Application Code Review

1. Overview

Understanding Mobile Platform Architecture
IOS Security Perspective
Android Security Perspective
Application Security Concepts and Overview
Typical Mobile Attacks and Case Studies
Developing Mobile Security Policy – In line with company security policy
Mobile App Security vs Web App Security
Mobile Stack – Security Perspective
Mobile Library – Security Perspective
Mobile Application Framework – Security Perspective
Mobile Application Layer – Security perspective
Developing Secure Mobile Apps

2. Authentication

Application Signing
File System Access – Security Perspective
Web Services Authentication
Session Management on Android
Authentication Best Practices
Authorization
Web Services Authentication
Session Management on Android
Authentication Best Practices

3. Encryption and Data Protection

Encryption Overview – Security Practices
Protecting Data at Rest
Protecting Data in transit
Web Services Encryption Best Practices
Message Authentication and Non-Repudiation
Data Privacy Issues and Concern

4. Secure Coding

Protecting against Web Services Attacks – SQL Injection, XSS
Protecting against File Inclusion Vulnerabilities
Error and Exception Management
API Level Security

5. Logging

Logging Practices – Device Logging
Centralized Logging Practices

6. BYOD and Device Administration

BYOD and Device Administration – Need and Overview
Device Admin API Coverage

7. Malware and Malware Prevention

Malware and Android
Malware – Typical Malware
Typical Malware Behavior and Characteristics
Credit card Skimmer example
Malware Prevention Practices for Apps

8. Certification Exam

C-MASP program contains hands-on interactive sessions. The trainees attending these two programs are therefore required to bring their laptops to these programs. At no point during the program would it be required for the laptop to be connected to the internet.

1. Introduction to Web Application Security

Understanding the need for Web Application Security and its challenges faced by modern enterprises, previous security incidents, high profile hacks, etc.

2. Basic Concepts of Information Security

Information Security Concepts that form the bedrock of the understanding of Web Application Security.

3. Significant Web Application Breaches

An exploration of significant attacks against web applications with a Real-life Case Study.

4. Risk Assessment and Threat Profiling Modeling

Unique Risk Assessment and Threat Profiling Modeling Technique for Web Application Security from CTO’s book “Secure Java for Web Application Development”.

Web Application Risk Assessment
Exploring methods to perform Risk Assessment for Web Applications

5. Compliance Requirements for web Application Security

Specific compliance requirements and their scope on Web Application Security.

6. OWASP Top 1

OWASP Top 10 Vulnerabilities, Testing Techniques, and Mitigation Techniques.

7. Integrating Security into Application

Integrating Security into the Application Development Lifecycle (Secure SDLC).

8. Secure Coding Guidelines

Preventing against common Web Application Vulnerabilities and Penetration Techniques.

9. Web Application Security for Specific Frameworks

Web Application Security for Specific Frameworks etc.
Web Application Threat Analysis and Threat Modeling.
Identifying Threat Models for Web Application and Integrating Security into the SDLC.
Hands-on Session
Hands-on Lab Session on major topics.
Certification Exam
C-WASP program contains hands-on interactive sessions. The trainees attending these two programs are therefore required to bring their laptops to these programs. At no point during the program would it be required for the laptop to be connected to the internet.

Agenda – Day 1

Session 1

The Payment Card Industry – Evolution
Card Anatomy – The Essentials
Security and the Payment Card Industry
PCI-DSS (Payment Card Industry – Data Security Standard) – Introduction
PCI Evolution – Initial to Current Version

Session 2

Scoping for PCI Compliance and its importance
Cardholder Data Flow and nuances
Compliance Overview
Compliance Validation
Segmentation

Agenda – Day 2

Session 1

Breaches – Instances and Root cause analysis
PCI Risk Assessment
How to protect Cardholder Data – Tools & Techniques
Logs, SIEM, SOC and incident management

Session 2

Internal Controls and Reporting
Impact of virtualization and cloud security
Mitigating third-party risk
Compliance maintenance
Your PCI Landscape – evolution, requirement, and challenges (Optional)
Certification Examination

1. Information Security An Overview

Defining Information Security and Risk
Understanding Threats, Vulnerabilities, and their Interplay
Understanding Security Risk in Depth
Workshop exercises and Case Studies

2. Information Security Compliance

Importance of Risk Management for Compliance
Linking the Risk Treatment Plan to the
Compliance Framework Compliance Standards around the world – An Overview
The ISO-27001:2005 Standard and Implementation Framework
Success Factors – ISO-27001
Management Commitment to Security
Measurement of Effectiveness of Controls
Information Security Policies and Procedures
Security Management – Organization Structure

3. Incident Response and Incident Management

Designing a Comprehensive and Proactive Incident Management Framework
Identifying Incidents
Performing Root Cause Analysis
Incident Response and Closure
Learnings from Incidents and Corrective Action
Workshop Exercises

4. Enterprise Risk Management Framework

Risk Management Practices
Risk Assessment
Risk assessment methodology
Risk approaches
Threat Profiling
Threat Modeling
Calculating risk Authentication vs. Authorization
Data classification
Vulnerabilities
Defense-in-depth
Computer security policies
Policies, Procedures, and Working Guidelines
Workshop Exercise on Risk Assessment and Risk Management

5. Business Continuity and Disaster Recovery

Policies and Procedures – Information Security
Roles and responsibilities
Contingency and Business continuity planning
Legal and regulatory requirements
Disaster recovery strategy and plan
Business impact analysis
Incident Reporting and Handling

1. Information Security Stories Involving

Password Strength, security, and so on – for general users
Protection against Phishing and other Social Engineering attacks – Stories of real-world incidents
Physical Security Practices
Generic Data Security Practices
Acceptable Usage Best Practices for an organization
Mobile Security Best Practices for general users
Incident Reporting and End-User Security Responsibility
Data Protection for Mobile Devices, Secondary Storage Devices, and so on.

2. Imprint of Compliance and Privacy Regulations on Data Security

US Data Protection and Privacy Regulations and their impact on Indian Companies
UK based Data Protection and Privacy Regulations and impact on Indian Companies
EU based Data Protection and Privacy Regulations and impact on Indian Companies
Data Protection and Privacy Regulations in the Middle East – KSA, UAE, and others

Part 2

INFORMATION SECURITY PARADIGMS

1. Network Security

Introduction to Networks – The OSI Model and TCP/IP Stack
IP Addressing and CIDR Block Information
Protocol Exploration – Perspectives of popular network protocols
Routers and Switches – Concept Focus
Firewalls – Concept Focus
Intrusion Detection and Prevention Systems
Network Security Documentation
Introduction to Network Change Control
Network Security Attacks today
Hands On Exercises

2. Host and OS Security

Operating Systems – Organization
Windows
Unix/Linux Flavors
File System Organization
Specific Technology Areas – Windows and Unix
Operating System – Access Control (Technology and Frameworks)
Operating Systems Services Security
Operating System Cryptographic Concepts
Operating System – Logging and File Integrity Monitoring Practices
How to perform an effective Operating System Security Assessment
Hands On Exercises

3. Application Security

Web Application Security Challenges and Principles
Web Application Attacks and Defense Strategies:
Web Application Security Program Management
Designing Secure Web Application
Web Application Security Best Practices
Web Application Security Assessment
Hands On Exercises

Part 1

AN INTRODUCTION TO THE WORLD OF INFORMATION SECURITY

1. Evolution of Information Security

Evolution of IT – through the ages from Mainframe to Mobile Phone
Information Security through the ages
Popular hacks and attacks – Cap’n Crunch to enStage
Attack Techniques – An Evolution
Information Security – Current Day and Age
Challenges to Information Security today
Assignment – What do you think will be Enterprise Security Trends 5 Years from now?

2. Glimpses into Enterprise Security

Enterprise Security through the ages
Enterprise Security Dimensions and Paradigms
Defense-in-Depth and its application on Information Security
Case Studies in Enterprise Security
Assignment – Design a Defense-in-Depth Framework for a Small Company

3. Risk Management Essentials

Concepts of Risk and Risk Management
Risk Measurement and Impact Evaluation
Risk Assessment
Risk Assessment Concepts
Methodologies
Assignment: Perform a Risk Assessment for any company of your choice

Part 3

ENTERPRISE SECURITY TRACK

Enterprise Security Management – Overview and Principles
Overview of popular Information Security Standards and Frameworks
ISO-27001 Implementation Overview
PCI-DSS and Implementation Overview
Enterprise Policy and Procedure Management
Enterprise Vulnerability Management
Change Management and Change Control Principles
Business Continuity Management
Enterprise Incident Management
Modern Enterprise Security Challenges – Overview and Implementation Strategies

Application Code Review

Waypoints In Our Code Review Journey

Code Review – Service Overview

Ensuring Application Security At Source Code

The Intent

The Services

Review Execution

Application Profiling

Getting On The Same Page With Application Functionalities

This would assist the reviewers (in subsequent assessments) to identify any business logic security vulnerability that could exist in the application.

Detailed Code Walkthrough

Dive Into The Code Base & Explore Dependencies

Code Review

Specialists Scrutinizing The Code Integrity

Following strict protocols

A significant process

Threat Modeling

Mapping The Threats In The Steps Of STRIDE

Note: A Threat Model is not based on the vulnerabilities of an application. It is based on attack scenarios that might be possible, given the lack of security controls in the application.

Code Analysis

Cementing The Code Review Results With A Deeper Dive

Analysis and Reporting

Outcome – In One Shot

Cement The Robust Health Of Your Application Code

Quick Links

Headquarter – UAE

.

Agenda – Day 1

Session 1

Session 2

Agenda – Day 2

Session 1

Session 2

Part 2

INFORMATION SECURITY PARADIGMS

1. Network Security

2. Host and OS Security

3. Application Security

Part 1

AN INTRODUCTION TO THE WORLD OF INFORMATION SECURITY

1. Evolution of Information Security

2. Glimpses into Enterprise Security

3. Risk Management Essentials

Part 3

ENTERPRISE SECURITY TRACK

Application
Code Review

Waypoints In Our
Code Review Journey

Cement The Robust Health Of
Your Application Code