service (DoS)
  • Security usability
  • Guidelines for security documentation
    • Risk mitigation through documentation
    • Good security documentation practices

4. Security in software coding

  • Most common vulnerabilities and how to prevent them
    • Buffer Overflow
    • SQL Injection
    • Cross Site Scripting (XSS)
    • Canonical representation issues
    • Information disclosure
    • Privilege escalation
    • Session handling errors
  • Preventing DoS in software coding

5. Software security testing

  • Security testing techniques
    • Security vs functional testing
    • Risk-based security testing
    • Code review
  • Security testing in software life cycle
  • Security testing tools
  • Software security metrics
    • CMM and secure development
    • OWASP Application Security Metrics Project

6. Secure implementation of applications

  • Design of secure implementation
    • Secure default handling
    • Security advice for Windows applications
    • Security advice for Unix/Linux applications
  • Installation and hardening of base software
    • Installation topology
    • OS and base software assurance
    • Prevention of information disclosure
  • Security in the implementation process
    • Separation of environments
  • Implementation management
    • Release and patch handling
    • Code signing

Enrollment

Please contact Claudia Macri (cmacri@cybsec.com) Tel/Fax: (+54-11) 4371-4444.


©2009 Cybsec S.A. All rights reserved.