Certified Application Security Engineer (CASE) Net
Course Code:
CS08
Course Objective
To ensure that application security is treated as a primary concern rather than an afterthought.
To lay the foundation required by application developers and development organizations to produce secure applications with greater stability and fewer security risks to the consumer, so that security becomes a primary consideration.
To help organizations mitigate the risk of losing millions to security compromises that can arise at every step of the application development process.
To help individuals develop the habit of treating security as essential, irrespective of their job role in the SDLC, so that security becomes a core domain for testers, developers and network administrators.
Target Audience
.NET developers with a minimum of 2 years of experience, and individuals who want to become application security engineers/analysts/testers
Individuals involved in developing, testing, managing, or protecting a wide range of applications
Course Outline
Module 1: Understanding Application Security, Threats, and Attacks.
What is a Secure Application
Need for Application Security
Most Common Application Level Attacks
SQL Injection Attacks
Cross-site Scripting (XSS) Attacks
Parameter Tampering
Directory Traversal
Cross-site Request Forgery (CSRF) Attack
Denial-of-Service (DoS) Attack
Denial-of-Service (DoS): Examples
Session Attacks
Cookie Poisoning Attacks
Session Fixation
Why Applications become Vulnerable to Attacks
Common Reasons for Existence of Application Vulnerabilities
Common Flaws Arising from Insecure Coding Techniques
Improper Input Validation
Insufficient Transport Layer Protection
Improper Error Handling
Insecure Cryptographic Storage
Broken Authentication and Session Management
Unvalidated Redirects and Forwards
Insecure Direct Object References
Failure to Restrict URL Access
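Two of the flaws listed above, SQL injection and directory traversal (both consequences of improper input validation), side by side in their vulnerable and hardened forms. This is an added C# example written for this page, not material from the CASE .NET course; the table and column names, the download directory and the attacker inputs are all constructed for illustration. It references System.Data.SqlClient (part of .NET Framework; a NuGet package on .NET Core) and builds the SqlCommand objects without opening a connection, so it runs offline.

```csharp
// Added example (not part of the CASE .NET course materials).
// Table "Users", the download directory and the payloads are constructed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;

public static class InputHandling
{
    // VULNERABLE: user input is concatenated into the SQL text.
    // The input  ' OR '1'='1  turns the WHERE clause into a tautology.
    public static SqlCommand LookupUserUnsafe(string username)
    {
        var cmd = new SqlCommand();
        cmd.CommandText = "SELECT Id, Email FROM Users WHERE Name = '" + username + "'";
        return cmd;
    }

    // HARDENED: the value travels as a typed, length-bounded parameter;
    // the SQL text is fixed and the attacker's quotes are just data.
    public static SqlCommand LookupUserSafe(string username)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = username;
        return cmd;
    }

    // VULNERABLE: the requested name is joined straight onto the base directory.
    // "../../web.config" walks out of the intended folder; a rooted path
    // replaces the base directory entirely (Path.Combine semantics).
    public static string ResolveDownloadUnsafe(string baseDir, string requested)
    {
        return Path.Combine(baseDir, requested);
    }

    // HARDENED: canonicalise the result, then require it to stay under the
    // base directory. The trailing separator on root stops "/srv/downloads2"
    // from passing as a child of "/srv/downloads".
    public static string ResolveDownloadSafe(string baseDir, string requested)
    {
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes download directory: " + requested);
        return full;
    }

    public static void Main()
    {
        // SQL injection: same payload through both code paths.
        string payload = "' OR '1'='1";
        Console.WriteLine(LookupUserUnsafe(payload).CommandText);
        SqlCommand safe = LookupUserSafe(payload);
        Console.WriteLine(safe.CommandText + "   [@name = " + safe.Parameters["@name"].Value + "]");

        // Directory traversal: payload built with Path.Combine so the
        // separators are right on both Windows and Linux.
        string baseDir = Path.Combine(Path.GetTempPath(), "downloads");
        string traversal = Path.Combine("..", "..", "web.config");
        Console.WriteLine(ResolveDownloadUnsafe(baseDir, traversal));
        try
        {
            ResolveDownloadSafe(baseDir, traversal);
        }
        catch (UnauthorizedAccessException e)
        {
            Console.WriteLine("blocked: " + e.Message);
        }
        Console.WriteLine(ResolveDownloadSafe(baseDir, "report.pdf"));
    }
}
```

In a real ASP.NET handler the `username` and `requested` values would come from the request (query string, form field or model binding); the point is that neither hardened method relies on filtering those values, only on keeping data and structure separate (parameters for SQL, canonicalisation plus a prefix check for paths). The case-insensitive comparison matches Windows file-system behaviour; on a case-sensitive Linux volume `StringComparison.Ordinal` is the stricter choice.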
What Constitutes Comprehensive Application Security?
Application Security Frame
3W’s in Application Security
Insecure Application: A Software Development Problem
Solution: Integrating Security in Software Development Life Cycle (SDLC)
Functional vs Security Activities in SDLC
Advantages of Integrating Security in SDLC
Microsoft Security Development Lifecycle (SDL)
Software Security Standards, Models, and Frameworks
The Open Web Application Security Project (OWASP)
OWASP Top 10 Risks (2017)
The Web Application Security Consortium (WASC)
WASC Threat Classification
Software Security Framework
Software Assurance Maturity Model (SAMM)
Building Security in Maturity Model (BSIMM)
BSIMM vs OpenSAMM
Module 2: Security Requirements Gathering.
Importance of Gathering Security Requirements
Security Requirements
Gathering Security Requirements
Why We Need a Different Approach to Security Requirements Gathering
Key Benefits of Addressing Security at Requirement Phase
Stakeholders Involvement in Security Requirements Gathering
Characteristics of Good Security Requirement: SMART
Types of Security Requirements
Functional Security Requirements
Security Drivers
Security Requirement Engineering (SRE)
SRE Phases
Security Requirement Elicitation
Security Requirement Analysis
Security Requirement Specification
Security Requirement Management
Common Mistakes Made in Each Phase of SRE
Different Security Requirement Engineering Approaches/Models
Abuse Case and Security Use Case Modeling
Abuse Cases
Threatens Relationship
Abuse Case Modeling Steps
Abuse Cases: Advantages and Disadvantages
Abuse Case Template
Security Use Cases
Security Use Cases are Abuse Case Driven
Modeling Steps for Security Use Cases
Mitigates Relationship
Abuse Case vs Security Use Case
Security Use Case: Advantages and Disadvantages
Security Use Case Template
Security Use Case Guidelines
Example 1: Use Case for Online Bidding System
Example 1: Abuse Case for Online Bidding System
Example 1: Security Use Case for Online Bidding System
Example 2: Use Case for ATM System
Example 2: Abuse Case for ATM System
Example 2: Security Use Case for ATM System
Example 3: Use Case for E-commerce System
Example 3: Abuse Case for E-commerce System
Example 3: Security Use Case for E-commerce System
Effectiveness of Abuse Cases and Security Use Cases
Abuser and Security Stories
Textual Description Template: Abuser Stories and Security Stories