TRAINING CURRICULUM 2018 H1 | SECURITY COMPASS // securitycompass.com

Index
Why Security Compass?
Choose the Course Configuration that's Right for Your Business Needs
Course Catalogue
Discover Role-Based Training
General Awareness Courses
Secure Software Lifecycle Courses
Secure Coding Courses
Mobile Security Courses
Courses Coming Soon
About Security Compass
Why Security Compass?
We designed our software security training to meet the agile needs of today's modern organizations, with adaptive courseware that can be tailored to meet the learning goals of individual students. Whether you are trying to reach compliance or raise security standards across an organization, our training is flexible enough to meet your educational needs.

INDUSTRY-LEADING COURSE CONTENT
Our in-house research team is dedicated to understanding and learning how to protect against the newest and most dangerous attack types.

CONTINUOUSLY UPDATED MATERIAL
We regularly update course content to reflect our latest research, so you can rest assured your organization is receiving the freshest and most up-to-date security training.

ENGAGING AND INTERACTIVE INTERFACE
We make our courses personable and adaptable to students' individual needs. Whether beginners or experts, students can study at their own pace and focus on the material that they need to learn.

EXCLUSIVE (ISC)² PARTNERSHIP FOR SOFTWARE SECURITY PRACTITIONER (SSP) SUITES
Security Compass provides industry-first (ISC)² accredited courses with Software Security Practitioner (SSP) Suites. Students have the opportunity to gain an industry-recognized certificate, while organizations can demonstrate the robustness of their AppSec program.
Choose the Course Configuration that's Right for Your Business Needs

FULL COURSE LIBRARY
The most flexible option; our Full Course Library option includes access to all courses, including SSP Suites, any new courses released during your license period, and a variety of continuing education materials. Just-in-time training is also included if you have SD Elements deployed.
ANY SSP SUITE
Just tell us how many developers need training and let them choose the SSP Suite that's right for them. Our Any SSP Suite option offers flexible, role-based training that's specially designed to meet the varying needs of developers across large teams. Students can use their SSP Suite training to obtain industry-recognized (ISC)² certificates.

FIVE PACK COURSE BUNDLE
Organizations can mix and match any 5 courses from the full course catalogue. All students will get access to the same 5 courses. Our Five Pack Course Bundle option offers the highest level of customization for organizations with specific educational needs.

SINGLE COURSES
Select only the courses you need. Our Single Course option is best for smaller organizations addressing highly focused learning gaps.

JUST-IN-TIME TRAINING
Use Security Compass's industry-leading Application Security Requirements and Threat Management (ASRTM) platform, SD Elements, and receive integrated just-in-time training modules delivered to developers at the moment they are actively building security into applications.
Course Catalogue

SSP SUITES | ROLE-BASED TRAINING
We aim to provide business-relevant security courses that help your staff champion security and defend your organization's most valuable software. Suites: Java, .NET, PHP, C++, iOS, Android, Security Architect (SA), QA, Project Manager (PM), General (GEN).

General Awareness
SAW101 Security Awareness
SAW102 Security Awareness PCI Compliance
APP101 Application Security Fundamentals
SEC101 OWASP Top 10 (updated to 2017 standards)
SEC202 Threat Model Express
CLO101 Defending Cloud-Based Applications
DAT101 Defending Databases
DVP101 DevSecOps for Managers

Secure Software Lifecycle
CSP101 Secure Software Concepts
CSP102 Secure Software Requirements
CSP103 Secure Software Design
CSP104 Secure Software Coding
CSP105 Secure Software Testing
CSP106 Software Acceptance
CSP107 Software Operations, Maintenance and Disposal
CSP108 Supply Chain and Software Acquisition

Secure Coding
JAV201 Defending Java
JAV301 Defending JSP
NET201 Defending .NET
NET202 Defending ASP.NET Core in C#
PHP201 Defending PHP
CPP201 Defending C
HTM201 Defending HTML5
SEC201 Defending Web Applications
DJA101 Defending Django
NOD101 Defending Node.js
PYT201 Defending Python

Mobile
IOS301 Defending Swift for iOS
MOB101 Defending Mobile
IOS201 Defending iOS
AND201 Defending Android

Coming Soon
GDPR for Developers
Defending Web APIs
Discover Role-Based Training

SOFTWARE SECURITY PRACTITIONER SUITES
The Software Security Practitioner Suites are a series of on-demand learning courses that teach foundational elements of software security and language-specific secure coding. Each suite caters to a specific role, breaking the learning down so users efficiently learn only what they need. At the conclusion of the suite, users validate their skills by passing a certificate exam.

JAVA SUITE
The Java suite covers Java development, including fundamental coding concepts, design and implementation. Understand J2EE vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect Java web applications.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending Java

.NET SUITE
The .NET suite is designed to help students learn how to make secure software. Students will learn .NET 4.5 vulnerabilities common to the OWASP Top 10, see how these vulnerabilities affect .NET applications, and learn defensive coding techniques that can be directly applied in their organization.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending .NET

PHP SUITE
The PHP suite informs students of PHP vulnerabilities common to the OWASP Top 10. Students will learn secure coding defenses and techniques for each vulnerability.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending PHP

C++ SUITE
The C++ suite presents common vulnerabilities in C/C++ software. Students will learn about safe memory management, insecure functions and how to defend against buffer overflows in unmanaged languages.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending C

iOS SUITE
The iOS suite teaches students secure iOS coding techniques to defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending iOS • Defending Mobile

ANDROID SUITE
The Android suite teaches secure coding concepts for Android applications, including secure Android coding techniques to defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.
Includes: • Secure Software Concepts • Secure Software Design • OWASP Top 10 * • Secure Software Coding • Defending Android • Defending Mobile

SECURITY ARCHITECT SUITE
The Security Architect suite teaches students the key techniques for reducing risk in the development lifecycle by learning how to correctly identify threats.
Includes: • Secure Software Concepts • Secure Software Requirements • Secure Software Design • OWASP Top 10 * • Software Acceptance • Threat Model Express

QA SUITE
The QA suite gives students the ability to analyze code and to understand the principles of security testing and of testing software from a security perspective.
Includes: • Secure Software Concepts • OWASP Top 10 * • Secure Software Testing • Software Acceptance

PROJECT MANAGER SUITE
The Project Manager suite covers the full development lifecycle, including secure requirements, design and coding. Students will be able to define the security criteria that software must meet before being promoted to release.
Includes: • Secure Software Concepts • Secure Software Requirements • Software Acceptance • Supply Chain and Software Acquisition

GENERAL SUITE
The General Suite provides students with fundamental security education that they can directly apply in their position. Students will learn the ten most prevalent web application security issues as defined by OWASP and gain a full understanding of PCI-DSS requirement 12.6.1.
Includes: • Security Awareness • PCI Compliance • OWASP Top 10 *

* OWASP Top 10 will be updated to 2017 standards in 2018 Q1
General Awareness
Course code and title (duration; audience), followed by the course description.

SAW101 Security Awareness (60 mins; General Staff)
Understand common security issues faced in the office environment, such as managing e-mail, passwords and mobile devices.

SAW102 Security Awareness PCI Compliance (10 mins; General Staff)
Understand payment card compliance, including the Data Security Standard and how it affects organizations that handle or process credit card data. This lesson meets PCI-DSS requirement 12.6.1.

APP101 Application Security Fundamentals (60 mins; Developers, General Staff)
Build a solid understanding of the core concepts of application security. Students will learn about current AppSec topics and discover how AppSec fits into the bigger picture of InfoSec as a whole.

SEC101 OWASP Top 10, Updated to 2017 standards (60 mins; Developers, General Staff)
Understand the ten most prevalent web application security risks as defined by OWASP. Students will understand each vulnerability and the best practices for defending against it. This course meets PCI compliance requirement 6.5a and has been updated to reflect the OWASP Top 10 released in 2017.

SEC202 Threat Model Express (60 mins; Developers, Architects)
Students will learn about the attacks their applications may face and then an informal approach to threat modeling. Students first learn the steps of executing a Threat Model Express (TME) and then work through a guided fictional exercise.

CLO101 Defending Cloud-Based Applications (60 mins; Developers)
This course teaches the common security concerns surrounding cloud-based applications and, to some extent, cloud providers. Students will also learn the best practices and security concepts involved in building applications for the cloud, from requirements through to deployment.

DAT101 Defending Databases (60 mins; Developers)
Understand the vulnerabilities that affect your databases. The course covers techniques for securing databases against SQL injection, buffer overflows, protocol vulnerabilities and more. Students will also learn best practices for managing a database to keep it and its data safe.

DVP101 DevSecOps for Managers (30 mins; Technology Managers)
In this course, students will learn about DevOps before exploring how security fits into the picture. Understand the benefits of a DevOps model, the difficulties in transitioning to it, and how to achieve DevSecOps.
NEW
Secure Software Lifecycle
Course code and title (duration; audience), followed by the course description.

CSP101 Secure Software Concepts (60 mins; Developers)
Students will understand the fundamentals of writing secure code and the basic concepts of secure development, including the importance of secure design and of regulatory concerns such as privacy, governance and compliance.

CSP102 Secure Software Requirements (50 mins; Developers)
Gathering the right requirements is one of the harder parts of building secure software. Students will learn key techniques for reducing risk in the SDLC by correctly identifying security requirements.

CSP103 Secure Software Design (85 mins; Developers)
Understand the considerations and compromises that must be made when designing secure software. Students will learn design techniques such as threat modeling and best practices for securing the third-party technologies that modern software commonly depends on.

CSP104 Secure Software Coding (40 mins; Developers)

CSP105 Secure Software Testing (40 mins; Developers)
Understand the principles of security testing and of testing software from a security perspective. Students will learn the fundamentals of setting up testing frameworks that promote software resiliency.

CSP106 Software Acceptance (25 mins; Developers)
Understand how to generate criteria for software acceptance. The focus is acceptance from a security standpoint and how to define the security criteria that must be met before software is promoted to release.

CSP107 Software Operations, Maintenance and Disposal (35 mins; Developers)
Understand, from an infrastructure perspective, the steps needed to keep software secure once deployed and in operation. Students will learn how to monitor software and how to define procedures for supporting and disposing of software in end-of-life scenarios.

CSP108 Supply Chain and Software Acquisition (80 mins; Developers)
Understand how to identify risks when sourcing software from the supply chain. Students will learn about risk management, protecting intellectual property, procurement, and best practices when outsourcing software to suppliers.
Secure Coding
Course code and title (duration; audience), followed by the course description.

JAV201 Defending Java (60 mins; Developers)
Understand J2EE vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect Java web applications. Students will learn secure coding defenses for each vulnerability.

JAV301 Defending JSP (90 mins; Developers)
Understand how to defend your Java web applications against attacks. Using code samples from JavaServer Pages, this course covers techniques for securing against vulnerabilities such as SQL injection, cross-site scripting, cross-site request forgery, man-in-the-middle attacks and more.

NET201 Defending .NET (60 mins; Developers)
Understand .NET 4.5 vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect .NET web applications. Students will learn secure coding defenses for each vulnerability.

NET202 Defending ASP.NET Core in C# (80 mins; Developers)
This course covers secure application development using C# in ASP.NET Core. Students will learn about software vulnerabilities and how attackers exploit them, followed by coding techniques for defending against a variety of attacks.

PHP201 Defending PHP (60 mins; Developers)
Understand PHP 5 vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect PHP web applications. Students will learn secure coding defenses for each vulnerability.

CPP201 Defending C (50 mins; Developers)
Understand the vulnerabilities of desktop software written in C/C++. Students will learn about safe memory management, insecure functions, and how to defend against buffer overflows in unmanaged languages.

HTM201 Defending HTML5 (60 mins; Developers)
Learn about the HTML5 standards designed to reduce the risks of JavaScript, AJAX, JSON and iframes. Students will learn the HTML5 mechanisms for safely performing cross-domain requests, as well as offline storage, cross-origin resource sharing (CORS), cross-domain messaging (CDM) and iframe sandboxing, and gain a defensive understanding of the business risks of HTML5 mash-ups.

SEC201 Defending Web Applications (60 mins; Developers)
Understand web application vulnerabilities typically seen during security testing, such as brute-force attacks, session management weaknesses, encryption mistakes and more. Although not directly part of the OWASP Top 10, these issues are important to know because they can still lead to security vulnerabilities.

DJA101 Defending Django (40 mins; Developers)
Learn about Django's built-in security features and the additional layers of protection available for your application. Learn how to set up projects securely to prevent attacks at run time and how to secure the admin console. Students will also learn to distinguish secure from insecure practices in order to protect the application against common attacks.

NOD101 Defending Node.js (60 mins; Developers)
Understand the security risks of developing and deploying applications in Node.js, and implement the defensive coding techniques and configurations that support secure Node.js development.

PYT201 Defending Python (35 mins; Developers)
Students will learn how to use secure database queries, avoid risky Python functions, handle serialization safely, validate, encode and sanitize input, protect files and folders, and secure temporary files. Students will complete this course with an understanding of important defenses against a variety of vulnerabilities.
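The Defending Databases (DAT101) and Defending Python (PYT201) descriptions name parameterized queries, safe serialization, avoiding risky functions and secure temporary files as defenses without showing what they look like in code. The block below is an added example written for this page, not Security Compass course material; it puts each vulnerable pattern next to its fix using only the Python standard library. The users table, the attacker strings and the report file name are constructed for illustration.

```python
"""Added example, not Security Compass course material: the vulnerable pattern
beside its fix for four defenses named in the Defending Databases and Defending
Python descriptions. Standard library only; the users table and the attacker
strings are constructed for illustration."""
import ast
import json
import os
import pickle
import sqlite3
import stat
import tempfile


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# 1. Secure database queries: string-built SQL vs. a parameterized statement.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # BAD: `name` is spliced into the SQL text, so a quote in it rewrites the
    # WHERE clause; "x' OR '1'='1" matches every row.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # GOOD: the driver binds `name` as a value; it can never become SQL syntax.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def injection_demo(payload: str = "x' OR '1'='1") -> tuple:
    """Row counts the two query styles return for the same injection payload."""
    conn = make_db()
    return len(find_user_vulnerable(conn, payload)), len(find_user_safe(conn, payload))


# 2. Safe serialization: pickle runs code on load, JSON only builds data.
class Evil:
    """What a malicious pickle carries: a call that pickle.loads would execute."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def evil_pickle_blob() -> bytes:
    # dumps() only records the reference to os.system; nothing runs until loads().
    return pickle.dumps(Evil())


def load_untrusted(blob: bytes):
    # GOOD: json.loads cannot name classes or functions, so the payload above is
    # rejected as malformed input rather than executed.
    return json.loads(blob.decode("utf-8"))


def rejects_untrusted(blob: bytes) -> bool:
    try:
        load_untrusted(blob)
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass it
        return True
    return False


# 3. Risky functions: eval() executes code, ast.literal_eval() accepts literals only.
def parse_literal(text: str):
    return ast.literal_eval(text)


def rejects_code(text: str) -> bool:
    try:
        parse_literal(text)
    except (ValueError, SyntaxError):
        return True
    return False


# 4. Secure temporary files: a guessable name vs. an atomically created file.
def temp_path_predictable(user: str) -> str:
    # BAD: anyone who can guess this path can pre-create or symlink it first.
    return os.path.join(tempfile.gettempdir(), f"report-{user}.tmp")


def write_temp_safe(data: bytes) -> str:
    # GOOD: mkstemp picks an unpredictable name and opens it with O_EXCL and
    # mode 0600, so nobody can race the creation or read the contents.
    fd, path = tempfile.mkstemp(prefix="report-", suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def secure_temp_roundtrip(data: bytes) -> bool:
    """Write, verify owner-only permissions (POSIX), read back, then clean up."""
    path = write_temp_safe(data)
    try:
        private = os.name != "posix" or stat.S_IMODE(os.stat(path).st_mode) == 0o600
        with open(path, "rb") as fh:
            return private and fh.read() == data
    finally:
        os.remove(path)
```

Each `*_safe` function is the drop-in replacement for the vulnerable or predictable variant beside it; `injection_demo()` returns the row counts (3, 0) for the constructed payload, which is the whole difference between concatenating and binding.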
Mobile Security
Course code and title (duration; audience), followed by the course description.

IOS301 Defending Swift for iOS (40 mins; Developers)
Students will learn about common vulnerabilities affecting Swift iOS applications and the techniques for securing an application against them. Students will also learn to identify and write secure Swift code, to differentiate between secure and insecure coding methods, and to understand the factors that together defend Swift iOS applications from attack.

MOB101 Defending Mobile (60 mins; Developers)
In this platform-agnostic course, students will understand the risks of building mobile applications. Students will learn how attackers target mobile apps through data stored on the device, data in transit to the cloud and data in memory, and the best practices for securing mobile apps on any mobile operating system.

IOS201 Defending iOS (90 mins; Developers)
Students will learn secure coding concepts for the OWASP Mobile Top 10 as they apply to iOS apps. This includes understanding the business risks of building mobile applications and the secure iOS coding techniques that defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.

AND201 Defending Android (90 mins; Developers)
Understand secure coding concepts for the OWASP Mobile Top 10 as they apply to Android apps. Students will learn the business risks of building mobile applications and the secure Android coding techniques that defend against vulnerabilities such as insecure data storage, weak server-side controls, lack of binary protections and more.
NEW
Coming Soon

GDPR for Developers (duration and audience TBD)
Coming soon.

Defending Web APIs (duration and audience TBD)
Coming soon.
About Security Compass
[email protected] www.securitycompass.com
Making Software Secure