Building a Software Security Program On Open Source Tools
Trainer: Dan Cornell (Denim Group)
Duration: 2 days
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely available tools that can be used to implement the activities involved in such a program. The focus of the course is on hands-on demonstrations of the tools, with an emphasis on integrating tool results into the overall software security program. Featured tools include ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy and ThreadFix, as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program, as well as hands-on experience with a variety of freely available tools that they can use to implement portions of such a program.
Outline:
·    So You Want To Roll Out A Software Security Program?
·    The Software Assurance Maturity Model (OpenSAMM)
·    ThreadFix: Overview
·    Governance: Strategy and Metrics
o ThreadFix: Reporting
·    Governance: Policy and Compliance
·    Governance: Education and Guidance
o OWASP Development Guide
o OWASP Cheat Sheets
o OWASP Secure Coding Practices
·    Construction: Threat Assessment
·    Construction: Security Requirements
·    Construction: Secure Architecture
o ESAPI overview
o Microsoft Web Protection Library (Anti-XSS) overview
·    Verification: Design Review
o Microsoft Threat Analysis and Modeling Tool
·    Verification: Code Review
o FindBugs
o FxCop
o CAT.NET
o Brakeman
o Agnitio
·    Verification: Security Testing
o Arachni
o w3af
o ZAProxy
·    Deployment: Vulnerability Management
o ThreadFix: Defect Tracker Integration
·    Deployment: Environment Hardening
o Microsoft Baseline Security Analyzer (MBSA)
·    Deployment: Operational Enablement
o mod_security