2. SECURITY EDUCATION CATALOGUE
INTRODUCTION
The human factor—what employees do or don’t do—is the biggest
threat to an organization’s information security, yet it’s often the most
overlooked. Whether they are swiping credit cards, handling clients’
personal information, or developing software solutions for your
business, your employees are ripe targets for information thieves
seeking access to your sensitive data—if you do not help them learn to
protect it. Arm yourself with security education for staff and partners.
Use this catalogue to browse Trustwave’s security education offerings,
including security awareness training for all staff and secure software
development courses for technical staff. If you have questions, reach
out to your Trustwave account manager or use the “Contact Us” section
of the Trustwave website.
4. SECURITY EDUCATION CATALOGUE
Security Awareness Education (SAE)
Every Trustwave Security Awareness Education (SAE) program is
customized for you, the client. Your options include how your online security
awareness training course will be set up and what additional print-based
materials you would like to order to reinforce your program all year round.
This section is designed to help guide you through these options and choose
the program that is right for you and your organization.
SAE Course Catalogue
Use these pages to browse our growing library of security awareness lessons. Categorized by areas of interest, each
lesson’s catalogue code, topic and objectives are listed here to help you decide which topics are most appropriate for
your target audience(s). Most lessons are available in English, Spanish, Portuguese, French and Swedish. You may
also view all of our lessons in the Trustwave SAE Portal itself - contact your Trustwave account manager if you would
like to receive a free trial account on our service.
SAE Custom Course Builder
This page lists the lessons included in each of our course offerings for the most common types of organizational roles
targeted for security awareness training. If these combinations don’t fit your organization’s needs just right, or you’d like
to include additional materials such as quizzes or your organization’s own information security policies as part of the
course, use the interactive spaces at the bottom of the page to identify the contents of the course(s) you would like us
to build.
SAE Pamphlets
Do you employ cashiers and servers who do not have ready access to computers at work? Do you hire temporary
workers whose schedules don’t allow much time for training? No problem. Instead of enrolling this population in our
online service, you can order our security awareness training pamphlets suitable for front-line workers. The content
of the brochures is the same as what is included in our online course. Pamphlets are currently available in English,
Spanish and Portuguese.
SAE Posters
Often, organizations administer a formal security awareness training only once per year. Including SAE posters in your
office environment helps keep employees aware of their security responsibilities year-round.
2
5. SAE Course Catalogue
Each course in your Security Awareness Education (SAE) program can be comprised of one or more of the following lessons. Use this guide to
identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial account on the
Trustwave SAE Portal, contact your Trustwave account manager for more information.
Compliance Overviews
COM lessons cover the basic principles of various compliance standards mandating training and other information security measures.
Lesson Name
Lesson Objectives
COM-01
PCI Overview
Recognize how the Payment Card Industry (PCI)
self-regulates to protect cardholder data.
• Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications.
• Recognize the cycle of a credit card transaction.
• Describe the PCI regulatory environment and recognize high level compliance requirements.
COM-02
HIPAA Overview
Recognize how U.S. HIPAA and HITECH laws
protect the privacy and security of protected
health information (PHI).
• Recognize key HIPAA and HITECH stakeholders.
• Recognize the purpose and scope of HIPAA privacy and security rules.
• Describe the HIPAA regulatory environment and recognize high level compliance requirements.
#
Core Concepts
#
COR-01
COR-02
Supporting Objectives
COR lessons cover basic security awareness concepts that all employees should understand. We recommend including these 5-minute lessons for all your staff.
Lesson Name
Lesson Objectives
Introduction to Security
Awareness
Demonstrate basic knowledge of security
awareness.
• Define security awareness and recognize the importance of protecting information.
Social Engineering
Define social engineering and recognize common
threats to information security and how to avoid
becoming a victim.
• Define social engineering, recognize who is at risk of becoming victims and list the types of information
targeted by social engineers.
• List the most common channels for social engineering, and recognize popular ploys.
• List best practices to avoid becoming a victim of social engineering.
SECURITY AWARENESS TOPICS
Supporting Objectives
SAT lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities.
#
Lesson Name
Lesson Objectives
SAT-01
Physical Security
Define physical security, recognize common
threats and list best practices.
• Define physical security, recognize the importance of physical security and list the information at risk.
• Recognize common attacks on physical security.
• Recognize physical security vulnerabilities and best practices for securing your workplace.
PC Security
Define PC security, recognize common threats
and list best practices.
• Define PC security and recognize the risks of leaving your computer unprotected.
• List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and
systems at risk.
• List and describe critical PC security measures and best practices.
Email Security
Define email security, recognize common threats
and list best practices.
• Define email security and recognize the risk to information security if secure email practices are not in
place.
• Recognize the most common email scams and the measures you can take to avoid becoming a victim.
• List best practices for using email securely.
SAT-02
SAT-03
Supporting Objectives
3
6. SECURITY EDUCATION CATALOGUE
#
Lesson Name
Lesson Objectives
SAT-04
Password Security
Define password security, recognize common
threats and list best practices.
• Define password security and recognize the importance of keeping passwords protected.
• List the ways password protection may be used to keep information secure.
• List basic rules for building a strong password and recognize best practices for effective password use.
SAT-05
HIPAA Overview
Define Web browsing security, recognize
common threats and list best practices.
• Define Web browsing security and recognize the risks of visiting unknown and unsecure websites.
• List the most common Web security threats and recognize how you may put your organization’s
information at risk.
• List and describe best practices for browsing the Web securely.
SAT-06
Mobile Device Security
Define mobile device security, recognize common
threats and list best practices.
• Define mobile device security and recognize the risks of leaving your device unprotected.
• Recognize common mobile device attacks and user mistakes that put information at risk.
• List and describe common mobile device security measures.
BEST PRACTICES FOR JOB ROLES
Supporting Objectives
JRT lessons target specific job roles within an organization. Each course may contain one JRT lesson to cover best practices for the target role.
Lesson Name
Lesson Objectives
JRT-01
Secure Practices for
Retail Associates
Recognize the security awareness responsibilities
of retail associates and the laws, regulations,
methods and best practices that help keep
information secure in the retail environment.
• Recognize the information security responsibilities of retail associates and the related laws and
regulations that impact the retail environment.
• List and describe information security responsibilities and best practices of retail associates.
JRT-02
Secure Practices for
Retail Managers
Recognize the security awareness
responsibilities of retail managers and the laws,
regulations, methods and best practices that help
keep information secure in the retail environment.
• Recognize the security responsibilities of retail managers or owners and the information security laws
and regulations that impact the retail environment.
• List and describe information security responsibilities and best practices of retail managers.
JRT-03
Secure Practices for
Call Center Employees
Recognize the security awareness
responsibilities of call center employees and the
laws, regulations, methods and best practices
that help to keep information secure.
• Recognize the information security laws and regulations that impact the call center environment.
• Recognize the responsibility of call center employees to protect the information they work with each day.
• List and describe the information security responsibilities and best practices of call center employees.
JRT-04
Secure Practices for
Call Center Managers
Recognize the security awareness responsibilities
of call center managers and the laws, regulations,
methods and best practices that help keep
information secure in the call center.
• Recognize the information security responsibilities of call center managers and the related laws and
regulations that impact the call center environment.
• List and describe information security responsibilities and best practices of call center managers.
JRT-05
Secure Practices for
Enterprise Employees
Recognize the security awareness
responsibilities of enterprise employees and the
laws, regulations, methods and best practices
that help keep information secure.
• Recognize the security responsibilities of enterprise employees and the information security laws and
regulations that impact the enterprise environment.
• List and describe information security responsibilities and best practices of enterprise employees.
Secure Practices for IT
and Engineering Staff
Recognize the security awareness
responsibilities of IT and engineering staff and
the laws, regulations, methods and best practices
that help keep information secure.
• Recognize the information security-related laws and regulations that impact the IT and application
development environment and the responsibility of personnel to protect the information they work with
each day.
• List and describe the information security responsibilities of IT and engineering staff.
• List best practices for IT and engineering staff to help keep information secure.
#
JRT-06
4
Supporting Objectives
7. ADVANCED SECURITY TOPICS
#
Lesson Name
ADV lessons cover a wide range of topics for managers and technical personnel.
Lesson Objectives
Supporting Objectives
ADV-01
PCI Forensic
Investigations
Recognize how the PCI forensic investigation
process works and identify how a breach is
discovered, investigated and remediated.
• Identify common ways breaches are discovered and the high level steps employees should take if a
breach is discovered.
• Describe the Trustwave PCI forensic investigation process and a breached organization’s responsibility
to report and remediate security deficiencies.
• Recognize common security threats and the importance of continuous compliance to protect against
them.
ADV-02
Exploring Security
Trends
Recognize key findings of Trustwave’s annual
Global Security Report and list ways to improve
security this year based on last year’s trends.
• Recognize the purpose and contents of Trustwave’s Global Security Report.
• Recognize key findings of the current Global Security Report.
• List security best practices that help organizations avoid the security pitfalls of last year.
5
8. SECURITY EDUCATION CATALOGUE
Security Awareness Course Builder
Po
Do licy
cu
me
n
iz
Qu
AD
V-0
2
AD
V-0
1
JR
T-0
6
JR
T-0
5
JR
T-0
4
JR
T-0
3
JR
T-0
1
JR
T-0
2
BA
N01
BA
N0
BA 2
N03
SA
T-0
5
SA
T-0
6
SA
T-0
4
SA
T-0
3
SA
T-0
1
SA
T-0
2
R02
R01
CO
CO
M02
CO
CO
M01
t
This page lists the lessons included in our basic Security Awareness Education courses. These courses are targeted to
common roles that fit most organizations’ needs. Select the course(s) that fit your target audience(s) by clicking inside
the box beside it, or build your own course using the blank spaces below. Descriptions of each lesson in our library can
be found in the SAE Course Catalogue.
Security Awareness for
Retail Associates
Security Awareness for
Retail Managers
Security Awareness for
Call Center Employees
Security Awareness for
Call Center Managers
Security Awareness for
Enterprise Employees
Security Awareness for
IT and Engineering Staff
Security Awareness for
Health Care Workers
Security Awareness for
Bank Workers
Create your Own
6
Use this section to mix and match lessons to build up to five courses of your own. Just use the interactive checkboxes below to select course content.
9. SAE Print Material
POSTERS
Augment your Security Awareness Education with posters specific to your target audience. Click the check box to
select the poster(s) you want. Use the “total” field to specify how many of each poster you want. Posters are available
only in English. Contact your Trustwave account manager if you have questions.
Retail
Total:
Total:
Total:
Call Center
Total:
Total:
Total:
Office
Total:
Total:
Total:
Total:
Total:
Total:
Total:
Web
Total:
Total:
Total:
SAE Pamphlets
Trustwave’s SAE Pamphlets are perfect for employees who do not have ready
access to computers at work, or a lot of time to devote to training. The pamphlets can
be cobranded to include your logo and company name, and are available in English,
Spanish and Portuguese. Use the “total” field to specify how many pamphlets you
would like to order. Each pamphlet consumes a single SAE license.
Total:
7
10. SECURITY EDUCATION CATALOGUE
Banking Security
Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their
everyday financial needs. While you are taking steps to protect their customers from identity theft and financial crimes,
customers themselves must also implement security best practices when accessing online banking on their personal
or business computers. Providing resources to customers to educate them about best practices for securing their
information online demonstrates your commitment to securing your customers’ information, improves security for you
and your customers and helps satisfy FFIEC requirements for customer education.
BANKING SECURITY
BAN lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.
Lesson Name
Lesson Objectives
BAN-01
Online Banking Security
Recognize the risks and threats that come with
online banking, as well as the technology and
security best practices available to help combat
such threats.
• Recognize ways information is stolen from online accounts.
• Recognize the monetary risk of security incidents and the top attack targets used by criminals.
• Describe how banks and their customers work together to protect valuable information.
BAN-02
Protecting Online
Accounts for
Businesses
Recognize a business’s role in helping to secure
its own online systems and accounts, and identify
the security best practices businesses can follow
to do so.
• Recognize a business’s role in keeping their sensitive information secure online.
• List best practices for businesses to use to protect their sensitive information.
BAN-03
Protecting Online
Accounts for
Consumers
Recognize the individual’s role in helping to
secure their own online accounts, and identify
the security best practices individuals can follow
to do so.
• Recognize an individual consumer’s role in keeping their sensitive information secure online.
• List best practices consumers can use to protect their sensitive information.
#
8
Supporting Objectives
11. Secure Development Training (SDT)
Trustwave offers a suite of Web-based technical courses that introduce your
solution development staff to theory and best practices around planning and
writing secure code. You can choose to enroll employees in just one of the
courses that is most relevant to them, or to give them access to the full suite of
Secure Coding Design courses we offer. Whichever option you select, this
section will help you decide which course(s) are right for your staff.
Secure Development Course Catalogue
Use these pages to browse our library of Secure Development courses. Categorized by the stages of the software
development life cycle, each course’s catalogue code, topic and prerequisites (if any) are listed here to help you decide
which topics are most appropriate for your target audience(s).
Secure Development Course Builder
This page defines the course bundles available to SDT customers. Use this worksheet to note which courses you would like
to offer to your staff.
9
12. SECURITY EDUCATION CATALOGUE
SDT Course Catalogue
SECURITY AWARENESS AND PROCESS COURSES
#
Lesson Name
Lesson Objectives
Time
Supporting Objectives
AWA 101
Fundamentals of
Application Security
Upon course completion, students will be able to understand and recognize threats to
applications, leverage the OWASP top 10 list to create more secure Web applications and
conduct specific activities at each development phase to ensure maximum hardening of
your applications.
AWA 102
Protecting Online
Accounts for Businesses
By the end of this course, students will be familiar with the main characteristics of a secure
software development lifecycle and the activities that an organization should perform to
develop secure software. Additionally, students will recognize the need to address software
security in their everyday work.
1 hour
• Basic knowledge of software development
processes and technologies.
AWA 103
Six Fundamentals of
Information Security
By the end of this course, students will be familiar with the main characteristics of a secure
software development lifecycle and the activities that an organization should perform to
develop secure software. Additionally, students will recognize the need to address software
security in their everyday work.
1 hour
• None
AWA 104
Fundamentals of the
PCI-DSS
This course is designed to meet the PCI-DSS requirement and will provide such
awareness as well as an basic understanding of each of the PCI-DSS requirements
addressing cardholder data security.
1 hour
• None
AWA 105
Fundamentals of Security
Awareness - Mobile and
Social Media
This security awareness course focuses on how sensitive data and confidential information
can be compromised with the use of social media and mobile devices by today’s work
force. Using a fun and interactive computer based format, the viewer is made aware of the
risks associated with these technologies, and how to use them safely.
30 minutes
• None
2 Hours
• Understanding of the software development
lifecycle and technologies; basic understanding
of software security.
SECURITY ENGINEERING COURSES
#
Lesson Name
Lesson Objectives
Time
Supporting Objectives
ENG 102
Introduction to the
Microsoft SDL
The goal of this course is to help students understand and identify the Security
Development Life Cycle (SDL) requirements for building and deploying secure software
applications. The course demonstrates the benefits teams gain by following the SDL, and it
provides managers with information regarding their role and responsibilities in ensuring the
team follows the SDL.
ENG 201
SDLC Gap Analysis and
Remediation Techniques
Upon completion of this course, the participant will be able to identify the benefits of the
Security Development Lifecycle, recognize the importance of the Final Security Review,
follow the necessary steps to meet SDL requirements and identify the appropriate tools
required by the SDL.
1 hour
• Knowledge of the software development
lifecycle.
ENG 211
How to Create
Application Security
Design Requirement
This course provides an understanding of the goals, processes and best practices
for auditing software security processes within the context of the Microsoft Security
Development Life Cycle.
45 minutes
• Introduction to the Microsoft SDL (ENG 102),
Fundamentals of Application Security (AWA 101).
ENG 301
How to Create an
Application Security
Threat Model
This course provides an understanding of the goals, processes and best practices
for auditing software security processes within the context of the Microsoft Security
Development Life Cycle.
1 hour
• Fundamentals of Application Security (AWA 101).
10
1 hour
• Knowledge of the software development
lifecycle.
13. ENG 311
Attack Surface Analysis
and Reduction
In this course, students will learn to identify the goals of threat modeling and the
corresponding SDL requirements, identify the roles and responsibilities involved in the
threat modeling process, recognize when and what to threat model and identify the tools
that help with threat modeling. Students will also learn to use the threat modeling process
to accurately identify, mitigate and validate threats.
ENG 312
How to Preform a
Security Code Review
Course provides an understanding of the goals and methodologies of attackers,
identification of attack vectors and how to minimize the attack surface of an application.
ENG 391
How to Create an
Application Security
Threat Model for
Embedded Systems
This course provides students with guidance on how to best organize code reviews,
prioritize those code segments that will be reviewed, best practices for reviewing source
code and maximize security resources.
1 hour
• Fundamentals of Secure Architecture
(DES 101), How to Create Application Security
Design Requirements (ENG 211), How to Create
an Application Security Threat Model (ENG 301),
Creating Secure Code – ASP.Net (COD 311) OR
C/C++ (COD 312) OR J2EE (COD 313).
ENG 392
Attack Surface Analysis
and Reduction for
Embedded Systems
This course module provides additional training on How to Create an Application Security
Threat Model of particular importance to embedded software engineers. It includes
mapping of content to specific compliance and regulatory requirements, links to key
reference resources that support the topics covered in the module and a “Knowledge
Check” quiz that assesses mastery of key concepts.
30 minutes
• How to Create an Application Security Threat
Model (ENG 301).
ENG 393
How to Perform a
Security Code Review for
Embedded Systems
This course module provides additional training on Attack Surface Analysis and Reduction
of particular importance to embedded software engineers.
30 minutes
• Attack Surface Analysis and Reduction
(ENG 311).
Secure DESIGN
#
1 hour
• Fundamentals of Secure Development
(COD 101), Architecture Risk Analysis and
Remediation (DES 212).
1 hour
• Fundamentals of Secure Development
(COD 101), Architecture Risk Analysis and
Remediation (DES 212).
DES courses cover topics in secure software architecture and design, to help plan security into applications before any code is written.
Lesson Name
Lesson Objectives
Time
Supporting Objectives
DES 101
Fundamentals of Secure
Architecture
Understand the state of the software industry from a security perspective, by learning from
past software security errors and how to avoid repeating those mistakes. They will also be
able to recognize and use confidentiality, integrity and availability (CIA) as the three main
tenets of information security.
DES 211
OWASP Top 10 - Threats
and Mitigations
Recognize best practices for understanding, identifying and mitigating the risk of
vulnerabilities and attacks within the OWASP Top 10.
2 hour
• None
DES 212
Architecture Risk Analysis
and Remediation
Recognize concepts, methods and techniques for analyzing the architecture and design of
a software system for security flaws.
1 hour
• Fundamentals of Secure Architecture (DES 101).
DES 213
Introduction to Security
Tools and Technologies
This course is designed to educate architects and developers on the technologies available
to create more secure systems.
2 hour
• Fundamentals of Security Testing (TST 101).
DES 301
Introduction to
Cryptography
Recognize the problems that cryptography can address, the threats that apply to two
communicating parties, the appropriate cryptographic solutions to mitigate these threats, and
how to describe the mechanisms behind cryptographic protocols. Learners will also be able
to recognize how to follow cryptographic best practices and locate cryptography resources.
1 hour
• Fundamentals of Secure Development
(COD 101).
• Architecture Risk Analysis and Remediation
(DES 212).
DES 311
Creating Secure
Application Architecture
Recognize key security principles that can be used to improve the security of application
architecture and design. Demonstrate how to apply defenses to harden applications and
make them more difficult for intruders to breach, reducing the amount of damage an
attacker can accomplish.
2 hours
1 hour
• None
• Fundamentals of Secure Architecture (DES 101).
• Architecture Risk Analysis and Remediation
(DES 212).
11
14. SECURITY EDUCATION CATALOGUE
Secure Coding
#
COD courses cover security topics in the implementation stage of the software development life cycle, when code is actually being written.
Lesson Name
Lesson Objectives
Time
Supporting Objectives
COD 101
Fundamentals of Secure
Development
Recognize the latest trends in software security, as well as the importance of software
security for business. Demonstrate how to perform threat modeling to identify threats
proactively, create threat trees for application components, use threat tress to find and
classify vulnerabilities and perform risk analysis and prioritize security fixes.
COD 110
Fundamentals of Secure
Mobile Development
This course introduces some of the common mobile application risks and the best
development practices that you should follow for development to overcome risks. The
course also explains how to create a mobile application threat model.
2 hours
• None
COD 111
Fundamentals of Web
2.0 Security
This course introduces you to the fundamentals of secure Web 2.0 development. The
course begins with a discussion about Web 2.0, its evolution, and the technologies
behind it. The course describes common Web 2.0 attacks that can cause significant loss
to organizations. It reviews the best practices that you should incorporate to mitigate the
risks from Web 2.0 attacks, as well as practices to avoid. The course concludes with a
walk-through of a software system scenario that can help you better understand Web 2.0
attacks and apply the best practices discussed in the course.
2 hours
• None
COD 201
Fundamentals of Secure
Database Development
This course will demonstrate database development best practices for software architects
and developers.
2 hours
• Fundamentals of Secure Development
(COD 101).
COD 211
Understanding Secure
Code - JRE
Recognize and remediate common Java Web software security vulnerabilities. Define data
leakage, injection attacks, client/server protocol manipulation attacks, and authentication
exploitations and mitigate these security vulnerabilities.
1 hour
• Fundamentals of Secure Development
(COD 101).
COD 212
Understanding Secure
Code - C/C++
Recognize how to write secure code in C/C++ for Windows and Unix platforms, robust
code development and secure socket programming. Demonstrate how to apply time-tested
defensive coding principles to develop secure applications. Recognize the nine defensive
coding principles and how to use them to prevent common security vulnerabilities.
75 minutes
• Fundamentals of Secure Development
(COD 101).
COD 213
Understanding Secure
Code - Windows 7
Define Windows 7 security features and build applications that leverage Windows 7’s builtin security mechanisms.
2 hours
• Basic knowledge of Windows programming and
memory management, and knowledge of basic
security features of Windows versions prior to
Windows 7.
Understanding Secure
Code - .NET 4.0
Recognize .NET 4.0 security features, including concepts such as Code Access Security
(CAS) and .NET cryptographic technologies. Recognize security changes in .NET 4.0
including level 2 security transparency, the new sandboxing and permission model,
introduction of conditional APTCA and changes to evidence objects and collections. Define
secure coding best practices that will enable students to build more secure applications in
.NET 4.0.
2 hours
• Fundamentals of Secure Development
(COD 101).
COD 215
12
1 hour
• None
15. #
Lesson Name
Lesson Objectives
Time
Supporting Objectives
COD 216
Understanding Secure
Code - NET 2.0
Define .NET 2.0 security features, including concepts such as Code Access Security (CAS)
and .NET cryptographic technologies. Recognize secure coding best practices that will
enable students to build more secure applications in .NET 2.0.
2 hours
• Fundamentals of Secure Development
(COD 101).
COD 217
Creating Secure Code iPhone Foundations
Learn to develop and deploy secure iPhone applications by leveraging Apple’s security
services and following Web application secure coding best practices.
1 hour
• Fundamentals of Secure Mobile Development
(COD 110).
COD 218
Creating Secure Code Android Foundations
Learn to develop secure Android applications by applying Android-specific secure
development best practices and techniques. The course emphasizes key Android security
features that can help you prevent common application vulnerabilities.
90 minutes
• Fundamentals of Secure Mobile Development
(COD 110).
COD 221
Web Vulnerabilities Threats and Mitigations
Recognize, avoid and mitigate the risks posed by Web vulnerabilities. Define the most
common and recent attacks against Web-based applications, such as cross-site scripting
attacks and cross-site request forgery attacks. Demonstrate how to avoid and/or mitigate
Web vulnerabilities using real-world examples.
1 hour
• Creating Secure Code – J2EE Web Applications
(COD 313) OR Creating Secure Code – ASP.
NET (COD 311).
COD 222
PCI Best Practices for
Developers
Recognize application security issues within the PCI DSS and best practices for
addressing each requirement. Recognize how addressing the PCI DSS requirements
during the design and build stages of the development life cycle will improve application
security and will simplify compliance.
1 hour
• Fundamentals of Secure Architecture (DES 101).
COD 231
Introduction to CrossSite Scripting - With JSP
Examples
Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site
scripting vulnerabilities and their consequences, and apply secure coding best practices to
prevent cross-site scripting vulnerabilities.
20 minutes
• Basic knowledge of Web technologies, and Java
Server Pages (JSP).
COD 232
Introduction to Cross-Site
Scripting - With ASP.NET
Examples
Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site
scripting vulnerabilities and their consequences and apply secure coding best practices to
prevent cross-site scripting vulnerabilities.
20 minutes
• Basic knowledge of Web technologies, and Java
Server Pages (JSP).
Creating Secure Code ASP .NET
Demonstrate the development of secure web applications in C#. Recognize common web
application vulnerabilities and demonstrate ways to avoid those vulnerabilities in C# code.
In the hands-on section, students will discover the vulnerabilities for themselves and find
ways to address them, greatly enhancing the security of their code. Upon completion of
this class, participants will be able to recognize the need to follow secure coding best
practices, follow secure coding best practices and locate additional resources on secure
coding best practices for ASP.NET.
4 hours
• Understanding Secure Code - .Net 4.0
(COD 215).
Creating Secure Code C/C++
Define application security risks and secure coding standards for C and C++ applications,
and the different types of errors that can be introduced while coding. Recognize the
importance of detecting these errors and remediating them as early as possible to avoid
security issues. Define real-world best practices and techniques, and static analysis tools
to detect and resolve security vulnerabilities in code.
90 minutes
• Understanding Secure Code – C/C++
(COD 212).
COD 311
COD 312
13
16. SECURITY EDUCATION CATALOGUE
#
Lesson Name
Lesson Objectives
Time
Supporting Objectives
COD 313
Create Secure Code J2EE Web Applications
Demonstrate development of secure web applications in Java. Recognize common web
application vulnerabilities and define ways to avoid those vulnerabilities in Java code. In
the hands-on section, students will discover the vulnerabilities themselves and find ways to
address them, greatly enhancing the security of their code. Upon completion of this course,
participants will be able to recognize why software security matters to their business,
recognize the root causes of the more common vulnerabilities, identify the symptoms of
common vulnerabilities and use security best practices to prevent common vulnerabilities.
COD 314
Creating Secure C#
Code
This course will provide a deep understanding of application security risks and secure
coding standards for C# applications. The main lesson guides students through the
concepts underlying the coding principles and illustrates real-world best practices and
techniques and the labs allow students to test what they have learned
3 hours
• Understanding Secure Code - .NET 4.0
Foundations (COD 215)
COD 315
Creating Secure PHP
Code
This course introduces best practices for developing secure PHP code. The course also
identifies common PHP vulnerabilities that attackers can exploit to gain access to critical
information. In addition, the course explains mitigation techniques that you can use to avoid
common PHP vulnerabilities and write secure code.
2 hours
• Fundamentals of Secure Development
(COD101)
COD 321
Creating Secure Code Oracle Foundations
This course provides the student with an understanding of the scope and requirements of
database security as well as the risks presented by insecure database applications. After
taking this course, the student will be able to understand the risks to database applications;
apply security best practices when developing database applications; understand common
database attacks; code applications with countermeasures to common database attacks.
2 hours
• Fundamentals of Secure Database Development
(COD 201)
COD 322
Creating Secure Code SQL Server Foundations
This course provides the student with an understanding of the scope and requirement of
database security as well as the risks presented by unsecure database applications. After
taking this course, the student will be able to understand the risks to database applications;
apply security best practices when developing database applications; understand common
database attacks; code applications with countermeasures to common database attacks.
90 minutes
• Fundamentals of Secure Database Development
(COD 201)
COD 411
Integer Overflows
- Attacks and
Countermeasures
An integer overflow is a programming error that can severely impact a computer system’s
security. Due to the subtlety of this bug, integer overflows are often overlooked during
development. This course covers the security concepts, testing techniques and best
practices that will enable students to develop robust applications that are secure against
integer overflow vulnerabilities.
1 hour
• Basic understanding of the C, C++, and C#
programming languages.
COD 412
Buffer Overflows
- Attacks and
Countermeasures
Recognize how to avoid and mitigate the risks posed by buffer overflows. Recognize
protections provided by the Microsoft complier and the Windows operation system, and
advice on how to avoid buffer overflows during the design, development and verification
phase of the software development life cycle.
2 hours
• Basic knowledge of Windows programming and
memory management in Windows.
14
2 hours
• Understanding Secure Code – JRE (COD 211)
17. Security Testing
#
TST courses cover topics in testing software for security flaws and remediating defects before release.
Lesson Name
Lesson Objectives
Time
Supporting Objectives
Fundamentals of Security
Testing
Define security-testing concepts and processes that will help students analyze an
application from a security perspective and to conduct effective security testing. Recognize
different categories of security vulnerabilities and the various testing approaches that
target these classes of vulnerabilities. Several manual and automated testing techniques
are presented which will help identify common security issues during testing and uncover
security vulnerabilities.
2 hours
• None
TST 201
Classes of Security
Defects
Recognize how to create a robust defense against common security defects. Students will
learn why and how security defects are introduced into software, and will be presented with
common classes of attacks, which will be discussed in detail. Along with examples of real
life security bugs, students will be shown techniques and best practices that will enable the
team to identify, eliminate and mitigate each class of security defects. Additional mitigation
techniques and technologies are described for each class of security defect.
3 hours
• None
TST 211
How to Test for the
OWASP Top 10
The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security
flaws found in web applications. Recognize how these flaws occur and demonstrate testing
strategies to identify the flaws in web applications.
1 hour
• Fundamentals of Security Testing (TST 101)
TST 301
Software Testing - Tools
and Techniques
This course introduces the tools and techniques used during software security testing.
After taking this course, the student will be able to create a software security test plan;
decide which software security testing tools to use; know how to apply the testing tools;
understand and apply penetration testing techniques.
90 minutes
• None
TST 401
Advanced Software
Security Testing
Techniques
This course delves deeply into the techniques for testing specific security weaknesses.
After taking this course, the student will be able to understand the ten types of
attacks; know which tools to use to test for these attacks; test software applications for
susceptibility to the ten specific attacks; describe the expected mitigations required to
prevent these attacks.
2 hours
• Software Testing - Tools and Techniques (TST
301)
TST 411
Exploiting Buffer
Overflows
Recognize the threats posed by buffer-overflow exploits, and the mechanisms behind
exploitation of stack-based and heap-based buffer overflows. Define challenges faced by
exploit code and how different exploitation techniques overcome environmental limitations.
2 hours
• Creating Secure Code – C/C++ (COD 312)
TST 101
• Fundamentals of Security Testing (TST 101)
15
18. SECURITY EDUCATION CATALOGUE
Secure Development Course Bundles
Use this checklist to determine which course(s) you want to provide for your staff. Descriptions of each course in the
SDT library can be found in the SDT Course Catalogue on the previous pages. Custom bundles, consisting of up to six
(6) courses or twelve (12) hours of content, can be set up on request. Contact your Trustwave account representative if
you would like to configure a custom bundle.
Java Developer
PHP Developer
Project Manager
• AWA-101 Fundamentals of Application Security
• AWA-101 Fundamentals of Application Security
• ENG-101 Microsoft SDL for Managers
• COD-101 Fundamentals of Secure Development
• COD-101 Fundamentals of Secure Development
• COD-221 Web Vulnerabilities – Threats & Mitigations
• COD-221 Web Vulnerabilities – Threats & Mitigations
• ENG-201 SDLC Gap Analysis and Remediation
Techniques
• COD-211 Creating Secure Code – JRE Foundations
• COD-315 Creating Secure PHP Code
• COD-313 Creating Secure J2EE Code
.NET Developer
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• COD-221 Web Vulnerabilities – Threats & Mitigations
• COD-215 Creating Secure Code - .NET 4.0
Foundations (or .NET 2.0 version)
• COD-311 Creating Secure ASP.NET Code
C/C++ Developer
Mobile Applications
• AWA-105 Security Awareness – Mobile & Social
Media
• COD-110 Fundamentals of Secure Mobile
Development
• COD-217 Creating Secure Code – iPhone
Foundations
• COD-218 Creating Secure Code – Android
Foundations
Software Architect
• AWA-101 Fundamentals of Application Security
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• DES-101 Fundamentals of Secure Architecture
• COD-312 Creating Secure Code – C/C++
Foundations
• DES-212 Architecture Risk Analysis and Remediation
• COD-392 Creating Secure C/C++ Code
• DES-311 Creating Secure Application Architecture
• ENG-301 How to Create an Application Security
Threat Model
• ENG-311 Attack Surface Analysis and Reduction
16
• ENG-211 How to Create Application Security Design
Requirements
• COD-101 Fundamentals of Secure Development
• DES-101 Fundamentals of Secure Architecture
Test/QA
• TST-101 Fundamentals of Security Testing
• TST-201 Classes of Security Defects
• TST-211 How to Test for the OWASP Top 10
• TST-301 Software Security Testing – Tools &
Techniques
• TST-401 Advanced Software Security Testing