eLearning Course Catalog Version 2021.9 (Released: 9/2/2021) General disclaimer This document presents details about the training offerings from Synopsys at the time of its creation. Synopsys has used reasonable efforts to ensure that the information provided in this document is accurate and up to date, but details and offerings are subject to change. This document contains confidential information about Synopsys and its businesses. Copies of this document may only be provided, and disclosure of the information contained in it may only be made, with written prior agreement from Synopsys. Ownership and disposal The information contained in this document is owned by Synopsys. The recipient shall dispose of the data as confidential waste and/or return the document to Synopsys upon request.
Synopsys eLearning Synopsys offers a hosted eLearning curriculum that enables organizations of all sizes to quickly deploy industry-leading training companywide. Synopsys eLearning is a subscription-based online training service providing on-demand, unlimited access to our comprehensive library of hosted eLearning courses. With an annual subscription, you get 24/7 access to our interactive security courses including knowledge checks and final exams, individual and group reporting, and periodic content updates so you can easily meet compliance and contractual training requirements. For companies that deploy their own learning management system (LMS), all eLearning courses are SCORM-compliant and can be deployed within your current LMS.
Synopsys eLearning Catalog | June 2021 | synopsys.com | 1 Table of contents Courses are available in English, Chinese, and Japanese.
Fundamentals...... 4 Attack and Defense ...... 5 DevSecOps Security ...... 6 Foundations of Information Security Awareness...... 7 Introduction to Cryptography for Architects and Developers...... 8 Introduction to GDPR...... 9 OWASP Top 10...... 10 Principles of Software Security...... 11 Defensive Strategies...... 12 Database Security ...... 13 DevOps for Security Managers ...... 14 Introduction to Automotive Security ...... 15 Introduction to Securing the Internet of Things ...... 16 Living With Open Source ...... 17 Open Source Policies and Risks...... 18 Secure Communication for the Internet of Things...... 19 Secure Development for Financial Services ...... 20 Secure Password Storage...... 21 Threat Modeling...... 22 Languages and Platforms...... 23 Building Security Into ASP.NET ...... 24 C/C++ Security ...... 26 Defensive Programming for COBOL...... 27 Defensive Programming for HTML5 Security...... 28 Defensive Programming for Java EE Web Applications...... 29 Defensive Programming for PHP Security...... 30 Foundations of COBOL Security ...... 32 Foundations of .NET Platform Security...... 34 Hapi.js Security...... 35 Introduction to HTML5 Security...... 36 Introduction to PHP Security ...... 37 Java Advanced Secure Coding...... 39 Java Security Fundamentals ...... 40 Java Spring Security...... 41 JavaScript Security...... 42 Node.js Security...... 44
Synopsys eLearning Catalog | June 2021 | synopsys.com | 2 React.js Security...... 45 Secure Programming for Golang ...... 46 Securing AngularJS...... 47 Securing Express.js...... 48 Securing Python Web Applications...... 49 Cloud Platforms ...... 50 Introduction to Cloud Security ...... 51 Secure Implementation of Docker and Kubernetes ...... 52 Securing Amazon Web Services...... 53 Securing Google Cloud Platform ...... 54 Securing Microsoft Azure...... 55 Securing MongoDB ...... 56 Authentication and Authorization...... 57 Advanced OAuth 2.0 Topics...... 58 OAuth 2.0 Security...... 60 OpenID Connect...... 61 SAML Security...... 62 Securely Accessing APIs Using OAuth 2.0...... 64 Securely Granting Access to an API Using OAuth 2.0...... 65 Mobile...... 66 Advanced Android Security ...... 67 Android Security...... 69 Foundations of Mobile Security...... 70 Fundamentals of iOS...... 71 Secure Programming for iOS...... 73 Requirements, Architecture, and Training ...... 75 Architecture Risk Analysis...... 76 Risk-Based Security Testing Strategy...... 78 Software Security Requirements...... 80 Regulation and Compliance...... 81 GDPR for Developers and Architects ...... 82 GDPR for Development and Project Managers ...... 83 GDPR for Upper Management...... 84 Introduction to CCPA, California Consumer Protection Act...... 85 PCI DSS Security ...... 86 Secure Development for Healthcare...... 87
Synopsys eLearning Catalog | June 2021 | synopsys.com | 3 Fundamentals
Fundamentals
Synopsys eLearning Catalog | June 2021 | synopsys.com | 4 Course Outline Fundamentals Introduction to Attack and Defense • Introduction to Attack and Defense • Understanding Your Enemy • Vulnerabilities Are Here to Stay • The Trinity of Trouble • Impacts of Insecure Software Attack and Defense
Data Protection • NEW: GDPR 1 Hour Beginner • Attacks on Data in Motion • Securing Data in Motion: System Footprint • Securing Data in Motion: Encryption Course Description • Securing Data in Motion: Keys and Data Web applications are becoming an increasingly high-value target • Attacks on Data at Rest for hackers looking to make a quick buck, damage reputations, • Securing Data at Rest • Crypto Best Practices or just boost their “street cred.” There is no shortage of publicly known attack tools and techniques, and software developers are Handling User Input outnumbered and at the front line of defense. This course will • SQL Injection teach you how attackers discover and exploit vulnerabilities in • SQL Injection: Examples the real world and how to build a strong line of defense. • Command Injection • Cross-Site Scripting • NEW: XML External Entities (XXE) Attack Learning Objectives • Unvalidated Redirects: Vulnerable? • Recognize security flaws in web applications • Unvalidated Redirects: Spotting and Defense • Build defenses against common web application vulnerabilities Authentication and Authorization • Use tools and techniques to test your own applications for • Authentication Attacks vulnerabilities • Defending Against Authentication Attacks • Implement application features to enhance your users’ • Authorization Attacks • Defending Against Authorization Attacks security posture
Session Protection Intended Audience • Weak Cookie Security • Architects • Attacking Sessions: Hijacking • Back-End Developers • Attacking Sessions: Fixation • Enterprise Developers • Cross-Site Request Forgery • Front-End Developers • Protecting Against CSRF • SameSite Cookie Attribute • Building Secure Session Mechanisms Prerequisites • Principles of Software Security Security Configurations • Foundations of Information Security Awareness • Attacking Application Configurations • Insecure by Default • Securing Third-Party Components • Changing Defaults • Preventing Information Leakage
Monitoring and Detection • Tools of the Trade • Tools: Firewalls • Tools: Alerts and Logging • Tools: Detection and Honeypots
Synopsys eLearning Catalog | June 2021 | synopsys.com | 5 Course Outline Fundamentals Introduction and Key Concepts • DevOps • Why DevOps Works • DevSecOps • Continuous Integration, Delivery, and Deployment (CI/CD2) • Pipelines DevSecOps Security • DevSecOps and CI/CD2 • Market Segments • Case Study 1 Hour Beginner DevSecOps Drivers and Challenges • Business Drivers Course Description • Business Challenges DevSecOps stands on a foundation of agile ideas and principles, • Technology Drivers such as frequent delivery, a focus on automation, and speed to • Technology Challenges • Case Study deployment. DevSecOps focuses on key principles such as a self-service environment, on-demand provisioning, continuous DevSecOps and People feedback, customization, and speedy delivery. Covering the • Changing Responsibilities fundamentals of DevSecOps and its integral components, this • Case Study course helps you to understand how a concerted push for DevSecOps and Process secure development agility can deliver value to an organization. • DevSecOps and Processes Enhancement • Case Study Learning Objectives • Explore the fundamentals of DevSecOps and its integral DevSecOps and Technology components • Tools in the Belt • Choosing the Right Tools • Understand how DevSecOps integrates security at multiple • Case Study points in DevOps workflows • Identify organizational challenges of embedding security and quality in DevSecOps • Maintain engaged discussions among DevSecOps stakeholders • Explore the types of tools capable of boosting operational efficiency • Begin to confidently qualify sales and consulting opportunities efficiently
Intended Audience • Architects • Enterprise Developers • Front-End Developers • Mobile Developers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 6 Course Outline Fundamentals Introduction to Information Security Awareness • What Exactly is Security Awareness? • Identifying and Understanding Assets • Boundaries Between Work and Home
Workstation Security Foundations of • Overview of Workstation Security • Five Steps to Physical Security • Network Connections Information Security • Malicious Software • Data Protection Awareness • Defense Mechanisms: Barriers and Updates • Defense Mechanisms: Files and Storage • Know That You Have Been Hacked 1 Hour Beginner User Account Security • Introduction: Accounts Rule the Web • Securing Accounts: What Can Go Wrong? Course Description • Securing Accounts: Password Security Practices Security awareness is a process of constant refinement and • Securing Accounts: Password Managers education. Every person has a key role in keeping their company • Key Considerations When Choosing a Password Manager secure and out of the headlines. This course walks through • Multifactor Authentication what it takes to effectively identify and act upon security risks in Mobile Device Security your personal and work lives. It covers a broad range of modern • Introduction: Mobile Devices in the Workplace security topics and provides actionable advice. • Physical Device Security • Physical Device Security: A Story Learning Objectives • Mobile Device Security: Basics • Quickly identify potential common security risks in the • Mobile Device Security: Applications workplace • Tinkering: What to Know • Assess the security of their workstations, mobile devices, and office spaces Social Engineering • Build a strong password creation and storage mechanism • Introduction: People as a Target • Recognize the implications of real-world data breaches • Physical Social Engineering: What to look for • Identify corporate information assets and understand how to • Physical Social Engineering: Common attack Techniques handle them securely • Email Phishing Attacks • Email Phishing Attacks: Tips to Avoid Getting Inbox-Duped • Text Message Phishing Intended Audience • Voice/Phone Phishing • Architects • Use Social Media Safely • Back-End Developers • Phishing in the Real World • Front-End Developers • Enterprise Developers Working From Home • Mobile Developers • Introduction • QA Engineers • Home Network Security • Workstation and Devices Security • Video Conferencing Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 7 Course Outline Fundamentals Cryptography Foundations • What Is Cryptography? • Terminology and Core Concepts • What Is Cryptography Used For? • Real-World Cryptography • Primitives Introduction to
Encryption • Common Encryption Primitives Cryptography for • Symmetric Key Encryption • Asymmetric Key Encryption Architects and • Common Encryption Ciphers • Initialization Vectors • Padding Developers • Using Asymmetric Encryption Securely
Cryptographic Hash Functions • Common Hash Function Algorithms 1 Hour Beginner • Password Storage • Data Integrity Course Description • Lifeboat’s Sinking Ship Cryptography: It’s what makes it possible to safely bank, shop, Message Authentication Codes (MACs) and work on the internet. Cryptography helps store passwords • MACs vs. Hashes securely and even helps prevent data loss if you lose your • How MACs Work device. This course will teach you the cryptography basics you • Examples need to know to design and develop secure applications and • Best Practices systems. Digital Signatures • How Digital Signatures Work Learning Objectives • Implementations • Describe common cryptographic implementations • Putting It Together With TLS • Make security-conscious decisions around cryptography Building a Secure Cryptosystem • Understand real-world threats to cryptography • Questions to Consider • Know when and how to use specific cryptographic primitives • Architecting Your Cryptosystem • Key Management Intended Audience • Choosing Protocols and Algorithms • Architects • Cryptographic Life Cycle • Security Engineers • Case Study • Software Developers • Key Takeaways • Systems Administrators Knowledge Check Prerequisites • Principles of Software Security • OWASP Top 10 • Attack and Defense
Synopsys eLearning Catalog | June 2021 | synopsys.com | 8 Course Outline Fundamentals What Is GDPR and Why Do We Care? • Overview and History • Applicability • Fines Personal Data Introduction to GDPR • Comparing Personal and Sensitive Personal Data • Categories and Examples
Basic Principles ¾ Hour Beginner • Data Protection by Design and by Default • Data Privacy Impact Assessment Course Description • Data Protection Office The General Data Protection Regulation (GDPR), which took • Breach Detection and Notification effect in 2018, is EU legislation for the protection of personal Subjects’ Rights data. It broadens the definition of personal data and introduces • Requirements for Consent additional rights for data owners. Because applications often • Right to Be Forgotten receive, process, and store personal data, everyone involved • Right to Restriction of Processing • Right to Be Informed in the application development life cycle should understand • Data Access and Portability the requirements set by GDPR. Otherwise, they risk increased exposure to litigation, costly fines, and a damaged brand image. This course introduces GDPR and the basic principles of the regulation.
Learning Objectives • Understand GDPR, who it concerns, why it’s important, and how it affects the development life cycle • Identify personal data and special categories of personal data • Explain the basic principles of personal data protection per GDPR • Get a basic understanding of data subjects’ rights • Become familiar with GDPR-relevant terms (data privacy impact assessment, data protection officer, etc.)
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Management • Mobile Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 9 Course Outline Fundamentals Introduction to the OWASP Top 10 • Introduction to the OWASP Top 10 • Boost Your Career With The OWASP Top 10
Injection • SQL Injection OWASP Top 10 • Command Injection • EquiHAX: Fallout • EquiHAX: Remote Command Injection 1 ½ Hours Beginner
Broken Authentication • Authentication Overview Course Description • Session Security Overview The OWASP Top 10 is a valuable tool for defining the major risks • Session Security Considerations in web applications today from an attacker’s perspective—but • Authentication Security there are only 10. This course highlights the lessons of the • A Leaky Vault OWASP Top 10, but then “goes to 11” by covering other critical • Authentication Solutions: Build Versus Buy security issues every developer should know.
Sensitive Data Exposure Learning Objectives • Handling Sensitive Data Securely • Understand the role of security in the software development • Grammarly Mixup life cycle and how best to create secure applications XML External Entities • Recognize how these software security defects are exploited • What Is XXE? • Identify discovery methods for these issues • XML External Entity File Disclosure Example • Implement the practices that help prevent the most common • XXE Remediation mistakes and lead to more secure software
Broken Access Control Intended Audience • Access Control Introduction • Architects • Function-Level Access Control Introduction • Back-End Developers • Strategies • Enterprise Developers • Insecure Direct Object References: In a Nutshell • Front-End Developers • Creating Your Own Users for Fun and Profit • Mobile Developers Security Misconfigurations • Protection Prerequisites • Hijacking Third-Party Dependencies for Fun and Profit • None
Cross-Site Scripting • XSS Protection Checklist
Insecure Deserialization • Deserializing Untrusted User Input • Preventing Deserialization Attacks
Using Components with Known Vulnerabilities • Securing Third-Party Software Components • Quick Questions • An Upstream Bug
Insufficient Logging and Monitoring • Insufficient Logging and Monitoring • Logging and Monitoring Best Practices • Logging Technologies • Security Logging Interfaces
Synopsys eLearning Catalog | June 2021 | synopsys.com | 10 Course Outline Fundamentals Basic Software Security Concepts • The Importance of Software Security • Software Security Vocabulary • What Is Secure Software? • Obstacles to Software Security • Building Security In Principles of • Roles in Software Security
Fundamentals of a Software Security Initiative Software Security • Goals of a Software Security Initiative • Engineering and Governance • Software Security Group (SSG), Outreach, and Satellites ¾ Hour Beginner • Vendor Management • Evolution of a Software Security Initiative Course Description Software Development Life Cycle (SDLC) Dive into the basics of software security inside the development • The Touchpoints process. This course introduces the fundamentals of software • Secure Software Development Life Cycle security problems, risks, and general approaches for producing • Software Security Intelligence • Technical Standards and Reference Frameworks better software. It also presents an approach to building • Training software security into the development process, further enabling developers to deliver better software. This course was Assessing Software and Code Review created by the experts who wrote the book on software security. • The Criticality of Assessing Software • ARA / Threat Modeling The approaches described in this course are used by leading • Manual Code Review global companies with mature software security initiatives. • Static Analysis • Dynamic Analysis Learning Objectives • Fuzz Testing • Discuss basic security terminology comfortably when • Risk-Based Security Testing discussing your own development work • Penetration Testing • Confidently contribute to discussions of software security • Interactive Application Security Testing (IAST) principles • Discovery Method Pros and Cons • Participate in the initial strategy, formation, and role • The Importance of Fixing Software delegation of a software security initiative • Confidently begin to contribute to your company’s overall design of a software security strategy
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Mobile Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 11 Defensive Strategies Course Outline Defensive Strategies Introduction to Database Security • Types of Databases • Quick Questions • Security Challenges and Risks • Steps to Secure a Database • Quick Questions Database Security •
Governance and Compliance 1 Hour Beginner • Data Inventory • Data Protection Policy • Data Protection Policy Contents Course Description • Quick Questions Databases have been growing both in size and complexity • Privacy and Compliance during the past few years. At the same time, new legal and Authentication and Access Control compliance requirements have been introduced to protect • Authentication and Access Control Risks personal and sensitive data. • Authentication • Access Control This course will guide you through the steps to secure • Best Practices databases. It provides an overview of the current threat and Encryption compliance landscape for databases and highlights the • Transparent Data Encryption importance of defining data inventory and data protection • Other Encryption Methods policy. Learners will get a thorough understanding of the best • Key Management practices for database authentication and access control as • Other Data Protection Mechanisms well as the available database encryption methods. The course • Choosing the Right Encryption Mechanism also provides guidelines on hardening databases and describes Operation and Monitoring methods of auditing and monitoring. • Configuration and Hardening • Securing the Database Ecosystem Learning Objectives • Audit Trails • Understand the steps required to secure a database • Native Database Auditing • Create a data protection policy • Database Monitoring: Host Agents • Database Monitoring: Network Monitoring and DAM • Follow best practices to control access to databases • Best Practices • Use the most efficient method for encrypting data in the databases Summary • Harden databases according to best practices • Protecting Your Most Valuable Asset: Information • Enable auditing and monitoring of databases • Authentication and Access Control • Compare different tools for managing third-party • Database Encryption dependencies • Hardening • Monitoring • Securing Data in the Cloud Intended Audience • Architects • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 13 Course Outline Defensive Strategies Introduction to History • History and Evolution • Underlying Drivers: Time-to-Market and Self-Service Software Delivery Software Life Cycle and Challenges DevOps for Security • How Engineering-Led Initiatives See Their Life Cycle • Challenges Security Initiatives Face • Maturing Firms May Have It Harder Managers • Challenge 1: Cadence • Challenge 2: Gating the SDL 1 ½ Hours Beginner • Challenge 3: Building Using a Federated Workforce • Challenge 4: Automation: Reducing Reliance on Human (Manual) Effort Course Description • Challenge 5: Inventory This course is geared toward security executives who own a software security group or are sponsoring a security initiative Achieving Security Governance: Inventorying Software, Conducting Defect Discovery organizationwide. It covers how to align legacy and net-new • Introduction and Pillars necessary security tools and activities with a DevOps culture • Inventorying Assets, Scope and its underlying delivery technologies, conventions, and • Discovering Inventory culture. This course prepares security executives to gain and • Automating Practice Areas maintain a “seat at the table” with development leadership • Defect Discovery • DevOps Defect Discovery by providing enough “what” and “how” regarding sw-defined security governance to productively participate—and even Security Governance: Process Remediation Workflow, drive—sw-defined security governance, or as some say, “the Sec and Gating in DevSecOps” that ultimately secures DX. • Alternatives to Gates • Remediation Enablement • Accountability Learning Objectives • Continuous Telemetry, Accompanying Continuous Delivery • Understanding the DevOps movement for organizations and how cloud technology adoption greatly enabled and Measurement accelerated CI/CD toolchain and DevOps culture adoption • DORA • Identify and address common challenges in converting legacy • Security, a Subset of Quality controls to the new culture • Sample Security Measures • Plan a culturally compatible approach to addressing these challenges • Participate in existing engineering measurement practices, adding security metrics
Intended Audience • DevOps Practitioners • Managers • Security Practitioners
Prerequisites • DevSecOps • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 14 Course Outline Defensive Strategies Introduction • Secure Design • Secure Development • Secure Testing & Certification • Secure Maintenance • Collaborating With Third Parties Introduction to • Knowledge Base
Secure Design Automotive Security • Introduction • Security Policies & Standards 1 Hour Beginner • Product Risk Assessment • Segmentation, Isolation, and Zero-Trust • Secrets Management Course Description • Hardware Security The Introduction to Automotive Security course is designed • Knowledge Base to teach the basics of secure automotive system design. The Secure Development course considers automotive security from two perspectives: • Introduction (1) an internet-connected mobile systems platform and (2) • Concept of Traceability extravehicular support systems such as web data services. • Secure Development Life Cycle (SDLC) Learners are introduced to security concepts and secure design • Automated Security Test Cases processes for automotive applications. The course applies • Product Hardware Development Concerns • Supply Chain Security to technology professionals in the automotive industry who • Product Safety participate in the development of automotive systems. • Knowledge Base Learning Objectives Secure Testing & Maintenance • Understand basic security principles for securing vehicular • Introduction and extravehicular information systems • Static Application Security Testing (SAST) • Get an overview of a few industry standards for securing • Dynamic Analysis Security Testing (DAST) • Penetration Testing (Pen Testing) vehicle systems • Diagnostics and Forensics • Learn where to go for additional information • Reporting Security Assessment Results • Security Patching Intended Audience • Knowledge Base • Architects • Back-End Developers • Developers • Enterprise Developers • Mobile Developers • QA Engineers
Prerequisites • Java Security Fundamentals • Principles of Software Security
Synopsys eLearning Catalog | June 2021 | synopsys.com | 15 Course Outline Defensive Strategies Introduction to the Internet of Things • What Is IoT? • Consumer IoT • Medical IoT • Smart City Introduction to Securing IoT Architecture • IoT Device(s) the Internet of Things • Communication • IoT Supporting Services • Integration With Third-Party Services 1 Hour Beginner • APIs for Third-Party Integrations • Web Client • Mobile Client Course Description • Engineering Challenges of IoT This course introduces the complexities of the Internet of Things (IoT) and the security issues that plague IoT systems. IoT Protocols • Types of Communication The core focus of the course is IoT security. We’ll cover the • Short-Range Communications unique and manifold features of IoT and how they relate to • Long-Range Communications security and privacy. At the end, learners will know enough • Application Data Protocols about the security pitfalls of IoT systems to make informed IoT Threat Modeling decisions, whether as IoT vendors creating products or as • Threat Modeling Review enterprise or personal consumers making choices about what • STRIDE devices to deploy. • Threat Countermeasures • Spoofing Learning Objectives • Tampering • Understand the top security issues plaguing IoT • Repudiation • Perform threat modeling on an IoT product design • Information Disclosure • Have a clear grasp of the regulatory concerns for IoT • Denial of Service • Elevation of Privilege Intended Audience IoT Security • Architects • Open Web Application Security Project (OWASP) Top 10 for • Back-End Developers IoT • Enterprise Developers • Weak, Guessable, or Hardcoded Passwords • Front-End Developers • Insecure Network Services • Mobile Developers • Insecure Ecosystem Interfaces • Lack of Secure Update Mechanism • QA Engineers • Use of Insecure or Outdated Components • Insufficient Privacy Protections Prerequisites • Insecure Data Transfer and Storage • None • Lack of Device Management • Insecure Default Settings • Lack of Physical Hardening • Case Study: Mirai Botnet
IoT Regulation Concerns • Disclaimer • General Data Protection Regulation (GDPR) • California Consumer Privacy Act (CCPA) • IoT Device Security Act (SB-327) • Payment Card Industry Data Security Standard (PCI DSS)
Synopsys eLearning Catalog | June 2021 | synopsys.com | 16 Course Outline Defensive Strategies Benefits of Using Open Source Software • Key Benefits of Using Open Source Software • Open Source License Types • Growth in Available Open Source Components • Growth in Number of Components in Codebases Living With Open • Benefits Risks of Using Open Source Software Source • Three Types of Risk • License Risk • Survey Results 1 ¼ Hours Beginner • Source Code Risk • Operational Risk • Conclusion Course Description In this course, you’ll learn how to evaluate and manage risks Deep Dive on Open Source License Risk when using open source software. You’ll walk away with an • License Risk • License Conflicts understanding of the three types of risk that open source brings • Types of Usage to your projects and how to create a plan for managing each • Distribution Model type. • Real-World License Risk • Conclusion Learning Objectives Deep Dive on Open Source Security Risks • Weigh the benefits of using open source vs closed source • Source Code Vulnerabilities • List the three types of risks associated with open source • Survey Results • Evaluate open source license risk • Malicious Source Code • Calculate security risk levels for source code • Scanning for Vulnerabilities • Plan for managing operational risk when using open source • Public Vulnerabilities • Transitive and Direct Impacts Intended Audience • Conclusion • Architects Deep Dive on Open Source Operational Risks • Back-End Developers • Community Development • Enterprise Developers • Analyzing Operational Risk by Component • Front-End Developers • Management Bringing It All Together • Mobile Developers • Summary • Managing Risk Prerequisites • Conclusion • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 17 Course Outline Defensive Strategies Introduction • Introduction • Benefits of Using Open Source • Risks • Impact from Noncompliance with Licenses Open Source Policies Open Source Licenses • Open Source License Categories and Risks • GNU GPL • GPL Variants • Apache 1 Hour Beginner • MIT • BSD • Mozilla Public License Course Description • Quick Question The use of open source code in modern applications is constantly rising. Open source software brings numerous Using Open Source Licenses Correctly • Overview advantages, including speeding development and minimizing • How to Use GPL Licenses Correctly costs. But there are also significant risks to using open source • Steps to GPL Compliance in terms of security vulnerabilities, licensing, and compliance. • Using Other Open Source Licenses • Components with Multiple Licenses In this course, we present the most widely used open source • Relicensing • Dual Licensing licenses and explain the obligations they entail for users. We explain how these licenses can be used correctly and how to Security Risks of Open Source Software avoid license conflicts. We also analyze the security risks of • Vulnerabilities and Open Source Software open source software and how vulnerabilities can be found and • Security Risks dealt with. Finally, we analyze the steps that need to be taken to • Minimizing Security Risks in Open Source Software • Finding and Patching Vulnerabilities build a corporate open source policy that will govern the use of • Software Composition Analysis Tools open source software throughout the organization. Building an • Choosing a SSCA tool open source policy is essential in order to minimize both license and security risks. Building and Open Source Policy • Governance and Strategy • Putting Together a Team Learning Objectives • Essential Components • Understand widely used open source licenses • Sourcing and Selection • Understand the obligations they bring • Support and Maintenance • Understand how to use the most well-known open source • Contributions licenses • Creating a New Open Source Project • Understand the security risks of using open source code and • Approval Process how they can be mitigated • Auditing • Build a corporate policy on the use of open source software in Summary an organization • Governance and Management of Open Source • Handling License and Compliance Risks Intended Audience • Handling Security Risks • Architect • Conclusion: To Use or Not to Use open Source Software • Back-End Developer • Front-End Developer • Enterprise Developer • Mobile Developer • QA Engineer
Prerequisites • Living With Open Source
Synopsys eLearning Catalog | June 2021 | synopsys.com | 18 Course Outline Defensive Strategies IoT Review • What Is IoT? • IoT Architecture • IoT Communications • IoT OWASP Top 10 Secure Communication IoT Communications Security • IoT Communications for the Internet of • IoT Application Protocols Security • IoT Communication Cryptography • Communication Vulnerability Example: Bluetooth Low Energy Things
IoT Firmware Security • Firmware Basics 1 Hour Beginner • Quick Question • Extracting the Firmware Course Description • Filesystem Vulnerabilities This course digs deeper into the facets of the Internet of • Binary Vulnerabilities • Firmware Updating Vulnerabilities Things (IoT) most plagued by security issues. Students learn the techniques employed by real-world attackers to undermine IoT Authentication the security of IoT devices and their surrounding ecosystems. • IoT Authentication Overview Upon completion students will have a solid understanding of the • IoT User Authentication • IoT Machine-to-Machine Authentication decisions facing an IoT vendor creating a secure IoT product, as well as the knowledge of how to assess IoT product security as IoT Mobile and Web Application Security an enterprise or personal consumer. • IoT and Mobile/Web Interfaces • Mobile App Security Revisited Learning Objectives • Web App Security Revisited • Understand the top attacks against IoT devices • Perform high-level security assessments on IoT devices • Have a clear grasp of best practice mitigation strategies
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Mobile Developers • QA Engineers
Prerequisites • Introduction to Securing the Internet of Things
Synopsys eLearning Catalog | June 2021 | synopsys.com | 19 Course Outline Defensive Strategies Challenges of the Modern Regulatory Environment • Current State of Compliance for Financial Services • Challenges and Concerns • Key Concerns for Software Development Analysis of the Regulatory Landscape for Financial Secure Development Services • Introduction to Compliance for Financial Services • Comparison of Regulatory Frameworks for Financial Services • Areas of Focus • Requirements for the Software Development Life Cycle 1 Hour Beginner Authentication, Authorization, and Access Control • Requirements for Authentication • Password Policies Course Description • Authorization, Access Control, and Monitoring This course presents the current compliance landscape • Session Management for building applications for the financial services sector. Data Privacy The regulatory landscape for financial services is extremely • Personal Data Protection: A (Not So) New Requirement complex, with a lot of overlapping requirements. The goal of • Categories and Definitions of Personal Data this course is to analyze this complex environment and outline • Compliance Requirements for Privacy: GDPR the consolidated requirements posed by various legal and • CCPA: What It Is and Definitions compliance frameworks. The course focuses on requirements • CCPA: Business and Technical Requirements • GLBA Privacy Rule for authentication, authorization, and access control. It also presents requirements for privacy and personal data protection Data Encryption and Integrity brought about by recent legislation such as GDPR and CCPA. • Encrypting Data at Rest The course concludes with operational security requirements as • Transport Layer Security and Encryption of Data in Motion • Protecting Data Integrity well as what is mandated for breach detection and notification.
Operational Security and Monitoring Learning Objectives • Securing the Infrastructure • Understand the main legal and compliance frameworks • Testing Requirements for financial services and what requirements they bring to • Keeping Logs and Auditing developing applications • Breach Detection and Notification • Implement compliant policies for authentication, authorization, and access control • Identify personal data and be able to protect that data based on the privacy requirements imposed by the corresponding legal frameworks • Apply necessary encryption and integrity protection mechanisms for sensitive data • Outline the controls required to secure applications and monitor for potential security breaches
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Management • Mobile Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 20 Course Outline Defensive Strategies The Importance of Password Storage • Introduction • The Security Properties of Passwords • The Security Properties of Passwords • Quick Question • Data Breaches and Passwords Secure Password • Have I Been p0wned? • Wrap Up Storage Why Is Password Storage So Difficult? • Introduction • The Insanity of Plaintext Passwords 1 ½ Hours Intermediate • Common Password Storage Mechanisms • Wrap Up Course Description Storing Passwords Using One-Way Functions Developers have been storing passwords for ages. But did you • Introduction know that the best practices from 10 years ago are hopelessly • The Properties of Cryptographic Hash Functions • Output Length outdated? In this course, we look at commonly used but weak • Example Hash Functions and Attacks Against Them password storage mechanisms. Gradually, we work toward • Case Study the current best practice for storing passwords. A real-life • Wrap Up case study shows how to build a layered approach to storing Salting Stored Passwords passwords securely. • Introduction • Salting a Password Learning Objectives • Example Code • Describe the weaknesses for password-based authentication • Salt Effectiveness Against Attack systems • Length Considerations • Analyze the security of an existing password storage • HMACs mechanism Storing Passwords With an Adaptive One-Way Functions • Implement a password storage mechanism using current • Introduction best practices • Properties of Adaptive One-Way Functions • Devise a strategy to upgrade an existing legacy and insecure • Proof of Work password storage mechanism • Adaptive Property and Tuning • Choosing an Adaptive One-Way Function Intended Audience • Example • Architect • Case Study • Back-End Developer Storing Passwords With Encryption • Enterprise Developer • Introduction • The Properties of Encryption Prerequisites • Password Encryption Practice • Introduction to Cryptography for Developers and Architects • Passwords Encryption: Code Examples • Security Properties and Weaknesses • Encryption’s Main Advantage • Case Study • Wrap Up
Upgrading Existing Mechanisms • Introduction • Rolling Upgrade • Layered Upgrade • Wrap Up
Conclusion • Introduction • Normalizing Your inputs • Salting Passwords • Using and Adaptive One-Way Function • Use of a Pepper • Upgrading or Rotating Storage/Verification Schemes
Synopsys eLearning Catalog | June 2021 | synopsys.com | 21 Course Outline Defensive Strategies What Is Threat Modeling? • The Goal of Threat Modeling • A Pragmatic Approach to Threat Modeling • Software Defects vs. Bugs vs. Flaws Why Should You Threat Model? Threat Modeling • Finding Security Problems Early • Focusing on Flaws, Not Bugs • Identifying Critical Components in the Architecture 1 Hour Intermediate • Thinking Beyond Canned Attacks • Aligning Business Requirements and Security Requirements Course Description Threat Modeling, in a Nutshell It’s a fact: Malicious attackers are coming for your data, and • Strategies for Threat Modeling • Basing Threat Modeling on a … Model there are many potential points of entry that you should • Architecture-Agnostic Threat Modeling address. Unfortunately, not every fix is obvious, simple, or even effective. Threat modeling helps to put the abundance Common Threat Modeling Methodologies of threats in order and contextualize security through the lens • The Big Picture • Microsoft’s Threat Modeling Using STRIDE of the attack. This course explains how threat modeling helps • Applying Architectural Risk Analysis (ARA) you think about security in a structured way, covering common • Alternative Approaches threat modeling methodologies and how to handle discovered threats. STRIDE • Data Flow Diagrams • The STRIDE Keywords Learning Objectives • Finding Threats With STRIDE • Understand the purpose of threat modeling and its relation to • Making STRIDE More Concrete other security activities • Understand how threat modeling fits into Microsoft’s SDL Architectural Risk Analysis (ARA) • Understand how threat modeling fits into the Synopsys • ARA, in a Nutshell Touchpoints methodology • Business Context and System Decomposition • Understand the process of threat modeling and risk • Attack Resistance Analysis management • Underlying Framework Weakness Analysis • Get started with threat modeling • Ambiguity Analysis
Fitting Threat Modeling Into the SDLC Intended Audience • Threat Modeling Throughout the SDLC • Everyone • Responsibilities and Actors • Managing Risk Prerequisites • Tracing Risk Throughout the SDLC • None Conclusion • Threat Modeling Methodologies • Threat Modeling in the SDLC
Synopsys eLearning Catalog | June 2021 | synopsys.com | 22 Languages and Platforms Course Outline Languages and Platforms Handling Input Security • Welcome to Building Security Into ASP.NET • Don't Trust the Client • General Input Validation • ASP.NET Request Validation • Validator Controls Building Security Into • Razor's ValidationHelper • MVC Model Binding and Validation ASP.NET • Cross-Site Scripting • Output Encoding • Template Injection • Injections 2 Hours Intermediate • Open Redirect Attacks • Cross-Origin Request Sharing • Deserializing Objects Course Description ASP.NET is the platform of choice for .NET developers. The Dealing With Files Securely security built into the framework has come a long way in 15 • Defending the File System years, but there are still some areas that require the developer • Directory Traversal to remain vigilant in guarding their application from attackers. • Defending Against Directory Traversal • Local File Inclusion Learn the ins and outs of identity management, data protection • Defending Against a Local File Inclusion Attack best practices, attack prevention techniques, and other security • The Dangers of File Uploads topics as they apply to .NET. • Attack Review • Defending Against File Upload Attacks Learning Objectives • Windows-Specific Issues • Determine what features of ASP.NET already meet their • Linux-Specific Issues security requirements Identity • Understand how to develop secure applications on top of • Introduction to Access Control ASP.NET, and how to safely use the various editions of the • Identity Management in ASP.NET framework • ASP.NET Core Identity • Azure Active Directory Intended Audience • ASP.NET 4 Membership • Architects Authentication • Back-End Developers • What Is Authentication? • Enterprise Developers • Two-Factor Authentication • Certificate Authentication Prerequisites • External Authentication Providers • None • Authentication in ASP.NET Core • Authentication in Azure App Service • Authentication in ASP.NET 4 MVC • Authentication in ASP.NET Web Forms
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 24 LanguagesRequirements, and Architecture, Platforms and Training
Building Security Into ASP.NET (cont.)
Authorization Configuration Management • Authorization • Why Is Configuration Important? • Role-Based Authorization • Environment Settings • Claim-Based Authorization • Web Servers and Hosting • Policy-Based Authorization • Hosting With Kestrel Web Server • Resource-Based Authorization • Hosting With HTTP. sys • View-Based Authorization • Hosting With IIS HTTP Server • Razor Authorization Conventions • HTTPS • Security Headers Session Management • Keeping It Updated • Sessions in ASP.NET • Handling Session Cookies Side-Client Integration • Shared SSO Cookies • API Security With SPAs • Cross-Site Request Forgery • Authentication With SPA • SameSite Cookies • Authorization With SPA • Anti CSRF in ASP.NET Core and Razor • Securing Blazor WebAssembly Apps • Anti CSRF in ASP.NET 4 Web Forms • Working With SignalR
Data Protection in ASP.NET Conclusion • Using Cryptography in ASP.NET • Where We've Been So Far • ASP.NET Core DataProtection • A Summary of All You've Learned • Configuring DataProtection • Where to Go to Learn More • Time Limitations • Password Protection in ASP.NET • Using ASP.NET Core DataProtection in ASP.NET 4
Exceptions and Logging • Exception Management and Logging • Handling Exceptions • Bad Exception-Handling Practice • Managed Exceptions in ASP.NET Core • Logging • Logging Best Practice • Logging in ASP.NET Core • Monitoring with Application Insights • Information Leakage • Debugging • Debugging: Spot the Problem
Synopsys eLearning Catalog | June 2021 | synopsys.com | 25 Course Outline Languages and Platforms Introduction • Brief History of C/C • Problems Facing C • Legacy Code • Undefined Behavior C/C++ Security String Handling • Introduction • Representation of Strings 1 ¼ Hours Advanced • Improperly Bounded String Copies • Off by One Errors • Null Termination Errors Course Description • Truncation Issues Writing secure code in C/C++ is far from trivial. This course Memory Management introduces the complexity of working with the C/C++ family of • Introduction languages, especially from a security perspective. Learn about • Initialization Issues major security flaws that can lead to insecure programs and • Failing to Check Return Values how to combat them. Lesson topics include string handling, • Writing to Freed Memory memory management, integer overflow and wrapping, format • Dereferencing NULL Pointers • Double Free string attacks, and more. • Memory Leaks • Zero Length Allocations Learning Objectives • C++ Memory Management • Identify use cases where C/C++ is widely used • Apply new best practices for safely manipulating strings Integers • Identify unsafe memory handling practices • Introduction • Apply mitigation techniques to common integer mishandling • Wraparound Issues • Understand issues with concurrency and parallelism • Truncation Errors • Describe best practices for access controls Format String Attacks • Introduction Intended Audience • Crashing Programs • Architects • Reading From the Stack • Application Security Specialists • Reading From Arbitrary Memory Addresses • Code Auditors • Buffer Overflows • Developers • Writing to Arbitrary Memory Addresses • QA Engineers Concurrency • Introduction Prerequisites • Race Conditions • Principles of Software Security • Value Corruption • OWASP Top 10 • Volatile Objects • Deadlock
File I/O • Introduction • Access Control Overview • Access Control: Elevated Privileges • Access Control Example: Elevating Privileges • Temporarily Dropping Privileges • Permanently Dropping Privileges • Directory Traversal • Time of Check Time of Use (TOCTOU)
Synopsys eLearning Catalog | June 2021 | synopsys.com | 26 Course Outline Languages and Platforms Introduction • Course Overview • Introduction to COBOL Defensive Techniques
Input Validation and Data Representation • SQL Injection Defensive • Ensure Secure Input Validation and Data Representation
Prevent API Abuse Programming • Prevent API Abuse • Mitigation Approach • Checking LINK and Program Response Code for COBOL
Time and State Issues • Time of Check to Time of Use 1 Hour Advanced • Mitigation Approaches • File Locking Course Description Error Handling Building on the Foundations of COBOL Security course, this • Implement Appropriate Error Handling module explores specific defensive programming techniques • Leaking Sensitive Information • Failing to Clean Up for building secure COBOL programs. The course follows a • Failing to Handle All Error Conditions well-established software security vulnerability taxonomy to • Handling Errors Too Broadly walk students through a set of defensive programming best • Reporting Errors Too Broadly practices that apply to the COBOL environment. The vision • Mitigation Approach for Error Handling behind the course is to teach secure developer behaviors that Quality and Environment follow the principle of “defense in depth” and help prevent • Avoid Code Quality Issues COBOL programs from being the weakest link in the enterprise • Enforce Proper Encapsulation security chain. In addition to covering other techniques, the • Bad Code: Environment course discusses COBOL-specific methods for input validation, • Mitigation Approach secure database interactions, secure error handling, and proper • Conclusion resource synchronization.
Learning Objectives • Confidently discuss the guiding principles for secure design • Apply best practice COBOL defensive programming techniques • Confidently discuss the software security touchpoints for COBOL programs
Intended Audience • Architects • Back-End Developers • Enterprise Developers • QA Engineers
Prerequisites • Principles of Software Security • OWASP Top 10 or Attack and Defense • Foundations of COBOL Security
Synopsys eLearning Catalog | June 2021 | synopsys.com | 27 Course Outline Languages and Platforms Risk Landscape • Modern Browsers • Modern Web Applications • The Attack Surface • The Reincarnation of Cross-Site Scripting Defensive The Security Model of the Web • Same-Origin Policy • Same-Origin Policy Example Programming for • Sidestepping the SOP With Clickjacking • JavaScript Execution HTML5 Security • Subresource Integrity
Client-Side Data Storage • Risks of Client-Side Data Storage 1 ½ Hours Intermediate • Security Considerations • Clearing Data Course Description Web Messaging HTML5 is the fifth revision of the HTML standard. HTML5 and • Sending Messages its integration with JavaScript introduce new security risks that • Receiving Messages you must consider carefully when writing web front-end code. • Overview of Best Practices Modern web-based software, including mobile web front-end Iframe Sandboxing applications, make heavy use of innovative JavaScript and • The Sandbox Attribute HTML5 browser support to deliver advanced user experiences. • Relaxing the Sandbox Front-end developers focus their efforts on creating these • Sandboxing Use Cases • Consequences of the Sandbox experiences and are generally not aware of the security implications of the technologies they use. Content Security Policy (CSP) • Defining a CSP Policy This course helps web front-end developers understand the • Limiting Cross-Site Scripting With CSP risks involved with manipulating the HTML Document Object • Deploying a Strong CSP Policy • CSP Beyond XSS Model (DOM) and using the advanced features of JavaScript • Additional CSP Features and HTML5 (e.g., cross-origin resource sharing, local storage, • Overview of Best Practices and content security policy). In this course, we’ll reinforce some important security aspects of modern browser architecture and Understanding Cross-Origin Resource Sharing • Simple CORS Requests present defensive programming techniques that developers can • Authenticated CORS Requests apply immediately to avoid introducing common vulnerabilities. • Understanding the Threat Model of CORS We’ll also provide a detailed description of typical JavaScript • Preflighted CORS Requests sources and sinks and explain how to use them to detect • Handling Headers With CORS problems in code. • CORS Beyond JavaScript
Securing Web Applications With CORS Learning Objectives • Special CORS Cases • Recognize that client-side code can introduce security • Building a CORS Policy vulnerabilities • CORS and CSRF • Appreciate the HTML5 risk landscape • Testing Your CORS policy • Apply defensive programming techniques in HTML5 • Identify and fix security vulnerabilities in your HTML5 code Additional HTML5 Features • Permission-Based APIs • Web Workers Intended Audience • WebSockets • Front-End Developers • Mobile Developers Conclusion • Controlling JavaScript Prerequisites • Compartmentalization • OWASP Top 10 • Introduction to HTML5 Security • Architecture Risk Analysis
Synopsys eLearning Catalog | June 2021 | synopsys.com | 28 Course Outline Languages and Platforms Introduction, Overview • Introduction • Java EE Architecture • Container Security • Transport Security • Messaging Security Defensive • Java Enterprise Non-Web Risks
Container Security Programming for Java • Introduction • Encoding Reserved Control Sequences Within Untrusted Input EE Web Applications • Data Validation • Container Authentication and Authorization • Data Sources • Session Management ¾ Hour Advanced • Bean Validation API
Transport Security Course Description • Introduction Defensive Programming for Java EE Web Applications picks up • Secure Transport Techniques where Java Security Fundamentals and Java Advanced Secure • Common Security Concerns Coding leave off. This course covers important features and Messaging Security information for Java EE application designers. You’ll learn about • Introduction common security concerns across the enterprise, as well as • Generating/Processing API Service Tokens methods and features to strengthen enterprise solutions. The • Securing SOAP/XML Messages course also includes relevant information beyond platform • Common Security Concerns specifications and features, such as the transfer of Java EE • Equifax 2017 Incident specifications from Oracle to the Eclipse Foundation.
Learning Objectives • Understand and apply security features provided by the Java EE framework • Anticipate and address common security challenges across Java EE applications • Prepare for platform changes that may impact your Java EE solution
Intended Audience • Architects • Back-End Developers • Enterprise Developers
Prerequisites • Java Security Fundamentals • Java Advanced Secure Coding
Synopsys eLearning Catalog | June 2021 | synopsys.com | 29 Course Outline Architecture Languages and Platforms • Introduction to PHP Architecture • Security Architecture for Responsive Web Apps • Traditional Full-Stack PHP Architecture • MVC Frameworks • Security in Microservices Defensive • Using Modern Frameworks • Object-Oriented Design • Modern Frameworks Protect Against SQL Injection Programming • Security Helpers • Unit Testing • Principle: Defense in Depth for PHP Security • Principle: Least Privilege • Inter-Tier Auth/Process IDs • Encrypted Communication Between Components 1 ¾ Hours Intermediate • Hacking Team Authentication Course Description • Advanced Password Handling This course covers how to design, build, and integrate with • Using JWTs frameworks and native PHP functionality to secure applications. • How to Integrate With JWTs It is geared toward lead developers or developers with a strong • How to Authenticate • Verifying the JWT interest in security, or the need to resolve threat model, secure • How to Log Out code review, or penetration test reports. It provides students • How to Support Two-Factor Authentication with the knowledge and skills required to protect data and • Enrolling Your User in Google Two-Factor Authentication applications from attack. By the conclusion of this course, • Validating Google Codes students will understand how to design and implement security Session Management functionality, and how to leverage native PHP and common • Session Management in PHP frameworks to secure their applications. • Session Management at Scale . • Session Management Using Frameworks
Access Control Learning Objectives • Access Control in Frameworks • Authenticate users, including using modern JSON Web Token • Identities, Credentials, and Roles single sign-on (JWT SSO), and integrate with two-factor • Zend Framework Roles authentication • Store sensitive state securely on the server Input Validation • Build and enforce access control policies, including • Introduction to Input Validation implementing role-based access control and capability-based • A General Framework for Input Validation access control (used heavily in mobile applications) • Client-Side Validation • Implement a full range of input validation and output • Specific Consideration of PHP 7 • Zend Framework encoding to avoid common pitfalls such as cross-site scripting (XSS), DOM-based XSS, and SQL injection Output Encoding • Design and implement secure storage of sensitive data • Introduction • Configure PHP securely • Output Encoding Basics • Output Encoding in Frameworks Intended Audience • PHP 7 • Architects • Zend Framework • Automatic Encoding Using Template Engines • Back-End Developers • Front-End Developers
Continued on next page Prerequisites • Introduction to PHP Security • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 30 LanguagesRequirements, and Architecture, Platforms and Training
Defensive Programming for PHP Security (cont.)
Error Handling, Logging, and Auditing Configuration • Introduction • Introduction • Secure Logging • Configuration • Preventing Log Injection • Disabling Dangerous Functions • Logging Frameworks • Dis-allow Includes from Unexpected Locations • Log Storage and Retention • HttpOnly • Auditing • Secure Flag • Web Application Firewalls (WAFs) • Scope • Using OWASP Core Rule Set • Working With ZIP Files • Working With Images Advanced Data Protection • EXIF Infiltration • Collection and Protection of Sensitive Records • Simple Concatenation • The Years of the Megabreach • Backup and Incidental Files • Concerns Both Regional and Global • Dependency Checks • Sensitive Data at Rest • TLS Configuration • Protecting Against Misuse • Configuring Content Security Policies • Protecting Against Unauthorized Change • Advanced CSP • Protecting Against Unauthorized Disclosure • Unsafe Inline • Encryption for Personally Identifiable Records • Unsafe Eval • Third-Party Packages • Privacy Breach Due to Configuration Error • Zend Framework • ACME Cinemas in the News • CISO Response
Business Logic Flaws • Business Logic Flaws and Thinking Evil • ACME Cinemas in Booking Nightmare • Threat Modeling • Spoofing • Tampering • Repudiation • Information Disclosure • Denial of Service • Elevation of Privilege • Race Conditions • Easter Eggs • Discovering Time Bombs, Deliberate Logic Flaws, and Easter Eggs
Synopsys eLearning Catalog | June 2021 | synopsys.com | 31 Course Outline Languages and Platforms COBOL Ecosystem • Introduction • OLTP Applications • Batch Processing Applications • Examples of COBOL Applications • Architecture Foundations of • Architecture Exploitation With Middleware • Architecture Key Terms COBOL Security • Changing Environment
Typical COBOL System Assets • Introduction 1 Hour Beginner • Never Disclose Mainframe Software • Handling Sensitive Information • Unauthorized Access Course Description There are many risks and myths associated with COBOL The Cost of (In)Security programming security. In this course, we’ll review COBOL • Security Breaches and COBOL programming best practices, discuss a taxonomy of COBOL • Hacking Critical Business Assets • Hacking Insurance system vulnerabilities, and provide guidance on how to avoid or • Sailing With Pirates mitigate them.
COBOL Security Myths Learning Objectives • The Security Myths of COBOL • Recognize common security risks with COBOL programs • Myth 1: COBOL Applications Are Not Connected to the • Identify security vulnerabilities in COBOL code Internet • Myth 2: Common Attack Techniques Do Not Apply to Batch- • Write secure code to mitigate risk Mode Mainframe Applications • Myth 3: COBOL Applications Are Not Responsible for Input Intended Audience Validation • Application Security Specialists • Myth 4: Hackers Are Not Interested in Targeting COBOL • Architects Applications • Developers • QA Engineers Understand Security Principles • Introduction to Security Principles • Building an application? Ask These Questions Prerequisites • Authentication Overview • Principles of Software Security • Achieving Secure Authentication • OWASP Top 10 or Attack and Defense • Authorization Overview • Authorization Models and Solutions • Authorization Check Example • Vulnerabilities Identified in z/OS Mainframe Systems • Further Learning
Ensure Secure Input Validation and Data Representation • Recognizing Harmful Data • SQL Injection and COBOL • Prevent Data Leakage: Buffer Overflow • Approaching Input Validation • Output Encoding • Output Encoding Example
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 32 Requirements,Languages and Architecture, Platforms and Training
Foundations of COBOL Security (cont.)
Secure Database Access • Why Databases Are Business-Critical • Assuring Access Is Secure • Example: Clear Text • Example: Insecure Data Access • Using BIND Utility
Secure Logging Practices • Why Logs Are Kept • Logs and Attackers • Follow Logging Practices • Example: Scrubbing Logs of Sensitive Information
Secure Error Handling • Introduction • Security Problems • Common Problems • Hackers Looking for Messages • Error Handling: Mitigation Practices • Failure to Handle Errors • Detection Next Steps • Errors and System Functions • Example: Secure Error Handling
Synopsys eLearning Catalog | June 2021 | synopsys.com | 33 Course Outline Languages and Platforms Introduction • .NET Overview • Significant Features • Related Components and Courses Data Validation Foundations of .NET • Introduction • Sanitization and Validation • Blacklisting and Whitelisting Platform Security
Injection Defense • Introduction 40 Minutes Intermediate • SQL Injection • Encoding Reserved Control Sequences Within Untrusted Input • XML Parser Defense Course Description The .NET platform serves as a powerful framework for Cryptography • Introduction developing a wide range of applications, from rich websites and • Symmetric Encryption desktop applications to versatile shared libraries and embedded • Asymmetric Encryption systems. The platform’s specific architecture and unique • Cryptographic Hashes security model set it apart from other environments. While these • Cryptographic Randomness traits offer developers and architects a variety of enhancements Logging to the capabilities of their applications, they also introduce • Introduction specific risks from an application security perspective. In this • Logging Domains course, you’ll learn how to avoid application security risks when • Logging Security Use Cases using .NET platforms. • Design Implementations, and Testing Considerations • Events to Log • Event Attributes Learning Objectives • Logging Systems • Identify the .NET framework components and related concepts • Identify and strategize the use of .NET security features • Identify limitations for each security feature • Implement security processes into the development of .NET applications based on best practices
Intended Audience • Architects • Back-End Developers • Front-End Developers • QA Engineers
Prerequisites • Principles of Software Security • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 34 Course Outline Languages and Platforms Introduction • What Hapi Is All About
Security in the Hapi Framework • Hapi's Security Philosophy • Hapi Modules and Plugins Hapi.js Security • Hapi Hapi Joi Joi • Logging in Hapi 1 ¾ Hours Intermediate Configuring Security Headers • The Effect of Security Headers • Security Headers in Hapi Course Description • Overview of Current Best Practices Hapi is not your typical server-side JavaScript framework. Hapi's creators put in a lot of effort to make Hapi work for you instead Serving Static Files of against you. In this course, we look at what that means for • Serving Static Files security. At the end of this course, you will have a thorough • Path Traversal Vulnerabilities understanding of the Hapi-specific security aspects for building • Serving Directories with Inert modern applications. • Custom Path Validation
Mitigating XSS in Hapi Views Learning Objectives • Hapi and Templating Engines • Illustrate how common vulnerabilities manifest themselves in • Refresher on XSS Hapi applications • Quick Question • Prevent path traversal and XSS vulnerabilities in Hapi • Overview of XSS Mitigations applications • Mitigating XSS in Handlebars Views • Identify how Hapi supports authentication, session • Mitigating XSS in React Views management, and authorization • Explain how OAuth 2.0 and OpenID Connect can be integrated User Authentication in Hapi into a Hapi application • Integrated User Authentication • Define security best practices for modern Hapi applications • Delegating Authentication with OpenID Connect • Combining OpenID Connect with OAuth 2.0 Intended Audience Session Management in Hapi • Back-End Developers • Sessions in Modern Applications • Cookie-Based Sessions in Hapi Prerequisites • Securing Cookies • OWASP Top 10 • Securing Cookies Best Practices • JavaScript Security • Cookie Security In Hapi
Making Authentication Decisions • Enforcing Authorization • Authorization on Routes • Entities and Scopes • Implement an Internal Authorization Mechanism • Handling External Access Tokens
Conclusion • Hapi and Security • Security Headers • Serving Files • Mitigating XSS When Serving HTML • Authentication and Session Management • Authorization
Synopsys eLearning Catalog | June 2021 | synopsys.com | 35 Course Outline Languages and Platforms The Underlying Security Model • Introduction • Browsing Contexts • The Concept of an Origin • Same-Origin Policy Introduction to HTML5 • Origin-Controlled Resources • Secure Contexts • Script Execution Contexts Security • Wrap Up
Strong Isolation With Iframes 1 ¼ Hours Beginner • Introduction • Origin-Based Isolation • The Sandbox Attribute Course Description • Isolating Content From Your Own Origin With Sandboxed This course introduces the security model of the web and iframes builds on top of that. The core focus of the course is HTML5, • Sandboxing Content Directly both its weaknesses and its strengths. We’ll talk about how • Wrap Up attackers abuse legitimate interaction patterns in the browser and how to use various browser mechanisms for security. At Communication Between Contexts • Introduction the end, learners will have a good understanding of the security • The Basics of Cross-Document Messaging model of the web so they can spot potential security issues and • Cross-Document Messaging Security Considerations implement appropriate defenses. • Channel Messaging • Building a Client-Side Architecture Learning Objectives • Wrap Up • Explain the isolation boundaries enforced by modern browsers Tabnabbing and UI Redressing • Securely enable limited interactions between isolated • Introduction contexts • Social Engineering Attacks • Understand how UI redressing and tabnabbing attacks work • Tabnabbing Through window.opener and how to defend against them • Traditional Clickjacking and UI Redressing Attacks • Implement defenses to neutralize dangerous attributes of • Drag-and-Drop Clickjacking Attacks HTML5 forms • Restricting Framing as a Defense • Understand how client-side storage mechanisms enlarge the • Conclusion attack surface HTML5 Form Security • Illustrate the danger of injection vulnerabilities using payloads other than script injection • Introduction • New Form Capabilities • Injection Threats of Form Capabilities Intended Audience • Client-Side Input Validation • Architects • Conclusion • Back-End Developers • Front-End Developers Advanced Injection Attacks • Introduction Prerequisites • Dangling Markup Injection • Principles of Software Security • Base Tag Injection • OWASP Top 10 • New XSS Attack Vectors • Script Gadgets • Conclusion
Client-Side Storage Mechanisms • Introduction • Various Storage Mechanisms • The Storage Security Model • Security Considerations When Using Client-Side Storage • Conclusion
Synopsys eLearning Catalog | June 2021 | synopsys.com | 36 Course Outline Languages and Platforms Web Server Configuration • Web Server and PHP Interpreter • Handlers • Superglobals • Forced Browsing • Forced Browsing: Storing Code Outside the Root Introduction to • Forced Browsing: Storing Everything in the Document Root • Apache Caveat • Directory Exceptions PHP Security • Run As Unprivileged User PHP Configuration and Sandboxing 1 Hour Intermediate • Breaking Out of the PHP Sandbox • OS Command Injection • OS Command Injection: Example Course Description • File System Access This implementation-focused course dives into core security • Path Traversal skills needed for the PHP platform. It provides strategies and • File System Manipulation examples for previously insecure practices in PHP. • disable_functions • Handling Errors Safely • Configuring Error Reporting Learning Objectives • Explain how web servers handle requests and hand them over PHP Command Injection to PHP interpreter • Dynamic Code Injection • Recognize that there is no sandbox with PHP, and how to • eval() tackle those implications • Be Careful With Callbacks • Use configuration files to control the PHP interpreter as to • Remote and Local File Inclusion effectively apply the most important security controls • Remote and Local File Inclusion, Continued • Properly plan for users and the filesystem as to prevent • Injecting Code as Data • Template Injection command execution • Serialization • Recognize that the availability of dynamic code does not • Using extract() in Views mean it can be used • Malware Loves Dynamic Code • Generate strong random numbers in different versions of PHP with CSPRNG and PRNG Using the Right Tool for the Job • Perform checks on $_FILES server-side and client side • (CS)PRNG • Achieve and describe the concept of plane separation with • Native PRNGs in PHP PDO and other drivers • Session Management • Set up a project (i.e., code, not a server) capable of • Is your server-side check really server-side? • Don't Trust Your $_FILES customized error handling without showing verbose error • Validate Your MIME Types Correctly information to the user • Rename Your Uploads • Store Your Uploads Securely Intended Audience • Not Just $_FILES • Architects • TimThumb Fiasco • Back-End Developers • Enterprise SQL Injection • SQL Injections • Front-End Developers • Non-Malicious Input • QA Engineers • Malicious Input • Parameterized Queries Prerequisites • Prepared Statements • Principles of Software Security • Other Database Engines • OWASP Top 10 • Validating Inputs
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 37 Requirements,Languages and Architecture, Platforms and Training
Introduction to PHP Security (cont.)
Mitigating Content Injection Attacks Third-Party Components • XSS • Problem Definition • Stored XSS • That Time Our Framework Didn't Protect Us • Reflected XSS • Dependency Management 101 • Reflected XSS, Continued • To Fork or Not to Fork • DOM-Based XSS • Coordinating Release • Separation of Concerns • Provenance and Distribution Integrity • Output Encoding • Cautionary Tale: left-pad • URL Encoding • Composer • How to Steal Credentials Using XSS • Composer Risks • XML Injection • PHP's Native Extensions • XML External Entity (XXE) • Risks of Native Extensions • XML Entity Expansion (XEE) • Bottom Line • PHP's XML Parsers • Open source is more secure, right? • Securing XML in PHP • The Google Toolbar Attack Requests and Responses • LDAP • Requests and Responses • LDAP Injection • What triggers the output? • Escaping LDAP User Inputs • Responses and Structure • Gotta catch-all! Password Storage • Error Reporting Question • Data Breaches • Output Buffering • Password Storage and Verification • Bear traps included! • Simple Hash • Redirection • Simple Attacks • Authenticating Requests • Salted Hashes as Defense • CSRF Tokens • Adaptive One-Way Functions • Selecting a One-Way Function • Default Behavior and Calling Conventions • Beat Practice: Specifics of Argon2
Synopsys eLearning Catalog | June 2021 | synopsys.com | 38 Course Outline Languages and Platforms Introduction • Preventing Injection • Authentication and Access • Cryptography • Secure Communication • Public Key Infrastructure (PKI) Java Advanced • Web Security • Important Security Features in Java SE Versions 8–11 Secure Coding Preventing Injection • Introduction to Preventing Injection • Defending Against SQL Injection 1 Hour Advanced • Encoding Reserved Control Sequences Within Untrusted Input • XML Parser Defense Course Description Authentication and Access Control Java Advanced Secure Coding continues where Java Security • Introduction Fundamentals leaves off. This course discusses advanced • Java Authentication and Authorization Services (JAAS) • Policy Management: Protection Domains, Security Policies, coding concepts and significant platform security features and Security Manager applies them to practical use cases to address typical business • Sandbox Security security challenges. We cover preventing injection attacks, • Hot Water: Building Your Own Security Controls: platform authentication and access control, cryptography, Recommendations secure network communications, public key infrastructure, Cryptography and web security, along with a summary of newer features • Introduction introduced in Java 8/9. • Managing Passwords • Ciphers Learning Objectives • Digital Signatures • Learn about platform authentication and access control • Secure Random Number Generation libraries, cryptography, and secure communications over • Heartbleed Bug untrusted networks • Message Digests • Learn PKI concepts and relevant Java platform security Secure Communications controls, such as the CertPath API, PKIX, and OCSP/CRL • Java Secure Socket Extension (JSSE) revocation services • Java GSS-API and Java SASL API • Apply practical ideas to defend against SQL injection, XML parser attacks, CSRF, XSS, URL attacks, HTTP response Public Key Infrastructure redirect attacks, and more using the Java platform as well as • Introduction: Roles and Artifacts Within PKI Ecosystem third-party security libraries, such as OWASP • Java’s PKI Model Support • Trust Management in Java • Java CertPath API Intended Audience • Storing Keys/Secrets • Back-End Developers • Revocation Services (OCSP/CRL) • Front-End Developers • Product Architects Web Security • Security Architects • Cross-Site Request Forgery (CSRF) Defense • CSRF Defense Example • Advice for Defending Against CSRF Attacks Prerequisites • Open Redirect Defense • Java Security Fundamentals • URL Validation • HTTP Security Response Headers • User Interface Security
Important Security Features in Java SE 8–11 • Security Changes for Java 8–11 • Brief Considerations When Upgrading to Java 9
Synopsys eLearning Catalog | June 2021 | synopsys.com | 39 Course Outline Languages and Platforms Introduction • Strong Data Typing • Automatic Memory Management • Byte Code Verification • Secure Class Loading • Exception Handling Java Security • Security Libraries
Platform Security Fundamentals • Introduction • Strong Data Typing • Automated Garbage Collection 1 Hour Beginner • Secure Class Loading • Bytecode Verification • Exception Handling Course Description No matter what product or service you’re building, Operational Concerns—Java Security Platform understanding Java platform security is an essential foundation. • SDLC Security • Strategic Design for Security In this course, you’ll learn platform security concepts along • Certify Your Software Against Supported Java Runtime with practical security knowledge you can immediately apply Environments (JREs) to your own project. You’ll write secure code using platform • Principles of Least Privilege (POLP) APIs and identify common mistakes. This course is beneficial • Secure by Default whether you’re building desktop applications, web applications, Data Validation service infrastructure, the Internet of Things (IoT), or embedded • Introduction applications. • Sanitization and Validation • Security Validation: Blacklisting and Whitelisting Learning Objectives • Tackle Java platform security concepts and architecture Logging • Implement public key infrastructure (PKI) and Java trust • Getting Started With Logging • Logging Domains management concepts • Logging Security Use Cases • Write secure code using Java SE APIs • Design, Implementation, and Testing Considerations • Avoid common platform security pitfalls • Events to Log • Event Attributes Intended Audience • Security Logging With OWASP • Back-End Developers • Logging Technology • Front-End Developers Advanced Coding Concept • Product Architects • Introduction • Security Architects • Avoid String for Volatile Secrets • Avoid Deserializing Objects From Untrusted Sources Prerequisites • Java Native Interface (JNI) Bypasses Platform Safety • None Controls and Buffer Overflows • XEE/XXE XML Attacks
Synopsys eLearning Catalog | June 2021 | synopsys.com | 40 Course Outline Languages and Platforms Securing Spring Applications • The Java Spring Ecosystem • The Spring Security Framework • Spring Security in Various Application Types Common Web Vulnerabilities Java Spring Security • Server-Side Injection Attacks • Client-Side Injection Attacks • Secure Data Transport 1 ½ Hours Intermediate • Overview of Current Best Practices Configuring Security Headers Course Description • The Effect of Security Headers This course is your guide to building secure Java Spring • Security Headers in Spring Security • Overview of Current Best Practices applications. Throughout the course, we analyze what Spring Security can and cannot do for you. We’ll show you how to User Authentication with Spring integrate advanced security mechanisms with only a few • User Authentication lines of code and configuration. In the end, you’ll have a solid • Handling User Authentication in Spring • Using the "Remember Me" Feature understanding of the power of Spring Security, along with the • Common Attacks against Authentication Forms gusto to start using Spring Security in your applications. • Overview of Best Practices Learning Objectives Secure Password Storage • Understand what Spring Security brings to the table • Password Storage Best Practices • Determine current best practices for building secure Java • Storing Passwords with Spring Security Spring applications • Supporting Multiple Password Storage Mechanisms • Overview of Current Best Practices • Describe how to use Spring Security’s authentication and authorization features in practice Authentication with OpenID Connect • Integrate a secret vault into a Spring application • Why Using OpenID Connect? • Background on OpenID Connect Intended Audience • Integrating OpenID Connect in Spring • Architects • Overview of Current Best Practices • Back-End Developers Implementing an Authorization Framework • Enterprise Developers • Access Control Models • Leveraging Spring Security for Authorization Prerequisites • Avoiding Common Authorization Vulnerabilities • Java Security Fundamentals • Overview of Current Best Practices • OWASP Top 10 Advanced Authorization Scenarios • API Authorization with OAuth 2.0 • Implementing a CORS Policy • Securely Exposing WebSockets • Overview of Current Best Practices
Managing Secrets in Your Application • The Need for Secrets Management • The Benefits of Centralized Secret Storage • Using Spring Vault in Practice • Overview of Current Best Practices
Conclusion (Spring Security) • Overview of Current Best Practices
Synopsys eLearning Catalog | June 2021 | synopsys.com | 41 Course Outline Languages and Platforms Introduction to JavaScript • Introduction • What’s So Great About JavaScript? • Traditional Browser Security • Same-Origin Policy • Modern-Day JavaScript JavaScript Security • Server-Side JavaScript • We Love JavaScript! 1 ¼ Hours Intermediate JavaScript Basics • JavaScript Basics • Strict Mode Course Description • Comparing Equality Operators This course presents an overview of quirks and features • I’m Watching You that make JavaScript such a flexible, powerful, and popular • Avoid Global Scope • Separating Scope With ES6 Features language. The course does not focus specifically on client-side • Refrain From Setting document.domain or server-side JavaScript, but instead gives an overview of security features built into the JavaScript language itself, as well XSS and Untrusted Data Sources as security features provided by the browsers and utilized by • Introduction to XSS • Dataflow JavaScript web applications. • Untrusted Sources • I’m Loving It... or NOT The main sections of the course offer a deep dive into the most • Who Watches the Watchmen? common, most severe, and oldest JavaScript security issue: cross-site scripting (XSS). It examines different JavaScript JavaScript Execution Contexts • JavaScript Execution Contexts execution contexts, dataflow concepts for identifying the issues, • Inline JavaScript and protection mechanisms. It also covers the clickjacking • External JavaScript vulnerability and mitigation methods. The last lesson focuses • Event Handlers on managing dependencies in client-side and server-side • Scalable Vector Graphics applications and tools for identifying vulnerabilities in third-party • Unique Resource Identifier (URI) • Dynamic Execution: eval JavaScript libraries. • Taking Remote Control of the Demo Gods • Dynamic Execution: Time Functions Learning Objectives XSS Defense Measures • Navigate JavaScript language specifics, like comparisons and • XSS Defenses scoping, that may cause security issues • Output Encoding • Identify JavaScript execution contexts • Sanitization • React Strategies • Perform manual dataflow analysis with the knowledge of • Input Validation JavaScript sources and sinks • Handling JSON • Find common XSS issues in JavaScript code and select the • Headers: X-XSS-Protection Header best protection method for each case • Cookies: httpOnly Flag • Apply several mitigation techniques against the clickjacking • Load Resources Securely vulnerability • Resources: Subresource Integrity • Compare different tools for managing third-party dependencies
Continued on next page Intended Audience • Front-End Developers
Prerequisites • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 42 Requirements,Languages and Architecture, Platforms and Training
JavaScript Security (cont.)
Content Security Policy • Content Security Policy • Policies • Hashing and Nonces • CSP Implications • CSP Limitations • Configuring CSP • Improving Your CSP • Writing a Policy for Different Versions of CSP • Extracting Inline JavaScript • You Shall Not Pass! • Final Note: Browser Support
Iframes and Clickjacking • Iframes • Clickjacking • Defense Measure: CSP • Defense Measure: X-Frame-Options • Defense Measure: Frame Busting • Iframe Sandboxing • Iframe Sandboxing Options • Now You See Me
Managing Third-Party Dependencies and Code Analysis • Third-Party Dependencies • Package Managers • Know Your Dependencies • Tools: Third-Party Dependency Audit • Tools: Code Analysis • Manual Review
Synopsys eLearning Catalog | June 2021 | synopsys.com | 43 Course Outline Languages and Platforms Validating Data in ExpressJS • Validating Data Overview • What Is Untrusted Data? • Where to Validate Data • Validating Data at the Request Layer • Validating Data at the Model Layer Node.js Security
Handling Authentication in NodeJS Applications • Protecting Passwords 1 Hour Intermediate • Protecting Against User Enumeration • Locking User Accounts Course Description Access Control in NodeJS The benefits of the NodeJS platform keep growing, but it can • Principle of Least Privilege and Roles • Function-Level Access Controls still suffer from the same common web vulnerabilities as other • Access Control Mistakes web application frameworks and platforms. This course looks at solutions to common security pitfalls associated with using Session Management in ExpressJS ExpressJS, Pug, and MongoDB. We'll also examine preventive • Session Hijacking • Enabling HttpOnly Flag measures for building a more secure application using a • Enabling the Secure Flag defense-in-depth approach. • Session Timeouts • Session Fixation Learning Objectives • Forcing Reauthentication • Use bcrypt for password storage • Avoid common access control mistakes NodeJS Transport Security • Use HTTP headers for additional transport and session • TLS, SSL, and HTTPS security • Quick Question • Audit third-party dependencies for known vulnerabilities • Importance of TLS • HTTP Strict Transport Security Header • Content Security Policy Intended Audience • Architects Pug Security Concerns • Back-End Developers • Cross-Site Scripting • Front-End Developers • Common Templating Systems • Server-Side Template Injection Prerequisites Preventing MongoDB Query Selector Injection Attacks • Introduction to Cryptography for Developers and Architects • Injecting JavaScript • Injecting Operators
Managing Third-Party Dependencies • Unused Packages • Package Popularity • Check for Outdated Packages • Check for Known Vulnerabilities • Run a Private Repository
Synopsys eLearning Catalog | June 2021 | synopsys.com | 44 Course Outline Languages and Platforms Introduction • React Components • Secure React Components
Avoiding Component Injection Attacks (XSS) • Common Coding Patterns for Avoiding React.js Security – Code Injection via Props – Code Injection via CSS-in-JS Frameworks – Code Injection Vulnerabilities in Third-Party Components 1 Hour Intermediate Avoiding Attacker-Controlled JSON Exploits • Common Coding Patterns for Avoiding Attacker-Controlled Course Description JSON Attacks React is a popular front-end web framework that has changed Avoiding Vulnerable Third-Party Libraries the way many people develop web applications. While React is • Traits of a Well-Maintained Package fairly secure as is, there are still some things to consider when • Version Control of Audited Packages using it to build applications. This course will teach you how to Avoiding Trust in Client-Side Routing as a Security avoid the common pitfalls developers encounter by assuming Control React will automatically protect them from all types of security • What a UI Router Is issues. • Client-Side Routing vs. Server-Side • Why Client-Side Protected Routes Are Not a Security Control Learning Objectives Avoiding Vulnerable Versions of React • Write secure React components • Major Vulnerabilities in Prior Versions • Prevent React component injection attacks • Securely handle attacker-controlled JSON • Avoid vulnerable third-party React component libraries • Use client-side routing securely • Avoid the use of vulnerable versions of React
Intended Audience • Front-End Developers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 45 Course Outline Languages and Platforms Introduction • Overview • Error Handling • Dependency Management
Golang for Web Secure Programming • Vanilla Go • Gorilla Framework for Golang • Revel • Gin Gonic • Mat Ryer’s Web Services Pattern 1 ¼ Hours Intermediate Web Interfaces for Golang • Enforcing HTTPS Communications Course Description • Rest API Go promises to make programmers more productive by being • Web Pages expressive, concise, clean, and efficient. In this course, we will • Forms: CSRF teach you how to handle security in this popular open source • Forms: Validation and Sanitization programming language. • Secure Headers
Concurrency in Go Learning Objectives • Goroutines • Identify the most popular frameworks and conventions that • Race Conditions can be used to write a web application and their security pros • DoS Prevention and cons • Context Package • Evaluate the security considerations of the different methods a client and a Go application can use to communicate to each Data Storage other • Session Management: Cookies • Identify the security risks and considerations when writing • Cryptographic Signature With Generated Tokens concurrent code • Session Management: JWT • Work with the included functions and cryptographic • Access Control Frameworks algorithms and understand their limitations • SQL Databases • Understand the nuances and techniques to get the required Cryptography data logged in order to respond to potential security issues in • Password Storage the future • The math/rand Package • Crypto Go Package Intended Audience • Back-End Developers Logging • Logging Events Prerequisites • Runtime Crashes • OWASP Top 10 • In Conclusion
Synopsys eLearning Catalog | June 2021 | synopsys.com | 46 Course Outline Languages and Platforms Introduction to AngularJS Security • Introduction to AngularJS • Comparing AngularJS v1.x and v4.x • Single-Page Applications (SPA) AngularJS Templates and Expressions Securing AngularJS • What Is an AngularJS Template? • What Is an AngularJS Expression? • Strict Contextual Escaping 1 ¼ Hours Advanced • Sanitization • Sandbox Course Description Built-In AngularJS Security Protections AngularJS, the superheroic JavaScript framework from Google, • How CSP Affects AngularJS Usage • AngularJS and Bypassing CSP is a defining technology when it comes to building single-page • Making It All Work applications. The framework removes the drudgery from writing • Using AngularJS CSRF Protections robust, user-driven applications but requires a different way of thinking about architecture and security. This course takes a Cross-Site Scripting Using AngularJS Expressions • Sandbox and Its Removal tour through common mistakes developers make when building • Dangers of Using Server-Side Templates AngularJS applications, how these mistakes can introduce • Abusing Expressions security vulnerabilities, and how to avoid them so you don’t get • Angular.element Issues compromised. Authentication in AngularJS • Common Issues in Single-Page Applications Learning Objectives • Client-Side Controls • Understand the security protections built into AngularJS • Alternative to JWT • Architect secure single-page applications • Avoid coding practices that lead to template injection Authorization in AngularJS • Prevent cross-site scripting (XSS) vulnerabilities • Ensuring Server-Side Access Controls • Understand the role of authentication and authorization in • Enabling Access Restrictions on Views single-page applications AngularJS Web Storage Security • Examining Storage Services Intended Audience • Keeping Data From Being Cached • Front-End Developers
Logging and Monitoring Prerequisites • Handling Client-Side Exception Logging • Types of Events to Log • JavaScript Security • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 47 Course Outline Languages and Platforms Introduction • Introduction to the Securing Express.js Course Content
Execution Environment • Dropping Privileges • Avoiding Information Leaks During Crashes Securing Express.js • Keeping Express Running • Manifest Security Enforcement
Secure Coding Patterns 1 Hour Intermediate • Error Handling • Prototype Pollution Course Description • Handling Regex In this course, you’ll learn how to write secure Express • Single Thread Concerns • Zeroing Buffers applications. This course will give you the tools, perspectives, and patterns you need to security harden all aspects of your Handling Secrets Express applications. We’ll cover defensive coding techniques • Keeping Secrets in the Environment and show you how to prevent common vulnerabilities like cross- HTTP Transport Security site scripting and SQL injection. • Versions • Ciphers Learning Objectives • Pinning • Manage vulnerabilities in third-party library dependencies • Strict Transport • Securely handle application secrets HTTP Security Headers • Enable Transport Layer Security (TLS) • Helmet.js • Leverage security-related HTTP headers • Common HTTP Headers • Securely implement server-side templating • Secure Cookie Usage • Avoid common vulnerabilities like cross-site scripting and SQL injection Secure Request Handling • Validation Intended Audience • Sanitization • Architects • Contextual Escaping • Route Regex • Back-End Developers • Rate Limiting • Whitelisting vs. Whitelist Prerequisites • Static Assets • JavaScript Security • Code Execution • Command Execution
Secure Response Handling • Validation • Sanitization • Contextual Escaping • Information Leakage • Server-Side Rendering
Database Communication • NoSQL • SQL • Parameterization • Validation • Contextual Escaping • Error Handling • Connection Secrets
Logging • Life-Cycle • Contents • Sanitization • Contextual Escaping
Synopsys eLearning Catalog | June 2021 | synopsys.com | 48 Course Outline Languages and Platforms Python Primer • Features • Python for Web Development • Python 3.x • Quick Question • Reasons to Switch Securing Python Web
Python 3.x Core Languages Security Considerations • Errors and Exceptions Applications • Eval() and Input() Functions • Unicode Strings • OpenSSL 1 Hour Intermediate • Final Note on Syntax Web Application Security Course Description • Cross-Site Scripting Python is one of the most popular programming languages • Contextually Aware Output Encoding in the world. This flexible, open source language can be used • Server-Side Template Injection • Login with Facebook to develop software for everything from simple prototyping to high-performance gaming applications, enterprise-grade web Web Application Security 2: Attacks on Persisted Assets frameworks, mobile applications, and more. This course dives • Injection Overview deep into defensive programming techniques for Python, with • SQL Injection examples using the two most well-known web frameworks built • Quick Question on top of Python: Django and Flask. Web Development Framework Configuration • Web Development Framework Scope of Responsibility Learning Objectives • CSRF Protection • Use the framework's built-in security features to provide • Limiting Scope and Access to Attacks defense-in-depth • Same Site Cookies • Protect against common attack vectors in the OWASP Top 10 • Referrer Policy • Identify the security responsibilities and address how to build • Transporting Tokens Securely • Token Expiry security in • HTTP Strict Transport Security • Configure a web development framework • Allowed_Hosts • Implement session management securely • Environment-Based Secrets Management • Effectively implement authentication and authorization • Matching Definitions • TLS Configuration Intended Audience • Error Handling • Architects • Clickjacking • Back-End Developers • Monitoring and Notification • Enterprise Developers Session Management • Front-End Developers • Attacks on Session Management • Persistent Sessions Prerequisites • Quick Question • OWASP Top 10 • Scope • Principles of Software Security • Expiry • Protecting Cookie Integrity
Authentication and Authorization • Authentication Factors • Attacker Objectives • Matching Definitions • Authentication • Password Storage • Authorization Overview • Is the User Logged In? • Authorizing a User to Access a Controller • Enforcing CRUD Properties on Model Data
Synopsys eLearning Catalog | June 2021 | synopsys.com | 49 Cloud Platforms Course Outline Cloud Platforms Introduction to Cloud Security • Introduction • Cloud Deployment Methods • Software Delivery Mechanisms • Security Challenges and Barriers Introduction to Cloud Cloud Infrastructure Security • Introduction • Identity and Access Management Security • Network Security: Virtual Private Cloud • Patch Management • Hijacking Tesla’s AWS Credentials 1 Hour Beginner Data Security • Introduction Course Description • Object Storage Security The cloud is here to stay. As development and software delivery • Persistent Disks move rapidly toward cloud infrastructure, you must be equipped • Managed Databases • Cloud Storage Double Whammy to address the challenges of security and compliance. In this course, you’ll learn common cloud terminology and how Container and Serverless Security to navigate the vast array of security controls you need to • Introduction consider when moving to a cloud provider. By course end, you’ll • Container Security understand how to address common security challenges of • Serverless Security running software in cloud infrastructure. Monitoring and Alerting • Introduction Learning Objectives • Security Metrics Collection • Identify different cloud delivery models • Monitoring • Evaluate security features offered by public cloud providers • Alerting • Build cloud infrastructure with security in mind • Metrics Found the Miner • Protect data stored in cloud environments • Build security controls into cloud technologies such as serverless and containers
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 51 Course Outline Cloud Platforms Introduction • The State of Software Deployment • Continuous Integration and Deployment • Incorporating Security Into DevOps Container Security Secure Implementation • Anatomy of a Container • Docker Security Considerations • Securing Container Images of Docker and
Container Deployment Techniques • Immutable Infrastructure Kubernetes • Container Orchestration
Introduction to Kubernetes 1 Hour Intermediate • Overview and History of Kubernetes • Infrastructure Components • Interacting With Kubernetes Clusters Course Description • Kubernetes Networking Containers have taken center stage as the preferred method of deploying software to production. As security practitioners, we Kubernetes Security Considerations must adapt to the latest technologies or be left in the dust. This • Authentication course focuses on the intricacies of building a modern cloud • Authorization infrastructure capable of taking containers from a developer’s • Kubelet Security • Managing Secrets laptop to production, in a secure manner. • Native Security Features • Auditing and Logging Learning Objectives • Understand the need for containers and container DevSecOps Pipelines orchestration tools • Logging and Monitoring • Implement security hardening techniques in Docker and • CI/CD Security • Anomaly Detection Kubernetes • Securing Third-Party Dependencies • Build security checkpoints into the SDLC and DevOps • Container Security Tools and Resources pipelines • Understand the importance of containers when moving toward DevOps
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • QA Engineers
Prerequisites • Principles of Software Security
Synopsys eLearning Catalog | June 2021 | synopsys.com | 52 Course Outline Cloud Platforms Introduction to AWS Security • Introduction to Cloud Security • Shared Responsibility Model • AWS Architecture • Application Security • Compliance and Governance Securing Amazon • AWS Security or Bust
Infrastructure Security Web Services • Virtual Private Cloud (VPC) Security • Network Routing • Security Groups 1 Hour Intermediate • Firewalls and Access Control Lists • Comparison • Denial of Service Protection Course Description • Web Application Firewall This course dives into the world of secure full-stack software • AWS Systems Manager development and deployment using Amazon AWS. Learn to use • AWS Firewall Manager and Network Security Strategy AWS-specific tools and features to ensure your application’s Identity and Access Management production data is adequately protected and monitored. By • Identity Access Management Overview course end, you should understand how to set up a basic • IAM in AWS hardened AWS infrastructure capable of deploying a production • Temporary Tokens web application.. • Authentication for Your Apps • Permissions and Access Control • Storing and Accessing Credentials Learning Objectives • Summary • Deploy web applications securely using AWS • Compromising a Password Manager’s Password • Implement robust identity and access management controls • Utilize built-in AWS security features Data Security • Store and transmit data in AWS environments securely • Data Handling Introduction • Integrate security monitoring and alerting • Encrypting EBS Volumes • S3 Data Protection • S3 Security Best Practices Intended Audience • AWS Key Management Service • Architects • Data Backups, Retention, and Disposal • Back-End Developers • 2017: The Year of the Misconfigured S3 Bucket • Enterprise Developers • Front-End Developers Monitoring and Alerting • Introduction to Security Monitoring in the Cloud Prerequisites • Auditing and Logging • Introduction to Cloud Security • CloudTrail Security Monitoring in AWS • Creating Alerts Using CloudWatch • Extending Alerting Capabilities • AWS Config • GuardDuty Security Monitoring • Putting It All Together
Synopsys eLearning Catalog | June 2021 | synopsys.com | 53 Course Outline Cloud Platforms Introduction to Google Cloud Platform • Introduction • Cloud Security Overview • Key Concepts • Managing GCP Securing Google Cloud GCP Infrastructure and Security Features • Introduction • GCP Project Structure Platform • Physical and Host Security • Denial-of-Service Mitigations • Compliance and Regulation ¾ Hour Beginner • PCI Won’t Save You (Real-Life Story) Identity and Access Management in GCP Course Description • Introduction to Identity and Access Management This course dives into details around developing and deploying • Google Cloud Identity and Access Management software and services, securely, using Google Cloud Platform. • Leveraging Google Cloud Access Management • Configuring Users and Roles You’ll learn how to use GCP-specific tools and features to • IAM Audit Trail ensure your application’s production data is adequately • IAM Best Practices protected and monitored. By course end, you should understand how to set up a basic hardened GCP infrastructure capable of Network and Data Security deploying a production web application. • Introduction • Virtual Private Cloud Overview • Routes and Firewall Rules Learning Objectives • Data Storage Security • Launch applications and services securely in GCP • Encrypting Data in Transit • Implement identity and access controls • Leaky Cloud Buckets (Real-Life Story) • Protect data at rest and in transit • Stay on top of cutting-edge security features in GCP New and Upcoming GCP Features • Analyze logs in GCP for security-related events • Introduction • Cloud Security Command Center • VPC Service Controls Intended Audience • Container Registry Vulnerability Scanning • Architects • Infrastructure Security Scanning • Back-End Developers • Cryptocurrency Mining for Fun and Profit (Real-Life Story) • Enterprise Developers • Front-End Developers Logging • QA Engineers • Getting Started With Logging • Logging Domains • Logging Security Use Cases Prerequisites • Design, Implementation, and Testing Considerations • OWASP Top 10 • Events to Log • Event Attributes • Security Logging With OWASP • Logging Technology
Synopsys eLearning Catalog | June 2021 | synopsys.com | 54 Course Outline Cloud Platforms Azure Cloud Security Fundamentals • Introduction to Azure • Compliance and Regulation • Shared Responsibility Model • Azure Privacy Standards • Application Security in Azure Securing Microsoft
Azure Platform Security Features • Operations Management Suite Azure • Resource Manager • Azure Security Center • Web Application Firewall (WAF) ¾ Hour Intermediate • Web Application Scanning and Penetration Testing • Logs Are a Hacker’s Best Friend (or Enemy) Course Description Network Security This course explores the ins and outs of securing software built • Azure Virtual Networks and deployed on the Microsoft Azure cloud platform. Learn • External Connectivity • Network Security Groups (NSGs) how to use Azure-specific features to ensure your application’s • Network Routes production data is adequately protected and monitored. By course end, you should understand how to set up a secure Identity and Access Management infrastructure using Azure, capable of deploying cloud-native • Identify and Access Management Overview web applications and services. • Azure Active Directory Introduction • AD Tenants and Administration • Authentication and Access Control Learning Objectives • Password-Based Authentication • Deploy web applications securely using Microsoft Azure • Command Line Interface Authentication • Implement identity and access management controls in the • Multifactor Authentication cloud • Single Sign-On • Use built-in Azure security features • Role-Based Access Control • Store and transmit data in Azure environments securely • IAM Security Best Practices • Integrate security monitoring and alerting Data Security and Encryption • Data Storage Mechanisms in Azure Intended Audience • Key Management • Architects • Encrypting Data at Rest • Enterprise Developers • Disk Encryption • Front-End Developers • Encrypting Azure Storage Data • Encrypting Data in Transit Prerequisites • Shared Access Signature • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 55 Course Outline Cloud Platforms Securing NoSQL • It’s Not a New Technology • It’s an Unusual Technology • Requires a New Take on an Old Set of Vulnerabilities Access Control Securing MongoDB • Authentication • 509 or CR? • Work With Shared Clusters ¾ Hour Intermediate • Authorization • Roles and Privileges • Built In Versus User Defined Course Description MongoDB is the leading document-oriented, or NoSQL, Logging • Enabling Logging Globally database on the market today. It is commonly used for very • Tagging Bits to Log quick transactional websites, but the security profile is not that • Audit Significant Events well understood. In this course, we’ll cover some of the best • The Audit Guarantee™ ways to solidify your security profile. Configuration • Bump the HTTP Status Interface Learning Objectives • Locking Down the REST API • Correctly configure a MongoDB instance to defend against • Best Bet—the Network Infrastructure known attacks • Build code to access a MongoDB database that prevents Hardening MongoDB Databases known attacks • Disable Internet Access • Design and develop effective MongoDB authentication and • What Is MongoDB Good For? authorization • Reevaluating Life Choices • Test a MongoDB implementation against known attacks • Disable Default Accounts • Encrypt Sensitive Data • Use TLS (Really) Intended Audience • Wait, There Isn’t Encryption at Rest? (Nope) • Back-End Developers • Mobile Developers Good Overall Practices • Perform Input Validation (Filtr) • Turn Off Unused Services Prerequisites • Avoid $where • OWASP Top 10 • Direct Object Reference • Server Side Injection • Remove Sample Data
Making MongoDB Weep With Security Tests • Some Nice Attack Vectors • No Authentication • Weak Authorization • Accessing the Admin Database • Cleartext Communication • Multiple Interface Weakness • No Built In Data Encryption • Working With MongoDB files • NoSQLMap
A New Frontier
Synopsys eLearning Catalog | June 2021 | synopsys.com | 56 Authentication and Authorization Course Outline Authentication and Authorization Introduction • Advanced Scenarios • Wrap-Up
End-User Authentication With OAuth 2.0 • Introduction Advanced OAuth 2.0 • Pseudo-Authentication With OAuth 2.0 • Challenges With OAuth 2.0-Based Authentication • Introducing OpenID Connect Topics • Wrap-Up
OAuth 2.0 for Browserless and Input-Constrained 1 Hour Advanced Devices • Introduction Course Description • The Idea Behind the Device Flow Almost every company that exposes an API is converging • The Device Flow in Detail • Additional Considerations toward OAuth 2.0 as a delegation framework. Therefore, OAuth • Wrap-Up 2.0 is still under active development, and a wide variety of complex deployment scenarios are supported. In this course, Client-Based Token Revocation we look at a couple of new and upcoming features. We also • Introduction • The Need for Token Revocation investigate a commonly misunderstood scenario: doing user • The Token Revocation Endpoint authentication with OAuth 2.0. • Considerations for Token Revocation • Wrap-Up Learning Objectives • Implement a secure third-party authentication scenario using Strengthening Bearer Tokens OAuth 2.0 • Introduction • The Idea Behind Proof-of-Possession • Describe the technical requirements for revoking OAuth 2.0 • Proof-of-Possession for Tokens and Codes tokens • Practical Mechanisms to Implement Proof-of-Possession • Explain the challenges with token theft, and potential • Wrap-Up solutions in the OAuth 2.0 ecosystem • Explain how to deploy OAuth 2.0 in alternate scenarios, such Mutual TLS in OAuth 2.0 as mobile applications • Introduction • Using Mutual TLS for Client Authentication • Technical Aspects of Client Authentication With Mutual TLS Intended Audience • Mutual TLS for Binding Access Tokens • Architects • Embedding Certificate Information in Access Tokens • Back-End Developers • Considerations for Using Mutual TLS • Mobile Developers • Wrap-Up Prerequisites Token Binding in OAuth 2.0 • OAuth 2.0 Security • Introduction • Token Binding for Refresh Tokens • Technical Aspects of Token Binding • Token Binding for Access Tokens • Representing Token Binding in Tokens • Token Binding Considerations • Wrap-Up
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 58 AuthenticationRequirements, Architecture,and Authorization and Training
Advanced OAuth 2.0 Topics (cont.)
Identify Delegation • Introduction • Impersonation Versus Delegation • The Idea Behind a Token Exchange • The Token Exchange in Detail • Additional Considerations • Wrap-Up
Using JWTs for Client Authentication • Introduction • Text-Based Client Credentials • Key-Based Client Authentication • Security Considerations • Wrap-Up
Wrapping Up OAuth 2.0 • Introduction • The Current OAuth 2.0 Landscape
Synopsys eLearning Catalog | June 2021 | synopsys.com | 59 Course Outline Authentication and Authorization The Need for OAuth 2.0 • An Example OAuth 2.0 Scenario • The Valet Key Analogy • Valet Keys in Our Application Delegated Access With OAuth 2.0 OAuth 2.0 Security • A Brief History of OAuth 2.0 • OAuth 2.0 Terminology • Conceptual Overview of OAuth 2.0 1 ½ Hours Intermediate • OAuth 2.0 Clients Overview of OAuth 2.0 Grant Types Course Description • Overview of Different Grant Types and Their Purposes OAuth 2.0 is a widely used framework for securing access to • Authorization Code Grant • Device Authorization Grant APIs. But due to its complexity, many developers struggle to • Client Credentials Grant use and integrate OAuth 2.0 securely. This course introduces • Implicit Grant the core concepts of OAuth 2.0 and investigates the currently • Resource Owner Password Credentials Grant recommended flows. It also provides a quick overview of Delegated Access From a Confidential Client deprecated flows and looks at common security pitfalls and • A Confidential Client Scenario misconceptions. • Delegated Access with the Authorization Code Flow • Security Properties of the Authorization Code Flow Learning Objectives • Identify the actors/roles in an OAuth 2.0 architecture Delegated Access From a Public Client • Differentiate between OAuth 2.0 and OpenID Connect • A Public Client Scenario • Understand how access tokens are used in OAuth 2.0 • Augmenting the Authorization Code Grant With PKCE • Mobile and Native Clients • Identify current best practice flows for different types of • Front-End Web Clients clients • Security Properties of the Authorization Code Flow With PKCE • Understand the difference between access tokens and refresh tokens Long-Term Delegated Access • The Purpose of Access Tokens Intended Audience • Running a New Flow • Architects • Quick Question • Back-End Developers • Using Refresh Tokens • Enterprise Developers • Securing Refresh Tokens • Front-End Developers Common Pitfalls and Misconceptions • Mobile Developers • Mistaking OAuth 2.0 for What It Is Not • Abusing OAuth 2.0 for Authentication Prerequisites • Modifying OAuth 2.0 Flows • None
Wrapping Up OAuth 2.0 • The Core Concepts of OAuth 2.0 • Quick Questions • High-Level Security Considerations
Synopsys eLearning Catalog | June 2021 | synopsys.com | 60 Course Outline Authentication and Authorization Introduction • What Is OpenID Connect? • History of OpenID 1.0 to OpenID Connect • Relation to OAuth 2.0 • SAML vs. OpenID Connect • Terms and Definitions OpenID Connect
Tokens • Anatomy of the ID Token 1 Hour Advanced • JSON Web Tokens • Access Tokens and Refresh Tokens • Offline Access Course Description Grant Types Single sign-on and federated identity on the web have long • Authorization Code Flow been a nightmare. Overly complex XML-based systems are • Implicit Flow hard to implement in an interoperable way. OAuth 2.0 seems • Hybrid Flow like a good solution but was never built for authentication. As a • Common Insecure Design Pattern: Covert Redirect consequence, many OAuth 2.0-based authentication systems Requesting User Information are insecure. • What Is a Claim? • Standard Claims Enter OpenID Connect. Designed for authentication and built on • Address Claim top of OAuth 2.0, OpenID Connect addresses many problems • Additional Claims developers have struggled with over the years. This course Request Object positions OpenID Connect and explores how to authenticate • Passing a Request Object by Value end users against an identity provider. By applying these • Passing a Request Object by Reference principles, you can significantly improve the architecture of your • Validating Requests application. Discovery • WebFinger Learning Objectives • Issuer Endpoint Discovery • Position OpenID Connect in the world of web-based • Configuration Discovery delegation and identity federation systems • Implement a secure OpenID Connect flow for various types of Registration web applications • Client Metadata • Understand how identity providers offer SSO solutions and • Client Configuration Endpoint advanced session management mechanisms Signatures and Encryption • Use dynamic discovery to load the necessary information • Signing from the identity provider • Encryption • Use additional security features to fine-tune the security • Reasons for Signing and Encrypting properties of OpenID Connect flows OpenID Connect With Google Intended Audience • Generate and Store State Token • Request Authorization Code • Architects • Confirm State Token Authenticity • Back-End Developers • Exchange the Authorization Code for an Access Token and ID • Enterprise Developers Token • Front-End Developers
Prerequisites • OAuth 2.0 Security
Synopsys eLearning Catalog | June 2021 | synopsys.com | 61 Course Outline Authentication and Authorization Introduction • Different SAML Versions • SAML in a Modern Application Landscape
The Conceptual Idea Behind SAML • MEALSCORE: A SAML Scenario SAML Security • Different Use Cases • The Responsibilities in a SAML Scenario
The Pros and Cons of SAML 2 Hours Intermediate • What SAML Can Do • What SAML Cannot Do Course Description • SAML, OAuth 2.0, and OpenID Connect This course provides an overview of the Security Assertion • Picking a SAML Implementation Markup Language (SAML). It explores the building blocks of Overview of SAML Building Blocks SAML as applied to a single sign-on scenario. Throughout the • SAML Building Blocks course, we highlight the security responsibilities of the different • SAML Assertions stakeholders in a SAML flow. Finally, we put SAML into context • SAML Protocols • SAML Bindings with more modern technologies, such as OAuth 2.0 and OpenID • SAML Profiles Connect. • The Role of XML Learning Objectives SAML Assertions • Assess whether SAML is the right solution to an IAM problem • A Real-World SAML Assertion • Describe how SAML building blocks are used to build a • Breaking Down a SAML Assertion protocol • Validating the Signature • Verifying the Validity • Identify the role of a SAML identity provider and SAML service • Using a SAML Assertion provider • List crucial security requirements for a secure SAML SAML Protocols, Bindings, and Profiles deployment • Overview of SAML Protocols • The Authentication Request Protocol Intended Audience • Overview of SAML Bindings • Architects • The HTTP Redirect and HTTP POST Bindings • Overview of SAML Profiles • Back-End Developers • The Web Browser SSO Profile • Enterprise Developers
SAML for Service Providers Prerequisites • Fitting SAML into the Application Architecture • OWASP Top 10 • A SAML Implementation Example • Handling Logout • Application-Specific Security Considerations • Supporting Multiple Identity Providers
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 62 AuthenticationRequirements, Architecture,and Authorization and Training
SAML Security (cont.)
SAML for Identity Providers • Handling User Authentication • Setting Up Delegation • Bridging SAML to Other Protocols
SAML Security Considerations • General Security Recommendations • Security Considerations for Service Providers • Security Considerations for Identity Providers
Conclusion • SAML in Modern Applications • OAuth 2.0, OpenID Connect, and SAML
Synopsys eLearning Catalog | June 2021 | synopsys.com | 63 Course Outline Authentication and Authorization Introduction • An Example OAuth 2.0 Scenario • Conceptual View of OAuth 2.0 • Accessing Protected Resources Registering a Client Application Securely Accessing • The Need for Client Registration • Registering Different Types of Clients • Registering a Client APIs Using OAuth 2.0 • The Importance of Redirection URIs
Scopes and Permissions 1 Hour Intermediate • Scopes vs. Permissions • Practical Examples of Scopes • Handling Scopes in an OAuth 2.0 Flow Course Description • Security Considerations Because many APIs depend on OAuth 2.0 to implement proper The Client Credentials Grant Flow access control, applications accessing these APIs need to have • Defining the Client Application established mechanisms to securely support OAuth 2.0. This • Initializing the Flow course discusses the four main OAuth 2.0 flows and how each • Practicalities of the Client Credentials Grant Flow of them supports a distinct access scenario. You’ll learn how • Limitations and Security Considerations to use OAuth 2.0 to access remote APIs and address client The Resource Owner Password Credentials Grant Flow registration, as well as additional security considerations. • Defining the Client Application • Initializing the Flow Learning Objectives • Practicalities of the Client Credentials Grant Flow • Describe how to register a client application and request • Limitations and Security Considerations proper permissions • Select the right OAuth 2.0 flow based on the use case you’re The Implicit Grant Flow handling • Defining the Client Application • Initializing the Flow • Implement an application that uses OAuth 2.0 to access • Practicalities of the Implicit Grant Flow remote APIs • Limitations and Security Considerations • Explain the additional security considerations that need to be taken into account The Authorization Code Grant Flow • Defining the Client Application Intended Audience • Initializing the Flow • Architects • Practicalities of the Authorization Code Grant Flow • Limitations and Security Considerations • Back-End Developers • Front-End Developers The PKCE-Based Authorization Code Grant Flow • Defining the Client Application Prerequisites • Initializing the Flow • None • Practicalities of the PKCE-based Authorization Code Grant Flow • Limitations and Security Considerations
Additional OAuth 2.0 Security Considerations • Secure Communication Channels • Using Refresh Tokens • Secure Token Storage • Preserving the Integrity of OAuth 2.0 Flows
Wrapping Up API Access with OAuth 2.0 • Conclusion • OAuth 2.0 Flows • Security Considerations
Synopsys eLearning Catalog | June 2021 | synopsys.com | 64 Course Outline Authentication and Authorization Introduction • Examples of Protected Resources • The Complexity of OAuth 2.0
Authentication, Authorization, and OAuth 2.0 • API Security Based on OAuth 2.0 Securely Granting • The Relationship Between Authentication, Authorization, and OAuth 2.0 • Deciding Which OAuth 2.0 Flows to Support Access to an API
Different Access Token Types • Different Types of Access Tokens Using OAuth 2.0 • Reference Tokens • Self-Contained Tokens ¾ Hour • Considerations for Choosing a Token Type Intermediate
Handling Incoming Access Tokens • Getting the Access Token From the Request Course Description • Introspecting Reference Tokens Modern web applications are often backed by APIs. These • Verifying Self-Contained Tokens APIs depend on OAuth 2.0 to implement access control. Since • Security Considerations OAuth 2.0 is a delegation framework, implementing access control is not as simple as it seems. In this course, we look at Restricting Access Using Well-Defined Scopes the architecture of a back-end application using OAuth 2.0. We • The Purpose of Scopes • Using Scopes for Authorization investigate the security properties of different kinds of access • Practical Use of Scopes tokens. We also look at the importance of token introspection, and how to use that data to make access control decisions. Implementing Access Control Using OAuth 2.0 • Getting the Access Token • Validating the Access Token Learning Objectives • Making Authorization Decisions • Explain the difference between the different flavors of access tokens Wrapping Up • Explain the role of a token introspection endpoint • Making Authorization Decisions • Define a custom set of scopes for fine-grained access control • Secure access to an API using OAuth 2.0
Intended Audience • Architects • Back-End Developers
Prerequisites • OAuth 2.0 Security
Synopsys eLearning Catalog | June 2021 | synopsys.com | 65 Mobile Course Outline Mobile Secure Application Development for Android • Introduction • Security for Android Applications • Android, Java, and Kotlin • Conclusion Advanced Android Enhanced Exception Handling in Kotlin • Introduction • Exception Handling in Java Security • Exception Handling in Java: Question • Handling Null Pointer Exceptions in Kotlin • Addressing Type Safety 1 ¾ Hours Advanced • Defensive Coding Guidelines for Kotlin • Conclusion Course Description Secure Network Communication Building secure Android applications requires a solid • Introduction understanding of the features offered by Android, coupled • Using HTTPS Correctly • SSL Without HTTPS with concrete secure coding guidelines. Throughout this • The Need for Certificate Pinning course, learners will build up security knowledge for Android • Certificate Pinning in Practice applications. We’ll cover topics such as secure network • Best Practices for Pinning communication, handling secrets, dealing with authentication, • Conclusion and handling permissions. Every Android developer should take Handling Secrets and Sensitive Data this course to learn about security best practices for modern • Introduction Android applications. • Encrypting and Decrypting Data • Storing Keys With the Android Keystore Learning Objectives • Password-Based Key Generation • Understand how to use the latest security features offered by • Conclusion Android Local User Authentication • Design and build secure Android applications • Introduction • Analyze Android applications for common security flaws • Local Authentication Scenarios • Using Biometric Authentication Intended Audience • Unlocking Cryptographic Keys With Authentication • Architects • Alternative Authentication Mechanisms • Mobile Developers • Conclusion
API-Based User Authentication Prerequisites • Introduction • Android Security • Simple User Authentication • Introducing OpenID Connect • Integrating OIDC Into the Application • Behind the Scenes • Conclusion
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 67 Requirements,Mobile Architecture, and Training
Advanced Android Security (cont.)
Secure API Access Using Permissions Effectively • Introduction • Introduction • Scenarios for Securing API Access • Permissions and Protection Levels • Using OAuth 2.0 for Secure API Access • Permissions and Protection Levels: Question • Handling Access Tokens • Custom Permissions • Handling Refresh Tokens • Requesting Permissions From the User • Conclusion • Using Permission Groups • Conclusion Handling Web Content • Introduction Conclusion • Rendering Web Content on Android • Introduction • Integrating a WebView Into the Application • Language and Platform Security • Bridging JavaScript and Native Code • Protecting Sensitive Data • Web Security in a WebView Context • Remote Authentication and API Access • Security Considerations • Handling Web Content • Conclusion • Permissions and Intents • Custom Permission Securing Intents • Conclusion • Introduction • Using Intents Within an Application • Calling Other Applications With Intents • Handling Incoming Intents • Best Practices • Conclusion
Synopsys eLearning Catalog | June 2021 | synopsys.com | 68 Course Outline Mobile Introduction: The Risks to Android Apps • Man-in-the-Middle Attacks • Reverse Engineering • Malicious User With a Proxy • Malicious App Installed on the Device • Rooted Device Android Security • Rooted Device: Stolen!
Android APK Structure 1 ¼ Hours Intermediate • Getting Into the APK • Keep Secrets Out of the Packages Course Description Android Security Model The Android operating system has several built-in security • Full-Disk Encryption • File-Based Encryption features to protect application users from attackers—e.g., • Sandboxing network sniffers, malicious app writers, device thieves, and • Permissions Model: Protection and Consent more. It is important for Android application developers to understand what protections these features provide but Permissions Issues • Permission Redelegation also where they can fall short in protecting users. It is the • Overly Permissioned Apps responsibility of Android application developers to practice • Consequences of Overly Permissioned Apps defensive programming to protect the users of their applications • Augmented Gaming and Permissions from the common attacks that attackers use to compromise applications and their data. This course teaches important Intent Issues • Unauthorized Intent Recipient information about the Android platform but also focuses on the • Unauthorized Intent Recipient: An Example defensive programming techniques that developers must know • Intent Forging to write secure apps. • Sticky Broadcasts • How Easily Can Attackers Find and Exploit Vulnerable Apps? Learning Objectives Insecure Storage • Appreciate the risks to Android applications • Insecure Storage • Understand the structure of Android package files • Saving Files Without Using MODE_PRIVATE • Understand the Android security model and the protections • Saving Files to the SD Card provided by the Android OS • Saving Sensitive Data to SQLite Databases • Apply defensive programming techniques for common • Logging Sensitive Data Android vulnerabilities • WebViews • How Likely Is It That a Device Will Be Lost or Stolen? Intended Audience Use of Client-Side Controls • Mobile Developers • RSA Conference Mobile App • Overreliance on Device Interrogation Prerequisites • Client-Side Controls to Prevent Access to Functionality • Principles of Software Security • Reliance on Root Detection • Foundations of Mobile Security • Reliance on Root Detection: Biometrics • OWASP Top 10 Secure Communications • Secure Communications • Insecure Certificate Validation • SSL/TLS Best Practices • Certificate Planning • Scanning for SSL/TLS Best Practices • Compromised Certificate Authorities
Synopsys eLearning Catalog | June 2021 | synopsys.com | 69 Course Outline Mobile Mobile Platforms • Mobile Concerns: Thick Clients • Thick Clients: Performance vs. Security • Thick Clients: Official Apps are Best • Sandboxing • Sandboxing for Android Foundations of • Sandboxing for iOS • Code Signing • Code Signing for Android Mobile Security • Code Signing for iOS • Code Signing: Summary • Permissions ¾ Hour Beginner • App Store Verification • Challenges • Challenges With Rooted/Jailbroken Devices Course Description Mobile applications have become an everyday part of life, Mobile Applications whether we are checking email, getting directions, or sending • Mobile Web Application funny pictures to friends. While mobile devices offer an ever- • Native Mobile Application • Hybrid Mobile Application increasing number of developers a chance to interact with • Cross-Platform Frameworks users via their application, they also provide unique security • Security Considerations challenges that can be difficult to understand. This course provides an overview of the risks a developer needs to be aware Mobile Threats of when developing for mobile. • The Mobile Threat Landscape • Remote Attacks • Client-Side Attacks Learning Objectives • Malicious Applications and Profiles • Understand common mobile application security • Social Engineering vulnerabilities • Quick Questions • Define the security controls of multiple mobile operating • Network Attacks systems • Articulate real-world threats to mobile applications Application Security Vulnerabilities • Insecure Data Storage • Insufficient Transport Layer Protection Intended Audience • Unintended Data Leakage • Architects • Lack of Binary Protections • Front-End Developers • Mobile Developers Application Security Controls • QA Engineers • Introduction to Security Controls • Does Data Need to Be There? • Securing Data at Rest Prerequisites • Securing Data in Transit • None • Preventing Unintended Data Leakage • Binary Hardening
Mobile Application Security Testing • Testing Overview • Testing Debug Builds (Android Only) • Testing Release Builds • Dealing with Hardened Applications • Other Considerations
Synopsys eLearning Catalog | June 2021 | synopsys.com | 70 Course Outline Mobile Overview and Mobile Device Usage • Introduction • Mobile Device Usage • Simplified Tasks • Required Functionality • Constant Connectivity Fundamentals of iOS • Multi-Personal Device • User Workflow Expectations • Lost/Stolen 1 ½ Hours Advanced Platform Overview and Integrated Controls • Introduction Course Description • Unix Base Apple’s iOS platform provides an always-expanding set of • Integrated Security Controls features for creating terrific user-focused applications. But – Integrated Security Controls: Data Execution Prevention – Integrated Security Controls: Address Space Layout these applications are still prone to security vulnerabilities, Randomization whether iOS-specific or common across platforms. This course • Integrated Security Controls provides an overview of the iOS operating system architecture – Stack Canaries and security issues affecting iOS applications. – Secure Enclave – Closed System • Apple Watch Additional Controls Learning Objectives • Describe the iOS architecture Development and Application Structure • Determine the correct application type for an application’s • SDK: iOS Architecture Layers needs • SDK: High-Level APIs and Hybrid Frameworks • Evaluate the security implications of the language used to • Application Structure write iOS applications • Extension Points on Apple Platforms • Describe platform security controls Common iOS Platform Issues • Identify common iOS application vulnerabilities • Introduction • Reverse Engineering Intended Audience • Jailbreaking Overview • Back-End Developers • Perspectives on Jailbreaking • Front-End Developers – Jailbreaking and Normal Users • Product Architects – Jailbreaking and Attackers • Security Architects – Jailbreaking and Users – Jailbreaking and Developers • Memory Management Prerequisites • OWASP Top 10 • Foundations of Mobile Security Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 71 Requirements,Mobile Architecture, and Training
Fundamentals of iOS (cont.)
Platform Security Controls Application Issues: Input and Storage • Platform Security Controls • Data Representation and Validation • Application Sandboxing Introduction • Cryptographic Issues • Application Sandbox – Algorithm Usage – Documents – Key Management – Library and tmp – Initialization – Sandbox Access Caution • The Many Forms of Local Storage • Non-Application Sandbox Storage Options: Introduction – Local Storage Overview • Outside Application Sandbox Storage – NSUserDefaults – Cloud Based – SQLite DB – Server – iOS Keychain • Interprocess Communication (IPC): URL Scheme – Document Directory • IPC Keychain Sharing (Keychain Access Groups) – Screenshot Snapshots • IPC: Pasteboard – Memory Management • IPC Extensions • Data Protection: API • Keychain and Biometric Security • Data Protection: potential Weakness • Cryptography and Certificate Management • Leaky Databases • Privacy Controls • Mobile Data Breaches
Application Issues: Authentication/Authorization and Communications • Authentication – Lack of Authentication – Broken Authentication – Weak Authentication Policies – Insecure Session Management – Client-Side Authentication • Authorization • Communication Issues • Interprocess Communication (IPC) – Custom URL Schemes – Pasteboard – Keychain Sharing – Custom Keyboards – General Other Extensions – Apple Push Notification Service (APNS) – General IPC
Synopsys eLearning Catalog | June 2021 | synopsys.com | 72 Course Outline Mobile Secure Development Introduction • Introduction to iOS Development Languages • Introduction to Objective-C • Variables • Constants • Messaging Secure Programming • Pointers • Introduction to Swift • Variables for iOS • Constants • Optionals Chaining and Unwrapping • String Interpolation 1 Hour Advanced • Pointers • So which is safer, Objective-C or Swift? • Other Non-Language-Specific Things Course Description The Apple iOS platform provides a comprehensive set of Secure Communications features for creating versatile mobile applications. The • Introduction platform’s specific architecture and security model sets it apart • App Transport Security • HTTPS Recommendation from other mobile operating environments. This distinction • ATS Help introduces specific risks from a mobile application security • Certificate Pinning perspective. This course teaches defensive programming • No Pinning techniques to mitigate common risks in iOS applications. It • Certificate Pinning via WKWebKit gives special emphasis to describing key security controls • Push Notification provided by the platform and how to use them correctly. • Notification Recommendations • Session Management Learning Objectives Client-Side Injection • Understand the security benefits of each language and which • WebViews may be the better solution to select • Controlling a WebView • Identify security concerns with IPC (basic) and what to do to • NAVIGATIONS DELEGATE prevent issues • XSS and JavaScript • Identify and use secure communication techniques to protect • Introduction to SQL Injection data in transit • SQL Injection Vulnerability Example • Correct Example • Identify and use WebView components securely • Note • Understand how to authenticate and authorize users • Understand the downsides of common local storage options Authentication and how to protect sensitive data • Authentication • Device Authentication vs. Application Authentication and Intended Audience Client-Side vs. Server-Side • Architects • Touch ID Introduction • Bad • Back-End Developers • Touch ID Recommendation • Enterprise Developers • Authentication Credentials • Front-End Developers • Management • Mobile Developers Continued on next page • QA Engineers
Prerequisites • Foundations of Mobile Security • Fundamentals of iOS • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 73 Requirements,Mobile Architecture, and Training
Secure Programming for iOS (cont.)
Secure Storage Inter-Process Communication • Local Storage and Data Leakage • Inter-Process Communication in iOS • Introduction to Logging • URL Scheme • Logging • Defining a URL Scheme • CAUTION! • Handling a URL • Background Screenshots • Opening an Application Using a URL • Background screen shots Recommendations • Recommendation • NSUserDefaults Introduction • General (System) Pasteboard • NSUserDefaults The Bad • Pasteboard Access • NSUserDefaults: Ensuring Controls • Pasteboard Best Practice: Adding Security Controls • NSUserDefaults: Performance Improvements • Pasteboard Best Practice: Handoff Controls • NSUserDefaults: Offline Access • Named Pasteboards: Sharing Data Between Apps • NSUserDefaults: Server Authentication • Access • Data Files: Introduction • Restrictions and Best Practice • The Bad: Data Protection API • App Group Containers • Recommendation: Data Protection API • Shared Keychain Groups • Data Protection: Performance Improvement • Data Protection: Offline Access • Data Protection: Server Authentication • Keychain Services • KeyChain Recommendations
Binary Protections • DISCLAIMER! • Debugger Detection • Jailbreak Detection • Code Obfuscation
Synopsys eLearning Catalog | June 2021 | synopsys.com | 74 Requirements, Architecture, and Training Course Outline Requirements, Architecture, ARA Overview • What Is ARA? and Training • When Do You Perform ARA? • Indicators ARA Is Necessary • Ongoing ARA
Design Flaws and the Techniques That Find Them • Bugs vs. Flaws Architecture Risk • Examples of Security Flaws at Design Level • Is There a Tool for That? • Analysis Types for ARA Analysis
ARA Output • What Do You Get? 1 ½ Hours Advanced • Who Uses It? • Following Up With Secure Design Course Description Dependency Analysis Architecture risk analysis (ARA) is a set of techniques that • Dependency Analysis Overview aims to discover design flaws and the risks they pose within a • Analyzing an Application’s Environment • Implementation Considerations system. ARA does not replace other analysis techniques such • Illuminate Interfaces and Contracts as penetration testing and code review; it complements those • Base Security Controls and Limitations techniques. Once you learn the techniques discussed in this course, you will have the skills needed to identify design-level Known Attack Analysis defects—even if the system being analyzed has been pen-tested, • What Is Known Attack Analysis? • Applying Principles code-reviewed, and released. • Commonly Discovered Flaws • Technique: Build an Attack Checklist Learning Objectives • Technique: Build a List of Security Controls Common to • Explain to others why a technique like ARA is required to have Design Patterns secure software • Technique: Connections Between Architectural Elements • Learn the different types of analyses that are used when • Technique: Pay Close Attention to Dynamic Code Generation performing ARA and Interpretation • Identify the kind of output that is needed or expected when • Techniques: APIs Across Stateless Protocols performing ARA System-Specific Analysis • System-Specific Analysis Intended Audience • System-Specific Analysis: Business Relation • Application Security Specialists • Discovering Intentions • Architects • Trust • Developers • The Problem With Trust • QA Engineers • Software Security Modeling Techniques • Trust Modeling • Data Sensitivity Classification Prerequisites • Threat Modeling • Principles of Software Security • OWASP Top 10 or Attack and Defense
Continued on next page
Synopsys eLearning Catalog | June 2021 | synopsys.com | 76 Requirements, Architecture, and Training
Architecture Risk Analysis (cont.)
Guiding Principles for ARA • Guiding Principles Overview • Secure the Weakest Link • Practice Defense in Depth • Be Reluctant to Trust • Storing Secrets Is Hard • The Principle of Least Privilege • Fail and Recover Securely • Compartmentalize • Promote Privacy • Keep It Simple • Mediate Completely • Separation of Duties • Make Security Usable
Models of an ARA System • ARA Models Overview • Component Diagram • Threat Model Diagram
Risks, Issues, and Documentation • Traceability Matrix • Documenting Technical Risks • Example: Customer Credentials • Documenting Observations • Security Testing
Synopsys eLearning Catalog | June 2021 | synopsys.com | 77 Course Outline Requirements, Architecture, Introduction to Risk-Based Security Testing • Introduction and Training • The Key Players • The Software Security Discipline • What Is Software Security? • Two Broad Classes of Security Defects • Security Testing • Testing Security Functionality Risk-Based Security • Managing Risks • Defining What Security Means for You Testing Strategy Defining Requirements • Requirements • Functional Requirements 1 ¼ Hours Intermediate • Non-Functional Requirements • Derived Requirements • Attributes of Good Requirements Course Description • Security Requirements, not Security Features Software security is a key element in your assurance and • Security Requirement Types compliance strategy for protecting your applications and • Non-functional Security Requirements critical data. Organizations need applications that not only • Derived Security Requirements work correctly under normal use but also continue to work • Thinking Backwards • Automated Teller Machine: A Scenario acceptably in the face of malicious attack. Software security • Security Requirements testing extends beyond basic functional requirements and is a critical part of a secure software development life cycle. Getting Started Risk-based security testing is about building confidence that • Where Do I Start? attackers cannot turn security risks into security problems. This • Risk-Based Security Testing Process • Security Goals course teaches you to think like an attacker when testing your • Guiding Principles for Secure Design applications. • Risk Classifications • Putting It All Together Learning Objectives • Develop a white box testing strategy based on real-world risks Testing Strategies to improve where and how testing resources can be focused • Adding Risk-Based Security Testing • Integrating the RBST Process • Describe how to use architecture risk analysis and abuse • Using Threat Models case artifacts to enhance test plans • Using Architecture Risk Analysis Results • Use knowledge of common software errors for developing • Using Abuse Cases test cases to expose them • What Are You Accomplishing? • Strategize ways to integrate risk-based security testing into • Effective Testing your SDLC Resourcing and Players • Introduction Intended Audience • Testing Tools • Back-End Developers • Think Like an Attacker • Front-End Developers • Who are you up against? • QA Engineers
Prerequisites Continued on next page • Principles of Software Security • OWASP Top 10 or Attack and Defense
Synopsys eLearning Catalog | June 2021 | synopsys.com | 78 Requirements, Architecture, and Training
Risk-Based Security Testing Strategy (cont.)
Common Risk Areas: Part 1 • Security Coding Error Test Approach • Kingdom 1: Input Validation and Representation • SQL Injection • Cross-Site Scripting (XSS) • Kingdom 2: API Abuse • Ignoring Return Values • Using Deprecated Methods • Kingdom 3: Security Features • Privacy Violation • Default Authentication • Privilege Abuse • Handling Secrets
Common Risk Areas: Part 2 • Introduction • Kingdom 4: Time and State • Parameter Tampering • URL Tampering • Cookie Tampering • Kingdom 5: Errors • Exception Handling • Triggering Errors • Kingdom 6: Code Quality • Memory Leaks • Source Code Comments and Strings • Kingdom 7: Encapsulation • Violations of Boundaries Between Components • Violations of Data Trust Levels
Going Forward • Trying It All Together • Your Judgment Is Crucial • Challenges in Adopting Software Security Testing • Software Security Framework • A Software Security Roadmap • Mature Over Time
Synopsys eLearning Catalog | June 2021 | synopsys.com | 79 Course Outline Requirements, Architecture, Introducing Security in the SDLC • Introduction and Training • The Importance of Requirement Gathering • What Are Software Security Requirements? • Types of Software Security Requirements • Internal Risk and Threat Assessment • Threat Modeling • Security Training and Awareness Software Security
Types of Software Security Requirements • Introduction: Functional, Nonfunctional Requirements Requirements • Software Security Requirements: Category Listing and Definitions • Requirements Gathering and Methodologies ¾ Hour Beginner – Intro – Specifications – Use Cases Course Description – User Stories This course introduces the role of security requirements in • User Stories: Misuse Stories the software development life cycle and explains how to write effective, verifiable requirements. The goal is to understand The Role of Software Security Requirements • Introduction first how to incorporate security into the SDLC and then how to • Security Requirements Overview choose a style of security requirements that fits your project’s • Approaches to Security Requirements: Risk-Based and and organization’s needs. The course wraps up with an action Addressing a Threat Agent plan to help learners verify the effectiveness of security • Collecting and Prioritizing Security Requirements requirements through security testing and hands-on auditing. Writing Effective Security Requirements • Introduction to SMART Requirements Learning Objectives • Understanding SMART Requirements • Explain the benefit of introducing security-specific – Specific requirements as part of an overall requirements-gathering – Measurable strategy – Attainable • Understand the approaches and methodologies used to write – Relevant software security requirements – Testable • Differentiate between functional and nonfunctional software • SMART Example requirements and understand which type of requirements- • Categories of Software Security Requirements gathering technique best fits your organization • Examples of Software Security Requirements • Operational Security Requirements • Describe the qualities of effective security requirements and implement requirements that increase application security Verifying Security Requirements • Implement verifications to ensure security requirements are • Introduction met and enforced during and after deployment • Verifying Security Requirements • Code Review Intended Audience • Security Testing • Architects • Compliance Audit • Back-End Developers • Enterprise Developers • Front-End Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 80 Regulation and Compliance Course Outline Regulation and Compliance Privacy by Design and by Default • Definition and Categories of Personal Data • Designing an Application With Privacy Requirements • Privacy by Default Getting Consent GDPR for Developers • Requirement for End-User Consent • Methods to Get Consent • Consent Revocation and Architects
Personal Data Collection and Processing • Collection of Necessary Data Only 1 Hour Beginner • Right to Restrict Data Processing • Data Profiling Course Description Accessing Personal Data GDPR introduces several new requirements for personal • Users’ Right to Access and Edit Personal Data • Right to Correct Data data protection and rights for data subjects. It is crucial for • Data Retention Requirements applications to be compliant with these regulatory requirements, which bring about specific technical requirements. This course Data Portability and Right to Deletion provides detailed guidance to help developers create and deploy • Exporting Data applications compliant with GDPR. It focuses on significant • Deleting Data • Handling Data Transferred to Third Parties aspects of GDPR, such as getting users’ consent, privacy by design, right to access and deletion, and the mechanisms Anonymization and Encryption that you can use to protect users’ rights, such as encryption, • Encrypting Data at Rest and in Motion anonymization, and pseudonymization. • Integrity Protection • Anonymization and Masking Learning Objectives Access Control and Logging • Integrate privacy into the SDLC • Access Control Requirements and Mechanisms • Establish guidelines for obtaining user consent for personal • Keeping Audit Trails and Logs data collection and processing • Identify minimum personal data collection levels, and enforce restrictions in processing • Enable end users to access, rectify, export, and delete their personal information • Understand how security mechanisms like encryption, hashing, pseudonymization, anonymization, and masking can support GDPR compliance • Implement access controls and audit trails to protect the confidentiality of personal data
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Mobile Developers
Prerequisites • Introduction to GDPR
Synopsys eLearning Catalog | June 2021 | synopsys.com | 82 Course Outline Regulation and Compliance Personal Data Mapping • Categories of Personal Data • Personal Data Inventory: Records of Processing Activities • Data Flow Mapping Data Subjects' Rights GDPR for Development • Consent Management • Right to Access, and Rectification • Right to Be Forgotten and Project Managers • Exporting and Transferring Data
Design Requirements ¾ Hour Beginner • Privacy by Design • Requirements for Profiling • The Role of the DPO Course Description This course provides a thorough understanding of GDPR’s Data Privacy Impact Assessment • Introduction requirements for personal data protection and how they affect • When Is a DPIA Mandatory? the software development life cycle. Lessons provide details • DPIA Methodologies on mapping personal data within an application and creating a dataflow map that helps identify privacy-related risks. You’ll Requirements for Development, Testing, and Production walk away understanding how to use a data privacy impact • Data Protection • Security Mechanisms assessment to assess risks to personal data and how to • Breach Notification determine the needed technical and organizational controls. Security mechanisms that can be used to protect personal data are also presented at a high level.
Learning Objectives • Create a personal data inventory for an application and update the records of processing activities accordingly • Understand how to create a dataflow map and use it to determine risks for personal data • Become familiar with data subject rights and how they affect the software development life cycle • Gain a thorough understanding of the GDPR requirements that affect the design phase of software development • Go through the basic steps of a data privacy impact assessment and use it to determine the necessary privacy controls for an application • Understand the security mechanisms that can be used to protect personal data • Become familiar with the processes that need to be in place to detect and report a personal data breach
Intended Audience • Architects • Management
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 83 Course Outline Regulation and Compliance Why You Need to Comply With GDPR • Introduction to GDPR • Scope and Applicability • Compliance Users’ Rights GDPR for Upper • Right to Be Informed • Right to Access, Rectification and Portability • Right to Be Forgotten Management
Obligations to End Users • Informing Users ¾ Hour Beginner • Consent Requirements • Data Collection • Privacy by Default and by Design Course Description • Data Protection This course introduces top management to GDPR. You’ll learn Obligations to Authorities about the scope of GDPR, whether your organization needs to • Records of Processing Activities be compliant, and the results of noncompliance in both legal • Data Flow Mapping and practical terms. The course covers the responsibilities • Data Protection Impact Assessment organizations have toward individuals and authorities in terms • Breach Notification of GDPR, the role of the data protection officer (DPO), and how Data Protection Officer to determine whether your organization needs a DPO. • The Role of DPO • DPO Responsibilities Learning Objectives • Who Can Be a DPO • Understand the importance of complying with GDPR, and the results, penalties, and liabilities for noncompliance • Identify the rights of data subjects and how they translate into requirements for your organization • Understand your organization’s requirements to protect personal data of individuals • Identify your obligations to supervising authorities • Understand when you need a DPO, the DPO’s responsibilities, and the skills required for this position
Intended Audience • Management
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 84 Course Outline Regulation and Compliance What Is CCPA? • Introduction: What Is CCPA? • Scope and Penalties • Consumer Rights at a Glance Consumer Rights Introduction to CCPA, • Purposes for Collecting Personal Information • Right to Access and Disclosure • Right to Deletion California Consumer • Right to Opt Out • Right to Nondiscrimination Protection Act Requirements for Businesses • Notices to Consumers 1 Hour Beginner • Privacy Policy • Receiving and Responding to Requests • Handling Requests to Opt Out Course Description • Verifying Requests This course introduces the California Consumer Protection Act • Rules Regarding Minors to developers and anyone else involved in the development life • Record-Keeping cycle. CCPA introduces several new rights for consumers based Roadmap to CCPA Compliance in California and also requirements for businesses, especially • Roadmap to CCPA Compliance those with an online presence. • Know Your Data • Breach Detection In this course, we provide all necessary guidelines to ensure • Data Protection Best Practices your applications are compliant with CCPA. We describe the notices you must provide consumers and how to do this through your applications or websites. We also elaborate on how to receive, verify, and handle CCPA-related consumer requests. Finally, we highlight all necessary steps to follow to ensure continuous compliance with CCPA.
Learning Objectives • Understand what CCPA is, whom it concerns, why it is significant, and the consequences of noncompliance • Have a clear understanding of California consumer rights mandated by CCPA and what requirements these introduce into the software development life cycle • Become familiar with how a business should receive, verify, process, and respond to consumer requests regarding personal data, and how to do this online • Understand what documentation is required by CCPA, including notices to consumers, privacy policies, and so on • Put together a roadmap to ensure compliance with CCPA
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Mobile Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 85 Course Outline Regulation and Compliance Introduction to PCI DSS Developer Training • PCI DSS Training Agenda • The Payment Card Industry and the SSC • An Overview of the PCI DSS • Why Are We Here? PCI DSS Security PCI DSS Version 3.2.1 Overview • Understanding the PCI DSS • PCI DSS Control Group 1 1 Hour Beginner – Build and Maintain a Secure Network and System • Control Group 2: Protect Cardholder Data – Focus on Requirements 3–4 Course Description • Control Group 3: Maintain a Vulnerability Management This course offers security training for any developers that Program work on PCI DSS–relevant applications. In this course, we – Focus on Requirements 5–6 • Control Group 4: Implement Strong Access Control Measures explain the annual PCI DSS training requirements for developers – Focus on Requirements 7–9 and proceeds to provide the necessary training. We focus on • Control Group 5: Regularly Monitor and Test Networks the standard itself and how it affects developers across all – Focus on Requirements 10–11 requirements. We highlight real-world examples for lessons • Control Group 6: Maintain an information Security Policy learned, and we cover recent and upcoming changes in the PCI – Focus on Requirement 12 DSS standard in detail. PCI DSS v3.2.1—What’s Changed and What’s Coming • What’s Changed Learning Objectives • Why Now? • Gain a high-level understanding of the PCI DSS as a whole • What’s Wrong With the SSL and Legacy TLS? and its relevance to developers • How Can We Check and Fix Our Transport Issues? • Understand annual development training requirements • PCI SSF and Changes Coming From the PCI SSC mandated by the PCI DSS and the need to take this course in • PA-DSS and the PCI SSF and Industry Impact parallel with OWASP Top 10 Real-World Example • Understand the changes in PCI DSS 3.2.1 and their impact on • Pipeline Issues developers • More Than One Way to Do It • Apply knowledge from a real-world example of a payment industry security event Preparing for PCI DSS Assessment • Gain knowledge of the PCI DSS assessment process and how • First Things First to be prepared as a developer • Six Months Before Starting • Understand upcoming changes to the PCI DSS and other PCI • Documentation to Review • People to Interview SSC programs • Processes to Validate • Evolve your own training program to continue to adapt to the ever-changing security landscape of the payment industry
Intended Audience • Back-End Developers • Front-End Developers • Product Architects • Security Architects
Prerequisites • OWASP Top 10
Synopsys eLearning Catalog | June 2021 | synopsys.com | 86 Course Outline Regulation and Compliance Challenges of Developing Healthcare Applications • Severity of the Problem • Current Challenges for Software Developers in Healthcare • Key Compliance Requirements • Summary Secure Development Legal and Regulatory Compliance in the Healthcare Industry • Introduction to Compliance Frameworks for Healthcare for Healthcare • Significant Regulations for Cyber Security Requirements in Healthcare 1 Hour Beginner • Applicability • Applicability Continued • Patient Rights Course Description • Requirements for Software Developers This course presents the current compliance landscape • When to Include Software Security for building applications for the healthcare sector. Health • Requirements for Purchasing Medical Equipment information is the most sensitive and critical category of • Requirements for Mobile Applications personal data. This course outlines the requirements for Health Information Protection protecting health information that are either defined by legal • Definitions and compliance frameworks or established as best practices. It • Data Protection and Encryption focuses on requirements for authentication, authorization, and • Data Integrity • Data Recovery and Disposal access control, and also presents requirements for encryption and data integrity that were brought about by legislation such as Securing Healthcare Applications HIPAA and the HITECH Act. It also covers the requirements for • Authentication and Authorization breach detection and notification. The course concludes with • Access Control requirements for developing software for medical devices and • Quick Questions • Auditing and Logging deploying them in a healthcare provider. • Breach Detection and Notification Learning Objectives Medical Devices Security • Understand the main legal and compliance frameworks for • Compliance for Medical Devices healthcare and the requirements they bring to developing • Security for Medical Devices applications • Deployment Best Practices • Identify personal health information and implement security controls to adequately protect it • Implement best practices regarding authentication and controlling access to health information • Understand the requirements for breach notification • Describe the security and privacy requirements when developing software for medical devices and subsequently deploying them in a healthcare provider
Intended Audience • Architects • Back-End Developers • Enterprise Developers • Front-End Developers • Mobile Developers • QA Engineers
Prerequisites • None
Synopsys eLearning Catalog | June 2021 | synopsys.com | 87