Training with Iverson classes

Training is not a commodity – not all training centres are the same. Iverson Associates Sdn Bhd is the most established, the most reputable, and the top professional IT training provider in Malaysia. With a large pool of experienced and certified trainers, state-of-the-art facilities, and well-designed courseware, Iverson offers superior training, a more impactful learning experience and highly effective results.

At Iverson, our focus is on providing high-quality IT training to corporate customers, meeting their learning needs and helping them to achieve their training objectives. Iverson has the flexibility to provide training solutions whether for a single individual or the largest corporation in a well-paced or accelerated training programme.

Our courses continue to evolve along with the fast-changing technological advances. Our instructor-led training services are available on a public and a private (in-company) basis. Some of our courses are also available as online, on demand, and hybrid training.

Are you getting ready to administer database security policies? Learn how to configure Guardium V10 to discover, classify, analyze, protect, and control access to sensitive data. You will learn to perform vulnerability assessment, and how to monitor data and file activity. This course also teaches you how to create reports, audits, alerts, metrics, and compliance oversight processes.

Additional Info

  • Certification Course only
  • Course Code 8G100G
  • Price RM5700
  • Exam Price Exclude
  • Duration 3 Days
  • Principals IBM
  • Schedule

    20-22 Apr 2020

    5-7 Oct 2020

  • Audience

    Database administrators, security administrators, security analysts, security technical architects, and professional services staff who use IBM Guardium.

  • Prerequisites

    Before taking this course, make sure that you have the following skills:
     Working knowledge of SQL queries for IBM DB2 and other databases
     Working knowledge of UNIX commands
     Familiarity with data protection standards such as HIPAA and PCI DSS

  • At Course Completion

     Identify the primary functions of IBM Guardium
     Apply key Guardium architecture components
     Navigate the Guardium user interface and command line interface
     Manage user access to Guardium
     Use the administration console to manage Guardium components
     Build and populate Guardium groups
     Configure policy rules that process the information gathered from database and file servers
     Use the configuration auditing system, Vulnerability Assessment application, and Database Discovery to perform data security tasks
     Create queries and reports to examine trends and gather data
     Automate compliance workflow processes
     Use file access monitoring to keep track of the files on your servers

  • Module 1 Title Course Outline
  • Module 1 Content

     Unit 1: IBM Guardium: Overview
     Unit 2: IBM Guardium: Architecture
     Unit 3: IBM Guardium: User interface
     Unit 4: IBM Guardium: Access management
     Unit 5: IBM Guardium: System view and data management
     Unit 6: IBM Guardium: Groups
     Unit 7: IBM Guardium: Policy management
     Unit 8: IBM Guardium: Auditing, vulnerability assessment, and discovery
     Unit 9: IBM Guardium: Custom queries and reports
     Unit 10: IBM Guardium: Compliance workflow automation
     Unit 11: IBM Guardium: File activity monitoring

RM5,700.00(+RM342.00 Tax)

The CISA Boot Camp is specifically designed to give CISA candidates the skills needed to develop, manage, and supervise programs that defend against unauthorized access to information.

Additional Info

  • Certification Course & Certificate
  • Course Code CISA
  • Price RM8000
  • Exam Price Include
  • Duration 5 Days
  • CertificationInfo Certified Information Systems Auditor
  • Principals ISACA
  • Schedule

    2-6 Dec 2019

    24-28 Feb 2020

    20-24 Apr 2020

    15-19 Jun 2020

    22-26 Jun 2020 (Penang)

    24-28 Aug 2020

    5-9 Oct 2020

    14-18 Dec 2020

  • Audience

    This training is only intended for individuals preparing for the CISA Certification exam. A minimum of five years of professional information systems auditing, control or security work experience is required for certification.

  • Module 1 Title The IS Audit Process
  • Module 1 Content
    • ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
    • IS auditing practices and techniques
    • Techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media)
    • The evidence life cycle (e.g., the collection, protection, chain of custody)
    • Control objectives and controls related to IS (e.g., CobiT)
    • Risk assessment in an audit context
    • Audit planning and management techniques
    • Reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
    • Control self-assessment (CSA)
    • Continuous audit techniques
       
  • Module 2 Title IT Governance
  • Module 2 Content
    • The purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
    • IT governance frameworks
    • The processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support)
    • Quality management strategies and policies
    • Organizational structure, roles and responsibilities related to the use and management of IT
    • Generally accepted international IT standards and guidelines
    • Enterprise IT architecture and its implications for setting long-term strategic directions
    • Risk management methodologies and tools
    • The use of control frameworks (e.g., CobiT, COSO, ISO 17799)
    • The use of maturity and process improvement models (e.g., CMM, CobiT)
    • Contracting strategies, processes and contract management practices
    • Practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
    • Relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements)
    • IT human resources (personnel) management
    • IT resource investment and allocation practices (e.g., portfolio management, return on investment [ROI])
  • Module 3 Title Systems and Infrastructure Life Cycle
  • Module 3 Content
    • Benefits management practices, (e.g., feasibility studies, business cases)
    • Project governance mechanisms (e.g., steering committee, project oversight board)
    • Project management practices, tools, and control frameworks
    • Risk management practices applied to projects
    • Project success criteria and risks
    • Configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
    • Control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications
    • Enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
    • Requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis)
    • Acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow)
    • System development methodologies and tools and an understanding of their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
    • Quality assurance methods
    • The management of testing processes (e.g., test strategies, test plans, test environments, entry and exit criteria)
    • Data conversion tools, techniques, and procedures
    • System and/or infrastructure disposal procedures
    • Software and hardware certification and accreditation practices
    • Post-implementation review objectives and methods (e.g., project closure, benefits realization, performance measurement)
    • System migration and infrastructure deployment practices
  • Module 4 Title IT Service Delivery and Support
  • Module 4 Content
    • Service level management practices
    • Operations management best practices (e.g., workload scheduling, network services management, preventive maintenance)
    • Systems performance monitoring processes, tools, and techniques (e.g., network analyzers, system utilization reports, load balancing)
    • The functionality of hardware and network components (e.g., routers, switches, firewalls, peripherals)
    • Database administration practices
    • The functionality of system software including operating systems, utilities, and database management systems
    • Capacity planning and monitoring techniques
    • Processes for managing scheduled and emergency changes to the production systems and/or infrastructure including change, configuration, release, and patch management practices
    • Incident/problem management practices (e.g., help desk, escalation procedures, tracking)
    • Software licensing and inventory practices
    • System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)
  • Module 5 Title Protection of Information Assets
  • Module 5 Content
    • The techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment)
    • Logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles)
    • Logical access security architectures (e.g., single sign-on, user identification strategies, identity management)
    • Attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming)
    • Processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
    • Network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT)
    • Intrusion detection systems and firewall configuration, implementation, operation, and maintenance
    • Encryption algorithm techniques (e.g., AES, RSA)
    • Public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques
    • Virus detection tools and control techniques
    • Security testing and assessment tools (e.g., penetration testing, vulnerability scanning)
    • Environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors)
    • Physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens)
    • Data classification schemes (e.g., public, confidential, private, and sensitive data)
    • Voice communications security (e.g., voice over IP)
    • The processes and procedures used to store, retrieve, transport, and dispose of confidential information assets
    • Controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices)
  • Module 6 Title Business Continuity and Disaster Recovery
  • Module 6 Content
    • Data backup, storage, maintenance, retention and restoration processes, and practices
    • Regulatory, legal, contractual, and insurance issues related to business continuity and disaster recovery
    • Business impact analysis (BIA)
    • The development and maintenance of the business continuity and disaster recovery plans
    • Business continuity and disaster recovery testing approaches and methods
    • Human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning, response teams)
    • Processes used to invoke the business continuity and disaster recovery plans
    • Types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)
RM8,000.00(+RM480.00 Tax)

Additional Info

  • Certification Course & Certificate
  • Course Code CISM
  • Price RM8000
  • Exam Price Include
  • Duration 4 Days
  • CertificationInfo Certified Information Security Manager
  • Principals ISACA
  • Schedule

    17-20 Mar 2020

    8-11 Jun 2020

    13-16 Jul 2020

    28 Sep – 1 Oct 2020

    23-26 Nov 2020

  • Module 1 Title Test-Taking Tips and Study Techniques*
  • Module 1 Content
    • Preparation for the CISM exam
    • Submitting Required Paperwork
    • Resources and Study Aids
    • Passing the Exam the First Time
  • Module 2 Title Information Security Governance*
  • Module 2 Content
    • Asset Identification
    • Risk Assessment
    • Vulnerability Assessments
    • Asset Management
  • Module 3 Title Information Risk Management*
  • Module 3 Content
    • Asset Classification and Ownership
    • Structured Information Risk Assessment Process
    • Business Impact Assessments
    • Change Management
  • Module 4 Title Information Security Program Development*
  • Module 4 Content
    • Information Security Strategy
    • Program Alignment of Other Assurance Functions
    • Development of Information Security Architectures
    • Security Awareness, Training, and Education
    • Communication and Maintenance of Standards, Procedures, and Other Documentation
    • Change Control
    • Lifecycle Activities
    • Security Metrics
  • Module 5 Title Information Security Program Management*
  • Module 5 Content
    • Security Program Management Overview
    • Planning
    • Security Baselines
    • Business Processes
    • Security Program Infrastructure
    • Lifecycle Methodologies
    • Security Impact on Users
    • Accountability
    • Security Metrics
    • Managing Resources
  • Module 6 Title Incident Management and Response*
  • Module 6 Content
    • Response Management Overview
    • Importance of Response Management
    • Performing a Business Impact Analysis
    • Developing Response and Recovery Plans
    • The Incident Response Process
    • Implementing Response and Recovery Plans
    • Response Documentation
    • Post-Event Reviews
  • Module 7 Title Review and Q&A Session*
  • Module 7 Content
    • Final Review and Test Prep
RM8,000.00(+RM480.00 Tax)

Gain core knowledge and experience to successfully implement and manage security programs in this official (ISC)2 CISSP course.


This course is a comprehensive review of information security concepts and industry best practices, and covers the eight domains of the official CISSP CBK (Common Body of Knowledge). You will gain knowledge in information security that will increase your ability to successfully implement and manage security programs in any organization or government entity. You will learn how to determine who or what may have altered data or system information, potentially affecting the integrity of those assets, and how to match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, giving organizations a better understanding of their security posture. Policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets are also covered in this course.


This five-day program is comprised of a total of eight domains and includes:
• Official (ISC)2 Guide to the CISSP Common Body of Knowledge® (CBK)
• Official (ISC)2 CISSP Training Handbook
• Official (ISC)2 CISSP Flash Cards
• CISSP Certification Exam Voucher

Additional Info

  • Certification Course & Certificate
  • Course Code CISSP
  • Price RM7500
  • Exam Price Include
  • Duration 5 Days
  • CertificationInfo Certified Information Systems Security Professional
  • Principals (ISC)2
  • Schedule

    13-17 Jan 2020

    20-24 Apr 2020

    20-24 Jul 2020

    3-7 Aug 2020 (Penang)

    5-9 Oct 2020

  • Audience
    • Anyone whose position requires CISSP certification
    • Individuals who want to advance within their current computer security careers or migrate to a related career
  • Prerequisites

    Professionals with at least five years of experience in two or more of the eight security domains of the CISSP Common Body of Knowledge (CBK), demonstrating a globally recognized level of competence.

  • At Course Completion

    In-depth coverage of the eight domains required to pass the CISSP exam:
    1. Security and Risk Management
    2. Asset Security
    3. Security Architecture and Engineering
    4. Communications and Network Security
    5. Identity and Access Management
    6. Security Assessment and Testing
    7. Security Operations
    8. Software Development Security

  • Module 1 Title Domain 1 Security and Risk Management
  • Module 1 Content

    1.1 Understand and apply concepts of confidentiality, integrity, and availability
    1.2 Evaluate and apply security governance principles
    1.3 Determine compliance requirements
    1.4 Understand legal and regulatory issues that pertain to information security in a global context
    1.5 Understand, adhere to, and promote professional ethics
    1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
    1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
    1.8 Contribute to and enforce personnel security policies and procedures
    1.9 Understand and apply risk management concepts
    1.10 Understand and apply threat modeling concepts and methodologies
    1.11 Apply risk-based management concepts to the supply chain
    1.12 Establish and maintain a security awareness, education, and training program

  • Module 2 Title Domain 2 Asset Security
  • Module 2 Content

    2.1 Identify and classify information and assets
    2.2 Determine and maintain information and asset ownership
    2.3 Protect privacy
    2.4 Ensure appropriate asset retention
    2.5 Determine data security controls
    2.6 Establish information and asset handling requirements

  • Module 3 Title Domain 3 Security Architecture and Engineering
  • Module 3 Content

    3.1 Implement and manage engineering processes using secure design principles
    3.2 Understand the fundamental concepts of security models
    3.3 Select controls based upon systems security requirements
    3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
    3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

  • Module 4 Title Domain 4 Communication and Network Security
  • Module 4 Content

    4.1 Implement secure design principles in network architectures
    4.2 Secure network components
    4.3 Implement secure communication channels according to design

  • Module 5 Title Domain 5 Identity and Access Management (IAM)
  • Module 5 Content

    5.1 Control physical and logical access to assets
    5.2 Manage identification and authentication of people, devices, and services
    5.3 Integrate identity as a third-party service
    5.4 Implement and manage authorization mechanisms
    5.5 Manage the identity and access provisioning lifecycle

  • Module 6 Title Domain 6 Security Assessment and Testing
  • Module 6 Content

    6.1 Design and validate assessment, test, and audit strategies
    6.2 Conduct security control testing
    6.3 Collect security process data (e.g., technical and administrative)
    6.4 Analyze test output and generate report
    6.5 Conduct or facilitate security audits

  • Module 7 Title Domain 7 Security Operations
  • Module 7 Content

    7.1 Understand and support investigations
    7.2 Understand requirements for investigation types
    7.3 Conduct logging and monitoring activities
    7.4 Securely provision resources
    7.5 Understand and apply foundational security operations concepts
    7.6 Apply resource protection techniques
    7.7 Conduct incident management
    7.8 Operate and maintain detective and preventative measures
    7.9 Implement and support patch and vulnerability management
    7.10 Understand and participate in change management processes
    7.11 Implement recovery strategies
    7.12 Implement Disaster Recovery (DR) processes
    7.13 Test Disaster Recovery Plans (DRP)
    7.14 Participate in Business Continuity (BC) planning and exercises
    7.15 Implement and manage physical security
    7.16 Address personnel safety and security concerns

  • Module 8 Title Domain 8 Software Development Security
  • Module 8 Content

    8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
    8.2 Identify and apply security controls in development environments
    8.3 Assess the effectiveness of software security
    8.4 Assess security impact of acquired software
    8.5 Define and apply secure coding guidelines and standards

RM7,500.00(+RM450.00 Tax)

This course teaches methods for identifying vulnerabilities and applying the appropriate countermeasures to prevent and mitigate failure risks for an organization. It gives the networking professional a foundation in disaster recovery principles, including preparation of a disaster recovery plan, assessment of risks in the enterprise, development of policies and procedures, understanding of the roles and relationships of the various members of an organization, implementation of the plan, and recovery from a disaster. The course takes an enterprise-wide approach to developing a disaster recovery plan. Students learn how to create a secure network by putting policies and procedures in place, and how to restore a network in the event of a disaster. The EDRP course was certified as meeting the CNSS 4016 Advanced Level training standard for Risk Analyst by the United States National Security Agency (NSA).

Additional Info

  • Certification Course & Certificate
  • Course Code EDRP
  • Price RM4982
  • Exam Price Include
  • Exam Code 312-76
  • Duration 5 Days
  • CertificationInfo EC-Council Disaster Recovery Professional
  • Principals EC-Council
  • Schedule

    2-6 Dec 2019

    9-13 Mar 2020

    21-25 Sep 2020

    14-18 Dec 2020

  • Audience

    Network server administrators, firewall administrators, systems administrators, application developers, and IT security officers.

  • Module 1 Title Introduction to Disaster Recovery and Business Continuity
  • Module 2 Title Nature and Causes of Disasters
  • Module 3 Title Emergency Management
  • Module 4 Title Laws and Acts
  • Module 5 Title Business Continuity Management
  • Module 6 Title Disaster Recovery Planning Process
  • Module 7 Title Risk Management
  • Module 8 Title Facility Protection
  • Module 9 Title Data Recovery
  • Module 10 Title System Recovery
  • Module 11 Title Backup and Recovery
  • Module 12 Title Centralized and Decentralized System Recovery
  • Module 13 Title Windows Data Recovery Tools
  • Module 14 Title Linux, Mac and Novell Netware Data Recovery Tools
  • Module 15 Title Incident Response
  • Module 16 Title Role of Public Services in Disaster
  • Module 17 Title Organizations Providing Services during Disasters
  • Module 18 Title Organizations Providing Disaster Recovery Solutions
  • Module 19 Title Case Studies
RM4,700.00(+RM282.00 Tax)

The Certified Application Security Engineer (CASE) credential is developed in partnership with application and software development experts worldwide.
The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.


The CASE certified training program is developed in step with the credential to equip software professionals with the capabilities that employers and academia expect globally. It is designed to be a hands-on, comprehensive application security course that helps software professionals create secure applications.
The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.


Unlike other application security training programmes, CASE goes beyond guidelines on secure coding practices to include secure requirements gathering, robust application design, and the handling of security issues in the post-development phases of the application life cycle.
This makes CASE one of the most comprehensive certifications on the market today. It is sought after by software application engineers, analysts and testers globally, and respected by hiring authorities.

The Purpose of CASE Is

  • To ensure that application security is no longer an afterthought but a foremost consideration.
  • To lay the foundation required by all application developers and development organizations to produce secure applications with greater stability and fewer security risks to the consumer.
  • To ensure that organizations mitigate the risk of losing millions due to security compromises that may arise at every step of the application development process.
  • To help individuals develop the habit of treating security as important regardless of their role in the SDLC, thereby opening security as a core domain for testers, developers, network administrators and others.

Additional Info

  • Certification Course & Certificate
  • Course Code CASE.NET
  • Price RM4700
  • Exam Price Include
  • Exam Code 312-93
  • Duration 3 Days
  • CertificationInfo Certified Application Security Engineer
  • Principals EC-Council
  • Schedule

    16-18 Dec 2019

    10-12 Feb 2020

    20-22 Apr 2020

    10-12 Aug 2020

    14-16 Dec 2020

  • Audience
    • .NET Developers with a minimum of 2 years of experience and individuals who want to become application security engineers/analysts/testers
    • Individuals involved in the role of developing, testing, managing, or protecting wide area of applications
  • Module 1 Title Understanding Application Security, Threats, and Attacks
  • Module 1 Content
    • What is a Secure Application
    • Need for Application Security 
    • Most Common Application Level Attacks
      • SQL Injection Attacks 
      • Cross-site Scripting (XSS) Attacks
      • Parameter Tampering
      • Directory Traversal
      • Cross-site Request Forgery (CSRF) Attack
      • Denial-of-Service (DoS) Attack
      • Denial-of-Service (DoS): Examples
      • Session Attacks
      • Cookie Poisoning Attacks
      • Session Fixation
    • Why Applications become Vulnerable to Attacks
      • Common Reasons for Existence of Application Vulnerabilities
      • Common Flaws That Exist Due to Insecure Coding Techniques
      • Improper Input Validation
      • Insufficient Transport Layer Protection
      • Improper Error Handling
      • Insecure Cryptographic Storage
      • Broken Authentication and Session Management
      • Unvalidated Redirects and Forwards
      • Insecure Direct Object References
      • Failure to Restrict URL Access
    • What Constitutes a Comprehensive Application Security?
      • Application Security Frame
      • 3W’s in Application Security
    • Insecure Application: A Software Development Problem
      • Solution: Integrating Security in Software Development Life Cycle (SDLC)
      • Functional vs Security Activities in SDLC
      • Advantages of Integrating Security in SDLC
      • Microsoft Security Development Lifecycle (SDL)
    • Software Security Standards, Models, and Frameworks
      • The Open Web Application Security Project (OWASP)
      • OWASP TOP 10 Attacks-2017
      • The Web Application Security Consortium (WASC)
      • WASC Threat Classification
      • Software Security Framework
    • Software Assurance Maturity Model (SAMM)
    • Building Security in Maturity Model (BSIMM)
      • BSIMM vs OpenSAMM 
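The first two items of the attack list above, SQL injection reached through improper input validation, shown as an added example that is not part of the CASE course material: the same login check written with string concatenation (vulnerable) and with a bound-parameter query (hardened), run against a constructed in-memory SQLite table. The course is .NET-oriented; in ADO.NET the hardened form is a SqlCommand with SqlParameter objects instead of concatenated SQL text, and the behaviour is the same.

```python
"""SQL injection: the vulnerable query and its parameterized replacement.

Added example; not CASE course material. Uses Python's sqlite3 against a
constructed in-memory table so it runs offline. Passwords are stored in
clear text only to keep the example short; a real application stores a
salted password hash and compares hashes (the "Insecure Cryptographic
Storage" item in the same module).
"""
import sqlite3


def make_db():
    """Constructed sample data: two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Improper input validation: user input becomes part of the SQL text,
    so quotes and comment markers in it change the structure of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values are bound
    separately by the driver, so input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Payload: closes the username literal, makes the WHERE clause always true,
# and comments out the password check (SQLite treats "--" as a line comment).
PAYLOAD = "' OR 1=1 --"


def demo():
    """Run a legitimate login and the injection against both variants."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "legit_hardened": login_hardened(conn, "bob", "hunter2"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "attack_hardened": login_hardened(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload the vulnerable variant returns a user without knowing any password; the hardened variant returns nothing because the bound value is compared as a plain string. Parameter binding covers values only: table and column names cannot be bound and must come from an allow-list.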
  • Module 2 Title Security Requirements Gathering
  • Module 2 Content
    • Importance of Gathering Security Requirements
      • Security Requirements
      • Gathering Security Requirements
      • Why We Need Different Approach for Security Requirements Gathering
      • Key Benefits of Addressing Security at Requirement Phase
      • Stakeholders Involvement in Security Requirements Gathering 
      • Characteristics of Good Security Requirement: SMART
      • Types of Security Requirements
      • Functional Security Requirements
      • Security Drivers
    • Security Requirement Engineering (SRE)
    • SRE Phases
      • Security Requirement Elicitation
      • Security Requirement Analysis
      • Security Requirement Specification
      • Security Requirement Management
    • Common Mistakes Made in Each Phase of SRE
    • Different Security Requirement Engineering Approaches/Model 
    • Abuse Case and Security Use Case Modeling
    • Abuse Cases
    • Threatens Relationship
    • Abuse Case Modeling Steps
    • Abuse Cases: Advantages and Disadvantages
    • Abuse Case Template
    • Security Use Cases
    • Security Use Cases are Abuse Case Driven
    • Modeling Steps for Security Use Cases
    • Mitigates Relationship
    • Abuse Case vs Security Use Case
    • Security Use Case: Advantages and Disadvantages
    • Security Use Case Template
    • Security Use Case Guidelines
    • Example 1: Use Case for Online Bidding System
    • Example 1: Abuse Case for Online Bidding System
    • Example 1: Security Use Case for Online Bidding System
    • Example 2: Use Case for ATM System
    • Example 2: Abuse Case for ATM System
    • Example 2: Security Use Case for ATM System
    • Example 3: Use Case for E-commerce System
    • Example 3: Abuse Case for E-commerce System
    • Example 3: Security Use Case for E-commerce System
    • Effectiveness of Abuse and Security Case
    • Abuser and Security Stories
    • Textual Description Template: Abuser Stories and Security Stories
    • Examples: Abuser Stories and Security Stories
    • Effectiveness of Abuser and Security Stories
    • Abuser Stories: Advantages and Disadvantages
    • Security Quality Requirements Engineering (SQUARE)
      • SQUARE Effectiveness
      • SQUARE Process
      • SQUARE: Advantages and Disadvantages 
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
      • OCTAVE Effectiveness
      • OCTAVE Steps
      • OCTAVE: Advantages and Disadvantages
  • Module 3 Title Secure Application Design and Architecture
  • Module 3 Content
    • Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
    • Secure Application Design and Architecture
    • Goal of Secure Design Process
    • Secure Design Actions
    • Security Requirement Specifications 
    • Secure Design Principles
    • Threat Modeling 
    • Secure Application Architecture 
    • Secure Design Principles
    • Define Secure Design Principles
    • Security through obscurity
    • Secure the Weakest Link
    • Use Least Privilege Principle
    • Secure by Default
    • Fail Securely
    • Apply Defense in Depth
    • Do Not Trust User Input
    • Reduce Attack Surface
    • Enable Auditing and Logging
    • Keep Security Simple
    • Separation of Duties
    • Fix Security Issues Correctly
    • Apply Security in Design Phase
    • Protect Sensitive Data
    • Exception Handling
    • Secure Memory Management
    • Protect Memory or Storage Secrets
    • Fundamentals of Control Granularity
    • Fault Tolerance
    • Fault Detection
    • Fault Removal
    • Fault Avoidance
    • Loose Coupling
    • High Cohesion
    • Change Management and Version Control
    • Threat Modeling
    • Threat Modeling Phases 
    • Attack Surface Evaluation
    • Threat Identification
    • Impact Analysis
    • Control Recommendations
    • Threat Modeling Process
    • Identify Security Objective
    • Application Overview
    • Decompose Application
    • Identify Threats
    • Identify Vulnerabilities
    • Identify Security Objective
    • How to Identify Security Objectives
    • Create an Application Overview
    • Draw the End-to-End Deployment Architecture
    • Identify Various User Roles
    • Identify Use Cases Scenarios
    • Identify Technologies
    • Identify Application Security Mechanisms
    • Decompose Application
      • Prepare and Document Threat Model Information
    • Example: Threat Model Information
      • Identify the External Dependencies
    • External Dependencies: Example
      • Identify the Entry Points
    • Entry Points: Example
      • Identify the Assets
    • Assets: Example
      • Identify the Trust Levels
    • Trust Levels: Example
      • Define Trust Levels to Entry points 
      • Define Trust Levels to Assets
      • Perform Application Modelling using Data Flow Diagrams (DFDs)
      • Determine the Threats: Identify the Goal of an Attacker and Create Threat Profile 
    • Example: Attacker’s Goal/Threat Profile and Vulnerabilities Associated
      • Determine the Threats: Create a Security Profile 
      • Identify the Threats
    • The STRIDE Model
      • Example: Threat Categorized and Identified using STRIDE 
    • Determine Countermeasures and Mitigation Security Controls 
    • Document the Threats
    • Rating the Threats
    • Rating the Threats: DREAD Model
    • Secure Application Architecture
    • Design Secure Application Architecture
  • Module 4 Title Secure Coding Practices for Input Validation
  • Module 4 Content
    • Input Validation
    • Why Input Validation?
    • Input Validation Specification
    • Input Validation Approaches
    • Client-side Input Validation
    • Server-side Input Validation
    • Client-Server Input Validation Reliability
    • Input Filtering
    • Input Filtering Technique
      • Black Listing
      • White Listing
    • Input Filtering using a Regular Expression
    • Secure Coding Practices for Input Validation: Web Forms
    • ASP.NET Validation Controls
    • Set of ASP.NET Validation Controls
    • Required Field Validation Control
    • Range Validation Control
    • Comparison Validation Control
    • Regular Expression Validation Control
    • Custom Validation Control
    • Validation Summary Control
    • SQL Injection Attack Defensive Techniques 
    • Using Parameterized Queries
    • Using Parameterized Stored Procedures
    • Using Escape Routines to Handle Special Input Characters
    • Using a Least-privileged Database Account
    • Constraining Input
    • XSS Attack Defensive Techniques
    • Output Encoding
    • Encoding Unsafe Output using HtmlEncode
    • Encoding Unsafe Output using UrlEncode 
    • Anti-XSS Library
    • Encoding Output using Anti-XSS Library
    • Directory Traversing Defensive Technique
    • Additional Techniques to Prevent Directory Traversal
    • Secure Coding Practices for Input Validation: ASP.NET Core
    • Input Validation using ModelState Object
    • Input Validation using Data Annotation
    • Input Validation using Custom Validation Attributes
    • Input Validation using Remote Validation
    • SQL Injection Attack Defensive Techniques
    • Sanitize Inputs using Casting
    • Using Parameterized Queries
    • Using Stored Procedures
    • Using ORM (Object-Relational Mapping)
    • XSS Defensive Techniques
      • Enable Content Security Policy
      • URL Encoding User Input
    • Open Redirect Defensive Techniques
      • Implement LocalRedirect()
      • Disable X-Frame-Options
      • Enable Cross Origin Request Sharing
      • Enable Cross Origin Request Sharing (CORS) with Middleware
        • Guidelines for Secure CORS Configuration
    • Directory Traversing Defensive Techniques
    • Disable Directory Listing
    • Disable Non-standard Content Types
    • Secure Static Files
    • Secure Coding Practices for Input Validation: MVC
    • XSS Defensive Techniques
    • Enable Content Security Policy
    • MVC Output Encoding
    • Output Encoding using Anti-XSS Library
    • Parameter Tampering Defensive Techniques
    • Accept Data from Trusted Sources
    • Encrypt and Decrypt Key Values
    • Implement LocalRedirect()
    • Open Redirect Defensive Techniques
  • Module 5 Title Secure Coding Practices for Authentication and Authorization
  • Module 5 Content
    • Authentication and Authorization
    • Authentication
    • Authorization
    • Common Threats on User Authentication and Authorization
    • Account Hijacking
    • Man-in-the-middle 
    • Phishing
    • Unauthorized Access
    • Information Leakage
    • Privilege Escalation
    • Sniffing
    • Authentication and Authorization: Web Forms
    • .NET Authentication and Authorization
    • Different Level of Authentication 
    • ASP.NET Authentication
    • Enterprise Services Authentication
    • SQL Server Authentication
    • ASP.NET Authentication
    • ASP.NET Authentication Modes 
      • Forms Authentication
      • Passport Authentication
      • Custom Authentication
        • Implementing Custom Authentication Scheme
      • Windows Authentication
        • Basic Authentication
        • Digest Authentication
        • Integrated Windows Authentication
        • Certificate Authentication
        • Anonymous Authentication
    • Selecting an Appropriate Authentication Method
    • Determining an Authentication Method
    • Enterprise Services Authentication
    • SQL Server Authentication
    • Mixed Mode Authentication
    • Windows Authentication
    • Different Level of Authorization 
    • ASP.NET Authorization 
    • Enterprise Services Authorization
    • SQL Server Authorization
    • ASP.NET Authorization 
    • URL Authorization
    • File Authorization
    • What is Impersonation?
    • Impersonation Options
    • Impersonation is Disabled
    • Impersonation Enabled
    • Impersonation Enabled for a specific Identity
    • Delegation
    • Code-based Authorization
    • Explicit Authorization
    • Declarative Authorization
    • Imperative Authorization
    • Authorization using ASP.NET Roles
    • Enterprise Services Authorization
    • SQL Server Authorization
    • User-defined Database Roles
    • Application Roles 
    • Fixed Database Roles
    • Authentication and Authorization: ASP.NET Core
    • ASP.NET Core Authentication
    • AspNetCore.Identity
    • ASP.NET Core Authentication
    • Implementing Identity on ASP.NET Core (Templates)
    • ASP.NET Core External Provider Authentication
    • Open Source Authentication Providers
    • Enabling ASP.Net Core Identity
    • Asp.Net Core Token-based Authentication
    • JWT-JSON Web Token
    • Configuring JSON Web Token Authentication
    • Creating JWT Authentication
    • Using Jquery to Access JWT
    • IdentityServer4 Authentication
    • Implement ASP.NET Identity with IdentityServer
    • Configure Windows Authentication
    • Windows Authentication
    • Impersonation
    • ASP.NET Core Authorization  
    • ASP.NET Core Role-based Authorization
    • ASP.NET Core Role Authorization Policy
    • Claim-based Authorization 
    • Custom Policy-based Authorization 
    • Resource-based Authorization
    • View-based Authorization
    • Authentication and Authorization: MVC
    • Authentication and Authorization
    • MVC Authentication Filter
    • Implementing Single Sign-On
    • Authentication using Third-party Identity Provider
    • Implement Page Access Control with Standard Action Filters
    • Authentication and Authorization Defensive Techniques: Web Forms
    • Securing Forms Authentication Tickets
    • Use Strong Hashing Algorithms to Validate Data
    • Use Strong Encryption Algorithm to Secure Form Authentication Data
    • Secure Form Authentication Cookies using SSL
    • Securing Forms Authentication Credentials 
    • Preventing Session Hijacking using Cookieless Authentication
    • Preventing Forms Authentication Cookies from Persisting using DisplayRememberMe Property
    • Preventing Forms Authentication Cookies from Persisting using RedirectFromLoginPage Method
    • Preventing Forms Authentication Cookies from Persisting using SetAuthCookie Method
    • Preventing Forms Authentication Cookies from Persisting using GetRedirectUrl Method
    • Preventing Forms Authentication Cookies from Persisting using FormsAuthenticationTicket Constructor
    • Securing Passwords with minRequiredPasswordLength
    • Securing Passwords with minRequiredNonalphanumericCharacters 
    • Securing Passwords with passwordStrengthRegularExpression
    • Restricting Number of Failed Logon Attempts
    • Securing Application by using Absolute URLs for Navigation
    • Securing Applications from Authorization Bypass Attacks
    • Creating Separate Folder for Secure Pages in Application
    • Validating Passwords on CreateUserWizard Control using Regular Expressions
    • Authentication and Authorization Defensive Techniques: ASP.NET Core
    • Configure Identity Services
      • Password Policy
      • User Lockout
      • Sign in 
      • Configure Identity User Validation Settings
      • Configure Application's Cookie Settings
      • Configure Identity Services: Cookie Settings
      • Enforcing SSL
      • HTTP Strict Transport Security (HSTS) 
    • Authentication and Authorization Defensive Techniques: MVC
      • Implement AllowXRequestsEveryXSecondsAttribute to Prevent Brute Force Attack
      • MVC Page Access Control: Custom Security Filter
      • Page Access Control: Third-party Libraries
      • Implementing Control-level Protection
      • Implementing Account Lockout
    • Forcing HTTPS Protocol using [RequireHttps]
    • Implement AllowAnonymous Action Filter
  • Module 6 Title Secure Coding Practices for Cryptography
  • Module 6 Content
    • Cryptographic 
    • Ciphers
    • Block Cipher Modes
    • Symmetric Encryption Keys
    • Asymmetric Encryption Keys
    • Functions of Cryptography
    • Use of Cryptography to Mitigate Common Application Security Threats
    • Cryptographic Attacks
    • Techniques Attackers Use to Steal Cryptographic Keys
    • What should you do to Secure .NET Applications from Cryptographic Attacks?
    • .NET Cryptography Namespaces
    • .NET Cryptographic Class Hierarchy
    • Symmetric Encryption
    • SymmetricAlgorithm Class
    • Members of the SymmetricAlgorithm Class
    • Programming Symmetric Data Encryption and Decryption in .NET
    • Symmetric Encryption: Defensive Coding Techniques
    • Securing Information with Strong Symmetric Encryption Algorithm
    • Vulnerability in using ECB Cipher Mode
    • Padding
      • Padding Modes
    • None
    • Zero Padding
    • PKCS #7 Padding 
    • ANSIX923 Padding
    • ISO10126 Padding
      • Problem with Zeros Padding
    • Securing Symmetric Encryption Keys from Brute Force Attacks
    • Resisting Cryptanalysis Attack using Large Block Size
    • Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvider
    • Storing Secret Keys and Storing Options
      • Protecting Secret Keys with Access Control Lists (ACLs)
      • Protecting Secret Keys with DPAPI
    • Self Protection for Cryptographic Application
    • Encrypting Data in the Stream using CryptoStream Class 
    • Asymmetric Encryption
    • AsymmetricAlgorithm Class
    • Members of the AsymmetricAlgorithm Class
    • Programming Asymmetric Data Encryption and Decryption in .NET
    • Asymmetric Encryption: Defensive Coding Techniques
    • Securing Asymmetric Encryption using Large Key Size
    • Storing Private Keys Securely
    • Problem with Exchanging Public Keys
    • Exchanging Public Keys Securely
    • Asymmetric Data Padding
    • Protecting Communications with SSL
    • Hashing
    • Hashing Algorithms Class Hierarchy in .NET
    • Hashing in .Net 
    • Members of the HashAlgorithm Class
    • Programming Hashing for Memory Data
    • Programming Hashing for Streamed Data
    • Imposing Limits on Message Size for Hash Code Security
    • Setting Proper Hash Code Length for Hash Code Security
    • Message Sizes and Hash Code Lengths Supported by the .NET Framework Hashing Algorithms  
    • Securing Hashing using Keyed Hashing Algorithms
    • Digital Signatures
    • Attacker's Target Area on Digital Signatures
    • Security Features of Digital Signatures 
    • .NET Framework Digital Signature Algorithms
    • Digital Certificates
    • .NET Support for Digital Certificates
    • X509Store
    • X509Certificate and X509Certificate2
    • X509Certificate2 Collection
    • Programming Digital Signatures using Digital Certificates
    • XML Signatures
    • Need for Securing XML Files 
    • Securing XML Files using Digital Signatures
    • Programming a Digital Signature for a Sample XML File
    • ASP.NET Core Specific Secure Cryptography Practices
    • ASP.NET Core Data Protection
    • Data Protection Machine-wide Policy
    • Data Protection Configuration
    • Key Persistence
    • Key Lifetime
    • Application Name
    • Automatic Key Generation
    • Algorithm
    • Generating a Random String
    • Hashing String
    • Storing App Secrets in Secure Place
    • Securing Application settings using Azure Key Vault
  • Module 7 Title Secure Coding Practices for Session Management
  • Module 7 Content
    • Session Management
    • Types of Tokens
    • Session Tokens
    • Authentication Tokens
    • Basic Security Principles for Session Management Tokens
    • Common Threats to Session Management
    • Session Hijacking Attack 
    • Account Hopping Attack 
    • Session Fixation Attack
    • Token Prediction Attack
    • Token Brute-force Attack
    • Cross-site Request Forgery Attack
    • Cross-site Scripting Attack
    • Session Replay Attack
    • Token Manipulation Attack
    • Phishing Attack
    • ASP.NET Session Management Techniques
    • Client-Side State Management
    • Client-Side State Management using Cookies
    • Client-Side State Management using Hidden Fields
    • Client-Side State Management using ViewState
    • Client-Side State Management using Control State
    • Client-Side State Management using Query Strings 
    • Server-Side State Management
    • Server-Side State Management using Application Object 
    • Server-Side State Management using Session Object
      • In Process Mode
      • Out-of-Process Session Mode (State Server Mode)
      • SQL-backed Session State
    • Server-side State Management Using Profile Properties
    • Defensive Coding Practices against Broken Session Management
    • Session Hijacking
    • Securing ASP.NET Application from Session Hijacking
    • Implementing SSL to Encrypt Cookies
    • Setting a Limited Time Period for Expiration
    • Avoid using Cookieless Sessions
    • Avoid using UseUri Cookieless Sessions
    • Avoid Specifying Cookie Modes to AutoDetect
    • Avoid Specifying Cookie Modes to UseDeviceProfile
    • Enabling regenerateExpiredSessionID for Cookieless Sessions
    • Resetting the Session when User Logs Out
    • Token Prediction Attack
    • Generating Lengthy Session Keys to Prevent Guessing
    • Session Replay Attack
    • Defensive Techniques for Session Replay Attack
    • Session Fixation
    • Session Fixation Attack
    • Securing ASP.NET Application from Session Fixation Attack
    • Cross-site Script Attack on Sessions
    • Preventing Cross-site Scripting Attack using URL Rewriting
    • Rewrite the application URL for each session
    • Expiring application URLs automatically
    • Preventing Session Cookies from Client-side Scripts Attacks
    • Cross-site Request Forgery Attack
    • Implementing the Session Token to Mitigate CSRF Attacks
    • Additional Defensive Techniques to Mitigate CSRF Attack
    • Cookie-based Session Management
    • Persistent Cookies Information Leakage
    • Avoid Setting the Expire Attribute to Ensure Cookie Security
    • Ensuring Cookie Security using the Secure Attribute
    • Ensuring Cookie Security using the HttpOnly Attribute
    • ViewState-based Session Management
    • ViewState Data Tampering Attack
    • ViewState oneClick Attacks
    • Securing ViewState
    • Securing ViewState with Hashing
    • Securing ViewState with Encryption
    • Securing ViewState by Assigning User-specific Key 
    • ASP.NET Core: Secure Session Management Practices
    • Enabling Session State 
    • Implementing the CSRF Token to Mitigate CSRF Attacks
    • Mitigating CSRF Attacks in JavaScript, AJAX and Single Page Applications
    • Angular Antiforgery Integration (AJAX)
    • Improve Session Security with Nwebsec Session Security Library 
    • Checklist for Secure Session Management
  • Module 8 Title Secure Coding Practices for Error Handling
  • Module 8 Content
    • What are Exceptions/Runtime Errors?
    • Handled Exceptions
    • Unhandled Exceptions
    • Need for Secure Error/Exception Handling
    • Consequences of Detailed Error Message
    • Exposing Detailed Error Messages
    • Considerations: Designing Secure Error Messages
    • Secure Exception Handling
    • Handling Exceptions in an Application 
    • Code-Level Exception Handling
    • Page-Level Exception Handling
    • Application-Level Exception Handling
    • Defensive Coding Practices against Information Disclosure
      • Avoid Displaying Detailed Error Messages
    • Defensive Coding Practices against Improper Error Handling
    • Avoid Throwing Generic Exceptions 
    • Avoid Catching Generic Exceptions
    • Avoid Swallowing the Exceptions
    • Cleanup Code Vulnerability 
    • Vulnerability in Re-throwing Exception
    • Managing Unhandled Errors
    • Unobserved Exception Vulnerability
    • ASP.NET Core: Secure Error Handling Practices
    • ASP.NET Core Error Handling
    • Inspect Exception During Development
    • Implement Custom Error Handler
    • Configure Pages with HTTP Status Codes
    • Startup Exception Handling
    • Do’s and Don’ts in Exception Handling
    • Checklist for Proper Exception Handling
    • Secure Auditing and Logging
    • What is Logging and Auditing?
    • Need for Secure Logging and Auditing
    • Common Threats to Logging and Auditing
    • Denial of Service
    • Log Wiping 
    • Log Bypass 
    • Log Tampering  
    • What Should be Logged?
    • What Should NOT be Logged?
    • Where to Perform Event Logging?
    • File-System-based Logging System
    • Database-based Logging System
    • Performing Log Throttling in ASP.NET Health Monitoring System 
    • Tracing in .NET
    • Writing Trace Output to Windows Event Log using EventLogTraceListener
    • Tracing Security Concerns and Recommendations
    • Secure Auditing and Logging Best Practices
    • Protecting Log Records
      • Fixing the Logs
    • Auditing and Logging Security Checklists
  • Module 9 Title Static and Dynamic Application Security Testing (SAST & DAST)
  • Module 9 Content
    • Static Application Security Testing
    • Static Application Security Testing (SAST)
    • Objectives of SAST
    • Why SAST
    • Skills required for SAST
    • What to look for in SAST
    • Common Vulnerabilities Identified Through SAST
    • Types of SAST
    • Automated Source Code Analysis
    • Manual Source Code Review
    • Where does Secure Code Review Fit in SDLC?
    • SAST Steps
    • SAST Activities Flow Chart
    • Recommendation for Effective SAST
    • SAST Deliverable
    • Automated Source Code Analysis
    • Static Code Analysis Using Checkmarx Static Code Analysis
    • Static Code Analysis Using Visual Code Grepper (VCG)
    • Static Code Analysis Using HP Fortify
    • Static Code Analysis Using Rational AppScan Source Edition
    • Selecting Static Analysis Tool
    • Manual Secure Code Review
    • Manual Secure Code Review for Most Common Vulnerabilities
    • Code Review for PCI DSS Compliance
    • Code Review for Blacklisting Validation Approach
    • Code Review for Client Side Validation Approach
    • Code Review for Non-parametrized SQL Query
    • Review Code for Non-parameterized Stored Procedure
    • Code Review for XSS Vulnerability
    • Review Code for Unvalidated Redirects and Forwards
    • Code Review for Weak Password Authentication 
    • Code Review for Hard-Coded Passwords
    • Code Review for Clear-text Credentials in Authentication
    • Code Review for Unencrypted Form Authentication Tickets
    • Code Review for Clear-text Connection strings
    • Code Review for Weak Password Length
    • Code Review for Inappropriate Authorization 
    • Code Review for use of Weak Hashing Algorithm
    • Code Review for use of Weak Encryption Algorithm
    • Code Review for Use of SSL 
    • Code Review for use of URL for Storing Session Tokens
    • Code Review for Cookies Persistence
    • Code Review for Allowing Excessive Failed Login Attempts
    • Code Review for providing Relative path to Redirect Method
    • Code Review for Use of Server.Transfer() Method
    • Code Review for Keeping both Public and Restricted pages in Same folder 
    • Code Review for use of Weak Encryption Algorithm 
    • Code Review for use of ECB Cipher Mode 
    • Code Review for use of Zero Padding
    • Code Review for use of Small Key Size
    • Code Review for use of Small Block Size
    • Code Review for Cryptographic Keys Generation Mechanism
    • Code Review for Sensitive Information Leakage
    • Code Review for Generic Exception Throwing and Catching
    • Code Review for use of Unencrypted Cookies
    • Code Review for Overly Long Sessions
    • Code Review for Cookieless Sessions
    • Code Review for regeneration of Expired Sessions
    • Code Review for weak Session Key Generation Mechanism
    • Code Review for Cookies Vulnerable to Client-side Scripts attacks 
    • Code Review for Cookies Vulnerable to CSRF Attacks
    • Code Review for ViewState Security
    • Code Review for allowOverride Attribute
    • Code Review for Enabling Trace feature
    • Code Review for Enabling Debug feature
    • Code Review for Validate Request 
    • Code Review: Check List Approach
    • Sample Checklist
    • Input Validation
    • Authentication
    • Authorization
    • Session Management
    • Cryptography
    • Exception Handling
    • Logging
    • SAST Finding
    • SAST Report
    • SAST Reporting
    • Dynamic Application Security Testing
    • Types of DAST
    • Automated Application Vulnerability Scanning
    • Manual Application Penetration Testing
    • SAST vs DAST
    • Automated Application Vulnerability Scanning Tools
    • Web Application Security Scanners
    • WebInspect 
    • IBM Security AppScan
    • Additional Web Application Vulnerability Scanners 
    • Proxy-based Security Testing Tools 
    • Burp Suite
    • OWASP Zed Attack Proxy (ZAP)
    • Additional Proxy-based Security Testing Tools
    • Choosing Between SAST and DAST
  • Module 10 Title Secure Deployment and Maintenance
  • Module 10 Content
    • Secure Deployment
    • Prior Deployment Activity
    • Check the Integrity of Application Package Before Deployment
    • Review the Deployment Guide Provided by the Software Vendor
    • Deployment Activities: Ensuring Security at Various Levels
    • Host Level Deployment Security
    • IIS level Deployment Security
    • SQL Server Level Deployment Security 
    • Ensuring Security at Host Level
    • Check and Configure the Security of Machine Hosting Web Server, Application Server, Database Server and Network Devices
    • Physical Security
    • Host Level Security
    • Ensuring Security at Network Level
    • Network level Security
    • Router
    • Firewall
    • Switch
    • Ensuring Security at Application Level 
    • Web Application Firewall (WAF)
    • Benefits of WAF
    • WAF Limitations
    • WAF Vendors
    • Ensuring Security at IIS Level
    • Configure IIS Server Request Filtering Feature
    • Editing Request Filtering and Request Limits
    • Allowing or Denying a File Name Extension in Request Filtering
    • Adding a Hidden Segment in Request Filtering
    • Adding Limits for HTTP Headers in Request Filtering
    • Denying an HTTP Verb in Request Filtering
    • Setting Request Filtering Attributes using appcmd
    • Sites and Virtual Directories
    • Website Location
    • Script Mapping
    • Anonymous Internet User Account
    • Auditing and Logging
    • Web Permissions
    • IP Address and Domain Name Restrictions
    • Authentication
    • Parent Path Setting
    • Microsoft FrontPage Server Extensions
    • ISAPI Filters
    • Ensuring Security at .NET Level
    • Web.config and Machine.config Deployment Security Settings
    • Verify the Configuration Settings
    • Verify Lock Per-machine Settings
    • Verify trace Element Setting
    • Verify CustomError Settings
    • Verify maxRequestLength Setting
    • Verify debug Settings
    • Verify protection Setting 
    • Verify timeout Setting
    • Verify requireSSL Setting
    • Verify passwordFormat Setting 
    • Verify slidingExpiration Setting
    • Verify Name and Path Attribute Setting
    • Verify Authorization Element Setting
    • Verify Identity Element Setting
    • Verify roleManager Setting 
    • Verify cookieProtection Setting
    • Verify cookieRequireSSL Setting
    • Verify cookieTimeout Setting 
    • Verify createPersistentCookie Setting 
    • Verify sessionState Settings
    • Verify decryptionKey and validationKey Setting
    • Verify decryptionKey and validationKey Setting in Web Farm
    • Verify validation Setting
    • Verify trust Element Setting
    • Verify httphandlers Settings
    • Verify processModel Settings
    • Verify healthMonitoring Setting
    • Ensuring Security at SQL Server Level
    • Selecting Authentication Mode in SQL Server
    • Secure Mixed Mode Authentication 
    • Configure Password Enforcement Options for Standard SQL Server Logins
    • Delete or Disable Unused Accounts
    • Turn Off SQL Server Browser Service
    • Disable Unnecessary Features and Services
    • Service Account Management and Selection
    • Manage Privileged Access
    • Hiding SQL Server Instance
    • Implement Encryption
    • Implement Transparent Data Encryption
    • Configure SSL in SQL Server
    • Secure the Auditing Process
    • Security Maintenance and Monitoring
    • Post Deployment Activities: Security Maintenance and Monitoring
    • Security Maintenance Activities at OS level
    • Security Maintenance Activities at IIS level
    • Security Maintenance Activities at Application level
RM4,700.00(+RM282.00 Tax)
* Training Dates:

The Certified Application Security Engineer (CASE) credential is developed in partnership with large application and software development experts globally.
The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.


The CASE certified training program is developed concurrently to prepare software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications.


The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.
Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post development phases of application development.


This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, testers globally, and respected by hiring authorities.

The Purpose of CASE Is

  • To ensure that application security is no longer an afterthought but a foremost one.
  • To lay the foundation required by all application developers and development organizations, to produce secure applications with greater stability and fewer security risks to the consumer, therefore, making security a foremost thought.
  • To ensure that the organizations mitigate the risk of losing millions due to security compromises that may arise with every step of application development process.
  • To help individuals develop the habit of giving importance to security regardless of their job role in the SDLC, thereby opening security as a main domain for testers, developers, network administrators, etc.

Additional Info

  • Certification Course & Certificate
  • Course Code CASE.JAVA
  • Price RM4700
  • Exam Price Include
  • Exam Code 312-94
  • Duration 3 Days
  • CertificationInfo Certified Application Security Engineer
  • Principals EC-Council
  • Schedule

    18-20 Nov 2019

    13-15 Jan 2020

    8-10 Jun 2020

    17-19 Aug 2020

    16-18 Nov 2020

  • Audience
    • Java Developers with a minimum of 2 years of experience and individuals who want to become application security engineers/analysts/testers
    • Individuals involved in the role of developing, testing, managing, or protecting wide area of applications
  • At Course Completion


    Immediate Credibility: The CASE program affirms that you are indeed an expert in application security. It also demonstrates the skills that you possess for employers globally.
    Pertinent Knowledge: Through the CASE certification and training program, you will be able to expand your application security knowledge.
    Multifaceted Skills: CASE can be applied to a wide variety of platforms, such as, mobile applications, web applications, IoT devices, and many more.
    A Holistic Outlook: Ranging from pre-deployment to post-deployment security techniques, covering every aspect of the secure software development life cycle, CASE arms you with the necessary skills to build a secure application.
    Better Protect and Defend: By making an application more secure you are also helping defend both organizations and individuals globally. As a CASE, it is in your hands to protect and defend and ultimately help build a safer world.

  • Module 1 Title Understanding Application Security, Threats, and Attacks
  • Module 1 Content
    • What is a Secure Application
    • Need for Application Security 
    • Most Common Application Level Attacks
      • SQL Injection Attacks 
      • Cross-site Scripting (XSS) Attacks
      • Parameter Tampering
      • Directory Traversal
      • Cross-site Request Forgery (CSRF) Attack
      • Denial-of-Service (DoS) Attack
    • Denial-of-Service (DoS): Examples
      • Session Attacks
    • Cookie Poisoning Attacks
    • Session Fixation
    • Why Applications become Vulnerable to Attacks
      • Common Reasons for Existence of Application Vulnerabilities
      • Common Flaws That Exist Due to Insecure Coding Techniques
      • Improper Input Validation
      • Insufficient Transport Layer Protection
      • Improper Error Handling
      • Insecure Cryptographic Storage
      • Broken Authentication and Session Management
      • Unvalidated Redirects and Forwards
      • Insecure Direct Object References
      • Failure to Restrict URL Access
    • What Constitutes Comprehensive Application Security?
      • Application Security Frame
      • 3W’s in Application Security
    • Insecure Application: A Software Development Problem
      • Solution: Integrating Security in Software Development Life Cycle (SDLC)
      • Functional vs Security Activities in SDLC
      • Advantages of Integrating Security in SDLC
      • Microsoft Security Development Lifecycle (SDL)
    • Software Security Standards, Models, and Frameworks
      • The Open Web Application Security Project (OWASP)
      • OWASP Top 10 (2017)
      • The Web Application Security Consortium (WASC)
      • WASC Threat Classification
      • Software Security Framework
      • Software Assurance Maturity Model (SAMM)
      • Building Security In Maturity Model (BSIMM)
      • BSIMM vs OpenSAMM
  • Module 2 Title Security Requirements Gathering
  • Module 2 Content
    • Importance of Gathering Security Requirements
      • Security Requirements
      • Gathering Security Requirements
      • Why We Need a Different Approach for Security Requirements Gathering
      • Key Benefits of Addressing Security at Requirement Phase
      • Stakeholders Involvement in Security Requirements Gathering 
      • Characteristics of Good Security Requirement: SMART
      • Types of Security Requirements
      • Functional Security Requirements
      • Security Drivers
    • Security Requirement Engineering (SRE)
    • SRE Phases
      • Security Requirement Elicitation
      • Security Requirement Analysis
      • Security Requirement Specification
      • Security Requirement Management
    • Common Mistakes Made in Each Phase of SRE
    • Different Security Requirement Engineering Approaches/Models
    • Abuse Case and Security Use Case Modeling
    • Abuse Cases
    • Threatens Relationship
    • Abuse Case Modeling Steps
    • Abuse Cases: Advantages and Disadvantages
    • Abuse Case Template
    • Security Use Cases
    • Security Use Cases are Abuse Case Driven
    • Modeling Steps for Security Use Cases
    • Mitigates Relationship
    • Abuse Case vs Security Use Case
    • Security Use Case: Advantages and Disadvantages
    • Security Use Case Template
    • Security Use Case Guidelines
    • Example 1: Use Case for Online Bidding System
    • Example 1: Abuse Case for Online Bidding System
    • Example 1: Security Use Case for Online Bidding System
    • Example 2: Use Case for ATM System
    • Example 2: Abuse Case for ATM System
    • Example 2: Security Use Case for ATM System
    • Example 3: Use Case for E-commerce System
    • Example 3: Abuse Case for E-commerce System
    • Example 3: Security Use Case for E-commerce System
    • Effectiveness of Abuse and Security Case
    • Abuser and Security Stories
    • Textual Description Template: Abuser Stories and Security Stories
    • Examples: Abuser Stories and Security Stories
    • Effectiveness of Abuser and Security Stories
    • Abuser Stories: Advantages and Disadvantages
    • Security Quality Requirements Engineering (SQUARE)
      • SQUARE Effectiveness
      • SQUARE Process
      • SQUARE: Advantages and Disadvantages 
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
      • OCTAVE Effectiveness
      • OCTAVE Steps
      • OCTAVE: Advantages and Disadvantages
  • Module 3 Title Secure Application Design and Architecture
  • Module 3 Content
    • Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
    • Secure Application Design and Architecture
    • Goal of Secure Design Process
    • Secure Design Actions
    • Security Requirement Specifications 
    • Secure Design Principles
    • Threat Modeling 
    • Secure Application Architecture 
    • Secure Design Principles
      • Defining Secure Design Principles
      • Security through Obscurity
      • Secure the Weakest Link
      • Use the Least Privilege Principle
      • Secure by Default
      • Fail Securely
      • Apply Defense in Depth
      • Do Not Trust User Input
      • Reduce Attack Surface
      • Enable Auditing and Logging
      • Keep Security Simple
      • Separation of Duties
      • Fix Security Issues Correctly
      • Apply Security in the Design Phase
      • Protect Sensitive Data
      • Exception Handling
      • Secure Memory Management
      • Protect Memory or Storage Secrets
      • Fundamentals of Control Granularity
      • Fault Tolerance
      • Fault Detection
      • Fault Removal
      • Fault Avoidance
      • Loose Coupling
      • High Cohesion
      • Change Management and Version Control
    • Threat Modeling
    • Threat Modeling Phases 
    • Attack Surface Evaluation
    • Threat Identification
    • Impact Analysis
    • Control Recommendations
    • Threat Modeling Process
    • Identify Security Objective
    • Application Overview
    • Decompose Application
    • Identify Threats
    • Identify Vulnerabilities
    • Identify Security Objective
    • How to Identify Security Objectives
    • Create an Application Overview
    • Draw the End-to-End Deployment Architecture
    • Identify Various User Roles
    • Identify Use Case Scenarios
    • Identify Technologies
    • Identify Application Security Mechanisms
    • Decompose Application
      • Prepare and Document Threat Model Information
    • Example: Threat Model Information
      • Identify the External Dependencies
    • External Dependencies: Example
      • Identify the Entry Points
    • Entry Points: Example
      • Identify the Assets
    • Assets: Example
      • Identify the Trust Levels
    • Trust Levels: Example
      • Assign Trust Levels to Entry Points
      • Assign Trust Levels to Assets
      • Perform Application Modeling using Data Flow Diagrams (DFDs)
      • Determine the Threats: Identify the Goal of an Attacker and Create Threat Profile 
    • Example: Attacker’s Goal/Threat Profile and Vulnerabilities Associated
      • Determine the Threats: Create a Security Profile 
      • Identify the Threats
    • The STRIDE Model
      • Example: Threat Categorized and Identified using STRIDE 
    • Determine Countermeasures and Mitigation Security Controls 
    • Document the Threats
    • Rating the Threats
    • Rating the Threats: DREAD Model
    • Secure Application Architecture
    • Design Secure Application Architecture
  • Module 4 Title Secure Coding Practices for Input Validation
  • Module 4 Content
    • Input Validation
    • Why Input Validation?
    • Input Validation Specification
    • Input Validation Approaches
    • Validation and Security Issues
    • Impact of Invalid Data Input
    • Data Validation Techniques
    • Input Validation using Frameworks and APIs
    • Open Source Validation Framework for Java
    • Servlet Filters
    • Validation Filters for Servlet
    • Data Validation using OWASP ESAPI
    • Data Validation: Struts Framework
    • Struts Validator
    • Struts Validation and Security
    • Data Validation using Struts Validator
    • Avoid Duplication of Validation Forms
    • Secure and Insecure Struts Validation Code
    • Struts Validator Class
    • Secure and Insecure Code for Struts Validator Class
    • Enable the Struts Validator
    • Secure and Insecure Struts Validator Code
    • Struts 2 Framework Validator
    • Struts 2 Framework: Built-in Data Validators
    • Struts 2 Framework Annotation Based Validators
    • Struts 2 Custom Validation: Workflow Interceptor
    • Struts 2 Ajax Validation: jsonValidation Interceptor
    • Data Validation: Spring Framework
    • Spring Validator
    • Data Validation: Spring MVC Framework
    • Implementing Validator
    • JSR 380 Bean Validation API
    • Configuring JSR 380
    • Custom Validator Implementation in Spring
    • Spring Validation and Security
    • Input Validation Errors
    • Improper Sanitization of Untrusted Data
    • Improper Validation of Strings
    • Improper Logging of User Inputs
    • Improper Incorporation of Malicious Inputs into Format Strings
    • Inappropriate Use of Split Characters in Data Structures
    • Improper Validation of Non-Character Code Points
    • Improper Use of String Modification
    • Improper Comparison of Locale-dependent Data
    • Best Practices for Input Validation
    • Common Secure Coding Practices
    • SQL Injection
    • Prepared Statement
    • Stored Procedures
    • Vulnerable and Secure Code for Stored Procedures
    • Stored Procedure for Securing Input Validation
    • Cross-site Scripting (XSS)
    • Whitelisting vs Blacklisting
    • Vulnerable and Secure Code for Blacklisting & Whitelisting
    • Regular Expressions
    • Vulnerable and Secure Code for Regular Expressions
    • Character Encoding
    • Vulnerable and Secure Code for Character Encoding
    • Checklist for Character Encoding
    • Cross-site Scripting (XSS) Countermeasures
    • HTML Encoding
    • Vulnerable and Secure Code for HTML Encoding
    • HTML Encoding using ESAPI Encoder
    • Cross-site Request Forgery (CSRF)
    • Cross-site Request Forgery (CSRF) Countermeasures
    • Directory Traversal
    • Directory Traversal Countermeasures
    • HTTP Response Splitting
    • HTTP Response Splitting Countermeasures
    • Parameter Manipulation and Countermeasures
    • Protecting Application from Log Injection Attack
    • XML Injection
    • Command Injection
    • LDAP Injection
    • XML External Entity Attack
    • Unrestricted File Upload Attack
    • Prevent Unrestricted File Upload: Validate File Extension
    • Injection Attacks Countermeasures
    • CAPTCHA
    • Sample Code for Creating CAPTCHA
    • Sample Code for CAPTCHA Verification
    • Sample Code for Displaying CAPTCHA
    • Best Practices for Input Validation
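The Module 4 topics (allow-listing versus blacklisting, prepared statements, HTML encoding) condensed into one runnable program. This is an added illustration written for this page, not EC-Council courseware; the class and method names are my own, the attack strings are constructed samples, and the JDBC method takes a Connection supplied by the caller because no database driver is assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/* Added example (not course material): allow-list validation, parameterised SQL
 * and contextual HTML output encoding using only the JDK. */
public class InputValidationDemo {

    // Allow-list: a username is 3-32 characters from a fixed alphabet. Anything else is
    // rejected outright rather than "cleaned"; rejecting is safer than stripping characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    // Vulnerable: the user-controlled value becomes part of the SQL text, so an input such
    // as  x' OR '1'='1  changes the structure of the query (SQL injection).
    public static String buildQueryInsecure(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    // Secure: the query text is fixed and the value is bound as a parameter, so the driver
    // never interprets the input as SQL. Validation is still applied first (defence in depth).
    public static String findEmail(Connection conn, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username rejected by allow-list");
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT email FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // HTML entity encoding for data placed in an HTML element body. Encoding happens at
    // output time, for the context the data lands in; input validation does not replace it.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String sqli = "x' OR '1'='1";                 // constructed sample input
        String xss  = "<script>alert(1)</script>";   // constructed sample input
        System.out.println("allow-list accepts injection? " + isValidUsername(sqli)); // false
        System.out.println("allow-list accepts alice?     " + isValidUsername("alice")); // true
        System.out.println("insecure query text: " + buildQueryInsecure(sqli));
        System.out.println("encoded for HTML:    " + htmlEncode(xss));
        // findEmail(conn, "alice") is called with a real JDBC Connection in an application.
    }
}
```

Note that the allow-list rejects the injection string before it reaches the database, and the PreparedStatement would neutralise it even if validation were bypassed; the two controls are independent.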
  • Module 5 Title Secure Coding Practices for Authentication and Authorization
  • Module 5 Content
    • Introduction to Authentication 
    • Java Container Authentication
    • Authorization Mechanism Implementation
    • Types of Authentication
    • Declarative vs Programmatic Authentication
    • Declarative Security Implementation
    • Programmatic Security Implementation
    • Java EE Authentication Implementation Example
    • Basic Authentication
    • How to Implement Basic Authentication?
    • Form-based Authentication
    • Form-based Authentication Implementation
    • Implementing Kerberos-Based Authentication
    • Secured Kerberos Implementation
    • Client Certificate Authentication
    • Certificate Generation with Keytool
    • Implementing Encryption and Certificates in Client Application
    • Authentication Weaknesses and Prevention
    • Brute Force Attack
    • Web-based Enumeration Attack
    • Weak Password Attacks  
    • Introduction to Authorization
    • Java EE-Based Authorization
    • Declarative
    • Programmatic
    • Access Control Model
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role-based Access Control (RBAC)
    • Servlet Container
    • Authorizing Users by Servlets
    • EJB Authorization
    • EJB Authorization Controls
    • Declarative Security with EJBs
    • Programmatic Security with EJBs 
    • Java Authentication and Authorization Service (JAAS)
    • JAAS Features
    • JAAS Architecture
    • Pluggable Authentication Module (PAM) Framework
    • JAAS Classes
    • JAAS Subject and Principal
    • Authentication in JAAS
    • Authentication Steps in JAAS
    • Authorization in JAAS
    • Authorization Steps in JAAS
    • Subject Methods doAs() and doAsPrivileged()
    • Impersonation in JAAS
    • JAAS Permissions
    • LoginContext in JAAS
    • Creating LoginContext
    • LoginContext Instantiation
    • JAAS Configuration
    • Locating JAAS Configuration File
    • JAAS CallbackHandler and Callbacks
    • Login to Standalone Application
    • JAAS Client
    • LoginModule Implementation in JAAS
    • Methods Associated with LoginModule
    • LoginModule Example
    • Phases in Login Process
    • Java EE Security
    • Java EE Application Architecture
    • Java EE Servers as Code Hosts
    • Declaring Roles
    • HTTP Authentication Schemes
    • Authorization Common Mistakes and Countermeasures
    • Common Mistakes
    • Authentication and Authorization in Spring Security Framework
    • Spring Security Framework
    • Spring Security Modules
    • Spring Authentication
    • Storing Username and Password
    • Securing Authentication Provider
    • Implementing HTTP Basic Authentication
    • Form-based Authentication
    • Implementing Digest Authentication
    • Security Expressions
    • URL-based Authorization
    • JSP Page Content Authorization
    • JSP Page Content Authorization with Domain Object’s ACL
    • Method Authorization
    • Configuring Anonymous Login
    • Logout Feature Configuration
    • Remember-Me Authentication
    • Integrating Spring Security with JAAS
    • Spring JAAS Implementation
    • Defensive Coding Practices against Broken Authentication and Authorization
    • Do Not Store Password in Java String Object
    • Avoid Cookie-based Remember-Me; Use Persistent Remember-Me
    • Implement Appropriate Session Timeout
    • Prevent Session Stealing by Securing SessionID Cookie
    • Secure Development Checklists: Broken Authentication and Session Management
  • Module 6 Title Secure Coding Practices for Cryptography
  • Module 6 Content
    • Java Cryptography
    • Need for Java Cryptography
    • Java Security with Cryptography
    • Java Cryptography Architecture (JCA)
    • Java Cryptography Extension (JCE)
    • Encryption and Secret Keys
    • Attack Scenario: Inadequate/Weak Encryption
    • Encryption: Symmetric and Asymmetric Key
    • Encryption/Decryption Implementation Methods
    • SecretKeys and KeyGenerator
    • Implementation Methods of KeyGenerator Class
    • Creating SecretKeys with KeyGenerator Class
    • Cipher Class
    • The Cipher Class
    • Implementation Methods of Cipher Class
    • Insecure Code for Cipher Class using DES Algorithm
    • Secure Code for Cipher Class using AES Algorithm
    • Digital Signatures
    • Attack Scenario: Man-in-the-Middle Attack
    • Digital Signatures
    • The Signature Class
    • Implementation Methods of Signature Class
    • The SignedObject Class
    • Implementation Methods of SignedObject
    • The SealedObject Class
    • Implementation Methods of SealedObject
    • Insecure and Secure Code for Signed/Sealed Objects
    • Java XML Digital Signature
    • Secure Sockets Layer (SSL)
    • Java Secure Socket Extension (JSSE)
    • SSL and Security: Example 1
    • SSL and Security: Example 2
    • JSSE and HTTPS
    • Insecure HTTP Server Code
    • Secure HTTP Server Code
    • Key Management
    • Attack Scenario: Poor Key Management
    • Keys and Certificates
    • Key Management System
    • KeyStore
    • Implementation Method of KeyStore Class
    • KeyStore: Persistent Data Stores
    • Key Management Tool: keytool
    • Digital Certificates
    • Certification Authorities
    • Signing Jars
    • JAR Signing Tool: jarsigner
    • Signed Code Sources
    • Insecure Code for Signed Code Sources
    • Secure Code for Signed Code Sources
    • Hashing
    • Hashing Algorithms
    • Securing Hashed Password with Salt
    • Implementing Hashing with Salt in Spring Security
    • Java Card Cryptography
    • Spring Security: Crypto Module
    • Crypto Module
    • Spring Security Crypto Module
    • Key Generators
    • PasswordEncoder
    • Implementing BCryptPasswordEncoder()
    • Configuring BCryptPasswordEncoder() in Spring Security
    • JavaScript Object Signing and Encryption (JOSE)
    • Attacks against JWT, JWS and JWE
    • Implementing JWS using Jose4J
    • Implementing JWE using Jose4J
    • Implementing JWK using Jose4J
    • Dos and Don’ts in Java Cryptography
    • Dos and Don’ts
    • Avoid using Insecure Cryptographic Algorithms
    • Avoid using Statistical PRNG, Inadequate Padding and Insufficient Key Size
    • Implement Strong Entropy
    • Implement Strong Algorithms
    • Best Practices for Java Cryptography
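The Module 6 items on the Cipher class (insecure DES beside secure AES), SecureRandom entropy, salted password hashing and the "Do Not Store Password in a Java String Object" point from Module 5, shown as one runnable JDK-only program. This is an added example written for this page, not EC-Council courseware; class and method names, the iteration count and the sample plaintext are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/* Added example (not course material): AES-GCM with SecureRandom keys and IVs,
 * an insecure DES counterpart, and PBKDF2 salted password hashing. */
public class JcaDemo {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, never java.util.Random
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 210_000;        // assumed cost parameter

    // Insecure: "DES" resolves to DES/ECB/PKCS5Padding: 56-bit key, no IV, ECB leaks
    // plaintext patterns, and nothing authenticates the ciphertext.
    public static byte[] encryptInsecureDes(byte[] key8, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("DES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key8, "DES"));
        return c.doFinal(plaintext);
    }

    public static SecretKey generateAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    // Secure: AES-256 in GCM mode, fresh random 96-bit IV per message; output is IV || ciphertext+tag.
    public static byte[] encryptAesGcm(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException (a GeneralSecurityException) if the IV, ciphertext or tag was altered.
    public static byte[] decryptAesGcm(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    // Password storage: random 16-byte salt, PBKDF2-HMAC-SHA256, stored as "iterations:salt:hash".
    // The password is a char[] so the caller can wipe it; a String would stay in the heap until GC.
    public static String hashPassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PBKDF2_ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    public static boolean verifyPassword(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(new PBEKeySpec(password, salt, iterations, 256)).getEncoded();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "card=4111111111111111".getBytes(StandardCharsets.UTF_8); // constructed sample
        SecretKey key = generateAesKey();
        byte[] blob = encryptAesGcm(key, msg);
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(msg, decryptAesGcm(key, blob)));
        blob[blob.length - 1] ^= 0x01;                    // flip one bit of the authentication tag
        try {
            decryptAesGcm(key, blob);
            System.out.println("tampering NOT detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
        byte[] desKey = new byte[8];
        RNG.nextBytes(desKey);
        System.out.println("DES ciphertext bytes (legacy, do not use): " + encryptInsecureDes(desKey, msg).length);
        char[] pw = "correct horse battery staple".toCharArray();
        String record = hashPassword(pw);
        System.out.println("password verifies: " + verifyPassword(pw, record));
        System.out.println("wrong password verifies: " + verifyPassword("wrong".toCharArray(), record));
        Arrays.fill(pw, '\0');                            // wipe the secret once it is no longer needed
    }
}
```

The GCM tag check is the property DES/ECB lacks: a single flipped bit makes decryption fail instead of returning silently corrupted plaintext. The same program structure (key from KeyGenerator, IV from SecureRandom, never a hard-coded key) is what the "Dos and Don'ts" items above ask for.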
  • Module 7 Title Secure Coding Practices for Session Management
  • Module 7 Content
    • Session Management
    • Session Tracking
    • Session Tracking Methods
    • HttpSession
    • Cookies
      • Setting a Limited Time Period for Session Expiration
      • Preventing Session Cookies from Client-Side Script Attacks
    • URL Rewriting
      • Example Code for URL Rewriting
    • Hidden Fields
    • Session Objects
    • Session Management in Spring Security
    • Spring Session Management
    • Session Management using Spring Security
    • Restricting Concurrent Sessions per User using Spring Security
    • Controlling Session Timeout
    • Prevent using URL Parameters for Session Tracking
    • Prevent Session Fixation with Spring Security
    • Use SSL for Secure Connection
    • Session Vulnerabilities and their Mitigation Techniques
    • Session Vulnerabilities
    • Types of Session Hijacking Attacks
    • Countermeasures for Session Hijacking
    • Countermeasures for Session ID Protection
    • Best Practices and Guidelines for Secured Sessions Management
    • Best Coding Practices for Session Management
    • Checklist to Secure Credentials and Session IDs
    • Guidelines for Secure Session Management
  • Module 8 Title Secure Coding Practices for Error Handling
  • Module 8 Content
    • Introduction to Exceptions
    • Exception and Error Handling
    • Checked Exceptions
    • Unchecked Exceptions
    • Example of an Exception
    • Handling Exceptions in Java
    • Exception Classes Hierarchy
    • Exceptions and Threats
    • Erroneous Exceptional Behaviors
    • Suppressing or Ignoring Checked Exceptions
    • Disclosing Sensitive Information
    • Logging Sensitive Data
    • Restoring Objects to Prior State, if a Method Fails
    • Avoid using Statements that Suppress Exceptions
    • Prevent Access to Untrusted Code that Terminates JVM
    • Never Catch java.lang.NullPointerException
    • Never Allow methods to Throw RuntimeException, Exception, or Throwable
    • Never Throw Undeclared Checked Exceptions
    • Never Let Checked Exceptions Escape from Finally Block
    • Dos and Don'ts in Error Handling
    • Dos and Don'ts in Exception Handling
    • Avoid Logging an Error and Throwing the Exception at the Same Time
    • Spring MVC Error Handling
    • Handling Controller Exceptions with @ExceptionHandler Annotation
    • Handling Controller Exceptions with HandlerExceptionResolver
    • Spring MVC: Global Exception Handling
    • Global Exception Handling: HandlerExceptionResolver
    • Mapping Custom Exceptions to Status Codes with @ResponseStatus
    • Configure Custom Error Page in Spring MVC
    • Exception Handling in Struts 2
    • Exception Handling: Struts 2
    • Best Practices for Error Handling
    • Best Practices for Handling Exceptions in Java
    • Introduction to Logging
    • Logging in Java
    • Example for Logging Exceptions
    • Logging Levels
    • Logging using Log4j
    • Log4j and Java Logging API
    • Java Logging using Log4j
    • Secure Coding in Logging
    • Vulnerabilities in Logging
    • Logging: Vulnerable Code and Secure Code
    • Secured Practices in Logging

     

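The Module 8 points on disclosing sensitive information through exceptions, catching specific rather than generic exceptions, and log injection ("Logging: Vulnerable Code and Secure Code") shown side by side in one runnable program that uses only java.util.logging. This is an added example written for this page, not EC-Council courseware; the class, the UserNotFoundException type and the forged log line are my own constructions.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/* Added example (not course material): leaking vs. non-leaking error handling
 * and neutralising untrusted input before it enters a log line. */
public class ErrorHandlingDemo {
    private static final Logger LOG = Logger.getLogger(ErrorHandlingDemo.class.getName());

    // Hypothetical application exception; the message deliberately carries internal detail.
    static class UserNotFoundException extends Exception {
        UserNotFoundException(String msg) { super(msg); }
    }

    // Stand-in for a data-access call (no database assumed).
    static String lookup(String username) throws UserNotFoundException {
        if ("alice".equals(username)) return "alice@example.com";
        throw new UserNotFoundException("no row for " + username + " in table users (db=prod-01)");
    }

    // Insecure: generic catch, the raw exception text (table and host names) is returned to the
    // client, and the user-supplied value is logged as-is, so a "\n" inside it forges a second
    // log record (log injection).
    public static String handleInsecure(String username) {
        try {
            return lookup(username);
        } catch (Exception e) {
            LOG.severe("lookup failed for " + username + ": " + e);
            return "Error: " + e;
        }
    }

    // Secure: catch the specific exception, keep the detail server-side under a correlation id
    // with the untrusted value neutralised, and return only a generic message plus the id.
    public static String handleSecure(String username) {
        try {
            return lookup(username);
        } catch (UserNotFoundException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "ref={0} lookup failed for user=\"{1}\": {2}",
                    new Object[] { ref, forLog(username), e.getMessage() });
            return "Request could not be completed. Reference: " + ref;
        }
    }

    // Escape CR, LF and other control characters so a value cannot break out of its log line.
    public static String forLog(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            if (c == '\r') sb.append("\\r");
            else if (c == '\n') sb.append("\\n");
            else if (c < 0x20 || c == 0x7f) sb.append(String.format("\\x%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a username followed by a newline and a fake "login succeeded" record.
        String forged = "bob\n2020-04-20 INFO login succeeded for admin";
        System.out.println("client sees (insecure): " + handleInsecure(forged));
        System.out.println("client sees (secure):   " + handleSecure(forged));
        System.out.println("client sees (secure):   " + handleSecure("alice"));
    }
}
```

Run it and compare the two log records on stderr: the insecure path prints the forged "login succeeded" line as if it were a real event, while the secure path shows it as one escaped string, and the client response no longer names the table or the database host.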
  • Module 9 Title Static and Dynamic Application Security Testing (SAST & DAST)
  • Module 9 Content
    • Static Application Security Testing
    • Static Application Security Testing (SAST)
    • Objectives of SAST
    • Why SAST
    • Skills required for SAST
    • What to look for in SAST
    • Common Vulnerabilities Identified Through SAST
    • Types of SAST
    • Automated Source Code Analysis
    • Manual Source Code Review
    • Where does Secure Code Review Fit in SDLC?
    • SAST Steps
    • SAST Activities-flow Chart
    • Recommendation for Effective SAST
    • SAST Deliverable
    • Automated Source Code Analysis
    • Static Code Analysis Using Checkmarx
    • Static Code Analysis Using Visual Code Grepper (VCG)
    • Static Code Analysis Using HP Fortify
    • Static Code Analysis Using Rational AppScan Source Edition
    • Selecting Static Analysis Tool
    • Manual Secure Code Review
    • Manual Secure Code Review for Most Common Vulnerabilities
    • Code Review for PCI DSS Compliance
    • Code Review for Blacklisting Validation Approach
    • Code Review for Client Side Validation Approach
    • Code Review for Non-parametrized SQL Query
    • Review Code for Non-parameterized Stored Procedure
    • Code Review for XSS Vulnerability
    • Review Code for Unvalidated Redirects and Forwards
    • Code Review for Weak Password Authentication 
    • Code Review for Hard-Coded Passwords
    • Code Review for Clear-text Credentials in Authentication
    • Code Review for Unencrypted Form Authentication Tickets
    • Code Review for Clear-text Connection strings
    • Code Review for Weak Password Length
    • Code Review for Inappropriate Authorization 
    • Code Review for use of Weak Hashing Algorithm
    • Code Review for use of Weak Encryption Algorithm
    • Code Review for Use of SSL 
    • Code Review for use of URL for Storing Session Tokens
    • Code Review for Cookies Persistence
    • Code Review for Allowing More Number of Failed Login attempts
    • Code Review for providing Relative path to Redirect Method
    • Code Review for Use of Server.Transfer() Method
    • Code Review for Keeping both Public and Restricted pages in Same folder 
    • Code Review for use of ECB Cipher Mode 
    • Code Review for use of Zero Padding
    • Code Review for use of Small Key Size
    • Code Review for use of Small Block Size
    • Code Review for Cryptographic Keys Generation Mechanism
    • Code Review for Sensitive Information Leakage
    • Code Review for Generic Exception Throwing and Catching
    • Code Review for use of Unencrypted Cookies
    • Code Review for Overly Long Sessions
    • Code Review for Cookieless Sessions
    • Code Review for regeneration of Expired Sessions
    • Code Review for weak Session Key Generation Mechanism
    • Code Review for Cookies Vulnerable to Client-side Scripts attacks 
    • Code Review for Cookies Vulnerable to CSRF Attacks
    • Code Review for ViewState Security
    • Code Review for allowOverride Attribute
    • Code Review for Enabling Trace feature
    • Code Review for Enabling Debug feature
    • Code Review for Validate Request 
    • Code Review: Check List Approach
    • Sample Checklist
      • Input Validation
      • Authentication
      • Authorization
      • Session Management
      • Cryptography
      • Exception Handling
      • Logging
    • SAST Finding
    • SAST Report
    • SAST Reporting
    • Dynamic Application Security Testing
    • Types of DAST
    • Automated Application Vulnerability Scanning
    • Manual Application Penetration Testing
    • SAST vs DAST
    • Automated Application Vulnerability Scanning Tools
    • Web Application Security Scanners
    • WebInspect 
    • IBM Security AppScan
    • Additional Web Application Vulnerability Scanners 
    • Proxy-based Security Testing Tools 
    • Burp Suite
    • OWASP Zed Attack Proxy (ZAP)
    • Additional Proxy-based Security Testing Tools
    • Choosing Between SAST and DAST
  • Module 10 Title Secure Deployment and Maintenance
  • Module 10 Content
    • Secure Deployment
    • Prior Deployment Activity
    • Check the Integrity of Application Package Before Deployment
    • Review the Deployment Guide Provided by the Software Vendor
    • Deployment Activities: Ensuring Security at Various Levels
    • Host Level Deployment Security
    • IIS level Deployment Security
    • SQL Server Level Deployment Security 
    • Ensuring Security at Host Level
    • Check and Configure the Security of Machine Hosting Web Server, Application Server, Database Server and Network Devices
    • Physical Security
    • Host Level Security
    • Ensuring Security at Network Level
    • Network level Security
    • Router
    • Firewall
    • Switch
    • Ensuring Security at Application Level 
    • Web Application Firewall (WAF)
    • Benefits of WAF
    • WAF Limitations
    • WAF Vendors
    • Ensuring Security at Web Container Level
    • Install and Configure Tomcat Securely
    • Remove Server Banner
    • Start Tomcat with Security Manager
    • Configure Default Servlet Not to Serve Index Pages
    • Replace Default Error Page
    • Replace Default server.xml
    • Protect Shutdown Port
    • Restrict Access to Tomcat Manager Applications
    • Protecting Resources with Realms
    • Store Passwords as Digest
    • Do Not Run Tomcat as Root
    • Configure Restricted Datasets
    • Session Handling using App Mode in Tomcat
    • Role Based Security
    • Securing Tomcat at Network level
    • Java Runtime Security Configurations
    • Tomcat General Security Setting
    • Verify Trace Element Setting in server.xml
    • Verify CustomError Settings in web.xml
    • Verify maxPostSize Setting
    • Tomcat Security Checklist
    • Checklist for Security Configuration in server.xml File in Apache Tomcat
    • Tomcat High Availability
    • Best Practices for Securing Tomcat
    • Ensuring Security in Oracle
    • Oracle Database General Security Overview
    • Methods of Authentication in Oracle
    • Authentication by Oracle Database
    • Oracle Security Features
    • Default Database Installation and Configuration Security
    • Managing User Accounts Securely for the Site
    • Securing User Accounts
    • Password Management
    • Lock all Expired Accounts
    • Assign Users to Password Profile
    • Disable Remote Operating System Authentication
    • Securing Data
    • Restrict Access to Operating System Directories
    • Securing Database Installation and Configuration
    • Securing Network
    • How to Configure Encryption on the Client and the Server
    • Control Access Data
    • Virtual Private Database
    • Oracle Label Security
    • Database Vault
    • Management and Reports
    • Disabling the Recycle Bin
    • Audit Vault
    • Built-in Audit Tools
    • Standard Database Auditing
      • Standard Auditing: Enable Network Auditing
    • Value Based Auditing
    • Fine Grained Auditing (FGA)
    • Recommended Audit Settings
    • Security Maintenance and Monitoring
    • Post Deployment Activities: Security Maintenance and Monitoring
    • Security Maintenance Activities at OS Level
    • Security Maintenance Activities at Web Container Level
    • Security Maintenance Activities at Application Level
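The Tomcat hardening items above (remove server banner, protect shutdown port, replace default error page, trace and maxPostSize settings, no automatic deployment) as one constructed conf/server.xml fragment. This is an added configuration example written for this page, not EC-Council courseware or Tomcat's shipped file; the port numbers, the 2 MB limit and the "Apache" banner value are placeholders, and the attributes shown are the standard Tomcat 8/9 ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed conf/server.xml fragment (added example, not from the course). -->

<!-- port="-1" disables the shutdown listener entirely. If it must stay enabled, keep it bound
     to 127.0.0.1 (the default) and replace the well-known "SHUTDOWN" string with a random one. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- server="..."      replaces the version-revealing Server response header
         allowTrace        keeps HTTP TRACE off (the default, made explicit for review)
         maxPostSize       caps the form body Tomcat will parse, in bytes (placeholder: 2 MB) -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               server="Apache"
               allowTrace="false"
               maxPostSize="2097152" />

    <Engine name="Catalina" defaultHost="localhost">
      <!-- autoDeploy="false": nothing dropped into webapps/ at runtime is deployed;
           deployments happen only at startup and on purpose. -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" deployOnStartup="true">

        <!-- Replaces the stock error page, which otherwise reveals the Tomcat version
             and, for uncaught exceptions, a stack trace. -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Pair this with removing the manager and host-manager applications (or restricting them to a management network), running Tomcat as an unprivileged user, and a web.xml whose error-page elements point at static pages, as the checklist items above describe.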
This latest iteration of EC-Council’s Certified Incident Handler (E|CIH) program has been designed and developed in collaboration with cybersecurity and incident handling and response practitioners across the globe.

It is a comprehensive specialist-level program that imparts knowledge and skills that organizations need to effectively handle post breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective.

Following a rigorous development which included a careful Job Task Analysis (JTA) related to incident handling and incident first responder jobs, EC-Council developed a highly interactive, comprehensive, standards-based, intensive 3-day training program and certification that provides a structured approach to learning real-world incident handling and response requirements.

Professionals interested in pursuing incident handling and response as a career require comprehensive training that not only imparts concepts but also lets them experience real scenarios. The E|CIH program includes hands-on learning delivered through labs within the training program. True employability after earning a certification can only be achieved when the core of the curriculum maps to and complies with government- and industry-published incident handling and response frameworks.

E|CIH is a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response from preparing and planning the incident handling response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents to protect organizations from future threats or attacks.

Additional Info

  • Certification Course & Certificate
  • Course Code ECIH
  • Price RM4700
  • Exam Price Include
  • Exam Code 212-89
  • Duration 3 Days
  • CertificationInfo EC-Council Certified Incident Handler
  • Principals EC-Council
  • Schedule

    27-29 Apr 2020 (Penang)

    1-3 Jun 2020

    7-8 Sep 2020 (Penang)

    5-7 Oct 2020

  • Audience

    The incident handling skills taught in E|CIH are complementary to the job roles below as well as many other cybersecurity jobs:

    • Penetration Testers
    • Vulnerability Assessment Auditors
    • Risk Assessment Administrators
    • Network Administrators
    • Application Security Engineers
    • Cyber Forensic Investigators/Analysts and SOC Analysts
    • System Administrators/Engineers
    • Firewall Administrators and Network Managers/IT Managers
  • At Course Completion
    • Understand the key issues plaguing the information security world
    • Learn to combat different types of cybersecurity threats, attack vectors, threat actors and their motives
    • Learn the fundamentals of incident management including the signs and costs of an incident
    • Understand the fundamentals of vulnerability management, threat assessment, risk management, and incident response automation and orchestration
    • Master all incident handling and response best practices, standards, cybersecurity frameworks, laws, acts, and regulations
    • Decode the various steps involved in planning an incident handling and response program
    • Gain an understanding of the fundamentals of computer forensics and forensic readiness
    • Comprehend the importance of the first response procedure including evidence collection, packaging, transportation, storing, data acquisition, volatile and static evidence collection, and evidence analysis
    • Understand the anti-forensics techniques attackers use to cover up cybersecurity incidents
    • Apply the right techniques to different types of cybersecurity incidents in a systematic manner including malware incidents, email security incidents, network security incidents, web application security incidents, cloud security incidents, and insider threat-related incidents
  • Module 1 Title Introduction to Incident Handling and Response
  • Module 2 Title Incident Handling and Response Process
  • Module 3 Title Forensic Readiness and First Response
  • Module 4 Title Handling and Responding to Malware Incidents
  • Module 5 Title Handling and Responding to Email Security Incidents
  • Module 6 Title Handling and Responding to Network Security Incidents
  • Module 7 Title Handling and Responding to Web Application Security Incidents
  • Module 8 Title Handling and Responding to Cloud Security Incidents
  • Module 9 Title Handling and Responding to Insider Threats
Digital forensic practices stem from forensic science, the science of collecting and examining evidence or materials. Digital or computer forensics focuses on the digital domain, including computer forensics, network forensics, and mobile forensics. As the cyber security profession evolves, organizations are learning the importance of employing digital forensic practices in their everyday activities. Computer forensic practices can help investigate attacks and system anomalies, or even help system administrators detect a problem by defining what normal functional behavior looks like and validating system information against it for irregularities.

In the event of a cyber-attack or incident, it is critical investigations be carried out in a manner that is forensically sound to preserve evidence in the event of a breach of the law. Far too many cyber-attacks are occurring across the globe where laws are clearly broken and due to improper or non-existent forensic investigations, the cyber criminals go either unidentified, undetected, or are simply not prosecuted.

Cyber Security professionals who acquire a firm grasp on the principles of digital forensics can become invaluable members of Incident Handling and Incident response teams. The Computer Hacking Forensic Investigator course provides a strong baseline knowledge of key concepts and practices in the digital forensic domains relevant to today’s organizations. CHFI provides its attendees a firm grasp on the domains of digital forensics.

Additional Info

  • Certification Course & Certificate
  • Course Code CHFI
  • Price RM6000
  • Exam Price Include
  • Exam Code 312-49
  • Duration 5 Days
  • Certification Info Computer Hacking Forensics Investigator (CHFI)
  • Principals EC-Council
  • Schedule

    25-29 Nov 2019

    9-13 Mar 2020

    23-27 Mar 2020 (Penang)

    8-12 Jun 2020

    20-24 Jul 2020

    3-7 Aug 2020 (Penang)

    28 Sep – 2 Oct 2020

    23-27 Nov 2020

  • Audience

    The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

    • Police and other law enforcement personnel
    • Defense and Military personnel
    • e-Business Security professionals
    • Systems administrators
    • Legal professionals
    • Banking, Insurance and other professionals
    • Government agencies
    • IT managers
  • Module 1 Title Computer Forensics in Today’s World
  • Module 2 Title Computer Forensics Investigation Process
  • Module 3 Title Understanding Hard Disks and File Systems
  • Module 4 Title Operating System Forensics
  • Module 5 Title Defeating Anti-Forensics Techniques
  • Module 6 Title Data Acquisition and Duplication
  • Module 7 Title Network Forensics
  • Module 8 Title Investigating Web Attacks
  • Module 9 Title Database Forensics
  • Module 10 Title Cloud Forensics
  • Module 11 Title Malware Forensics
  • Module 12 Title Investigating Email Crimes
  • Module 13 Title Mobile Forensics
  • Module 14 Title Investigative Reports
RM6,000.00 (+RM360.00 Tax)
* Training Dates:

The purpose of the CSCU training program is to provide students with the necessary knowledge and skills to protect their information assets. This class immerses students in an interactive environment where they acquire a fundamental understanding of various computer and network security threats such as identity theft, credit card fraud, online banking phishing scams, viruses and backdoors, email hoaxes, sex offenders lurking online, loss of confidential information, hacking attacks, and social engineering. More importantly, the skills learnt in the class help students take the necessary steps to reduce their security exposure.

Additional Info

  • Certification Course & Certificate
  • Course Code CSCUv2
  • Price RM1749
  • Exam Price Include
  • Exam Code 112-12
  • Duration 2 Days
  • Certification Info Certified Secure Computer User (CSCU)
  • Principals EC-Council
  • Schedule

    6-7 Jan 2020

    20-21 Jan 2020 (Penang)

    2-3 Mar 2020

    13-14 Apr 2020

    6-7 Apr 2020 (Penang)

    22-23 Jun 2020

    24-25 Aug 2020

    17-18 Aug 2020 (Penang)

    7-8 Sep 2020

    23-24 Nov 2020

  • Audience

    This course is specifically designed for today's computer users who use the internet and the web extensively to work, study and play.

  • At Course Completion
    • Personal computer security
    • Passwords
    • Social engineering
    • Identity theft
    • Email security
    • Safe browsing
    • Data protection
    • Encryption
    • Physical Security
    • Online transaction security
    • Digital signature & certificates
    • Data backup
    • Social networking
    • Antiviruses protection
    • Disaster recovery
    • Internet security
    • Credit card frauds
    • Monitoring kids online
    • Wireless & home network security
    • Bluetooth security
    • Smartphone security
    • Mobile device security
    • Windows OS & Mac OS X Security
    • Compliance
  • Module 1 Title Foundations of Security
  • Module 2 Title Securing Operating Systems
  • Module 3 Title Protecting Systems Using Antiviruses
  • Module 4 Title Data Encryption
  • Module 5 Title Data Encryption
  • Module 6 Title Data Backup and Disaster Recovery
  • Module 7 Title Internet Security
  • Module 8 Title Securing Network Connections
  • Module 9 Title Securing Online Transactions
  • Module 10 Title Securing Email Communications
  • Module 11 Title Social Engineering and Identity Theft
  • Module 12 Title Security on Social Networking Sites
  • Module 13 Title Information Security and Legal Compliance
  • Module 14 Title Securing Mobile Devices
RM1,650.00 (+RM99.00 Tax)
* Training Dates:

PMP, Project Management Professional (PMP), CAPM, Certified Associate in Project Management (CAPM) are registered marks of the Project Management Institute, Inc.