Information Security Master's Degrees: MSISE


The Master of Science Degree in Information Security Engineering Course Catalog/Curriculum

PROGRAM GOALS: This MSISE (Engineering) program will prepare students to head teams of technologists who are responsible for information security assessments, architectures, operations, monitoring, and auditing, and to lead information security programs. Graduates will be qualified to seek positions such as technical director for information security, senior security analyst, senior security administrator, information systems security manager, information systems security officer, information security manager, and chief information security officer. The program focuses primarily on the technical and problem-solving skills associated with security implementation, but adds instruction on project management and effective communications to help graduates prepare to take responsibility for the work of other technologists. Many of the courses below, except the electives, include a writing assignment called a GIAC Gold paper or Written Assignment. More information about GIAC Gold can be found at the GIAC Gold page.

MSISE Core, mandatory courses:

Below is a list of the mandatory courses. (Earlier admitted STI students should refer to http://www.sans.edu/about/archive/ to view the version of the curriculum that applied when they were admitted to STI.)

An overview of each course is provided below this list. For more details about a course, click on the course below, or go to the SANS Security Training course list.

Course Delivery Options. If students wish to take some courses in other than a conference/residential institute setting, they should click on the tab above called "Course Delivery Options" to see which course delivery options are acceptable for master's students.

Courses and credit hours

MGT 305: Technical Communications and Presentation Skills for Security Professionals, Assessment (1 credit hour)
SEC 401: SANS Security Essentials Bootcamp Style, GIAC GSEC Gold (4 credit hours)
- It is recommended that students take SEC 401, but a current CISSP certification may be substituted for taking SEC 401 as follows. The student still must pass the GSEC certification exam and pass the GSEC Gold paper. The student will receive a Supplemental Study package for a charge equal to a 1 credit hour charge; this covers hard copies only, GIAC exam registration, and Gold paper registration.
MGT 433: Building and Deploying an Effective Security Awareness Program, Exam/Substitute, Written Assignment (1 credit hour)
SEC 503: Intrusion Detection in Depth, GIAC GCIA Gold (4 credit hours)
SEC 504: Hacker Techniques, Exploits, and Incident Handling, GIAC GCIH Cert, NetWars Tournament (4 credit hours)
- NetWars Tournament is described at http://www.sans.org/cyber-ranges/netwars. The STI student must work alone rather than collaborating in a team, and the passing point the student must reach is 1/3 or more of the points in Level 3.
MGT 525: IT Project Management, Effective Communications, and PMP Exam Prep, GIAC GCPM Cert (no gold paper required) (3 credit hours)
- A current Project Management Institute PMP Certification can be substituted for the GCPM.
- It is highly recommended that MGT 525 be completed before the Joint Written Project is started.
MGT 421: SANS Leadership and Management Competencies, Exam/Substitute, Written Assignment (1 credit hour)
- Note: This may become part of another larger course, MGT 514 IT Security Strategic Planning, Policy, and Leadership; you would take the applicable leadership & management competencies day of that other course.
OPTION of EITHER:
FOR 508: Advanced Computer Forensic Analysis and Incident Response, GIAC GCFA Gold (4 credit hours)
OR
SOFTWARE SECURITY TRAINING*, Gold(s)

* Software Security Training is a rapidly evolving field, which affects course development. Before starting Software Security Training, check with the college for the latest requirements.

(A) At least six days of courses from the following:
Example: If a student is interested in a particular three-day course below, then the student also will need to take another three-day course, OR a two-day course and a one-day course, OR three one-day courses.

(B) Exams for each chosen course. If a GIAC exam is not available, a substitute exam or assignment will be given.

(C) Software Security Training Gold paper(s), or Written Assignment(s) if Gold is not available.
Exception: For SEC 542 (GIAC GWAPT), the student can opt to do an additional NetWars Tournament in place of a Gold paper for GWAPT. NetWars Tournament is described at http://www.sans.org/cyber-ranges/netwars. The student must work on NetWars Tournament alone rather than collaborating in a team, and must reach Level 4 in NetWars Tournament. (Clarification: the student must reach the threshold score within Level 3 at which Level 4 becomes unlocked; the student does not have to complete Level 3, but has to complete about 80% of Level 3 to get Level 4 unlocked.)

TWO ELECTIVES (no gold required) from the following options (6 credit hours):

For students interested in Forensics, we have established a "Forensics Focus" that allows students to take the following courses (detailed in the ELECTIVES section below) for their elective requirement:

Students who do not wish to pursue the "Forensics Focus" can choose 2 elective courses, with at least one being a major (six-day) SEC / DEV / FOR 500/600/700 level course with GIAC Certification. Students can choose the other elective from the following:
COMMUNITY PROJECT REQUIREMENTS (6 credit hours) must be completed:
CPR 580 Group Discussion & Written Project - 2 credit hours
CPR 582 Presentation One - 1 credit hour
CPR 583 Presentation Two - 1 credit hour
CPR 581 Joint Written Project - 2 credit hours
GSE - required but no credit hours assigned
CPR 586 Awareness Talk - required but no credit hours assigned

For more information, see the STI community project requirements page.
INDEPENDENT STUDY OPTION
The student has the option of requesting one Independent Study in place of another course in the MSISE Program. The student would need to submit the proposal to the MSISE Program Director, who would review it and determine whether it should be authorized, confirm which course it should substitute for, and set the credit hours that should be assigned. The Program Director would assign it to a senior certified instructor who would manage the process and grade it.

Total Credit Hours: 34

Each exam score must be at least 80 (or 80 average if it was a two-part exam).

If a GIAC exam is a requirement but is not available, then the college provides a substitute exam/assignment/other requirement.

See the tab titled Recertification Policy that discusses whether or not recertification is required.

When a GIAC Gold Paper/Written Assignment/Assessment/other requirement is required, the student must also pass the GIAC Gold/Written Assignment/other requirement before the grade can be assigned.

For more details about each course, click on the full course overview for that course, or go to the SANS security training course list.


MGT 305: Technical Communications & Presentation Skills for Security Professionals

Full Course Overview

This course is designed for every IT professional in your organization. In this course we cover the top techniques that will show any attendee how to research and write professional quality reports, how to create outstanding presentation materials, and as an added bonus, how to write expert witness reports. Attendees will also get a crash course on advanced public speaking skills.

Writing reports is a task that many IT professionals struggle with, sometimes from the perspective of writing the report and other times from the perspective of having to read someone else's report! In the morning material we cover step by step how to work through the process of identifying critical ideas, how to properly research them, how to develop a strong argument in written form, and how to put it all down on paper. We also discuss some of the most common mistakes that can negatively impact the reception of your work and show how to avoid them. Attendees can expect to see the overall quality of their reports improve significantly as a result of this material.

After writing a meaningful report, it is not uncommon to find that we must present the key findings from that report before an audience, whether that audience is our department, upper management, or perhaps even the entire organization. How do you transform an excellent report into a powerful presentation? We will work through a process that works to either condense a report into a presentation or can even be used to write a presentation from scratch that communicates your important thoughts in a meaningful and interesting way.

Writing the presentation is only half of the battle, though. How do you stand up in front of a group of five or even five thousand and speak? In the afternoon we will share tips and techniques of top presenters that you can apply to give the best presentation of your career. Additionally, students will have the opportunity to work up and deliver a short presentation to the class followed by some personal feedback from one of SANS' top speakers.

SEC 401: SANS Security Essentials

Full Course Overview

You will learn the language and underlying theory of computer security. At the same time you will learn the essential, current knowledge and skills required for effective performance if you are given the responsibility for securing systems and/or organizations.

SANS Security Essentials Course Topics Sampling

  • Risk Assessment and Auditing
  • Host and Network Based Intrusion Detection
  • Honeypots, Firewalls and Perimeter Protection
  • Security Policy
  • Password Management
  • Security Incident Handling - The Six Steps
  • Information Warfare
  • Web Security
  • Network Fundamentals and IP Concepts and Behavior
  • Cisco Router Filters
  • Four Primary Threats for Perimeter Protection
  • PGP, Steganography
  • Anti-Viral Tools
  • Windows (XP, 2003, Vista, 2008 and Windows 7) Security Administration and Auditing
  • IIS Security
  • Unix Security Fundamentals

MGT 433: Securing The Human: Building and Deploying an Effective Security Awareness Program

Full Course Overview

For years now organizations have invested in information security. Unfortunately almost all of this effort has been focused on securing technology, with little if any effort given to securing the human factor. As a result, the human is now the weakest link. Employees will happily click on almost any link, install any software, open any attachment or share any USB stick they find. The simplest way for cyber attackers to bypass your security and hack your organization is to target your employees. The only way you can secure your employees is with an effective security awareness program.

In this challenging course you will learn the key concepts and skills to plan, implement, and maintain an effective security awareness program that makes your organization both more secure and compliant. In addition you will learn how to measure your program's impact with metrics you can use and show to senior management. Finally, through a series of labs and exercises, you will develop your own customized project plan so you can implement your awareness program upon returning to your office.

DAY 1 - PLANNING AND BUILDING

  • Defining the three elements of risk and their role in awareness
  • Why your employees are so vulnerable and how cyber attackers exploit these vulnerabilities
  • Defining Awareness, Training and Education
  • Determining the goals of your security awareness program
  • Building a business case for your program, including a budget
  • How to structure a large, enterprise solution that scales for multiple business units
  • Developing your project plan, specifically WHO, WHAT, HOW, and WHEN
  • WHO - Identifying the different targets of your awareness program
  • WHAT - Identifying and prioritizing the topics that will have both the greatest impact for your awareness program and ensure you are compliant, while eliminating topics that potentially waste employees' time.
  • Creating and documenting lesson objectives for your awareness topics.

DAY 2 - IMPLEMENT AND MAINTAIN

  • HOW - Identify the most effective methods for your organization's culture to communicate your awareness program
  • The two different communication methods, 'Primary' and 'Reinforcement'
  • The advantages, disadvantages and what works for the two different primary methods - 'Instructor Led' and 'Computer Based' training
  • The options for deploying computer based training and their advantages and disadvantages, including use of an LMS
  • Different reinforcement methods, including newsletters, posters and screensavers
  • Leveraging imagery for your awareness program
  • How to present, including ten key steps to success and ten mistakes to avoid
  • WHEN - Building your awareness deployment plan, including scheduling primary training, reinforcement training, launching your own awareness week.
  • How to enforce your awareness program
  • Designing and using metrics to track both the compliance and the impact of your program, including awareness assessments.
  • Updating and improving your program.

SEC 503: Intrusion Detection in Depth

Full Course Overview

Learn practical, hands-on intrusion detection and traffic analysis from top practitioners and authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips.

The emphasis of this course is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system (NIDS) - Snort. This is not a comparison or demonstration of multiple NIDSs. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus, to be better equipped to make a wise selection for their site's particular needs. This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer output before coming to class.

SEC 504: Hacker Techniques, Exploits, and Incident Handling

Full Course Overview

If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the "oldie-but-goodie" attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's system and also that you advise your network and computer operations teams of your testing.

MGT 525: IT Project Management, Effective Communications, and PMP Exam Prep

Full Course Overview

We will cover all aspects of project management from initiating and planning projects through managing cost, time, and quality while your project is active to completing, closing, and documenting as your project finishes. This course follows the basic project management structure from the Project Management Institute's Guide to the Project Management Body of Knowledge (PMBOK® Guide) and also offers specific insight and techniques to help you get the job done. You will leave this course with specific tools that can be utilized immediately in your work environment. A copy of the Guide (Fourth Edition) is provided to all participants. You can reference the PMBOK® Guide and use your course material along with the knowledge you gain in class to solidify your preparation for the updated Project Management Professional (PMP®) Exam and the GIAC Certified Project Manager Exam.

The project management process is broken down into core process groups that can be applied across multiple areas of any project. This course covers cost, time, quality, and risk management, but not only from the point of view of projects that create final products. Keeping in line with prevalent needs from the InfoSec industry, we look at projects that create and maintain services and cover in depth how cost, time, quality, and risk affect IT Security and the services we provide to others both inside and outside of our organizational boundaries. We go into great detail covering human resource management as well as effective communication and conflict resolution. People are the most valuable resource we have on a project, and the communication and conflict resolution techniques presented can be used in all areas of professional work. Above all, projects fail or succeed because of the people involved. You want to make sure the people involved with the development and execution of your project build a strong team and communicate effectively.

PMBOK® and PMP® are registered trademarks of the Project Management Institute.

MGT 421: SANS Leadership and Management Competencies

Full Course Overview

Note: This may become part of another larger course, MGT 514 IT Security Strategic Planning, Policy, and Leadership; you would take the applicable leadership & management competencies day of that other course.

Leadership is a capability that must be learned and developed to better ensure organizational success. The more techniques we learn, the better our leadership capability becomes. It is brought primarily through selfless devotion to the organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources toward the end goal. Leaders and followers influence each other toward the goal, identified through a two-way street where all parties perform their function to reach the overall objective.

Leadership entails the ability to persuade team members to accomplish their objectives while removing obstacles and resistance, and it facilitates the well-being of the team in support of the organization's mission. Grooming effective leaders is critical to all types of organizations, as the most effective teams are cohesive teams that work together toward common goals with camaraderie and can-do spirit!

Our focus is purely leadership-centric; this training opportunity is not security-centric or technology-centric. We help individuals develop leadership skills that apply to commercial business, non-profit, not-for-profit, or other organizations. This course is designed to develop existing and new supervisors and managers who aspire to go beyond being the boss and build leadership skills that enhance their organizational climate through team-building, advancing the organizational mission through growth in productivity, workplace attitude and satisfaction, and staff and customer relationships.

The manager/supervisor will learn vital, up-to-date knowledge and skills required to shift team paradigms to create a more positive and cooperative atmosphere in the workplace. Essential leadership topics covered in this management track include: Leadership Development, Coaching and Training, Employee Involvement, Conflict Resolution, Change Management, Vision Development, Motivation, Communication Skills, Self-Direction, Brainstorming Techniques, Benefits, and the ten core Leadership competencies. In a nutshell, this course covers critical processes that should be employed to develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles that operate together in harmony toward team-objective accomplishment. There are three goals for this course:

  • Establish a minimum standard for knowledge, skills, and abilities required to develop leadership.
  • Understand and leverage the motivational requirements of employees.
  • Establish a baseline understanding of the skills necessary to migrate from being a manager to being a leader.

FOR 508: Advanced Computer Forensic Analysis and Incident Response

Full Course Overview

This course will give the student a firm understanding of advanced incident response and computer forensics tools and techniques to investigate data breach intrusions, tech-savvy rogue employees, advanced persistent threats, and complex digital forensic cases. Utilizing advances in spear phishing, web application attacks, and persistent malware these new sophisticated attackers advance rapidly through your network. Incident Responders and Digital Forensic investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve challenging intrusion cases. This course will teach you critical forensic analysis techniques and tools in a hands-on setting for both Windows-based and Linux-based investigations.

Beyond learning how to use a forensic tool, by taking this course you will be able to demonstrate how the tool functions at a low level. You will become skilled with new tools, such as the Sleuthkit, Foremost, and the HELIX3 Pro Forensics Live CD. This SANS hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve advanced computer forensics cases.

ELECTIVES - (general parameters described in course list above):

For students interested in Forensics, we have established a "Forensics Focus" that allows students to take the following courses for their elective requirement:

FOR 408: Computer Forensic Investigations - Windows In-Depth, Exam/Substitute

Full Course Overview

Computer Forensic Essentials focuses on the critical knowledge that a computer forensic investigator must know to investigate computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field, helping solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you will be exposed to well-known computer forensic tools such as FTK, Registry Analyzers, FTK Imager, Prefetch Analyzers, and much more.

FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Full Course Overview

This unique course provides a rounded approach to reverse-engineering by covering both behavioral and code analysis aspects of the analysis. As a result, the course makes the topic accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with malware analysis; however, the complexity of concepts and techniques increases as the course progresses. The course begins by covering fundamental aspects of malware analysis. You will learn how to set up an inexpensive and flexible laboratory for understanding inner-workings of malicious software, and will understand how it can be used to explore characteristics of real-world specimens. You will then learn to examine the program's behavioral patterns and code. You will experiment with reverse-engineering compiled Windows executables and browser-based malware.

The course continues by discussing essential x86 assembly language concepts. You will learn to examine malicious code to understand the program's key components and execution flow. You will also learn to identify common malware characteristics by looking at Windows API use patterns, and will examine excerpts from bots, rootkits, key loggers, and downloaders. You will understand how to work with PE headers and handle DLL interactions. You will also learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.

Hands-on workshop exercises are a critical aspect of this course, and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you will study the supplied specimen's behavioral patterns, and examine key portions of its code. You will examine malware on a Windows virtual machine that you will infect during the course, and will use the supplied Linux virtual machine that includes tools for examining and interacting with Windows and browser malware.

Students who do not wish to pursue the "Forensics Focus" can choose 2 elective courses, with at least one being a major SEC / DEV 500/600/700 level course with GIAC Certification (see the full SANS courses list at the SANS courses page). Students can choose the other elective from the following:

AUD 507: Auditing Networks, Perimeters, and Systems (possible elective)

Full Course Overview

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? All of these questions and more will be answered by the material covered in this course.

This course is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for automatic compliance validation will be given from real-world examples.

One of the struggles that IT auditors face today is helping management understand the relationship between the technical controls and the business risks that these controls affect. In this course these threats and vulnerabilities are explained based on validated information from real-world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization and build an understanding of why these controls specifically, and auditing in general, are important. From these threats and vulnerabilities, we will explain how to build ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.

You'll be able to use what you learn immediately. Five of the six days in the course will either produce or provide you directly with a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections, so that you will leave knowing how to verify each and every control described in the class and what to expect as audit evidence. Each of the five hands-on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring a Windows XP Professional or higher laptop for use during class. Macintosh computers running OS X may also be used with VMware Fusion.

A great audit is more than marks on a checklist; it is the understanding of what the underlying controls are, what the best practices are, and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.

SOFTWARE SECURITY TRAINING (choices noted below):

- DEV 541: Secure Coding in Java/JEE: Developing Defensible Applications (among choices)

Full Course Overview

Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That's still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge through reliable third-party testing or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

Such buyer and management demands create an immediate response from programmers, "Where can I learn what is meant by secure coding?" This unique SANS course allows you to bone up on the skills and knowledge required to prevent your applications from getting hacked.

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.

Rather than teaching students to use a set of tools, we're teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates in a Secure Development Challenge where you perform a security review of a real-world open source application. You will conduct a code review, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that you have learned in class, implement fixes for these issues.

Prerequisites: Students should have at least one year's experience working with the JEE platform and should have thorough knowledge of the Java language and Web technology.

- DEV 522: Defending Web Application Security Essentials (among choices)

Full Course Overview

Defending Web Application Security Essentials

Traditional network defenses such as firewalls fail to secure Web applications, which have to be available to large user communities. The amount and importance of data entrusted to Web applications is growing, and defenders need to learn how to secure it. DEV422 covers the OWASP Top 10 and will help you to better understand Web application vulnerabilities, thus enabling you to properly defend your organization's Web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.

The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and web services.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming-language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.

This course is intended for anyone tasked with implementing, managing or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers and auditors who are interested in recommending proper mitigations to Web security issues, and infrastructure security professionals who have an interest in better defending their Web applications.

- SEC 542: Web Application Penetration Testing & Ethical Hacking (among choices)

Full Course Overview

Assess Your Web Apps in Depth. Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate- to advanced-level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On day one, we will study the attacker's view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.

By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.

- DEV 544: Secure Coding in .NET: Developing Defensible Applications (among choices)

Full Course Overview

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework, and where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.
COMMUNITY PROJECT REQUIREMENTS must be completed.