Overview:

The Certified Application Security Engineer (CASE) credential was developed in partnership with application and software development experts globally.

The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.

The CASE certified training program was developed to prepare software professionals with the capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security training course to teach software professionals to create secure applications.

The training program encompasses security activities involved in all phases of the secure SDLC: planning, creating, testing, and deploying an application.

Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in the post development phases of application development.

This makes CASE one of the most comprehensive application security certifications for secure software development on the market today. It’s desired by software application engineers, analysts, and testers from around the world and is respected by hiring authorities.

Duration: 

24 hours.

Objectives:

After completing this course, students will be able to:

-       In-depth understanding of secure SDLC and secure SDLC models

-       Knowledge of OWASP Top 10, threat modelling, SAST and DAST

-       Capturing security requirements of an application in development

-       Defining, maintaining, and enforcing application security best practices

-       Performing manual and automated code review of application

-       Conducting application security testing for web applications to assess the vulnerabilities

-       Driving development of a holistic application security program

-       Rating the severity of defects and publishing comprehensive reports, detailing associated risks and mitigations

-       Working in teams to improve security posture

-       Application security scanning technologies such as AppScan, Fortify, WebInspect, static application security testing (SAST), dynamic application security testing (DAST), single sign on, and encryption

-       Following secure coding standards that are based on industry-accepted best practices such as

-       OWASP Guide, or CERT Secure Coding to address common coding vulnerabilities.

-       Creating a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD)

Intended Audience:

-       .NET Developers with a minimum of 2 years of experience and individuals who want to become application security engineers, analysts, or testers.

-       Individuals involved in the role of developing, testing, managing, or protecting applications

Course outlines:

1.      Understanding Application Security, Threats, and Attacks

After completing this course, students will be able to:

• Understand the need and benefits of application security
• Demonstrate the understanding of common application-level attacks
• Explain the causes of application-level vulnerabilities
• Explain various components of comprehensive application security
• Explain the need and advantages of integrating security in Software Development Life Cycle (SDLC)
• Differentiate functional vs security activities in SDLC
• Explain Microsoft Security Development Lifecycle (SDL)
• Demonstrate the understanding of various software security reference standards, models, and frameworks

2.      Security Requirements Gathering

After completing this course, students will be able to:

• Understand the importance of gathering security requirements
• Explain security requirement Engineering (SRE) and its phases
• Demonstrate the understanding of Abuse Cases and Abuse Case Modeling
• Demonstrate the understanding of Security Cases and Security Case Modeling
• Demonstrate the understanding of Abuser and Security Stories
• Explain Security Quality Requirement Engineering (SQUARE) model
• Explain Operationally Critical Threat Asset, and Vulnerability Evaluation (OCTAVE) Model

3.      Secure Application Design and Architecture

After completing this course, students will be able to:

• Understanding the importance of secure application design
• Explain various secure design principles
• Demonstrate the understanding of threat modeling
• Explain threat modeling process
• Explain STRIDE and DREAD Model
• Demonstrate the understanding of Secure Application Architecture Design

4.      Secure Coding Practices for Input Validation

After completing this course, students will be able to:

• Understand the importance of robust input validation
• Demonstrate understanding of secure input validation techniques in Web Forms, ASP.NET Core and MVC
• Demonstrate the understanding of defensive coding techniques against SQL Injection attacks
• Demonstrate understanding of defensive coding techniques against Parameter Tampering attacks
• Demonstrate understanding of defensive coding techniques against Directory Traversal attacks
• Demonstrate understanding of defensive coding techniques against Open Redirect vulnerabilities

5.       Secure Coding Practices for Authentication and Authorization

 After completing this course, students will be able to:

• Understand authentication and authorization issues
• Explain authentication and authorization in Web Forms
• Explain authentication and authorization in ASP.NET Core
• Explain authentication and authorization in MVC
• Demonstrate understanding authentication and authorization techniques in Web Forms
• Demonstrate understanding authentication and authorization techniques in ASP.NET Core
• Demonstrate understanding authentication and authorization techniques in MVC

6.      Secure Coding Practices for Cryptography

After completing this course, students will be able to:

• Understanding cryptography in .NET
• Explain symmetric encryption
• Demonstrate the understanding of defensive coding practices using symmetric encryption.
• Explain asymmetric encryption
• Demonstrate the understanding of defensive coding practices using asymmetric encryption
• Explain Hashing
• Explain Digital Signatures
• Explain Digital Certificates
• Demonstrate the understanding of ASP.NET Core-Specific secure cryptography practices

7.      Secure Coding Practices for Session Management

 After completing this course, students will be able to:

• Understand session management concepts
• Explain various session management techniques
• Demonstrate the understanding of defensive coding practices against session hijacking attacks
• Demonstrate the understanding of defensive coding practices against session replay and session fixation attacks
• Demonstrate the understanding of techniques to prevent sessions from cross-site scripting, client-side scripts, and CSRE attacks
• Demonstrate the understanding of ASP.NET Core Specific secure session management techniques

8.      Secure Coding Practices for Error Handling

After completing this course, students will be able to:

• Understand error and exception handling concepts
• Explain the need of secure exception handling
• Demonstrate understanding of defensive coding practices against information disclosure
• Demonstrate understanding of defensive coding practices against improper error handling
• Demonstrate the understanding of secure error handling practices in ASP.NET Core
• Explain secure auditing and logging best practices

9.      Static and Dynamic Application Security Testing (SAST & DAST)

After completing this course, students will be able to:

• Explain Static Application Security Testing (SAST) concepts
• Demonstrate the understanding of manual secure code review techniques for common vulnerabilities
• Explain Dynamic Application Security testing
• Demonstrate the knowledge of automated application vulnerability scanning tools to perform DAST
• Demonstrate the knowledge of proxy-based security testing tools to perform DAST

10.  Secure Deployment and Maintenance

After completing this course, students will be able to:

• Understanding the importance of secure deployment
• Explain security practices at host level
• Explain security practices at network level
• Explain security practices at application level
• Explain security practices at IIS level
• Explain security practices at .NET level
• Explain security practices at SQL server level
• Demonstrate the knowledge of security maintenance and monitoring activities