WA3358

Security Fundamentals for Software Engineers Training

This Security fundamentals course covers basic security concepts and more advanced topics, such as threat modeling and risk management. By the end of this course, students are able to understand the principles of information security, apply security concepts to real-world situations, implement security controls to protect information assets, evaluate the security of information systems, and manage information security risks.

Course Details

Duration

3 days

Prerequisites

  • Basic to advanced programming skills in a common development language such as but not limited to C, Java, JavaScript, or Python
  • Understanding of the software development lifecycle

Target Audience

  • New software developers
  • Experienced software developers needing security concepts
  • Software development managers
  • Database and data analysts tasked with development support

Skills Gained

  • Design software that is secure from the beginning
  • Examine previously build software for secure refactoring
  • Find information and guidance on software vulnerabilities
  • Apply company security policies to the development lifecycle
Course Outline
  • Security Concepts
    • Confidentiality
    • Integrity
    • Availability
    • AAA
  • Zero Trust concepts
    • Never Trust/Always Verify
    • Assume Breach
    • Insider Threats
  • Encryption/PKI
    • Certificate management
    • TLS/SSL/HTTPS
    • Certificate formats
    • Openssl certificates
    • Generating key pairs with ssh-keygen
  • Authentication/Authorization
    • MFA
    • SSO
    • Oauth
    • SAML
    • Least Privilege
    • Privileged Access management
  • OWASP
    • Overview of the OWASP Top Ten
    • OWASP Juice Shop Demo
    • Overview of OWASP Web Security Testing Guide
  • Threat Modeling
    • A general approach to threat modeling
    • STRIDE overview
    • Data flow
  • Data classification and protection
    • Classify and label data
    • Encrypt data at rest
    • Encrypt data in transit
    • Secrets management
    • Best practices for storing and handling passwords/keys/tokens
    • JWT overview
    • AWS Secrets Manager
    • Hashicorp Vault
  • Risk Management, Governance, and Compliance
    • Supply chain security for software libraries
    • NIST and other security frameworks overview
  • Secure Architecture and Design
    • Leverage enterprise tools and patterns
    • Protect sensitive data
    • Zero Trust
    • Resiliency (backup/restore)
    • Server-side validation
    • Isolate security functions
    • Application partitioning
    • Re-auth high-value transactions
    • Logging and monitoring
  • Opensource Vulnerability Management
    • Defectdojo demo
    • OpenVAS demo
    • Overview of impact and maintenance of open-source software