InDepth Assessment Techniques

= In-depth Assessment Techniques: Design, Code, and Runtime =

Course: In-depth Assessment Techniques: Design, Code, and Runtime Course ID: SB1DIAT Instructor: Fyodor Yarochkin, Armorize CPE Credits: 7 CPE’s Duration: 1 Day Date: November 20th, 2009 (9 AM – 6 PM)

Who should attend? • Anyone who is interested in advancing their software assessment skills • Security Architects &amp; Consultants wanting to learn advanced secure design concepts • Team leads and developers interested in learning more about Design reviews, code reviews and Runtime code analysis • Penetration Testers and security testers

Class Pre-requisite: • The tutorial has a primary focus on intermediate/advanced assessment and testing concepts for architects and developers. • Prior experience in Penetration testing or software security assessment preferred.

Class Requirement: No laptop required.

Course Description:

This tutorial is targeted at those wanting to enhance their software assessment skills. Specifically, the tutorial teaches attendees techniques for design analysis, code review, and penetration testing that uncovers a wide variety of vulnerabilities and weaknesses in applications. If you have pre-existing skills and want to learn more than this course is perfect. The tutorial will generally focus on web applications, but most information applies to software of any type. In addition, attendees will learn general methods for protecting against the security issues uncovered by each assessment technique.

The tutorial topics include: • System decomposition for analysis • Lightweight threat/risk modeling • Identifying interfaces/attack surface • Testing business logic and edge cases • Assessing for provision of security mechanisms • Assessing for key vulnerability classes • Risk classification and weighting • Root cause analysis and patching

The tutorial has a primary focus on intermediate/advanced assessment and testing concepts for architects and developers. Automated security assessment tools will be discussed in context, but not demoed.