I. Tổng quan

Ngày nay rất nhiều hệ thống và ứng dụng được phát triển bới các ngôn ngữ phổ biến như Java và .NET. Khóa học thảo luận về các vấn đề liên quan đến việc phát triển các ứng dụng Java và .NET một cách bảo mật. Khóa học sẽ tập trung nhiều vào phần thực hành và bao hàm những chủ đề liên quan phát triển ứng dụng an toàn cho Java và .NET, thảo luận các lỗ hổng hay lỗi thường gặp khi lập trình và đề xuất các phương án khắc phục, nâng cao tính an toàn của hệ thống. Đây là khoá học được tổng hợp từ 2 khoá học CASE .NET và CASE .JAVA nổi tiếng của EC-Council.

II. Thời lượng: 5 ngày (40 giờ)

III. Hình thức đào tạo:

-          Đào tạo trực tiếp tại lớp học hoặc đào tạo tại văn phòng khách hàng theo yêu cầu.

IV. Mục tiêu:

Sau khi hoàn tất khóa học, học viên sẽ có khả năng:

-       Có khả năng suy nghĩ độc lập và hiểu biết về các vấn đề liên quan đến tính an toàn thông tin của hệ thống.

-       Học viện có khả năng nhận diện các lỗ hổng thường gặp và đề xuất các phương án giải quyết các lỗ hổng trên Java và .Net, tích hợp vào quá trình phát triển phần mềm an toàn.

-       Có khả năng phát triển các ứng dụng an toàn trên Java và .Net.

-       Kiến thức về Top 10 của OWASP

V. Đối tượng tham gia:

-       Học viên là lập trình viên Java và .Net muốn phát triển phần mềm Java và .Net an toàn hoặc các kỹ sư ATTT muốn tìm hiểu về ATTT trên Java và .Net.

-       Có kiến thức nền tảng Hệ Điều Hành, Mạng Máy Tính, Kiến Trúc Máy Tính.

-       Có khả năng đọc tài liệu tiếng Anh ở mức cơ bản (để tham khảo tài liệu)

-       Có khả năng sử dụng Linux cơ bản (không bắt buộc nhưng khuyến khích trang bị)

VI.  Nội dung khóa học:

1. Understanding Application Security, Threats, and Attacks

After completing this course, students will be able to:

• Understand the need and benefits of application security
• Demonstrate the understanding of common application-level attacks
• Explain the causes of application-level vulnerabilities
• Explain various components of comprehensive application security
• Explain the need and advantages of integrating security in Software Development Life Cycle (SDLC)
• Differentiate functional vs security activities in SDLC
• Explain Microsoft Security Development Lifecycle (SDL)
• Demonstrate the understanding of various software security reference standards, models, and frameworks

2. Security Requirements Gathering

After completing this course, students will be able to:

• Understand the importance of gathering security requirements
• Explain security requirement Engineering (SRE) and its phases
• Demonstrate the understanding of Abuse Cases and Abuse Case Modeling
• Demonstrate the understanding of Security Cases and Security Case Modeling
• Demonstrate the understanding of Abuser and Security Stories
• Explain Security Quality Requirement Engineering (SQUARE) model
• Explain Operationally Critical Threat Asset, and Vulnerability Evaluation (OCTAVE) Model

3. Secure Application Design and Architecture

After completing this course, students will be able to:

• Understanding the importance of secure application design
• Explain various secure design principles
• Demonstrate the understanding of threat modeling
• Explain threat modeling process
• Explain STRIDE and DREAD Model
• Demonstrate the understanding of Secure Application Architecture Design

4. Secure Coding Practices for Input Validation

4.1  NET

After completing this course, students will be able to:

• Understand the importance of robust input validation
• Demonstrate understanding of secure input validation techniques in Web Forms, ASP.NET Core and MVC
• Demonstrate the understanding of defensive coding techniques against SQL Injection attacks
• Demonstrate understanding of defensive coding techniques against Parameter Tampering attacks
• Demonstrate understanding of defensive coding techniques against Directory Traversal attacks
• Demonstrate understanding of defensive coding techniques against Open Redirect vulnerabilities

4.2 JAVA

After completing this course, students will be able to:

• Understand the need of input validation
• Explain data validation techniques
• Explain data validation in strut framework
• Explain data validation in Spring framework
• Demonstrate the knowledge of common input validation errors
• Demonstrate the knowledge of common secure coding practices for input validation

5. Secure Coding Practices for Authentication and Authorization

5.1 .NET

 After completing this course, students will be able to:

• Understand authentication and authorization issues
• Explain authentication and authorization in Web Forms
• Explain authentication and authorization in ASP.NET Core
• Explain authentication and authorization in MVC
• Demonstrate understanding authentication and authorization techniques in Web Forms
• Demonstrate understanding authentication and authorization techniques in ASP.NET Core
• Demonstrate understanding authentication and authorization techniques in MVC

5.2 JAVA

 After completing this course, students will be able to:

• Understand authentication concepts
• Explain authentication implementation in Java
• Demonstrate the knowledge of authentication weaknesses and prevention
• Understand authorization concepts
• Explain Access Control Model
• Explain EJB authorization
• Explain Java Authentication and Authorization (JAAS)
• Demonstrate the knowledge of authorization common mistakes and countermeasures
• Explain Java EE security
• Demonstrate the knowledge of authentication and authorization in Spring Security Framework
• Demonstrate the knowledge of defensive coding practices against broken authentication and authorization

6. Secure Coding Practices for Cryptography

6.1 .NET

After completing this course, students will be able to:

• Understanding cryptography in .NET
• Explain symmetric encryption
• Demonstrate the understanding of defensive coding practices using symmetric encryption.
• Explain asymmetric encryption
• Demonstrate the understanding of defensive coding practices using asymmetric encryption
• Explain Hashing
• Explain Digital Signatures
• Explain Digital Certificates
• Demonstrate the understanding of ASP.NET Core-Specific secure cryptography practices

6.2 JAVA

After completing this course, students will be able to:

• Understanding fundamental concepts and need of cryptography in Java
• Explain encryption and secret keys
• Demonstrate the knowledge of cipher class implementation
• Demonstrate the knowledge of digital signature and its implementation
• Demonstrate the knowledge of Secure socket Layer (SSL) and its implementation
• Explain Secure Key Management
• Demonstrate the knowledge of digital certificate and its implementation
• Demonstrate the knowledge of Hash Implementation
• Explain Java Card Cryptography
• Explain Crypto Module in Spring Security
• Demonstrate the understanding of Do’s and Don’ts in Java Cryptography

7. Secure Coding Practices for Session Management

7.1 .NET

 After completing this course, students will be able to:

• Understand session management concepts
• Explain various session management techniques
• Demonstrate the understanding of defensive coding practices against session hijacking attacks
• Demonstrate the understanding of defensive coding practices against session replay and session fixation attacks
• Demonstrate the understanding of techniques to prevent sessions from cross-site scripting, client-side scripts, and CSRE attacks
• Demonstrate the understanding of ASP.NET Core Specific secure session management techniques

7.2 JAVA

 After completing this course, students will be able to:

• Explain various session management Java
• Demonstrate the knowledge of session management in Spring framework
• Demonstrate the knowledge of session vulnerabilities and their mitigation techniques
• Demonstrate the knowledge of best practices and guidelines for secure session management

8. Secure Coding Practices for Error Handling

8.1 .NET

After completing this course, students will be able to:

• Understand error and exception handling concepts
• Explain the need of secure exception handling
• Demonstrate understanding of defensive coding practices against information disclosure
• Demonstrate understanding of defensive coding practices against improper error handling
• Demonstrate the understanding of secure error handling practices in ASP.NET Core
• Explain secure auditing and logging best practices

8.2 JAVA

After completing this course, students will be able to:

• Explain Exception and Error Handling in Java
• Explain erroneous exceptional behaviors
• Demonstrate the knowledge of do’s and don’ts in error handling
• Explain Spring MVC error handling
• Explain Exception Handling in struts2
• Demonstrate the knowledge of best practices for error handling
• Explain to Logging in Java
• Demonstrate the knowledge of Log4j for logging
• Demonstrate the knowledge of coding techniques for secure logging
• Demonstrate the knowledge of best practices for logging

 9. Static and Dynamic Application Security Testing (SAST & DAST)

After completing this course, students will be able to:

• Explain Static Application Security Testing (SAST) concepts
• Demonstrate the understanding of manual secure code review techniques for common vulnerabilities
• Explain Dynamic Application Security testing
• Demonstrate the knowledge of automated application vulnerability scanning tools to perform DAST
• Demonstrate the knowledge of proxy-based security testing tools to perform DAST

 10.  Secure Deployment and Maintenance

10.1 .NET

After completing this course, students will be able to:

• Understanding the importance of secure deployment
• Explain security practices at host level
• Explain security practices at network level
• Explain security practices at application level
• Explain security practices at IIS level
• Explain security practices at .NET level
• Explain security practices at SQL server level
• Demonstrate the knowledge of security maintenance and monitoring activities

10.2 JAVA

After completing this course, students will be able to:

• Understanding the importance of secure deployment
• Explain security practices at host level
• Explain security practices at network level
• Explain security practices at application level
• Explain security practices at web container level (Tomcat)
• Explain security practices at Oracle database level
• Explain security practices at SQL server level
• Demonstrate the knowledge of security maintenance and monitoring activities