Training Services
Are you looking for world-class security training,
delivered by seasoned professionals who have spent years
practicing what they teach? We specialize in small-classroom,
instructor-led, heavily hands-on training that is tailored
and customizable to our customers' needs. Since our classes
are generally delivered on-site at customer locations, and
since we charge per class rather than per student, we can
help you get the most out of your training budget. On-site
training also minimizes the downtime your employees spend
away from their offices.
Our training philosophy is to clearly present various
technical topics, and then to drive them home through a
series of hands-on exercises that reinforce the lecture
content and help the students internalize what they've
learned. This allows them to take concepts and immediately
put them into practice.
We have a small cadre of highly qualified instructors who
have years of experience in the field. By maintaining these
standards, we have built a substantial track record of
successful deliveries and maintaining the highest levels of
customer satisfaction.
Course Catalog
The list below contains brief summaries of our primary
course offerings. Detailed descriptions, including course
outlines and pricing options, are available upon request.
(NEW for 2011!) The Art of Building Bulletproof Applications for Mobile Devices: iOS OR Android (2 or 2 1/2 days each - 12 hours of class time)
Course Description - This pair of classes covers
the major security issues in developing secure mobile
applications on the iOS (iPhone, iPad, and iPod Touch) and
Google Android platforms, respectively. Each class begins
with an overview of, and hands-on exercises using, OWASP's
iGoat tool, which demonstrates the major security pitfalls
on each platform. The classes then showcase the major
security features of each platform, complete with source
code examples of how to make use of them. Next, the
principal security building blocks for such vital
mechanisms as authentication, session management, and
protecting sensitive data are discussed, again with
detailed source code examples and discussions. Lastly,
putting these topics into practice through threat modeling,
source code review, and security testing is covered.
OPTIONAL: An additional 1/2-day coding lab is available for
this course. In the coding lab, students are required to
implement the remediations for each of iGoat's exercises.
Each exercise and its remediation is described and
discussed at length, including how to properly implement
similar remediations in production-quality apps.
Intended Audience - The ideal student for this
class is a hands-on iOS or Android app developer, security
architect, or technical manager who is looking for a solid
understanding of the best practices for developing secure
apps.
(NEW for 2011!) Managing the iPad/iPhone in the Enterprise (1 day - 7 hours of class time)
Course Description - This class helps the IT
security team learn what it takes to properly manage a
fleet of iOS devices--iPhones and/or iPads--in a modern
enterprise environment. The course begins by delving deeply
into the problems encountered when deploying iOS in large
numbers. It then looks at how to analyze an iOS app to
determine whether or not it should be allowed into the
enterprise. Next, the course covers how to create
custom-tailored configuration profiles for iOS devices, and
how to deploy them across an entire fleet of devices. Where
applicable, hands-on exercises are used to clearly
illustrate the topics being covered.
Intended Audience - The ideal student for this
class is an IT or IT Security manager or tech leader.
Pervasive Web Application Security Defects and How to Avoid Them (3 or 4 days - 18 or 24 hours of class time)
Course Description - This class starts with a
description of the security problems faced by today's
software developer, followed by a detailed description of
today's most common web application security defects,
following the venerable OWASP Top 10 (2010) list, along with
a few additional weaknesses not found on the OWASP list.
Each security defect is presented along with a hands-on
exercise in which each student gets to see the
vulnerability firsthand, in order to thoroughly internalize
the issue. Remediation techniques and strategies, complete
with source code examples, are also covered for most of the
defects (where applicable). Following this, attention turns
to effective techniques that can be used during software
design, coding, and security testing.
This class is available in two versions: Java EE and C#.
The primary difference in the versions is the source code
examples used throughout the class.
If you are looking for PCI-DSS training for your software
developers, consider this course.
OPTIONAL: An optional 1-day Java coding lab can be added to
our 3-day web application security class. This optional day
includes 3 in-depth coding labs in which Java developers
fine-tune their Java EE skills. The labs include patching
existing Java EE code to make it resilient to cross-site
scripting (XSS) and SQL injection flaws, as well as adding
role-based access control code to some existing web
servlets. Additionally, in this 1-day add-on, students get
hands-on exposure to a commercial static code analysis tool
by analyzing existing open source Java software.
Familiarity with software development in Java is strongly
recommended. NOTE: The optional coding lab is not currently
available in C#.
Intended Audience - The ideal student for this
class is a hands-on web application developer or architect
who is looking for a fundamental understanding of today's
best practices in secure software development.
Intrusion Detection Using Snort, Hands-on (3 days - 18 hours of class time)
Course Description - This class provides a
rock-solid foundation for the intrusion detection
practitioner. It describes the background and basics of
IDS/IPS: how they work, how they are commonly deployed, and
so on. It then uses extensive hands-on labs to show
students how to install and configure the popular open
source Snort IDS/IPS engine. Hands-on labs include attacking
a Snort-equipped virtual machine with commonly used attack
tools and methods. The attacks include both operating
system and application level methods. The Snort IDS is used
to detect the attacks, and the results are then checked and
discussed. Students also learn how to create customized
Snort rules. Lastly, common pitfalls and how to avoid them,
along with practical tips for deploying an IDS network, are
discussed.
Intended Audience - The ideal student for this
class is a hands-on IT security practitioner, with a solid
working knowledge of TCP/IP networking and common operating
systems.