Certified Application Security Engineer Java (CASE JAVA)

Overview:

The Certified Application Security Engineer (CASE) credential was developed in partnership with application and software development experts globally.

The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.

The CASE certified training program was developed to prepare software professionals with the capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security training course to teach software professionals to create secure applications.

The training program encompasses security activities involved in all phases of the secure SDLC: planning, creating, testing, and deploying an application.

Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in the post development phases of application development.

This makes CASE one of the most comprehensive application security certifications for secure software development on the market today. It’s desired by software application engineers, analysts, and testers from around the world and is respected by hiring authorities.

Duration:

24 hours.

Objectives:

After completing this course, students will be able to:

- In-depth understanding of secure SDLC and secure SDLC models

- Knowledge of OWASP Top 10, threat modelling, SAST and DAST

- Capturing security requirements of an application in development

- Defining, maintaining, and enforcing application security best practices

- Performing manual and automated code review of application

- Conducting application security testing for web applications to assess the vulnerabilities

- Driving development of a holistic application security program

- Rating the severity of defects and publishing comprehensive reports, detailing associated risks and mitigations

- Working in teams to improve security posture

- Application security scanning technologies such as AppScan, Fortify, WebInspect, static application security testing (SAST), dynamic application security testing (DAST), single sign on, and encryption

- Following secure coding standards that are based on industry-accepted best practices such as

- OWASP Guide, or CERT Secure Coding to address common coding vulnerabilities.

- Creating a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD)

Intended Audience:

- Java Developers with a minimum of 2 years of experience and individuals who want to become application security engineers, analysts, or testers.

- Individuals involved in the role of developing, testing, managing, or protecting applications

Course outlines:

1. Understanding Application Security, Threats, and Attacks

After completing this course, students will be able to:

Understand the need and benefits of application security
Demonstrate the understanding of common application-level attacks
Explain the causes of application-level vulnerabilities
Explain various components of comprehensive application security
Explain the need and advantages of integrating security in Software Development Life Cycle (SDLC)
Differentiate functional vs security activities in SDLC
Explain Microsoft Security Development Lifecycle (SDL)
Demonstrate the understanding of various software security reference standards, models, and frameworks

2. Security Requirements Gathering

After completing this course, students will be able to:

Understand the importance of gathering security requirements
Explain security requirement Engineering (SRE) and its phases
Demonstrate the understanding of Abuse Cases and Abuse Case Modeling
Demonstrate the understanding of Security Cases and Security Case Modeling
Demonstrate the understanding of Abuser and Security Stories
Explain Security Quality Requirement Engineering (SQUARE) model
Explain Operationally Critical Threat Asset, and Vulnerability Evaluation (OCTAVE) Model

3. Secure Application Design and Architecture

After completing this course, students will be able to:

Understanding the importance of secure application design
Explain various secure design principles
Demonstrate the understanding of threat modeling
Explain threat modeling process
Explain STRIDE and DREAD Model
Demonstrate the understanding of Secure Application Architecture Design

4. Secure Coding Practices for Input Validation

After completing this course, students will be able to:

Understand the need of input validation
Explain data validation techniques
Explain data validation in strut framework
Explain data validation in Spring framework
Demonstrate the knowledge of common input validation errors
Demonstrate the knowledge of common secure coding practices for input validation

5. Secure Coding Practices for Authentication and Authorization

After completing this course, students will be able to:

Understand authentication concepts
Explain authentication implementation in Java
Demonstrate the knowledge of authentication weaknesses and prevention
Understand authorization concepts
Explain Access Control Model
Explain EJB authorization
Explain Java Authentication and Authorization (JAAS)
Demonstrate the knowledge of authorization common mistakes and countermeasures
Explain Java EE security
Demonstrate the knowledge of authentication and authorization in Spring Security Framework
Demonstrate the knowledge of defensive coding practices against broken authentication and authorization

6. Secure Coding Practices for Cryptography

After completing this course, students will be able to:

Understanding fundamental concepts and need of cryptography in Java
Explain encryption and secret keys
Demonstrate the knowledge of cipher class implementation
Demonstrate the knowledge of digital signature and its implementation
Demonstrate the knowledge of Secure socket Layer (SSL) and its implementation
Explain Secure Key Management
Demonstrate the knowledge of digital certificate and its implementation
Demonstrate the knowledge of Hash Implementation
Explain Java Card Cryptography
Explain Crypto Module in Spring Security
Demonstrate the understanding of Do’s and Don’ts in Java Cryptography

7. Secure Coding Practices for Session Management

After completing this course, students will be able to:

Explain various session management Java
Demonstrate the knowledge of session management in Spring framework
Demonstrate the knowledge of session vulnerabilities and their mitigation techniques
Demonstrate the knowledge of best practices and guidelines for secure session management

8. Secure Coding Practices for Error Handling

After completing this course, students will be able to:

Explain Exception and Error Handling in Java
Explain erroneous exceptional behaviors
Demonstrate the knowledge of do’s and don’ts in error handling
Explain Spring MVC error handling
Explain Exception Handling in struts2
Demonstrate the knowledge of best practices for error handling
Explain to Logging in Java
Demonstrate the knowledge of Log4j for logging
Demonstrate the knowledge of coding techniques for secure logging
Demonstrate the knowledge of best practices for logging

9. Static and Dynamic Application Security Testing (SAST & DAST)

After completing this course, students will be able to:

Understanding Static Application Security Testing (SAST)
Demonstrate the knowledge of manual secure code review techniques for most common vulnerabilities
Explain Dynamic Application Security testing
Demonstrate the knowledge of automated application vulnerability scanning tools to DAST
Demonstrate the knowledge of proxy-based security testing tools to DAST

10. Secure Deployment and Maintenance

After completing this course, students will be able to: