The Information Assurance (STIG) Overview is a comprehensive two-day course that delves into the realm of Information Assurance, empowering you to enhance your cybersecurity skills, understand the essentials of STIGs, and discover cutting-edge web application security practices. The course focuses on the intricacies of best practices for design, implementation, and deployment, inspired by the diverse and powerful STIGs, ultimately helping participants become more proficient in application security. Throughout the course, you'll also explore the fundamentals of application security and development, including checklists, common practices, and secure development lifecycle (SDL) processes. You’ll learn from recent incidents and acquire actionable strategies to strengthen your project teams and IT organizations. You'll also have the opportunity to explore asset analysis and design review methodologies to ensure your organization is prepared to face future cybersecurity challenges.


* Actual course outline may vary depending on offering center. Contact your sales representative for more information.

Learning Objectives

Working in an interactive learning environment, guided by our application security expert, you'll explore:
The concepts and terminology behind defensive coding
Threat Modeling as a tool for identifying software vulnerabilities based on realistic threats against meaningful assets
The entire spectrum of threats and attacks that take place against software applications in today's world
The role that static code reviews and dynamic application testing play in uncovering vulnerabilities in applications
The vulnerabilities of programming languages as well as how to harden installations
The basics of Cryptography and Encryption and where they fit in the overall security picture
The fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
The requirements and best practices for program management as specified in the STIGs
The processes and measures associated with Secure Software Development (SSD)
The basics of security testing and planning

1  DISA'S SECURITY TECHNICAL IMPLEMENTATION GUIDES (STIGS)
  • The motivations behind STIGs
  • Requirements that the various software development roles must meet
  • Implementing STIG requirements and guidelines

2  WHY HUNT BUGS?
  • The Language of CyberSecurity
  • The Changing Cybersecurity Landscape
  • AppSec Dissection of SolarWinds
  • The Human Perimeter
  • Interpreting the 2021 Verizon Data Breach Investigation Report
  • First Axiom in Web Application Security Analysis
  • First Axiom in Addressing ALL Security Concerns
  • Lab: Case Study in Failure

3  SAFE AND APPROPRIATE BUG HUNTING/HACKING
  • Working Ethically
  • Respecting Privacy
  • Bug/Defect Notification
  • Bug Bounty Programs
  • Bug Hunting Mistakes to Avoid

4  PRINCIPLES OF INFORMATION SECURITY
  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

5  IDENTIFICATION AND AUTHENTICATION FAILURES
  • Applicable STIGs
  • Quality and Protection of Authentication Data
  • Proper hashing of passwords
  • Handling Passwords on Server Side
  • Session Management
  • HttpOnly and Security Headers
  • Lab: STIG Walk-Throughs

6  INJECTION
  • Applicable STIGs
  • Injection Flaws
  • SQL Injection Attacks Evolve
  • Drill Down on Stored Procedures
  • Other Forms of Server-Side Injection
  • Minimizing Injection Flaws
  • Client-side Injection: XSS
  • Persistent, Reflective, and DOM-Based XSS
  • Best Practices for Untrusted Data
  • Lab: STIG Walk-Throughs

7  APPLICATIONS: WHAT NEXT?
  • Common Vulnerabilities and Exposures
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations

8  CRYPTOGRAPHIC FAILURES
  • Applicable STIGs
  • Identifying Protection Needs
  • Evolving Privacy Considerations
  • Options for Protecting Data
  • Transport/Message Level Security
  • Weak Cryptographic Processing
  • Keys and Key Management
  • Threats of Quantum Computing
  • Steal Now, Crack Later Threat
  • Lab: STIG Walk-Throughs

9  APPLICATION SECURITY AND DEVELOPMENT CHECKLISTS
  • Checklist Overview, Conventions, and Best Practices
  • Leveraging Common AppSec Practices and Controls
  • Actionable Application Security
  • Additional Tools for the Toolbox
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
  • Lab: Recent Incidents

10  SDL OVERVIEW
  • Attack Phases: Offensive Actions and Defensive Controls
  • Secure Software Development Processes
  • Shifting Left
  • Actionable Items Moving Forward
  • Lab: Design Study Review

11  ASSET ANALYSIS
  • Asset Analysis Process
  • Types of Application-Related Assets
  • Adding Risk Escalators
  • Discovery and Recon

12  DESIGN REVIEW
  • Asset Inventory and Design
  • Assets, Dataflows, and Trust Boundaries
  • Risk Escalators in Designs
  • Risk Mitigation Options

Audience

This immersive experience is tailored for IT professionals, developers, project teams, technical leads, project managers, testing/QA personnel, and other key stakeholders who seek to expand their knowledge and expertise in the evolving cybersecurity landscape.

Language

English

Prerequisites

While specific prerequisites may vary depending on the course provider and the targeted audience, a general set of prerequisites for attending a course on Information Assurance and STIGs could include:
  • Basic understanding of information security concepts and terminology.
  • Familiarity with web application architecture and development.
  • Knowledge of networking and web protocols (e.g., HTTP, HTTPS, TCP/IP).
  • Experience with programming languages commonly used in web application development, such as JavaScript, Python, Java, or C#, is helpful but not required, as this is not a hands-on class.
  • A general understanding of operating systems, databases, and web servers.

$1,995

Length: 2.0 days (16 hours)

Course Schedule: Monday, 13 Nov, 10:00 AM ET - 6:00 PM ET (Filling Fast)