
Training with Iverson classes

Training is not a commodity – all training centres are not the same. Iverson Associates Sdn Bhd is the most established, the most reputable, and the top professional IT training provider in Malaysia. With a large pool of experienced and certified trainers, state-of-the-art facilities, and well-designed courseware, Iverson offers superior training, a more impactful learning experience and highly effective results.

At Iverson, our focus is on providing high-quality IT training to corporate customers, meeting their learning needs and helping them to achieve their training objectives. Iverson has the flexibility to provide training solutions whether for a single individual or the largest corporation in a well-paced or accelerated training programme.

Our courses continue to evolve along with the fast-changing technological advances. Our instructor-led training services are available on a public and a private (in-company) basis. Some of our courses are also available as online, on demand, and hybrid training.

The C|CISO Training Workshop is a premium Training & Certification program for aspiring Chief Information Security Officers who wish to penetrate the inner sanctum of Information Security Management and Leadership.


During the C|CISO Training Workshop, participants will be challenged to develop a business continuity plan for a company in a given industry and situation, use metrics to communicate cyber risk to different audiences, and describe how to align a given security program with the goals of the business in which it resides, among many other exercises. The challenges are aimed at helping aspiring leaders develop business acumen, practice their managerial skills and further hone their technical expertise by diving deep into how security should be injected into the procurement process and how a CISO should manage budgets and assets.


The C|CISO course has certified leading information security professionals around the world and is the first-of-its-kind training and certification program aimed at producing top-level Information Security Leaders. The C|CISO does not focus solely on technical knowledge but on the application of information security management principles from an executive management point of view. The program was developed by seasoned CISOs for current and aspiring CISOs. C|CISO material assumes a high-level understanding of technical topics and doesn’t spend much time on strictly technical information, but rather on the application of technical knowledge to an information security executive’s day-to-day work.


The C|CISO aims to bridge the gap between the executive management knowledge that CISOs need and the technical knowledge that many aspiring CISOs have. This can be a crucial gap as a practitioner endeavors to move from mid-management to upper, executive management roles. Much of this is traditionally learned as on-the-job training, but the C|CISO Training Program can be the key to a successful transition to the highest ranks of information security management.

Additional Info

  • Certification Course & Certificate
  • Course Code CCISO
  • Price RM12000
  • Exam Price Include
  • Exam Code 712-50
  • Duration 4 days
  • Principals EC-Council
  • Schedule

    22-26 Apr 2024

    7-11 Oct 2024

  • Audience

    The CCISO program is for executives looking to hone their skills and learn to better align their information security programs to the goals of the organization, as well as for aspiring CISOs. Other information security management certification programs focus on middle management. CCISO focuses on exposing middle managers to executive-level content as well as encouraging existing CISOs to continually improve their own processes and programs.

  • Prerequisites

    In order to sit for the CCISO exam, applicants who attend training must apply via the CCISO Eligibility Application showing 5 years of experience in at least 3 of the 5 CCISO domains (experience can be overlapping). Students who do not meet the eligibility criteria for the CCISO exam can sit for the EC-Council Information Security Manager (EISM) exam and apply for the CCISO exam when they meet the requirements.

  • At Course Completion
  • Module 1 Title Domain 1 Governance (Policy, Legal & Compliance)
  • Module 1 Content

    Domain 1 covers Policy, Legal, and Compliance issues involved in the executive management of an Information Security Program.

  • Module 2 Title Domain 2 IS Management Controls and Auditing Management
  • Module 2 Content

    Domain 2 is concerned with Audit and Risk Management, including understanding your organization’s risk tolerance and managing accordingly.

  • Module 3 Title Domain 3 Management – Projects and Operations (Projects, Technology & Operations)
  • Module 3 Content

    Domain 3 covers many of the day-to-day aspects of the CISO job, including project, technology, and operations management.

  • Module 4 Title Domain 4 Information Security Core Competencies
  • Module 4 Content

    Domain 4 delves into the technology of the CISO’s role, but from an executive perspective.

  • Module 5 Title Domain 5 Strategic Planning & Finance
  • Module 5 Content

    Domain 5 covers Finance and Strategic management, some of the key skills that help CISOs rise to the level of their peer C-Level executives.

  • Module 6 Title The Exam
  • Module 6 Content

    The C|CISO Exam was developed by practicing CISOs and is based on the real-world scenarios professionals from across industries have faced while securing some of the most prestigious organizations in the world. Applicants' knowledge in all five of the C|CISO Domains is tested on the exam, which focuses on scenario-based questions and requires applicants to apply their real-world experience in order to answer successfully. To that end, in order to qualify to sit for the C|CISO Exam after taking the C|CISO class, applicants must have at least 5 years of information security experience in 3 or more of the C|CISO Domains. Any student lacking this experience may take the EC-Council Information Security Management exam and earn the EISM certification. In order to sit for the C|CISO exam and earn the certification, candidates must meet the basic C|CISO requirements. Candidates who do not yet meet the C|CISO requirements but are interested in information security management can pursue the EC-Council Information Security Management (EISM) certification.

    EXAM TITLE : EC-Council Certified CISO

    EXAM CODE : 712-50

    # OF QUESTIONS : 150

    DURATION : 2.5 Hours

    AVAILABILITY : ECC Exam Portal

    TEST FORMAT : Scenario-based multiple choice

    PASSING SCORE : 72%

RM12,000.00(+RM960.00 Tax)

The Red Hat Certified Specialist in Identity Management exam (EX362) tests your knowledge, skills, and ability to create, configure, and manage Red Hat® Enterprise Linux authentication services and integrate those services with a variety of Red Hat and non-Red Hat products and technologies.

By passing this exam, you become a Red Hat Certified Specialist in Identity Management, which also counts toward becoming a Red Hat® Certified Architect (RHCA®).

This exam is based on Red Hat Enterprise Linux 7, Red Hat Satellite Server 6, Red Hat Ansible Tower 2, and Microsoft Windows 10 Active Directory.

Additional Info

  • Certification Certificate only
  • Price RM2015
  • Exam Price Include
  • Exam Code EX362
  • Duration 0.5 Days
  • CertificationInfo Red Hat Certified Specialist in Identity Management
  • Principals Red Hat
  • Audience

    These audiences may be interested in becoming a Red Hat Certified Specialist in Directory Services and Authentication:

    • Any Red Hat Certified Engineer (RHCE) who wishes to become a Red Hat Certified Architect (RHCA).
    • System administrators who want to demonstrate the ability to configure authentication services and link other products to those services.
  • Prerequisites
    • Be a Red Hat Certified System Administrator (RHCSA) or have comparable work experience and skills (Red Hat Certified Engineer (RHCE) certification recommended)
    • Take the Red Hat Security: Identity Management and Active Directory Integration (RH362) course or have comparable work experience
    • Review the Red Hat Certified Specialist in Directory Services and Authentication exam objectives
    • While not required, experience with these products is also recommended:
      • Red Hat Satellite Server 6.3
      • Red Hat Ansible Tower
      • Microsoft Active Directory Server 2016
RM2,015.00(+RM161.20 Tax)

The Red Hat Certified Specialist in Security: Linux exam validates your knowledge and abilities in securing Red Hat® Enterprise Linux®.

By passing this exam, you become a Red Hat Certified Specialist in Security: Linux, which also counts toward becoming a Red Hat Certified Architect (RHCA®).

This exam is based on Red Hat Enterprise Linux version 7.5.

Additional Info

  • Certification Certificate only
  • Price RM1800
  • Exam Price Include
  • Exam Code EX415
  • Duration 0.5 Days
  • CertificationInfo Red Hat Certified Specialist in Security: Linux
  • Principals Red Hat
  • Audience

    These audiences may be interested in becoming a Red Hat Certified Specialist in Security: Linux:

    • System administrators responsible for managing large enterprise environments
    • System administrators responsible for securing their organization's infrastructure
    • Red Hat Certified Engineers interested in pursuing the Red Hat Certified Architect (RHCA) credential
  • Prerequisites
    • Be a Red Hat Certified System Administrator or have comparable work experience and skills (Red Hat Certified Engineer would be even better)
    • Review the Red Hat Certified Specialist in Security: Linux exam objectives or have comparable work experience using Red Hat OpenStack Platform.
RM1,800.00(+RM144.00 Tax)

The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier I and Tier II SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations.

CSA is a training and credentialing program that helps the candidate acquire trending and in-demand technical skills through instruction by some of the most experienced trainers in the industry. The program focuses on creating new career opportunities through extensive, meticulous knowledge with enhanced level capabilities for dynamically contributing to a SOC team. Being an intense 3-day program, it thoroughly covers the fundamentals of SOC operations, before relaying the knowledge of log management and correlation, SIEM deployment, advanced incident detection, and incident response. Additionally, the candidate will learn to manage various SOC processes and collaborate with CSIRT at the time of need.

Additional Info

  • Certification Course & Certificate
  • Course Code CSA
  • Price RM4700
  • Exam Price Include
  • Exam Code 312-39
  • Duration 3 Days
  • Principals EC-Council
  • Schedule

    Available upon request

  • Audience
    • SOC Analysts (Tier I and Tier II)
    • Network and Security Administrators, Network and Security Engineers, Network Defense Analyst, Network Defense Technicians, Network Security Specialist, Network Security Operator, and any security professional handling network security operations
    • Cybersecurity Analyst
    • Entry-level cybersecurity professionals
    • Anyone who wants to become a SOC Analyst.
  • Module 1 Title Security Operations and Management
  • Module 2 Title Understanding Cyber Threats, IoCs, and Attack Methodology
  • Module 3 Title Incidents, Events, and Logging
  • Module 4 Title Incident Detection with Security Information and Event Management (SIEM)
  • Module 5 Title Enhanced Incident Detection with Threat Intelligence
  • Module 6 Title Incident Response
RM4,700.00(+RM376.00 Tax)

Gain core knowledge and experience to successfully implement and manage security programs in this official (ISC)2 CISSP course

This course is the most comprehensive review of information security concepts and industry best practices, and covers the eight domains of the official CISSP CBK (Common Body of Knowledge). You will gain knowledge in information security that will increase your ability to successfully implement and manage security programs in any organization or government entity. You will learn how to determine who or what may have altered data or system information, potentially affecting the integrity of those assets, and how to match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, allowing organizations to better understand the state of their security posture. Policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets are also covered in this course.


This five-day program comprises a total of eight domains and includes:

  • Official (ISC)2 Guide to the CISSP Common Body of Knowledge® (CBK) (electronic format)
  • Official (ISC)2 CISSP Training Handbook
  • Official (ISC)2 CISSP Flash Cards
  • CISSP Certification Exam Voucher

Additional Info

  • Certification Course & Certificate
  • Course Code CISSP
  • Price RM9500
  • Exam Price Include
  • Exam Code CISSP
  • Duration 5 Days
  • CertificationInfo Certified Information Systems Security Professional
  • Principals EC-Council
  • Schedule

    29 Jan 2024 - 2 Feb 2024

    4-8 Mar 2024

    15-19 Apr 2024

    10-14 Jun 2024

    22-26 Jul 2024

    9-13 Sep 2024

    11-15 Nov 2024

  • Audience

    This training course is intended for professionals who have at least five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)2 CISSP CBK and are pursuing CISSP training and certification to acquire the credibility and mobility to advance within their current information security careers. The training seminar is ideal for those working in positions such as, but not limited to:

    • Security Consultant
    • Security Manager
    • IT Director/Manager
    • Security Auditor
    • Security Architect
    • Security Analyst
    • Security Systems Engineer
    • Chief Information Security Officer
    • Security Director
    • Network Architect
  • Prerequisites

    Professionals with at least five years of experience who demonstrate a globally recognized level of competence, as defined in the CISSP Common Body of Knowledge (CBK), in two or more of the eight security domains.

  • At Course Completion

    After completing this course, the student will be able to:

    • Apply fundamental concepts and methods related to the fields of information technology and security.

    • Align overall organizational operational goals with security functions and implementations.

    • Determine how to protect assets of the organization as they go through their lifecycle.

    • Leverage the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.

    • Apply security design principles to select appropriate mitigations for vulnerabilities present in common information system types and architectures.

    • Explain the importance of cryptography and the security services it can provide in today’s digital and information age.

    • Evaluate physical security elements relative to information security needs.

    • Evaluate the elements that comprise communication and network security relative to information security needs.

    • Leverage the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7 to meet information security needs.

    • Determine appropriate access control models to meet business security requirements.

    • Apply physical and logical access controls to meet information security needs.

    • Differentiate between primary methods for designing and validating test and audit strategies that support information security requirements.

    • Apply appropriate security controls and countermeasures to optimize an organization’s operational function and capacity.

    • Assess information systems risks to an organization’s operational endeavors.

    • Determine appropriate controls to mitigate specific threats and vulnerabilities.

    • Apply information systems security concepts to mitigate the risk of software and systems vulnerabilities throughout the systems’ lifecycles.

  • Module 1 Title The Information Security Environment
  • Module 1 Content

    • Justify an organizational code of ethics.

    • Relate confidentiality, integrity, availability, non-repudiation, authenticity, privacy and safety to due care and due diligence.

    • Relate information security governance to organizational business strategies, goals, missions, and objectives.

    • Apply the concepts of cybercrime to data breaches and other information security compromises.

    • Relate legal, contractual, and regulatory requirements for privacy and data protection to information security objectives.

    • Relate transborder data movement and import-export issues to data protection, privacy, and intellectual property protection.

  • Module 2 Title Information Asset Security
  • Module 2 Content

    • Relate the IT asset management and data security lifecycle models to information security.

    • Explain the use of information classification and categorization, as two separate but related processes.

    • Describe the different data states and their information security considerations.

    • Describe the different roles involved in the use of information, and the security considerations for these roles.

    • Describe the different types and categories of information security controls and their use.

    • Select data security standards to meet organizational compliance requirements.

  • Module 3 Title Identity and Access Management (IAM)
  • Module 3 Content

    • Explain the identity lifecycle as it applies to human and nonhuman users.

    • Compare and contrast access control models, mechanisms, and concepts.

    • Explain the role of authentication, authorization, and accounting in achieving information security goals and objectives.

    • Explain how IAM implementations must protect physical and logical assets.

    • Describe the role of credentials and the identity store in IAM systems.

  • Module 4 Title Security Architecture and Engineering
  • Module 4 Content

    • Describe the major components of security engineering standards.

    • Explain major architectural models for information security.

    • Explain the security capabilities implemented in hardware and firmware.

    • Apply security principles to different information systems architectures and their environments.

    • Determine the best application of cryptographic approaches to solving organizational information security needs.

    • Manage the use of certificates and digital signatures to meet organizational information security needs.

    • Discover the implications of the failure to use cryptographic techniques to protect the supply chain.

    • Apply different cryptographic management solutions to meet the organizational information security needs.

    • Verify cryptographic solutions are working and meeting the evolving threat of the real world.

    • Describe defenses against common cryptographic attacks.

    • Develop a management checklist to determine the organization’s cryptologic state of health and readiness.

  • Module 5 Title Communication and Network Security
  • Module 5 Content

    • Describe the architectural characteristics, relevant technologies, protocols and security considerations of each of the layers in the OSI model.

    • Explain the application of secure design practices in developing network infrastructure.

    • Describe the evolution of methods to secure IP communications protocols.

    • Explain the security implications of bound (cable and fiber) and unbound (wireless) network environments.

    • Describe the evolution of, and security implications for, key network devices.

    • Evaluate and contrast the security issues with voice communications in traditional and VoIP infrastructures.

    • Describe and contrast the security considerations for key remote access technologies.

    • Explain the security implications of software-defined networking (SDN) and network virtualization technologies.

  • Module 6 Title Software Development Security
  • Module 6 Content

    • Recognize the many software elements that can put information systems security at risk.

    • Identify and illustrate major causes of security weaknesses in source code.

    • Illustrate major causes of security weaknesses in database and data warehouse systems.

    • Explain the applicability of the OWASP framework to various web architectures.

    • Select malware mitigation strategies appropriate to organizational information security needs.

    • Contrast the ways that different software development methodologies, frameworks, and guidelines contribute to systems security.

    • Explain the implementation of security controls for software development ecosystems.

    • Choose an appropriate mix of security testing, assessment, controls, and management methods for different systems and applications environments.

  • Module 7 Title Security Assessment and Testing
  • Module 7 Content

    • Describe the purpose, process, and objectives of formal and informal security assessment and testing.

    • Apply professional and organizational ethics to security assessment and testing.

    • Explain internal, external, and third-party assessment and testing.

    • Explain management and governance issues related to planning and conducting security assessments.

    • Explain the role of assessment in data-driven security decision-making.

  • Module 8 Title Security Operations
  • Module 8 Content

    • Show how to efficiently and effectively gather and assess security data.

    • Explain the security benefits of effective change management and change control.

    • Develop incident response policies and plans.

    • Link incident response to needs for security controls and their operational use.

    • Relate security controls to improving and achieving required availability of information assets and systems.

    • Understand the security and safety ramifications of various facilities, systems, and infrastructure characteristics.

  • Module 9 Title Putting It All Together
  • Module 9 Content

    • Explain how governance frameworks and processes relate to the operational use of information security controls.

    • Relate the process of conducting forensic investigations to information security operations.

    • Relate business continuity and disaster recovery preparedness to information security operations.

    • Explain how to use education, training, awareness, and engagement with all members of the organization as a way to strengthen and enforce information security processes.

    • Show how to operationalize information systems and IT supply chain risk management.

RM9,500.00(+RM760.00 Tax)

EC-Council Disaster Recovery Professional (EDRP) is a comprehensive professional course that teaches students how to develop enterprise-wide business continuity and disaster recovery plans.

EDRP provides professionals with a strong understanding of business continuity and disaster recovery principles, including conducting business impact analysis, assessing risks, developing policies and procedures, and implementing a plan.

EDRP teaches professionals how to secure data by putting policies and procedures in place, and how to recover and restore their organization’s critical data in the aftermath of a disaster.

Additional Info

  • Certification Course & Certificate
  • Course Code EDRP
  • Price RM5000
  • Exam Price Include
  • Exam Code 312-76
  • Duration 5 Days
  • CertificationInfo EC-Council Disaster Recovery Professional
  • Principals EC-Council
  • Schedule

    26 Feb - 1 Mar 2024

    13-17 May 2024

    24-28 Jun 2024

    2-6 Sep 2024

  • Audience

    • IT Professionals in the BC/DR or System Administration domain

    • Business Continuity and Disaster Recovery Consultants

    • Individuals wanting to establish themselves in the field of IT Business Continuity and Disaster Recovery

    • IT Risk Managers and Consultants

    • CISOs and IT Directors

  • Prerequisites
  • At Course Completion
  • Module 1 Title Introduction to Disaster Recovery and Business Continuity
  • Module 2 Title Business Continuity Management (BCM)
  • Module 3 Title Risk Assessment
  • Module 4 Title Business Impact Analysis (BIA)
  • Module 5 Title Business Continuity Planning (BCP)
  • Module 6 Title Disaster Recovery Planning Process
  • Module 7 Title Data Backup Strategies
  • Module 8 Title Data Recovery Strategies
  • Module 9 Title Virtualization-Based Disaster Recovery
  • Module 10 Title System Recovery
  • Module 11 Title Centralized and Decentralized System Recovery
  • Module 12 Title BCP Testing, Maintenance, and Training
RM5,000.00(+RM400.00 Tax)

The Certified Application Security Engineer (CASE) credential is developed in partnership with large application and software development experts globally.

The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.

The CASE certified training program is developed concurrently to prepare software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.

Unlike other application security training, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in the post-development phases of application development.

This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, testers globally, and respected by hiring authorities.


Course Objectives

  • To ensure that application security is no longer an afterthought but a foremost consideration.
  • To lay the foundation required by all application developers and development organizations to produce secure applications with greater stability and fewer security risks to the consumer, thereby making security a foremost thought.
  • To ensure that organizations mitigate the risk of losing millions due to security compromises that may arise at every step of the application development process.
  • To help individuals develop the habit of treating security as paramount regardless of their job role in the SDLC, thereby opening security as a main domain for testers, developers, network administrators, etc.

Additional Info

  • Certification Course & Certificate
  • Course Code CASE.NET
  • Price RM4700
  • Exam Price Include
  • Exam Code 312-93
  • Duration 3 Days
  • CertificationInfo Certified Application Security Engineer
  • Principals EC-Council
  • Schedule

    8-10 Jan 2024

    1-3 Apr 2024

    10-12 Jul 2024

    7-9 Oct 2024

  • Audience

    Individuals involved in developing, testing, managing, or protecting a wide range of applications

  • Prerequisites

    .NET Developers with a minimum of 2 years of experience and individuals who want to become application security engineers/analysts/testers.

  • At Course Completion
  • Module 1 Title Understanding Application Security, Threats, and Attacks
  • Module 1 Content
    • What is a Secure Application
    • Need for Application Security 
    • Most Common Application Level Attacks
      • SQL Injection Attacks 
      • Cross-site Scripting (XSS) Attacks
      • Parameter Tampering
      • Directory Traversal
      • Cross-site Request Forgery (CSRF) Attack
      • Denial-of-Service (DoS) Attack
      • Denial-of-Service (DoS): Examples
      • Session Attacks
      • Cookie Poisoning Attacks
      • Session Fixation
    • Why Applications become Vulnerable to Attacks
      • Common Reasons for Existence of Application Vulnerabilities
      • Common Flaws Arising from Insecure Coding Techniques
      • Improper Input Validation
      • Insufficient Transport Layer Protection
      • Improper Error Handling
      • Insecure Cryptographic Storage
      • Broken Authentication and Session Management
      • Unvalidated Redirects and Forwards
      • Insecure Direct Object References
      • Failure to Restrict URL Access
    • What Constitutes Comprehensive Application Security?
      • Application Security Frame
      • 3W’s in Application Security
    • Insecure Application: A Software Development Problem
      • Solution: Integrating Security in Software Development Life Cycle (SDLC)
      • Functional vs Security Activities in SDLC
      • Advantages of Integrating Security in SDLC
      • Microsoft Security Development Lifecycle (SDL)
    • Software Security Standards, Models, and Frameworks
      • The Open Web Application Security Project (OWASP)
      • OWASP TOP 10 Attacks-2017
      • The Web Application Security Consortium (WASC)
      • WASC Threat Classification
      • Software Security Framework
    • Software Assurance Maturity Model (SAMM)
    • Building Security in Maturity Model (BSIMM)
      • BSIMM vs OpenSAMM 
  • Module 2 Title Security Requirements Gathering
  • Module 2 Content
    • Importance of Gathering Security Requirements
      • Security Requirements
      • Gathering Security Requirements
      • Why We Need a Different Approach for Security Requirements Gathering
      • Key Benefits of Addressing Security at Requirement Phase
      • Stakeholders Involvement in Security Requirements Gathering 
      • Characteristics of Good Security Requirement: SMART
      • Types of Security Requirements
      • Functional Security Requirements
      • Security Drivers
    • Security Requirement Engineering (SRE)
    • SRE Phases
      • Security Requirement Elicitation
      • Security Requirement Analysis
      • Security Requirement Specification
      • Security Requirement Management
    • Common Mistakes Made in Each Phase of SRE
    • Different Security Requirement Engineering Approaches/Models
    • Abuse Case and Security Use Case Modeling
    • Abuse Cases
    • Threatens Relationship
    • Abuse Case Modeling Steps
    • Abuse Cases: Advantages and Disadvantages
    • Abuse Case Template
    • Security Use Cases
    • Security Use Cases are Abuse Case Driven
    • Modeling Steps for Security Use Cases
    • Mitigates Relationship
    • Abuse Case vs Security Use Case
    • Security Use Case: Advantages and Disadvantages
    • Security Use Case Template
    • Security Use Case Guidelines
    • Example 1: Use Case for Online Bidding System
    • Example 1: Abuse Case for Online Bidding System
    • Example 1: Security Use Case for Online Bidding System
    • Example 2: Use Case for ATM System
    • Example 2: Abuse Case for ATM System
    • Example 2: Security Use Case for ATM System
    • Example 3: Use Case for E-commerce System
    • Example 3: Abuse Case for E-commerce System
    • Example 3: Security Use Case for E-commerce System
    • Effectiveness of Abuse and Security Case
    • Abuser and Security Stories
    • Textual Description Template: Abuser Stories and Security Stories
    • Examples: Abuser Stories and Security Stories
    • Effectiveness of Abuser and Security Stories
    • Abuser Stories: Advantages and Disadvantages
    • Security Quality Requirements Engineering (SQUARE)
      • SQUARE Effectiveness
      • SQUARE Process
      • SQUARE: Advantages and Disadvantages 
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
      • OCTAVE Effectiveness
      • OCTAVE Steps
      • OCTAVE: Advantages and Disadvantages
  • Module 3 Title Secure Application Design and Architecture
  • Module 3 Content
    • Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
    • Secure Application Design and Architecture
    • Goal of Secure Design Process
    • Secure Design Actions
    • Security Requirement Specifications 
    • Secure Design Principles
    • Threat Modeling 
    • Secure Application Architecture 
    • Secure Design Principles
    • Define Secure Design principles
    • Secure Design Principles
    • Security through obscurity
    • Secure the Weakest Link
    • Use Least Privilege Principle
    • Secure by Default
    • Fail Securely
    • Apply Defense in Depth
    • Do Not Trust User Input
    • Reduce Attack Surface
    • Enable Auditing and Logging
    • Keep Security Simple
    • Separation of Duties
    • Fix Security Issues Correctly
    • Apply Security in Design Phase
    • Protect Sensitive Data
    • Exception Handling
    • Secure Memory Management
    • Protect Memory or Storage Secrets
    • Fundamentals of Control Granularity
    • Fault Tolerance
    • Fault Detection
    • Fault Removal
    • Fault Avoidance
    • Loose Coupling
    • High Cohesion
    • Change Management and Version Control
    • Threat Modeling
    • Threat Modeling Phases 
    • Attack Surface Evaluation
    • Threat Identification
    • Impact Analysis
    • Control Recommendations
    • Threat Modeling Process
    • Identify Security Objective
    • Application Overview
    • Decompose Application
    • Identify Threats
    • Identify Vulnerabilities
    • Identify Security Objective
    • How to Identify Security Objectives
    • Create an Application Overview
    • Draw the End-to-End Deployment Architecture
    • Identify Various User Roles
    • Identify Use Cases Scenarios
    • Identify Technologies
    • Identify Application Security Mechanisms
    • Decompose Application
      • Prepare and Document Threat Model Information
    • Example: Threat Model Information
      • Identify the External Dependencies
    • External Dependencies: Example
      • Identify the Entry Points
    • Entry Points: Example
      • Identify the Assets
    • Assets: Example
      • Identify the Trust Levels
    • Trust Levels: Example
      • Define Trust Levels to Entry points 
      • Define Trust Levels to Assets
      • Perform Application Modelling using Data Flow Diagrams (DFDs)
      • Determine the Threats: Identify the Goal of an Attacker and Create Threat Profile 
    • Example: Attacker’s Goal/Threat Profile and Vulnerabilities Associated
      • Determine the Threats: Create a Security Profile 
      • Identify the Threats
    • The STRIDE Model
      • Example: Threat Categorized and Identified using STRIDE 
    • Determine Countermeasures and Mitigation Security Controls 
    • Document the Threats
    • Rating the Threats
    • Rating the Threats: DREAD Model
    • Secure Application Architecture
    • Design Secure Application Architecture
  • Module 4 Title Secure Coding Practices for Input Validation
  • Module 4 Content
    • Input Validation
    • Why Input Validation?
    • Input Validation Specification
    • Input Validation Approaches
    • Client-side Input Validation
    • Server-side Input Validation
    • Client-Server Input Validation Reliability
    • Input Filtering
    • Input Filtering Techniques
      • Black Listing
      • White Listing
    • Input Filtering using a Regular Expression
    • Secure Coding Practices for Input Validation: Web Forms
    • ASP.NET Validation Controls
    • Set of ASP.NET Validation Controls
    • Required Field Validation Control
    • Range Validation Control
    • Comparison Validation Control
    • Regular Expression Validation Control
    • Custom Validation Control
    • Validation Summary Control
    • SQL Injection Attack Defensive Techniques 
    • Using Parameterized Queries
    • Using Parameterized Stored Procedures
    • Using Escape Routines to Handle Special Input Characters
    • Using a Least-privileged Database Account
    • Constraining Input
    • XSS Attack Defensive Techniques
    • Output Encoding
    • Encoding Unsafe Output using HtmlEncode
    • Encoding Unsafe Output using UrlEncode 
    • Anti-XSS Library
    • Encoding Output using Anti-XSS Library
    • Directory Traversing Defensive Technique
    • Additional Techniques to Prevent Directory Traversal
    • Secure Coding Practices for Input Validation: ASP.NET Core
    • Input Validation using ModelState Object
    • Input Validation using Data Annotation
    • Input Validation using Custom Validation Attributes
    • Input Validation using Remote Validation
    • SQL Injection Attack Defensive Techniques
    • Sanitize Inputs using Casting
    • Using Parameterized Queries
    • Using Stored Procedures
    • Using ORM (Object-Relational Mapping)
    • XSS Defensive Techniques
      • Enable Content Security Policy
      • URL Encoding User Input
    • Open Redirect Defensive Techniques
      • Implement LocalRedirect()
      • Disable X-Frame-Options
      • Enable Cross Origin Request Sharing
      • Enable Cross Origin Request Sharing (CORS) with Middleware
        • Guidelines for Secure (CORS) Configuration
    • Directory Traversing Defensive Techniques
    • Disable Directory Listing
    • Disable Non-standard Content Types
    • Secure Static Files
    • Secure Coding Practices for Input Validation: MVC
    • XSS Defensive Techniques
    • Enable Content Security Policy
    • MVC Output Encoding
    • Output Encoding using Anti-XSS Library
    • Parameter Tampering Defensive Techniques
    • Accept Data from Trusted Sources
    • Encrypt and Decrypt Key Values
    • Implement LocalRedirect()
    • Open Redirect Defensive Techniques
  • Module 5 Title Secure Coding Practices for Authentication and Authorization
  • Module 5 Content
    • Authentication and Authorization
    • Authentication
    • Authorization
    • Common Threats on User Authentication and Authorization
    • Account Hijacking
    • Man-in-the-middle 
    • Phishing
    • Unauthorized Access
    • Information Leakage
    • Privilege Escalation
    • Sniffing
    • Authentication and Authorization: Web Forms
    • .NET Authentication and Authorization
    • Different Level of Authentication 
    • ASP.NET Authentication
    • Enterprise Services Authentication
    • SQL Server Authentication
    • ASP.NET Authentication
    • ASP.NET Authentication Modes 
      • Forms Authentication
      • Passport Authentication
      • Custom Authentication
        • Implementing Custom Authentication Scheme
      • Windows Authentication
        • Basic Authentication
        • Digest Authentication
        • Integrated Windows Authentication
        • Certificate Authentication
        • Anonymous Authentication
    • Selecting an Appropriate Authentication Method
    • Determining an Authentication Method
    • Enterprise Services Authentication
    • SQL Server Authentication
    • Mixed Mode Authentication
    • Windows Authentication
    • Different Level of Authorization 
    • ASP.NET Authorization 
    • Enterprise Services Authorization
    • SQL Server Authorization
    • ASP.NET Authorization 
    • URL Authorization
    • File Authorization
    • What is Impersonation?
    • Impersonation Options
    • Impersonation is Disabled
    • Impersonation Enabled
    • Impersonation Enabled for a specific Identity
    • Delegation
    • Code-based Authorization
    • Explicit Authorization
    • Declarative Authorization
    • Imperative Authorization
    • Authorization using ASP.NET Roles
    • Enterprise Services Authorization
    • SQL Server Authorization
    • User-defined Database Roles
    • Application Roles 
    • Fixed Database Roles
    • Authentication and Authorization: ASP.NET Core
    • ASP.NET Core Authentication
    • AspNetCore.Identity
    • ASP.NET Core Authentication
    • Implementing Identity on ASP.NET Core (Templates)
    • ASP.NET Core External Provider Authentication
    • Open Source Authentication Providers
    • Enabling ASP.Net Core Identity
    • Asp.Net Core Token-based Authentication
    • JWT-JSON Web Token
    • Configuring JSON Web Token Authentication
    • Creating JWT Authentication
    • Using Jquery to Access JWT
    • IdentityServer4 Authentication
    • Implement ASP.NET Identity with IdentityServer
    • Configure Windows Authentication
    • Windows Authentication
    • Impersonation
    • ASP.NET Core Authorization  
    • ASP.NET Core Role-based Authorization
    • ASP.NET Core Role Authorization Policy
    • Claim-based Authorization 
    • Custom Policy-based Authorization 
    • Resource-based Authorization
    • View-based Authorization
    • Authentication and Authorization: MVC
    • Authentication and Authorization
    • MVC Authentication Filter
    • Implementing Single Sign-On
    • Authentication using Third-party Identity Provider
    • Implement Page Access Control with Standard Action Filters
    • Authentication and Authorization Defensive Techniques: Web Forms
    • Securing Forms Authentication Tickets
    • Use Strong Hashing Algorithms to Validate Data
    • Use Strong Encryption Algorithm to Secure Form Authentication Data
    • Secure Form Authentication Cookies using SSL
    • Securing Forms Authentication Credentials 
    • Preventing Session Hijacking using Cookieless Authentication
    • Avoiding Forms Authentication Cookies from Persisting using DisplayRememberMe Property 
    • Avoiding Forms Authentication Cookies from Persisting using  RedirectFromLoginPage Method
    • Avoiding Forms Authentication Cookies from Persisting using SetAuthCookie Method 
    • Avoiding Forms Authentication Cookies from Persisting using GetRedirectUrl Method 
    • Avoiding Forms Authentication Cookies from Persisting using  FormsAuthenticationTicket Constructor
    • Securing Passwords with minRequiredPasswordLength
    • Securing Passwords with minRequiredNonalphanumericCharacters 
    • Securing Passwords with passwordStrengthRegularExpression
    • Restricting Number of Failed Logon Attempts
    • Securing Application by using Absolute URLs for Navigation
    • Securing Applications from Authorization Bypass Attacks
    • Creating Separate Folder for Secure Pages in Application
    • Validating Passwords on CreateUserWizard Control using Regular Expressions
    • Authentication and Authorization Defensive Techniques: ASP.NET Core
    • Configure Identity Services
      • Password Policy
      • User Lockout
      • Sign in 
      • Configure Identity User Validation Settings
      • Configure Application's Cookie Settings
      • Configure Identity Services: Cookie Settings
      • Enforcing SSL
      • HTTP Strict Transport Security (HSTS) 
    • Authentication and Authorization Defensive Techniques: MVC
      • Implement AllowXRequestsEveryXSecondsAttribute to Prevent Brute Force Attack
      • MVC Page Access Control: Custom Security Filter
      • Page Access Control: Third-party Libraries
      • Implementing Control-level Protection
      • Implementing Account Lockout
      • Forcing HTTPS Protocol using [RequireHttps]
      • Implement AllowAnonymous Action Filter
  • Module 6 Title Secure Coding Practices for Cryptography
  • Module 6 Content
    • Cryptography
    • Ciphers
    • Block Cipher Modes
    • Symmetric Encryption Keys
    • Asymmetric Encryption Keys
    • Functions of Cryptography
    • Use of Cryptography to Mitigate Common Application Security Threats
    • Cryptographic Attacks
    • Techniques Attackers Use to Steal Cryptographic Keys
    • What should you do to Secure .NET Applications from Cryptographic Attacks?
    • .NET Cryptography Namespaces
    • .NET Cryptographic Class Hierarchy
    • Symmetric Encryption
    • SymmetricAlgorithm Class
    • Members of the SymmetricAlgorithm Class
    • Programming Symmetric Data Encryption and Decryption in .NET
    • Symmetric Encryption: Defensive Coding Techniques
    • Securing Information with Strong Symmetric Encryption Algorithm
    • Vulnerability in using ECB Cipher Mode
    • Padding
      • Padding Modes
    • None
    • Zero Padding
    • PKCS #7 Padding 
    • ANSIX923 Padding
    • ISO10126 Padding
      • Problem with Zeros Padding
    • Securing Symmetric Encryption Keys from Brute Force Attacks
    • Resisting Cryptanalysis Attack using Large Block Size
    • Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvider
    • Storing Secret Keys and Storing Options
      • Protecting Secret Keys with Access Control Lists (ACLs)
      • Protecting Secret Keys with DPAPI
    • Self Protection for Cryptographic Application
    • Encrypting Data in the Stream using CryptoStream Class 
    • Asymmetric Encryption
    • AsymmetricAlgorithm Class
    • Members of the AsymmetricAlgorithm Class
    • Programming Asymmetric Data Encryption and Decryption in .NET
    • Asymmetric Encryption: Defensive Coding Techniques
    • Securing Asymmetric Encryption using Large Key Size
    • Storing Private Keys Securely
    • Problem with Exchanging Public Keys
    • Exchanging Public Keys Securely
    • Asymmetric Data Padding
    • Protecting Communications with SSL
    • Hashing
    • Hashing Algorithms Class Hierarchy in .NET
    • Hashing in .Net 
    • Members of the HashAlgorithm Class
    • Programming Hashing for Memory Data
    • Programming Hashing for Streamed Data
    • Imposing Limits on Message Size for Hash Code Security
    • Setting Proper Hash Code Length for Hash Code Security
    • Message Sizes and Hash Code Lengths Supported by the .NET Framework Hashing Algorithms  
    • Securing Hashing using Keyed Hashing Algorithms
    • Digital Signatures
    • Attacker's Target Area on Digital Signatures
    • Security Features of Digital Signatures 
    • .NET Framework Digital Signature Algorithms
    • Digital Certificates
    • .NET Support for Digital Certificates
    • X509Store
    • X509Certificate and X509Certificate2
    • X509Certificate2 Collection
    • Programming Digital Signatures using Digital Certificates
    • XML Signatures
    • Need for Securing XML Files 
    • Securing XML Files using Digital Signatures
    • Programming a Digital Signature for a Sample XML File
    • ASP.NET Core Specific Secure Cryptography Practices
    • ASP.NET Core Data Protection
    • Data Protection Machine-wide Policy
    • Data Protection Configuration
    • Key Persistence
    • Key Lifetime
    • Application Name
    • Automatic Key Generation
    • Algorithm
    • Generating a Random String
    • Hashing String
    • Storing App Secrets in Secure Place
    • Securing Application settings using Azure Key Vault
  • Module 7 Title Secure Coding Practices for Session Management
  • Module 7 Content
    • Session Management
    • Types of Tokens
    • Session Tokens
    • Authentication Tokens
    • Basic Security Principles for Session Management Tokens
    • Common Threats to Session Management
    • Session Hijacking Attack 
    • Account Hopping Attack 
    • Session Fixation Attack
    • Token Prediction Attack
    • Token Brute-force Attack
    • Cross-site Request Forgery Attack
    • Cross-site Scripting Attack
    • Session Replay Attack
    • Token Manipulation Attack
    • Phishing Attack
    • ASP.NET Session Management Techniques
    • Client-Side State Management
    • Client-Side State Management using Cookies
    • Client-Side State Management using Hidden Fields
    • Client-Side State Management using ViewState
    • Client-Side State Management using Control State
    • Client-Side State Management using Query Strings 
    • Server-Side State Management
    • Server-Side State Management using Application Object 
    • Server-Side State Management using Session Object
      • In Process Mode
      • Out-of-Process Session Mode (State Server Mode)
      • SQL-backed Session State
    • Server-side State Management using Profile Properties
    • Defensive Coding Practices against Broken Session Management
    • Session Hijacking
    • Securing ASP.NET Application from Session Hijacking
    • Implementing SSL to Encrypt Cookies
    • Setting a Limited Time Period for Expiration
    • Avoid using Cookieless Sessions
    • Avoid using UseUri Cookieless Sessions
    • Avoid Specifying Cookie Modes to AutoDetect
    • Avoid Specifying Cookie Modes to UseDeviceProfile
    • Enabling regenerateExpiredSessionID for Cookieless Sessions
    • Resetting the Session when User Logs Out
    • Token Prediction Attack
    • Generating Lengthy Session Keys to Prevent Guessing
    • Session Replay Attack
    • Defensive Techniques for Session Replay Attack
    • Session Fixation
    • Session Fixation Attack
    • Securing ASP.NET Application from Session Fixation Attack
    • Cross-site Script Attack on Sessions
    • Preventing Cross-site Scripting Attack using URL Rewriting
    • Rewrite the application URL for each session
    • Expiring application URLs automatically
    • Preventing Session Cookies from Client-side Scripts Attacks
    • Cross-site Request Forgery Attack
    • Implementing the Session Token to Mitigate CSRF Attacks
    • Additional Defensive Techniques to Mitigate CSRF Attack
    • Cookie-based Session Management
    • Persistent Cookies Information Leakage
    • Avoid Setting the Expire Attribute to Ensure Cookie Security
    • Ensuring Cookie Security using the Secure Attribute
    • Ensuring Cookie Security using the HttpOnly Attribute
    • ViewState-based Session Management
    • ViewState Data Tampering Attack
    • ViewState oneClick Attacks
    • Securing ViewState
    • Securing ViewState with Hashing
    • Securing ViewState with Encryption
    • Securing ViewState by Assigning User-specific Key 
    • ASP.NET Core: Secure Session Management Practices
    • Enabling Session State 
    • Implementing the CSRF Token to Mitigate CSRF Attacks
    • Mitigating CSRF Attacks in JavaScript, AJAX and Single Page Applications
    • Angular-Antiforgery Integration -AJAX
    • Improve Session Security with Nwebsec Session Security Library 
    • Checklist for Secure Session Management
  • Module 8 Title Secure Coding Practices for Error Handling
  • Module 8 Content
    • What are Exceptions/Runtime Errors?
    • Handled Exceptions
    • Unhandled Exceptions
    • Need of Secure Error/Exception Handling 
    • Consequences of Detailed Error Message
    • Exposing Detailed Error Messages
    • Considerations: Designing Secure Error Messages
    • Secure Exception Handling
    • Handling Exceptions in an Application 
    • Code-Level Exception Handling
    • Page-Level Exception Handling
    • Application-Level Exception Handling
    • Defensive Coding practices against Information Disclosure
      • Avoid Displaying Detailed Error Messages
    • Defensive Coding practices against Improper Error Handling
    • Avoid Throwing Generic Exceptions 
    • Avoid Catching Generic Exceptions
    • Avoid Swallowing the Exceptions
    • Cleanup Code Vulnerability 
    • Vulnerability in Re-throwing Exception
    • Managing Unhandled Errors
    • Unobserved Exception Vulnerability
    • ASP.NET Core: Secure Error Handling Practices
    • ASP.NET Core Error Handling
    • Inspect Exception During Development
    • Implement Custom Error Handler
    • Configure Pages with HTTP Status Codes
    • Startup Exception Handling
    • Do’s and Don’ts in Exception Handling
    • Checklist for Proper Exception Handling
    • Secure Auditing and logging
    • What is Logging and Auditing?
    • Need of Secure Logging and Auditing
    • Common Threats to Logging and Auditing
    • Denial of Service
    • Log Wiping 
    • Log Bypass 
    • Log Tampering  
    • What Should be Logged?
    • What Should NOT be Logged?
    • Where to Perform Event Logging?
    • File-System-based Logging System
    • Database-based Logging System
    • Performing Log Throttling in ASP.NET Health Monitoring System 
    • Tracing in .NET
    • Writing Trace Output to Windows Event Log using EventLogTraceListener
    • Tracing Security Concerns and Recommendations
    • Secure Auditing and Logging Best Practices
    • Protecting Log Records
      • Fixing the Logs
    • Auditing and Logging Security Checklists
  • Module 9 Title Static and Dynamic Application Security Testing (SAST & DAST)
  • Module 9 Content
    • Static Application Security Testing
    • Static Application Security Testing (SAST)
    • Objectives of SAST
    • Why SAST
    • Skills required for SAST
    • What to look for in SAST
    • Common Vulnerabilities Identified Through SAST
    • Types of SAST
    • Automated Source Code Analysis
    • Manual Source Code Review
    • Where does Secure Code Review Fit in SDLC?
    • SAST Steps
    • SAST Activities-flow Chart
    • Recommendation for Effective SAST
    • SAST Deliverable
    • Automated Source Code Analysis
    • Static Code Analysis Using Checkmarx Static Code Analysis
    • Static Code Analysis Using Visual Code Grepper (VCG)
    • Static Code Analysis Using HP Fortify
    • Static Code Analysis Using Rational AppScan Source Edition
    • Selecting Static Analysis Tool
    • Manual Secure Code Review
    • Manual Secure Code Review for Most Common Vulnerabilities
    • Code Review for PCI DSS Compliance
    • Code Review for Blacklisting Validation Approach
    • Code Review for Client Side Validation Approach
    • Code Review for Non-parametrized SQL Query
    • Review Code for Non-parameterized Stored Procedure
    • Code Review for XSS Vulnerability
    • Review Code for Unvalidated Redirects and Forwards
    • Code Review for Weak Password Authentication 
    • Code Review for Hard-Coded Passwords
    • Code Review for Clear-text Credentials Used for Authentication
    • Code Review for Unencrypted Form Authentication Tickets
    • Code Review for Clear-text Connection strings
    • Code Review for Weak Password Length
    • Code Review for Inappropriate Authorization 
    • Code Review for use of Weak Hashing Algorithm
    • Code Review for use of Weak Encryption Algorithm
    • Code Review for Use of SSL 
    • Code Review for use of URL for Storing Session Tokens
    • Code Review for Cookies Persistence
    • Code Review for Allowing Excessive Failed Login Attempts
    • Code Review for providing Relative path to Redirect Method
    • Code Review for Use of Server.Transfer() Method
    • Code Review for Keeping both Public and Restricted pages in Same folder 
    • Code Review for use of Weak Encryption Algorithm 
    • Code Review for use of ECB Cipher Mode 
    • Code Review for use of Zero Padding
    • Code Review for use of Small Key Size
    • Code Review for use of Small Block Size
    • Code Review for Cryptographic Keys Generation Mechanism
    • Code Review for Sensitive Information Leakage
    • Code Review for Generic Exception Throwing and Catching
    • Code Review for use of Unencrypted Cookies
    • Code Review for Overly Long Sessions
    • Code Review for Cookieless Sessions
    • Code Review for regeneration of Expired Sessions
    • Code Review for weak Session Key Generation Mechanism
    • Code Review for Cookies Vulnerable to Client-side Scripts attacks 
    • Code Review for Cookies Vulnerable to CSRF Attacks
    • Code Review for ViewState Security
    • Code Review for allowOverride Attribute
    • Code Review for Enabling Trace feature
    • Code Review for Enabling Debug feature
    • Code Review for Validate Request 
    • Code Review: Check List Approach
    • Sample Checklist
    • Input Validation
    • Authentication 
    • Authorization
    • Session Management
    • Cryptography
    • Exception Handling
    • Logging
    • SAST Finding
    • SAST Report
    • SAST Reporting
    • Dynamic Application Security Testing
    • Types of DAST
    • Automated Application Vulnerability Scanning
    • Manual Application Penetration Testing
    • SAST vs DAST
    • Automated Application Vulnerability Scanning Tools
    • Web Application Security Scanners
    • WebInspect 
    • IBM SecurityAppScan 
    • Additional Web Application Vulnerability Scanners 
    • Proxy-based Security Testing Tools 
    • Burp Suite
    • OWASP Zed Attack Proxy (ZAP)
    • Additional Proxy-based Security Testing Tools
    • Choosing Between SAST and DAST
  • Module 10 Title Secure Deployment and Maintenance
  • Module 10 Content
    • Secure Deployment
    • Prior Deployment Activity
    • Check the Integrity of Application Package Before Deployment
    • Review the Deployment Guide Provided by the Software Vendor
    • Deployment Activities: Ensuring Security at Various Levels
    • Host Level Deployment Security
    • IIS level Deployment Security
    • SQL Server Level Deployment Security 
    • Ensuring Security at Host Level
    • Check and Configure the Security of Machine Hosting Web Server, Application Server, Database Server and Network Devices
    • Physical Security
    • Host Level Security
    • Ensuring Security at Network Level
    • Network level Security
    • Router
    • Firewall
    • Switch
    • Ensuring Security at Application Level 
    • Web Application Firewall (WAF)
    • Benefits of WAF
    • WAF Limitations
    • WAF Vendors
    • Ensuring Security at IIS Level
    • Configure IIS Server Request Filtering Feature
    • Editing Request Filtering and Request Limits
    • Allowing or Denying a File Name Extension in Request Filtering
    • Adding a Hidden Segment in Request Filtering
    • Adding Limits for HTTP Headers in Request Filtering
    • Denying HTTP Verbs in Request Filtering
    • Setting Request Filtering Attributes using appcmd
    • Sites and Virtual Directories
    • Website Location
    • Script Mapping
    • Anonymous Internet User Account
    • Auditing and Logging
    • Web Permissions
    • IP Address and Domain Name Restrictions
    • Authentication
    • Parent Path Setting
    • Microsoft FrontPage Server Extensions
    • ISAPI Filters
    • Ensuring Security at .NET Level
    • Web.config and Machine.config Deployment Security Settings
    • Verify the Configuration Settings
    • Verify Lock Per-machine Settings
    • Verify trace Element Setting
    • Verify CustomError Settings
    • Verify maxRequestLength Setting
    • Verify debug Settings
    • Verify protection Setting 
    • Verify timeout Setting
    • Verify requireSSL Setting
    • Verify passwordFormat Setting 
    • Verify slideExpiration Setting
    • Verify Name and Path Attribute Setting
    • Verify Authorization Element Setting
    • Verify Identity Element Setting
    • Verify roleManager Setting 
    • Verify cookieProtection Setting
    • Verify cookieRequireSSL Setting
    • Verify cookieTimeout Setting 
    • Verify createPersistentCookie Setting 
    • Verify sessionState Settings
    • Verify decryptionKey and validationKey Setting
    • Verify decryptionKey and validationKey Setting in Web Farm
    • Verify validation Setting
    • Verify trust Element Setting
    • Verify httphandlers Settings
    • Verify processModel Settings
    • Verify healthMonitoring Setting
    • Ensuring Security at SQL Server Level
    • Selecting Authentication Mode in SQL Server
    • Secure Mixed Mode Authentication 
    • Configure Password Enforcement Options for Standard SQL Server Logins
    • Delete or Disable Unused Accounts
    • Turn Off SQL Server Browser Service
    • Disable Unnecessary Features and Services
    • Service Account Management and Selection
    • Manage Privileged Access
    • Hiding SQL Server Instance
    • Implement Encryption
    • Implement Transparent Data Encryption
    • Configure SSL in SQL Server
    • Secure the Auditing Process
    • Security Maintenance and Monitoring
    • Post Deployment Activities: Security Maintenance and Monitoring
    • Security Maintenance Activities at OS level
    • Security Maintenance Activities at IIS level
    • Security Maintenance Activities at Application level
RM4,700.00(+RM376.00 Tax)
* Training Dates:

The Certified Application Security Engineer (CASE) credential is developed in partnership with large application and software development experts globally.
The CASE credential tests the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.


The CASE certified training program is developed concurrently to prepare software professionals with the capabilities that employers and academia expect globally. It is designed to be a hands-on, comprehensive application security course that helps software professionals create secure applications.


The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application.
Unlike other application security training programs, CASE goes beyond guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in the post-development phases of application development.


This makes CASE one of the most comprehensive certifications on the market today. It is sought after by software application engineers, analysts, and testers globally, and respected by hiring authorities.

The Purpose of CASE Is

  • To ensure that application security is no longer an afterthought but a foremost one.
  • To lay the foundation that all application developers and development organizations need in order to produce secure applications with greater stability and fewer security risks to the consumer, thereby making security a foremost consideration.
  • To ensure that organizations mitigate the risk of losing millions due to security compromises that may arise at every step of the application development process.
  • To help individuals develop the habit of treating security as paramount, irrespective of their job role in the SDLC, thereby making security a core domain for testers, developers, network administrators, and others.


Additional Info

  • Certification: Course & Certificate
  • Course Code: CASE.JAVA
  • Price: RM4700
  • Exam Price: Included
  • Exam Code: 312-94
  • Duration: 3 Days
  • Certification Info: Certified Application Security Engineer
  • Principals: EC-Council
  • Schedule

    15-17 Jan 2024

    15-17 Apr 2024

    15-17 Jul 2024

    14-16 Oct 2024

  • Audience

    Individuals involved in developing, testing, managing, or protecting a wide range of applications

  • Prerequisites

    Java developers with a minimum of 2 years of experience, and individuals who want to become application security engineers/analysts/testers

  • At Course Completion

    • Immediate Credibility: The CASE program affirms that you are indeed an expert in application security. It also demonstrates the skills that you possess to employers globally.
    • Pertinent Knowledge: Through the CASE certification and training program, you will be able to expand your application security knowledge.
    • Multifaceted Skills: CASE can be applied to a wide variety of platforms, such as mobile applications, web applications, IoT devices, and many more.
    • A Holistic Outlook: Ranging from pre-deployment to post-deployment security techniques and covering every aspect of the secure software development life cycle, CASE arms you with the skills needed to build a secure application.
    • Better Protect and Defend: By making an application more secure you are also helping defend both organizations and individuals globally. As a CASE, it is in your hands to protect and defend and ultimately help build a safer world.

  • Module 1 Title Understanding Application Security, Threats, and Attacks
  • Module 1 Content
    • What is a Secure Application
    • Need for Application Security 
    • Most Common Application Level Attacks
      • SQL Injection Attacks 
      • Cross-site Scripting (XSS) Attacks
      • Parameter Tampering
      • Directory Traversal
      • Cross-site Request Forgery (CSRF) Attack
      • Denial-of-Service (DoS) Attack
    • Denial-of-Service (DoS): Examples
      • Session Attacks
    • Cookie Poisoning Attacks
    • Session Fixation
    • Why Applications become Vulnerable to Attacks
      • Common Reasons for Existence of Application Vulnerabilities
      • Common Flaws that Exist due to Insecure Coding Techniques
      • Improper Input Validation
      • Insufficient Transport Layer Protection
      • Improper Error Handling
      • Insecure Cryptographic Storage
      • Broken Authentication and Session Management
      • Unvalidated Redirects and Forwards
      • Insecure Direct Object References
      • Failure to Restrict URL Access
    • What Constitutes Comprehensive Application Security?
      • Application Security Frame
      • 3W’s in Application Security
    • Insecure Application: A Software Development Problem
      • Solution: Integrating Security in Software Development Life Cycle (SDLC)
      • Functional vs Security Activities in SDLC
      • Advantages of Integrating Security in SDLC
      • Microsoft Security Development Lifecycle (SDL)
    • Software Security Standards, Models, and Frameworks
      • The Open Web Application Security Project (OWASP)
      • OWASP Top 10 Attacks (2017)
      • The Web Application Security Consortium (WASC)
      • WASC Threat Classification
      • Software Security Framework
    • Software Assurance Maturity Model (SAMM)
    • Building Security in Maturity Model (BSIMM)
      • BSIMM vs OpenSAMM 
  • Module 2 Title Security Requirements Gathering
  • Module 2 Content
    • Importance of Gathering Security Requirements
      • Security Requirements
      • Gathering Security Requirements
      • Why We Need a Different Approach for Security Requirements Gathering
      • Key Benefits of Addressing Security at Requirement Phase
      • Stakeholders Involvement in Security Requirements Gathering 
      • Characteristics of Good Security Requirement: SMART
      • Types of Security Requirements
      • Functional Security Requirements
      • Security Drivers
    • Security Requirement Engineering (SRE)
    • SRE Phases
      • Security Requirement Elicitation
      • Security Requirement Analysis
      • Security Requirement Specification
      • Security Requirement Management
    • Common Mistakes Made in Each Phase of SRE
    • Different Security Requirement Engineering Approaches/Models
    • Abuse Case and Security Use Case Modeling
    • Abuse Cases
    • Threatens Relationship
    • Abuse Case Modeling Steps
    • Abuse Cases: Advantages and Disadvantages
    • Abuse Case Template
    • Security Use Cases
    • Security Use Cases are Abuse Case Driven
    • Modeling Steps for Security Use Cases
    • Mitigates Relationship
    • Abuse Case vs Security Use Case
    • Security Use Case: Advantages and Disadvantages
    • Security Use Case Template
    • Security Use Case Guidelines
    • Example 1: Use Case for Online Bidding System
    • Example 1: Abuse Case for Online Bidding System
    • Example 1: Security Use Case for Online Bidding System
    • Example 2: Use Case for ATM System
    • Example 2: Abuse Case for ATM System
    • Example 2: Security Use Case for ATM System
    • Example 3: Use Case for E-commerce System
    • Example 3: Abuse Case for E-commerce System
    • Example 3: Security Use Case for E-commerce System
    • Effectiveness of Abuse and Security Case
    • Abuser and Security Stories
    • Textual Description Template: Abuser Stories and Security Stories
    • Examples: Abuser Stories and Security Stories
    • Effectiveness of Abuser and Security Stories
    • Abuser Stories: Advantages and Disadvantages
    • Security Quality Requirements Engineering (SQUARE)
      • SQUARE Effectiveness
      • SQUARE Process
      • SQUARE: Advantages and Disadvantages 
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
      • OCTAVE Effectiveness
      • OCTAVE Steps
      • OCTAVE: Advantages and Disadvantages
  • Module 3 Title Secure Application Design and Architecture
  • Module 3 Content
    • Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
    • Secure Application Design and Architecture
    • Goal of Secure Design Process
    • Secure Design Actions
    • Security Requirement Specifications 
    • Secure Design Principles
    • Threat Modeling 
    • Secure Application Architecture 
    • Secure Design Principles
    • Define Secure Design Principles
    • Secure Design Principles
    • Security Through Obscurity
    • Secure the Weakest Link
    • Use Least Privilege Principle
    • Secure by Default
    • Fail Securely
    • Apply Defense in Depth
    • Do Not Trust User Input
    • Reduce Attack Surface
    • Enable Auditing and Logging
    • Keep Security Simple
    • Separation of Duties
    • Fix Security Issues Correctly
    • Apply Security in Design Phase
    • Protect Sensitive Data
    • Exception Handling
    • Secure Memory Management
    • Protect Memory or Storage Secrets
    • Fundamentals of Control Granularity
    • Fault Tolerance
    • Fault Detection
    • Fault Removal
    • Fault Avoidance
    • Loose Coupling
    • High Cohesion
    • Change Management and Version Control
    • Threat Modeling
    • Threat Modeling Phases 
    • Attack Surface Evaluation
    • Threat Identification
    • Impact Analysis
    • Control Recommendations
    • Threat Modeling Process
    • Identify Security Objective
    • Application Overview
    • Decompose Application
    • Identify Threats
    • Identify Vulnerabilities
    • Identify Security Objective
    • How to Identify Security Objectives
    • Create an Application Overview
    • Draw the End-to-End Deployment Architecture
    • Identify Various User Roles
    • Identify Use Cases Scenarios
    • Identify Technologies
    • Identify Application Security Mechanisms
    • Decompose Application
      • Prepare and Document Threat Model Information
    • Example: Threat Model Information
      • Identify the External Dependencies
    • External Dependencies: Example
      • Identify the Entry Points
    • Entry Points: Example
      • Identify the Assets
    • Assets: Example
      • Identify the Trust Levels
    • Trust Levels: Example
      • Define Trust Levels to Entry points 
      • Define Trust Levels to Assets
      • Perform Application Modelling using Data Flow Diagrams (DFDs)
      • Determine the Threats: Identify the Goal of an Attacker and Create Threat Profile 
    • Example: Attacker’s Goal/Threat Profile and Vulnerabilities Associated
      • Determine the Threats: Create a Security Profile 
      • Identify the Threats
    • The STRIDE Model
      • Example: Threat Categorized and Identified using STRIDE 
    • Determine Countermeasures and Mitigation Security Controls 
    • Document the Threats
    • Rating the Threats
    • Rating the Threats: DREAD Model
    • Secure Application Architecture
    • Design Secure Application Architecture
  • Module 4 Title Secure Coding Practices for Input Validation
  • Module 4 Content
    • Input Validation
    • Why Input Validation?
    • Input Validation Specification
    • Input Validation Approaches
    • Validation and Security Issues
    • Impact of Invalid Data Input
    • Data Validation Techniques
    • Input Validation using Frameworks and APIs
    • Open Source Validation Framework for Java
    • Servlet Filters
    • Validation Filters for Servlet
    • Data Validation using OWASP ESAPI
    • Data Validation: Struts Framework
    • Struts Validator
    • Struts Validation and Security
    • Data Validation using Struts Validator
    • Avoid Duplication of Validation Forms
    • Secure and Insecure Struts Validation Code
    • Struts Validator Class
    • Secure and Insecure Code for Struts Validator Class
    • Enable the Struts Validator
    • Secure and Insecure Struts Validator Code
    • Struts 2 Framework Validator
    • Struts 2 Framework: Built-in Data Validators
    • Struts 2 Framework Annotation Based Validators
    • Struts 2 Custom Validation: Workflow Interceptor
    • Struts 2 Ajax Validation: jsonValidation Interceptor
    • Data Validation: Spring Framework
    • Spring Validator
    • Data Validation: Spring MVC Framework
    • Implementing Validator
    • JSR 380 Bean Validator API
    • Configuring JSR 380
    • Custom Validator Implementation in Spring
    • Spring Validation and Security
    • Input Validation Errors
    • Improper Sanitization of Untrusted Data
    • Improper Validation of Strings
    • Improper Logging of User Inputs
    • Improper Incorporation of Malicious Inputs into Format Strings
    • Inappropriate Use of Split Characters in Data Structures
    • Improper Validation of Non-Character Code Points
    • Improper Use of String Modification
    • Improper Comparison of Locale-dependent Data
    • Best Practices for Input Validation
    • Common Secure Coding Practices
    • SQL Injection
    • Prepared Statement
    • Stored Procedures
    • Vulnerable and Secure Code for Stored Procedures
    • Stored Procedure for Securing Input Validation
    • Cross-site Scripting (XSS)
    • Whitelisting vs Blacklisting
    • Vulnerable and Secure Code for Blacklisting & Whitelisting
    • Regular Expressions
    • Vulnerable and Secure Code for Regular Expressions
    • Character Encoding
    • Vulnerable and Secure Code for Character Encoding
    • Checklist for Character Encoding
    • Cross-site Scripting (XSS) Countermeasures
    • HTML Encoding
    • Vulnerable and Secure Code for HTML Encoding
    • HTML Encoding using ESAPI Encoder
    • Cross-site Request Forgery (CSRF)
    • Cross-site Request Forgery (CSRF) Countermeasures
    • Directory Traversal
    • Directory Traversal Countermeasures
    • HTTP Response Splitting
    • HTTP Response Splitting Countermeasures
    • Parameter Manipulation and Countermeasures
    • Protecting Application from Log Injection Attack
    • XML Injection
    • Command Injection
    • LDAP Injection
    • XML External Entity Attack
    • Unrestricted File Upload Attack
    • Prevent Unrestricted File Upload: Validate File Extension
    • Injection Attacks Countermeasures
    • CAPTCHA
    • Sample Code for Creating CAPTCHA
    • Sample Code for CAPTCHA Verification
    • Sample Code for Displaying CAPTCHA
    • Best Practices for Input Validation
  • Module 5 Title Secure Coding Practices for Authentication and Authorization
  • Module 5 Content
    • Introduction to Authentication 
    • Java Container Authentication
    • Authorization Mechanism Implementation
    • Types of Authentication
    • Declarative vs Programmatic Authentication
    • Declarative Security Implementation
    • Programmatic Security Implementation
    • Java EE Authentication Implementation Example
    • Basic Authentication
    • How to Implement Basic Authentication?
    • Form-based Authentication
    • Form-based Authentication Implementation
    • Implementing Kerberos-Based Authentication
    • Secured Kerberos Implementation
    • Client Certificate Authentication
    • Certificate Generation with Keytool
    • Implementing Encryption and Certificates in Client Application
    • Authentication Weaknesses and Prevention
    • Brute Force Attack
    • Web-based Enumeration Attack
    • Weak Password Attacks  
    • Introduction to Authorization
    • JEE Based Authorization
    • Declarative
    • Programmatic
    • Access Control Model
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role-based Access Control (RBAC)
    • Servlet Container
    • Authorizing Users by Servlets
    • EJB Authorization
    • EJB Authorization Controls
    • Declarative Security with EJBs
    • Programmatic Security with EJBs 
    • Java Authentication and Authorization (JAAS)
    • JAAS Features
    • JAAS Architecture
    • Pluggable Authentication Module (PAM) Framework
    • JAAS Classes
    • JAAS Subject and Principal
    • Authentication in JAAS
    • Authentication Steps in JAAS
    • Authorization in JAAS
    • Authorization Steps in JAAS
    • Subject Methods doAs() and doAsPrivileged()
    • Impersonation in JAAS
    • JAAS Permissions
    • LoginContext in JAAS
    • Creating LoginContext
    • LoginContext Instantiation
    • JAAS Configuration
    • Locating JAAS Configuration File
    • JAAS CallbackHandler and Callbacks
    • Login to Standalone Application
    • JAAS Client
    • LoginModule Implementation in JAAS
    • Methods Associated with LoginModule
    • LoginModule Example
    • Phases in Login Process
    • Java EE Security
    • Java EE Application Architecture
    • Java EE Servers as Code Hosts
    • Declaring Roles
    • HTTP Authentication Schemes
    • Authorization Common Mistakes and Countermeasures
    • Common Mistakes
    • Authentication and Authorization in Spring Security Framework
    • Spring Security Framework
    • Spring Security Modules
    • Spring Authentication
    • Storing Username and Password
    • Securing Authentication Provider
    • Implementing HTTP Basic Authentication
    • Form-based Authentication
    • Implementing Digest Authentication
    • Security Expressions
    • URL-based Authorization
    • JSP Page Content Authorization
    • JSP Page Content Authorization with Domain Object’s ACL
    • Method Authorization
    • Configuring Anonymous Login
    • Logout Feature Configuration
    • Remember-Me Authentication
    • Integrating Spring Security with JAAS
    • Spring JAAS Implementation
    • Defensive Coding Practices against Broken Authentication and Authorization
    • Do Not Store Password in Java String Object
    • Avoid Cookie-based Remember-Me; Use Persistent Remember-Me
    • Implement Appropriate Session Timeout
    • Prevent Session Stealing by Securing SessionID Cookie
    • Secure Development Checklists: Broken Authentication and Session Management
  • Module 6 Title Secure Coding Practices for Cryptography
  • Module 6 Content
    • Java Cryptography
    • Need for Java Cryptography
    • Java Security with Cryptography
    • Java Cryptography Architecture (JCA)
    • Java Cryptography Extension (JCE)
    • Encryption and Secret Keys
    • Attack Scenario: Inadequate/Weak Encryption
    • Encryption: Symmetric and Asymmetric Key
    • Encryption/Decryption Implementation Methods
    • SecretKeys and KeyGenerator
    • Implementation Methods of KeyGenerator Class
    • Creating SecretKeys with KeyGenerator Class
    • Cipher Class
    • The Cipher Class
    • Implementation Methods of Cipher Class
    • Insecure Code for Cipher Class using DES Algorithm
    • Secure Code for Cipher Class using AES Algorithm
    • Digital Signatures
    • Attack Scenario: Man-in-the-Middle Attack
    • Digital Signatures
    • The Signature Class
    • Implementation Methods of Signature Class
    • The SignedObjects
    • Implementing Methods of SignedObjects
    • The SealedObjects
    • Implementation Methods of SealedObject
    • Insecure and Secure Code for Signed/Sealed Objects
    • Java XML Digital Signature
    • Secure Socket Layer (SSL)
    • Java Secure Socket Extension (JSSE)
    • SSL and Security: Example 1
    • SSL and Security: Example 2
    • JSSE and HTTPS
    • Insecure HTTP Server Code
    • Secure HTTP Server Code
    • Key Management
    • Attack Scenario: Poor Key Management
    • Keys and Certificates
    • Key Management System
    • KeyStore
    • Implementation Method of KeyStore Class
    • KeyStore: Persistent Data Stores
    • Key Management Tool: KeyTool
    • Digital Certificates
    • Certification Authorities
    • Signing Jars
    • Signing JAR Tool: Jarsigner
    • Signed Code Sources
    • Insecure Code for Signed Code Sources
    • Secure Code for Signed Code Sources
    • Hashing
    • Hashing Algorithms
    • Securing Hashed Password with Salt
    • Implementing Hashing with Salt in Spring Security
    • Java Card Cryptography
    • Spring Security: Crypto Module
    • Crypto Module
    • Spring Security Crypto Module
    • Key Generators
    • PasswordEncoder
    • Implementing BCryptPasswordEncoder()
    • Configuring BCryptPasswordEncoder() in Spring Security
    • JavaScript Object Signing and Encryption (JOSE)
    • Attacks against JWT, JWS and JWE
    • Implementing JWS using Jose4J
    • Implementing JWE using Jose4J
    • Implementing JWK using Jose4J
    • Dos and Don’ts in Java Cryptography
    • Dos and Don’ts
    • Avoid using Insecure Cryptographic Algorithms
    • Avoid using Statistical PRNG, Inadequate Padding and Insufficient Key Size
    • Implement Strong Entropy
    • Implement Strong Algorithms
    • Best Practices for Java Cryptography
  • Module 7 Title Secure Coding Practices for Session Management
  • Module 7 Content
    • Session Management
    • Session Tracking
    • Session Tracking Methods
    • HttpSession
    • Cookies
      • Setting a Limited Time Period for Session Expiration
      • Preventing Session Cookies from Client-Side Script Attacks
    • URL Rewriting
      • Example Code for URL Rewriting
    • Hidden Fields
    • Session Objects
    • Session Management in Spring Security
    • Spring Session Management
    • Session Management using Spring Security
    • Restricting Concurrent Sessions per User using Spring Security
    • Controlling Session Timeout
    • Prevent using URL Parameters for Session Tracking
    • Prevent Session Fixation with Spring Security
    • Use SSL for Secure Connection
    • Session Vulnerabilities and their Mitigation Techniques
    • Session Vulnerabilities
    • Types of Session Hijacking Attacks
    • Countermeasures for Session Hijacking
    • Countermeasures for Session ID Protection
    • Best Practices and Guidelines for Secured Sessions Management
    • Best Coding Practices for Session Management
    • Checklist to Secure Credentials and Session IDs
    • Guidelines for Secured Session Management
  • Module 8 Title Secure Coding Practices for Error Handling
  • Module 8 Content
    • Introduction to Exceptions
    • Exception and Error Handling
    • Checked Exceptions
    • Unchecked Exceptions
    • Example of an Exception
    • Handling Exceptions in Java
    • Exception Classes Hierarchy
    • Exceptions and Threats
    • Erroneous Exceptional Behaviors
    • Suppressing or Ignoring Checked Exceptions
    • Disclosing Sensitive Information
    • Logging Sensitive Data
    • Restoring Objects to Prior State, if a Method Fails
    • Avoid using Statements that Suppress Exceptions
    • Prevent Access to Untrusted Code that Terminates JVM
    • Never Catch java.lang.NullPointerException
    • Never Allow Methods to Throw RuntimeException, Exception, or Throwable
    • Never Throw Undeclared Checked Exceptions
    • Never Let Checked Exceptions Escape from Finally Block
    • Dos and Don'ts in Error Handling
    • Dos and Don'ts in Exception Handling
    • Avoid using Log Error and Throw exception at Same Time
    • Spring MVC Error Handling
    • Handling Controller Exceptions with @ExceptionHandler Annotation
    • Handling Controller Exceptions with HandlerExceptionResolver
    • Spring MVC: Global Exception Handling
    • Global Exception Handling: HandlerExceptionResolver
    • Mapping Custom Exceptions to Status Codes with @ResponseStatus
    • Configure Custom Error Page in Spring MVC
    • Exception Handling in Struts 2
    • Exception Handling: Struts 2
    • Best Practices for Error Handling
    • Best Practices for Handling Exceptions in Java
    • Introduction to Logging
    • Logging in Java
    • Example for Logging Exceptions
    • Logging Levels
    • Logging using Log4j
    • Log4j and Java Logging API
    • Java Logging using Log4j
    • Secure Coding in Logging
    • Vulnerabilities in Logging
    • Logging: Vulnerable Code and Secure Code
    • Secured Practices in Logging


  • Module 9 Title Static and Dynamic Application Security Testing (SAST & DAST)
  • Module 9 Content
    • Static Application Security Testing
    • Static Application Security Testing (SAST)
    • Objectives of SAST
    • Why SAST
    • Skills required for SAST
    • What to look for in SAST
    • Common Vulnerabilities Identified Through SAST
    • Types of SAST
    • Automated Source Code Analysis
    • Manual Source Code Review
    • Where does Secure Code Review Fit in SDLC?
    • SAST Steps
    • SAST Activities-flow Chart
    • Recommendation for Effective SAST
    • SAST Deliverable
    • Automated Source Code Analysis
    • Static Code Analysis Using Checkmarx Static Code Analysis
    • Static Code Analysis Using Visual Code Grepper (VCG)
    • Static Code Analysis Using HP Fortify
    • Static Code Analysis Using Rational AppScan Source Edition
    • Selecting Static Analysis Tool
    • Manual Secure Code Review
    • Manual Secure Code Review for Most Common Vulnerabilities
    • Code Review for PCI DSS Compliance
    • Code Review for Blacklisting Validation Approach
    • Code Review for Client Side Validation Approach
    • Code Review for Non-parametrized SQL Query
    • Review Code for Non-parameterized Stored Procedure
    • Code Review for XSS Vulnerability
    • Review Code for Unvalidated Redirects and Forwards
    • Code Review for Weak Password Authentication 
    • Code Review for Hard-Coded Passwords
    • Code Review for Clear-text Credentials in Authentication
    • Code Review for Unencrypted Form Authentication Tickets
    • Code Review for Clear-text Connection strings
    • Code Review for Weak Password Length
    • Code Review for Inappropriate Authorization 
    • Code Review for use of Weak Hashing Algorithm
    • Code Review for use of Weak Encryption Algorithm
    • Code Review for Use of SSL 
    • Code Review for use of URL for Storing Session Tokens
    • Code Review for Cookies Persistence
    • Code Review for Allowing Too Many Failed Login Attempts
    • Code Review for providing Relative path to Redirect Method
    • Code Review for Use of Server.Transfer() Method
    • Code Review for Keeping both Public and Restricted pages in Same folder 
    • Code Review for use of Weak Encryption Algorithm 
    • Code Review for use of ECB Cipher Mode 
    • Code Review for use of Zero Padding
    • Code Review for use of Small Key Size
    • Code Review for use of Small Block Size
    • Code Review for Cryptographic Keys Generation Mechanism
    • Code Review for Sensitive Information Leakage
    • Code Review for Generic Exception Throwing and Catching
    • Code Review for use of Unencrypted Cookies
    • Code Review for Overly Long Sessions
    • Code Review for Cookieless Sessions
    • Code Review for regeneration of Expired Sessions
    • Code Review for weak Session Key Generation Mechanism
    • Code Review for Cookies Vulnerable to Client-side Scripts attacks 
    • Code Review for Cookies Vulnerable to CSRF Attacks
    • Code Review for ViewState Security
    • Code Review for allowOverride Attribute
    • Code Review for Enabling Trace feature
    • Code Review for Enabling Debug feature
    • Code Review for Validate Request 
    • Code Review: Check List Approach
    • Sample Checklist
    • Input Validation
    • Authentication 
    • Authorization
    • Session Management
    • Cryptography
    • Exception Handling
    • Logging
    • SAST Finding
    • SAST Report
    • SAST Reporting
    • Dynamic Application Security Testing
    • Types of DAST
    • Automated Application Vulnerability Scanning
    • Manual Application Penetration Testing
    • SAST vs DAST
    • Automated Application Vulnerability Scanning Tools
    • Web Application Security Scanners
    • WebInspect 
    • IBM SecurityAppScan 
    • Additional Web Application Vulnerability Scanners 
    • Proxy-based Security Testing Tools 
    • Burp Suite
    • OWASP Zed Attack Proxy (ZAP)
    • Additional Proxy-based Security Testing Tools
    • Choosing Between SAST and DAST
  • Module 10 Title Secure Deployment and Maintenance
  • Module 10 Content
    • Secure Deployment
    • Prior Deployment Activity
    • Check the Integrity of Application Package Before Deployment
    • Review the Deployment Guide Provided by the Software Vendor
    • Deployment Activities: Ensuring Security at Various Levels
    • Host Level Deployment Security
    • IIS Level Deployment Security
    • SQL Server Level Deployment Security 
    • Ensuring Security at Host Level
    • Check and Configure the Security of Machine Hosting Web Server, Application Server, Database Server and Network Devices
    • Physical Security
    • Host Level Security
    • Ensuring Security at Network Level
    • Network Level Security
    • Router
    • Firewall
    • Switch
    • Ensuring Security at Application Level 
    • Web Application Firewall (WAF)
    • Benefits of WAF
    • WAF Limitations
    • WAF Vendors
    • Ensuring Security at Web Container Level
    • Install and Configure Tomcat Securely
    • Remove Server Banner
    • Start Tomcat with Security Manager
    • Configure Default Servlet Not to Serve Index Pages
    • Replace Default Error Page
    • Replace Default server.xml
    • Protect Shutdown Port
    • Restrict Access to Tomcat Manager Applications
    • Protecting Resources with Realms
    • Store Passwords as Digest
    • Do Not Run Tomcat as Root
    • Configure Restricted Datasets
    • Session Handling using App Mode in Tomcat
    • Role Based Security
    • Securing Tomcat at Network Level
    • Java Runtime Security Configurations
    • Tomcat General Security Setting
    • Verify Trace Element Setting in server.xml
    • Verify CustomError Settings in web.xml
    • Verify maxPostSize Setting
    • Tomcat Security Checklist
    • Checklist for Security Configuration in server.xml File in Apache Tomcat
    • Tomcat High Availability
    • Best Practices for Securing Tomcat
    • Ensuring Security in Oracle
    • Oracle Database General Security Overview
    • Methods of Authentication in Oracle
    • Authentication by Oracle Database
    • Oracle Security Features
    • Default Database Installation and Configuration Security
    • Managing User Accounts Securely for the Site
    • Securing User Accounts
    • Password Management
    • Lock all Expired Accounts
    • Assign Users to Password Profile
    • Disable Remote Operating System Authentication
    • Securing Data
    • Restrict Access to Operating System Directories
    • Securing Database Installation and Configuration
    • Securing Network
    • How to Configure Encryption on the Client and the Server
    • Control Access Data
    • Virtual Private Database
    • Oracle Label Security
    • Database Vault
    • Management and Reports
    • Disabling the Recycle Bin
    • Audit Vault
    • Built-in Audit Tools
    • Standard Database Auditing
      • Standard Auditing
      • Enable Network Auditing
    • Value Based Auditing
    • Fine Grained Auditing (FGA)
    • Recommended Audit Settings
    • Security Maintenance and Monitoring
    • Post Deployment Activities: Security Maintenance and Monitoring
    • Security Maintenance Activities at OS Level
    • Security Maintenance Activities at Web Container Level
    • Security Maintenance Activities at Application Level
RM4,700.00(+RM376.00 Tax)

This latest iteration of EC-Council’s Certified Incident Handler (E|CIH) program has been designed and developed in collaboration with cybersecurity and incident handling and response practitioners across the globe.

It is a comprehensive specialist-level program that imparts knowledge and skills that organizations need to effectively handle post breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective.

Following a rigorous development which included a careful Job Task Analysis (JTA) related to incident handling and incident first responder jobs, EC-Council developed a highly interactive, comprehensive, standards-based, intensive 3-day training program and certification that provides a structured approach to learning real-world incident handling and response requirements.

Professionals interested in pursuing incident handling and response as a career require comprehensive training that not only imparts concepts but also allows them to experience real scenarios. The E|CIH program includes hands-on learning delivered through labs within the training program. True employability after earning a certification can only be achieved when the core of the curricula maps to and is compliant with government- and industry-published incident handling and response frameworks.

E|CIH is a method-driven program that uses a holistic approach to cover the broad range of concepts in organizational incident handling and response, from preparing and planning the incident handling and response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents so as to protect organizations from future threats or attacks.

Additional Info

  • Certification Course & Certificate
  • Course Code ECIH
  • Price RM4700
  • Exam Price Include
  • Exam Code 212-89
  • Duration 3 Days
  • CertificationInfo EC-Council Certified Incident Handler
  • Principals EC-Council
  • Schedule

    25-27 Mar 2024

    10-12 Jun 2024

    18-20 Sep 2024

    18-20 Nov 2024

  • Audience

    The incident handling skills taught in E|CIH are complementary to the job roles below as well as many other cybersecurity jobs:

    • Penetration Testers
    • Vulnerability Assessment Auditors
    • Risk Assessment Administrators
    • Network Administrators
    • Application Security Engineers
    • Cyber Forensic Investigators/Analysts and SOC Analysts
    • System Administrators/Engineers
    • Firewall Administrators and Network Managers/IT Managers
  • Prerequisites
  • At Course Completion
    • Understand the key issues plaguing the information security world
    • Learn to combat different types of cybersecurity threats, attack vectors, threat actors and their motives
    • Learn the fundamentals of incident management including the signs and costs of an incident
    • Understand the fundamentals of vulnerability management, threat assessment, risk management, and incident response automation and orchestration
    • Master all incident handling and response best practices, standards, cybersecurity frameworks, laws, acts, and regulations
    • Decode the various steps involved in planning an incident handling and response program
    • Gain an understanding of the fundamentals of computer forensics and forensic readiness
    • Comprehend the importance of the first response procedure including evidence collection, packaging, transportation, storing, data acquisition, volatile and static evidence collection, and evidence analysis
    • Understand the anti-forensics techniques attackers use to cover up cybersecurity incidents
    • Apply the right techniques to different types of cybersecurity incidents in a systematic manner including malware incidents, email security incidents, network security incidents, web application security incidents, cloud security incidents, and insider threat-related incidents
  • Module 1: Introduction to Incident Handling and Response
  • Module 2: Incident Handling and Response Process
  • Module 3: Forensic Readiness and First Response
  • Module 4: Handling and Responding to Malware Incidents
  • Module 5: Handling and Responding to Email Security Incidents
  • Module 6: Handling and Responding to Network Security Incidents
  • Module 7: Handling and Responding to Web Application Security Incidents
  • Module 8: Handling and Responding to Cloud Security Incidents
  • Module 9: Handling and Responding to Insider Threats
RM4,700.00(+RM376.00 Tax)

EC-Council’s Certified Hacking Forensic Investigator (CHFI) is the only comprehensive ANSI-accredited, lab-focused program in the market that gives organizations vendor-neutral training in digital forensics. CHFI provides its attendees with a firm grasp of digital forensics, presenting a detailed and methodical approach to digital forensics and evidence analysis that also pivots around Dark Web, IoT, and Cloud Forensics. The tools and techniques covered in this program will prepare the learner to conduct digital investigations using ground-breaking digital forensics technologies.

The program is designed for IT professionals involved with information system security, computer forensics, and incident response. It will help fortify applied knowledge in digital forensics for forensic analysts, cybercrime investigators, cyber defense forensic analysts, incident responders, information technology auditors, malware analysts, security consultants, and chief security officers.

The program equips candidates with the necessary skills to proactively investigate complex security threats, allowing them to investigate, record, and report cybercrimes to prevent future attacks.

Why CHFI v10?

  • EC-Council is one of the few ANSI 17024 accredited institutions globally that specializes in Information Security. The Computer Hacking Forensic Investigator (CHFI) credential is an ANSI 17024 accredited certification.
  • The CHFI v10 program has been redesigned and updated after a thorough investigation into current market requirements, a job task analysis, and the industry's recent focus on forensic skills.
  • It is designed and developed by experienced subject matter experts and digital forensics practitioners.
    • CHFI v10 program includes extensive coverage of Malware Forensics processes, along with new modules such as Dark Web Forensics and IoT Forensics.
    • It also covers detailed forensic methodologies for public cloud infrastructure, including Amazon AWS and Azure.
    • The program is developed with an in-depth focus on Volatile data acquisition and examination processes (RAM Forensics, Tor Forensics, etc.).
  • CHFI v10 is a complete vendor-neutral course covering all major forensics investigation technologies and solutions.
  • CHFI has detailed labs for a hands-on learning experience. On average, 50% of training time is dedicated to labs, loaded on EC-Council’s CyberQ (Cyber Ranges). It covers all the relevant knowledge bases and skills needed to meet regulatory compliance standards such as ISO 27001, PCI DSS, SOX, HIPAA, etc.
  • It comes with an extensive number of white papers for additional reading.
  • The program presents a repeatable forensics investigation methodology that produces a versatile digital forensic professional, increasing employability.
  • The courseware is packed with forensics investigation templates for evidence collection, the chain of custody, final investigation reports, etc.
  • The program comes with cloud-based virtual labs, loaded on advanced Cyber Ranges, enabling students to practice various investigation techniques in real time in realistically simulated environments.

Additional Info

  • Certification Course & Certificate
  • Course Code CHFI
  • Price RM6200
  • Exam Price Include
  • Exam Code 312-49
  • Duration 5 Days
  • CertificationInfo Certified Hacking Forensics Investigator (CHFI)
  • Principals EC-Council
  • Schedule

    5-9 Feb 2024

    15-19 Apr 2024

    6-10 May 2024

    27-31 May 2024

    1-5 Jul 2024

    19-23 Aug 2024

    14-18 Oct 2024

    18-22 Nov 2024 (Penang)

  • Audience

    The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

    • Police and other law enforcement personnel
    • Defense and Military personnel
    • e-Business Security professionals
    • Systems administrators
    • Legal professionals
    • Banking, Insurance and other professionals
    • Government agencies
    • IT managers
    • Digital Forensics Service Providers
  • Prerequisites
    • IT/forensics professionals with basic knowledge of IT/cybersecurity, computer forensics, and incident response.
    • Knowledge of threat vectors.
  • At Course Completion

    How you will benefit

    A BREACH can be BRUTAL. Investing in building an expert in-house forensics team with CHFI training and certification is a strategic move for enterprises looking to safeguard their stakeholders’ interests as well as their own. CHFI empowers an existing team by teaching it the latest investigation practices.

    The course aligns with all the crucial forensic job roles across the globe.

    It is an ANSI 17024-accredited certification program, mapped to the NICE 2.0 framework.

    The course focuses on the latest technologies, including IoT Forensics, Dark Web Forensics, Cloud Forensics (including Azure and AWS), Network Forensics, Database Forensics, Mobile Forensics, Malware Forensics (including Emotet and Eternal Blue), OS Forensics, RAM Forensics and Tor Forensics. CHFI v10 covers the latest tools, techniques, and methodologies along with ample crafted evidence files.

  • Module 1: Computer Forensics in Today’s World
  • Module 2: Computer Forensics Investigation Process
  • Module 3: Understanding Hard Disks and File Systems
  • Module 4: Data Acquisition and Duplication
  • Module 5: Defeating Anti-Forensics Techniques
  • Module 6: Windows Forensics
  • Module 7: Linux and Mac Forensics
  • Module 8: Network Forensics
  • Module 9: Investigating Web Attacks
  • Module 10: Dark Web Forensics
  • Module 11: Database Forensics
  • Module 12: Cloud Forensics
  • Module 13: Investigating Email Crimes
  • Module 14: Malware Forensics
  • Module 15: Mobile Forensics
  • Module 16: IoT Forensics
  • Module 17: About the Exam

    The CHFI certification is awarded after successfully passing exam EC0 312-49. CHFI EC0 312-49 exams are available at ECC exam centers around the world.

  • Module 18: CHFI Exam Details
    • Number of Questions: 150
    • Test Duration: 4 hours
    • Test Format: Multiple choice
    • Test Delivery: ECC exam portal
    • Passing Score: In order to maintain the high integrity of our certification exams, EC-Council exams are provided in multiple forms (i.e., different question banks). Each form is carefully analyzed through beta testing with an appropriate sample group under the purview of a committee of subject matter experts, ensuring that each of our exams is not only academically sound but also has “real world” applicability. We apply an internal process to determine the difficulty rating of each question. The individual rating then contributes to an overall “Cut Score” for each exam form. To ensure each form has equal assessment standards, cut scores are set on a “per exam form” basis. Depending on which exam form is challenged, cut scores can range from 60% to 78%.
RM6,200.00(+RM496.00 Tax)

PMP, Project Management Professional (PMP), CAPM, Certified Associate in Project Management (CAPM) are registered marks of the Project Management Institute, Inc.
