Fall 2014 Course Schedule

• TPL036: Introduction to Ruby and Rails
• TPL482: JSON and JSON Schema
• SV066: Linux/Unix Security
• TSV436: Secure Code Review

Approved for Public Release; Distribution Unlimited. Case Number 14-3731 ©2014 The MITRE Corporation. ALL RIGHTS RESERVED

TPL036: Introduction to Ruby and Rails

Course Description: This course provides a thorough introduction to the Ruby programming language. Students will explore what differentiates Ruby from other modern programming languages.

The class will have a strong focus on the tools that Ruby provides to generate logic and build applications with less code than other programming languages. Once a basic understanding of the Ruby programming language is attained, the class will provide an introduction to .

This is a popular development framework for rapidly creating web applications. Students will leave the class with the tools they need to create simple Ruby and Rails applications and explore the ecosystem further on their own.

Course Objectives:

• Install and set up a Ruby and Rails environment
• Identify the basics of the Ruby programming language
• Create and configure a Rails application
• Develop a basic understanding of programming with Ruby, with the tools necessary to learn more
• Provide knowledge on the architecture of a Ruby on Rails application, with the ability to create a basic using it.

Format: Lecture/Lab

Prerequisites: Experience with an object oriented programming language, such as Java or C#

Target Audience: This course is open to all MITRE technical staff.

Length: 2 Days (14 Hours)

Schedule: 11-Feb-2015 - 12-Feb-2015 (8:30 - 4:30)

Instructor: Andy is an architect and developer on popHealth, a Ruby-based open source platform for calculating clinical quality measures. The design of popHealth allows the to calculate quality measures for very large groups of patients in an easily scalable fashion. Andy is Technical Lead of the current effort to deploy a popHealth prototype installation at VA.

Andy holds a BS in Electrical Engineering from Eastern Nazarene College and an MS in Computer Systems Engineering from Boston University.

TPL482: JSON and JSON Schema

Course Description: JSON is a data format that is increasingly being used for data exchanges due to its compactness. JSON Schema is a simple, powerful schema language for validating JSON-formatted data. In this course you will learn the JSON data format and you will learn the JSON Schema language. You will learn how to write JSON documents. You will learn how to create JSON Schemas and validate JSON documents against JSON Schemas.

Format: Lecture/Lab

Prerequisites: None

Target Audience: All MITRE Staff

Length: Two Days

Schedule: 3-Feb-2015 - 4-Feb-2015 (8:00 - 4:00)

Instructor: Roger Costello ([email protected]) is a lead staff in E54C, Agile and Adaptive Software Engineering. He has worked extensively in the Internet technologies area. Roger has been actively involved with XML and the entire family of XML technologies for several years. Roger has created and taught over a dozen different courses on the XML technologies and is regularly invited to talk at XML conferences. He has traveled to many of the MITRE sites around the world, providing XML training. Roger is regularly invited to teach XML courses to the Boston chapter of the IEEE.

As well as XML training, Roger consults for numerous MITRE projects that are using XML technologies. He has a Ph.D. in Computer Science from Ohio State University.

SV066: Linux/Unix Security

Course Description: This course is a hands-on introduction to Linux/Unix security fundamentals that are critical to cyber security. Curriculum will start from basic host security, working up to Security-Enhanced Linux (SELinux) and Mandatory Access Control (MAC) configuration. This course will be designed to fill in knowledge gaps for attendees. Attendees with all levels of technical backgrounds will benefit from this class.

Critical components include audit configuration, data encryption, securely managing system resources, kernel security and managing privileges. Each component will be examined on both Linux based systems (CentOS) and Unix/BSD based systems (FreeBSD) to further enhance the learning process by showing different ways to address similar problems.

The class will incorporate hands-on exercises and labs. Students will gain an understanding of host based security configuration concepts. These concepts will be demonstrated by student labs based on common misconfigurations that students must address by applying concepts learned throughout the class. The class will culminate when students are asked to secure a system that has been preconfigured with bugs that have been stacked to form an insecure user environment.

It is expected that attendees will have knowledge in one or more topics covered in the class. This class is meant to fill in gaps and allow students to build on their previous knowledge to become more technically skilled cyber security professionals. Solid foundational knowledge will allow students to easily understand more advanced topics. The technical confidence students will gain in this class will allow them to quickly tackle technical hurdles in their day-to-day work. We need more "ninjas" in MITRE tech centers, who are not intimidated by the unknown, and have a broad technical background, enabling them to overcome adversity to solve critical cyber security problems.

Course Objectives:

• Introduce Linux host based security
• Review security options available to a Linux/Unix host
• Review auditing options available to a Linux/Unix host
• Learn fundamentals of Mandatory Access Control (MAC)
• Learn how to implement privilege separation for users and processes
• Understand security implications of default Linux/Unix configurations
• All attendees will apply all knowledge through lab exercises during the course

Format: Lab

Prerequisites: Minimal networking, system administration, and/or cyber security knowledge.

Target Audience:

• Junior tech staff
• Senior tech staff that have found themselves working in a lab
• Engineers changing disciplines to cyber security
• Engineers in other fields supporting cyber work

Length: 2 Days (14 Hours)

Schedule: February 5-6, 2015 (8:30-4:30)

Instructor: Derek Anderson ([email protected]) is a Lead Cyber Security Engineer in Department J83C - Army/Navy Security. He supports various customers performing vulnerability assessments and prototype development. Previous to MITRE, he worked in a world-class managed security service SOC as a Security Analyst. Derek holds a BS in Information Technology from Rochester Institute of Technology and is currently enrolled in a Masters program in Information Assurance at Capitol College.

TSV436: Secure Code Review

Course Description: This course is designed to help developers bring a secure coding mindset into typical project peer reviews. The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. How to perform this review is discussed and how to keep secure coding a priority during the review is stressed. A variety of hands-on exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time.

Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl will be used for the hands-on exercises; however, every attempt will be made to generalize the code so that anyone with an understanding of a coding language will be comfortable.

Course Objectives:

• Describe how peer reviews fit into the software development process
• Start a peer review and gain the necessary background about the code
• Identify techniques for making sense of a large amount of code
• Review common secure coding mistakes
• Create report findings that go back to the developer

Format: Lecture plus team exercises

Prerequisites: TSV100 Introduction to Secure Coding

Target Audience: Developers

Length: One day (7 hours)

Schedule: 29-Jan-2015 (Session 0005)

Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in support of both MITRE internal and its Government sponsors. His experience and technical expertise is in the areas of code development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the MITRE Community.
