Information Security Master's Degrees: MSISM

The Master of Science Degree in Information Security Management

The MSISM (Management) Program is designed to help a candidate become the highest-ranking management employee in an IT Security organization. In government this role is often called the Designated Approving Authority or Information Assurance Manager (IAM). In industry, titles such as Chief Security Officer or Chief Information Security Officer are often used. In addition to the strong writing skills the program develops through the GIAC Gold program or the Written Assignments for all courses, the community project requirement provides teamwork and oral presentation practice. More information about GIAC Gold can be found at the GIAC site.

MSISM Core, mandatory courses

Version 1.9 December 14, 2009

Previous Mandatory Course: 1.8 Nov. 20, 2009
Previous Mandatory Course: 1.7 May 1, 2009 - Nov. 19, 2009
Previous Mandatory Course: 1.6 September 15, 2008 - February 25, 2009
Previous Mandatory Course: 1.5 May 22, 2008 - September 14, 2008
Previous Mandatory Course: 1.4 August 10, 2007 - May 21, 2008
Previous Mandatory Course: 1.3 February 29, 2007 - August 9, 2007
Previous Mandatory Course: 1.2 October 4, 2006 - February 28, 2007
Previous Mandatory Course: 1.1 March 20, 2006 - October 3, 2006
Previous Mandatory Course: 1.0 December 2005 - March 19, 2006

MANDATORY COURSES:
Below is a list of the mandatory courses. An overview of each course is provided below this list. For more details about a course, click on the course below, or go to the training courses list on the SANS site.

Course Delivery Options. If students wish to take some courses in other than a conference setting, they should click on the tab above called "Course Delivery Options" to see which course delivery options are acceptable for master's students.

Course and credits:

MGT 512: SANS Security Leadership Essentials For Managers with Knowledge Compression™, GIAC GSLC Gold: 3 credits
SEC 504: Hacker Techniques, Exploits, and Incident Handling, GIAC GCIH Gold: 4 credits
MGT 404: Fundamentals of Info Sec Policy, Exam/Substitute, Written Assignment: 1 credit
MGT 438: How to Establish a Sec Awareness Program, Exam/Substitute, Written Assignment: 1 credit
(Formerly the above two courses were a single course called MGT 524 Sec Policy & Awareness, GSPA.)
MGT 421: SANS Leadership and Management Competencies, Exam/Substitute, Written Assignment: 1 credit
MGT 525: Project Management and Effective Communications for Security Professionals and Managers, GIAC GCPM Gold: 4 credits
- Project Management Institute Certification can be substituted for GCPM.
- It is recommended that MGT 525 be completed before the Joint Written Project is started.
LEG 523: Legal Issues in Information Technology & Information Security, GIAC GLEG Gold: 3 credits
MGT 411: SANS 27000 Implementation & Management, GIAC G7799 Gold: 4 credits
AUDIT REQUIREMENT: one of Audit 507 Auditing Networks, Perimeters, & Systems, GIAC GSNA Gold; or successful completion of the CISA exam and the Written Assignment: 4 credits
SOFTWARE SECURITY TRAINING*: 3 credits
* This rapidly evolving field affects course development. Before starting, check with the college for the latest requirement.

(A) At least six days of course(s) from the following:

Example: If a student is interested in a particular three-day course below, that student will also need to take another three-day course, OR a two-day course and a one-day course, OR three one-day courses.

- DEV 422: Web Application Security Essentials or DEV 522: Defending Web Application Security Essentials
- DEV 542: Web Application Penetration Testing & Ethical Hacking, GIAC GWAPT
- DEV 536: Secure Coding for PCI Compliance
- DEV 538: Web App Pentesting Hands on Immersion
- DEV 545: Secure coding in PHP: Developing Defensible Applications
- DEV 534: Secure Code Review for Java Web Apps
- DEV 544: Secure coding in .Net: Developing Defensible Applications
- DEV 320: Intro to Microsoft Security Development Lifecycle
- DEV - - -: Software Security Project (independent study). Student will develop a proposed software security project topic, ask a SANS faculty member (certified/senior/fellows faculty) if he/she is willing to act as adviser. That adviser will submit the proposed topic to STI for review and determination of how many credits will be attributed to the independent study, will provide guidance to the student, and will grade it as pass/fail.

(B) Exams are required for each chosen course (but not for the DEV - - - Software Security Project). If a GIAC exam is not available, a substitute exam or assignment will be given.

(C) Except for the DEV - - - Software Security Project, a Written Assignment is NOT required, unless a written assignment is required as a substitute assignment because a GIAC exam is not available.

COMMUNITY PROJECT REQUIREMENTS must be completed. See the STI community project requirements page. 3 credits
Total: 31 credit hours

Each exam score must be at least 80 (or 80 average if applicable).

The final course grade will be based on the latest recert scores just before graduation requirements are met. See the tab above titled Recertification Policy that discusses whether or not recertification is required.

When a GIAC Gold Paper/Written Assignment is required, the student must also pass the GIAC Gold/Written Assignment before the grade can be assigned.

If a GIAC exam is a requirement but is not available, then the college provides a substitute exam/assignment.

COURSE OVERVIEWS are below.

(For more details about a course, click on the course, or go to the SANS Security Training List.)

MGT 512: SANS Security Leadership Essentials For Managers with Knowledge Compression™

This completely updated course is designed to empower advancing managers who want to get up to speed quickly on information security issues and terminology. You don't just learn about security, you learn how to manage security. Lecture sections are intense; the most common student comment is that it's like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Publication 800 series guidance so that it can be particularly useful to US Government managers and supporting contractors.

Essential security topics covered in this management track include: Network Fundamentals and Applications, Power, Cooling and Safety, Architectural Approaches to Defense in Depth, Cyber Attacks, Vulnerability Assessment and Management, Security Policies, Contingency and Continuity Planning, Awareness Management, Risk Management Analysis, Incident Handling, Web Application Security, Offensive and Defensive Information Warfare, culminating with our Management Practicum. The material uses Knowledge Compression™, special charts, and other proprietary SANS techniques to help convey the key points of critical slides and keep the information flow rate at a pace senior executives demand every teaching hour of the course. The course has been evaluated and approved by CompTIA's CAQC program for Security + 2008 to ensure that managers and their direct reports have a common baseline for security terminology and concepts. You will be able to put what you learn into practice, the day you get back into the office.

Who should attend:

  • All newly appointed information security officers
  • Technically skilled administrators that have recently been given leadership responsibilities
  • Seasoned managers who want to understand what their technical people are telling them

There are three goals for this track and certification.

  1. Establish a minimum standard for IT Security knowledge, skills and abilities. In a nutshell, this course covers all of the non-operating-system topics that are in SANS Security Essentials, though not to the same level of depth. The goal is to enable managers and auditors to speak the same language as system, security, and network administrators.
  2. Establish a minimum standard for IT Management knowledge, skills and abilities. I keep running into managers who don't know TCP/IP, and that is OK, but then they also don't know how to calculate Total Cost of Ownership (TCO), leaving me quietly wondering what they do know.
  3. Save the up-and-coming generation of senior and rapidly advancing managers a world of pain by sharing the things we wish someone had shared with us. As the saying goes, it is OK to make mistakes, just make new ones.

SEC 504: Hacker Techniques, Exploits, and Incident Handling

If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't?), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the "oldie-but-goodie" attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's system and also that you advise your network and computer operations teams of your testing.

MGT 404: Fundamentals of Info Sec Policy

This course is designed for IT professionals recently assigned security duties which include responsibility for creating and maintaining policy and procedures.

The Fundamentals of Information Security Policy course focuses on how to write basic security policies that are issue-specific or system-specific. The student will have a hands-on practical assignment writing a policy template not currently offered among the SANS policy templates.

Business needs change, the environment changes, new risks are always on the horizon, and critical systems are continually exposed to new vulnerabilities. Policy development and assessment is a never-ending process. This is a hands-on, exercise-intensive course on writing, implementing and assessing security policies. This course is for anyone who is responsible for writing security policies and procedures.

MGT 438: How to Establish a Sec Awareness Program

Security awareness is a never-ending process. We must invest in teaching our users what to do and what not to do when using the Internet in order to achieve an acceptable level of risk. MGT438: How to Establish a Security Awareness Program includes certification in SEC351: Computer and Network Security Awareness and a license to teach SEC351 at your organization free for one year, with a reasonable site fee thereafter. This course is based on NIST SP 800-50, "Building an Information Technology Security Awareness and Training Program."

Being able to design, implement, and manage an effective security awareness program is difficult at best. MGT438 walks trainers and security managers through the architecture and design of a successful security awareness program. It helps the student to document and design a clear-cut strategy, approach, and implementation plan.

The student will learn how to present the three-hour SANS course Security 351: Computer and Network Security Awareness which teaches people with little or no security experience important concepts and technology that every Internet user should know. Topics include threats, antivirus programs, firewalls, anti-spyware, identity theft, and phishing. SEC351 will raise the students' awareness and offer them the basic skills needed to protect themselves from various threats on the Internet. All MGT438 attendees will study a section of SEC351 and present it to the class. Once certified in SEC351, they will be licensed to teach it.

MGT 421: SANS Leadership and Management Competencies

Leadership is a capability that must be learned and developed to better ensure organizational success. The more techniques we learn, the better our leadership capability becomes. It is brought about primarily through selfless devotion to the organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources toward the end goal. Leaders and followers influence each other toward the goal in a two-way relationship where all parties perform their function to reach the overall objective.

Leadership entails the ability to persuade team members to accomplish their objectives while removing obstacles and resistance, and it facilitates the well-being of the team in support of the organization's mission. Grooming effective leaders is critical to all types of organizations, as the most effective teams are cohesive teams that work together toward common goals with camaraderie and a can-do spirit!

Our focus is purely leadership-centric; this training opportunity is not security-centric or technology-centric. We help an individual develop leadership skills that apply to commercial business, non-profit, not-for-profit, or other organizations. This course is designed to develop existing and new supervisors and managers who aspire to go beyond being the boss and to build leadership skills that improve their organizational climate through team-building, advancing the organizational mission through growth in productivity, workplace attitude and satisfaction, and staff and customer relationships.

The manager/supervisor will learn vital, up-to-date knowledge and skills required to shift team paradigms to create a more positive and cooperative atmosphere in the workplace. Essential leadership topics covered in this management track include: Leadership Development, Coaching and Training, Employee Involvement, Conflict Resolution, Change Management, Vision Development, Motivation, Communication Skills, Self-Direction, Brainstorming Techniques, Benefits, and the ten core Leadership competencies. In a nutshell, this course covers critical processes that should be employed to develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles that operate together in harmony toward team-objective accomplishment. There are three goals for this course:

  • Establish a minimum standard for knowledge, skills, and abilities required to develop leadership.
  • Understand and leverage the motivational requirements of employees.
  • Establish a baseline understanding of the skills necessary to migrate from being a manager to being a leader.

MGT 525: Project Management and Effective Communications for Security Professionals and Managers

We will cover all aspects of project management from initiating and planning projects through managing cost, time, and quality while your project is active to completing, closing, and documenting as your project finishes. This course follows the basic project management structure from the Project Management Institute's Guide to the Project Management Body of Knowledge (PMBOK® Guide) and also offers specific insight and techniques to help you get the job done. You will leave this course with specific tools that can be utilized immediately in your work environment. A copy of the Guide (Fourth Edition) is provided to all participants. You can reference the PMBOK® Guide and use your course material along with the knowledge you gain in class to solidify your preparation for the updated Project Management Professional (PMP®) Exam and the GIAC Certified Project Manager Exam.

The project management process is broken down into core process groups that can be applied across multiple areas of any project. This course covers cost, time, quality, and risk management, but not only from the point of view of projects that create final products. Keeping in line with prevalent needs from the InfoSec industry, we look at projects that create and maintain services and cover in depth how cost, time, quality, and risk affect IT Security and the services we provide to others both inside and outside of our organizational boundaries. We go into great detail covering human resource management as well as effective communication and conflict resolution. People are the most valuable resource we have on a project, and the communication and conflict resolution techniques presented can be used in all areas of professional work. Above all, projects fail or succeed because of the people involved. You want to make sure the people involved with the development and execution of your project build a strong team and communicate effectively.

PMBOK® and PMP® are registered trademarks of the Project Management Institute.

LEG 523: Legal Issues in Information Technology & Information Security

New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the IT department. The needed professional training is uniquely available in SANS' LEG523 series of courses, including skills in the analysis and use of contracts, policies, and records management procedures.

This course covers the law of business, contracts, fraud, crime, IT security, IT liability and IT policy -- all with a focus on electronically stored and transmitted records.

MGT 411: SANS 27000 Implementation & Management

The International Organization for Standardization (ISO) has recently revised what has become the de facto document for creating and maintaining a secure enterprise, today known as the ISO/IEC 27000 standard.

The strength of this document is derived from the meticulous attention to detail provided by the many contributing authors and organizations as well as the applicability of the standard to the realities of doing business today. The standard seeks to offer best-practice guidance regarding all manner of security issues and can assist any organization that chooses to adopt it in developing a truly security-minded corporate culture. Using our tested method for developing and applying controls using the ISO 27000 standard, you will learn to implement the guidance contained in ISO 27000 with step-by-step pragmatic examples to move quickly into compliance with the specification.

This track is designed for information security officers or other management professionals who are looking for a how-to guide for implementing ISO 27000 effectively and quickly. While the standard is very well written, anyone who has actually tried to shift to an ISO 27000 structured security organization knows that there can be some significant hurdles to overcome. This track will give you the information you need to go back to your organization with a plan of action to get the job done! This course has proven especially valuable for organizations whose 27000 implementation is currently "stuck in the mud" or is simply taking longer than management would like.

AUDIT REQUIREMENT (general parameters described in course list above):

- Audit 507 Auditing Networks, Perimeters, & Systems (probable choice)

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? All of these questions and more will be answered by the material covered in this course.

This course is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls, and techniques for automatic compliance validation, will be given from real-world examples.

One of the struggles that IT auditors face today is helping management understand the relationship between technical controls and the business risks those controls affect. In this course these threats and vulnerabilities are explained based on validated information from real-world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization, building an understanding of why these controls specifically, and auditing in general, are important. From these threats and vulnerabilities, we will explain how to build ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.

You'll be able to use what you learn immediately. Five of the six days in the course will either produce or provide you directly with a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections, so that you will leave knowing how to verify each and every control described in the class and knowing what to expect as audit evidence. Each of the five hands-on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring a Windows XP Professional or higher laptop for use during class. Macintosh computers running OS X may also be used with VMware Fusion.

A great audit is more than marks on a checklist; it is understanding what the underlying controls are, what the best practices are, and why. Sign up for this course and experience the mix of theory, hands-on work, and practical knowledge.

- CISA Exam completed successfully and the Written Assignment (possible choice)

SOFTWARE SECURITY TRAINING (choices noted below):

- DEV 422/DEV 522: Web Application Security Essentials (among choices)

Defending Web applications is critical!

Traditional network defenses such as firewalls fail to secure Web applications which have to be available to large user communities. The amount and importance of data entrusted to Web applications is growing, and defenders need to learn how to secure it. DEV422 covers the OWASP Top 10 and will help you to better understand Web application vulnerabilities, thus enabling you to properly defend your organization's Web assets.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.

The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and web services.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation.

This course is intended for anyone tasked with implementing, managing or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers and auditors who are interested in recommending proper mitigations to Web security issues, and infrastructure security professionals who have an interest in better defending their Web applications.

- DEV 542: Web Application Penetration Testing & Ethical Hacking (among choices)

Assess Your Web Apps in Depth. Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On day one, we will study the attacker's view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.

By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.

- DEV 536: Secure Coding for PCI Compliance (among choices)

The audit procedure documents for PCI 1.2 tell the auditor to look for evidence that web application programmers in a PCI environment have had "training for secure coding techniques." The problem that many businesses are facing, however, is, "What is that and where can I get it?" This course packs a thorough explanation and examination of the OWASP Top Ten issues, which are the foundation of the PCI requirement, into a two-day course.

Throughout the course we will look at examples of the types of flaws that secure coding protects against, examine how each flaw might be exploited, and then focus on how to correct that code. Coupled with the lectures, there are more than ten hands-on exercises where the students will have the opportunity to test out their new skills identifying flaws in code, fixing code and writing secure code. All of the exercises are available in Perl, PHP, C/C++, Ruby and Java. This will allow students to try their hand at any of the major web application coding languages they work with, in addition to some of the supporting languages that might be at work behind the scenes. Students are not required to be familiar with all of these languages but should be proficient in at least one of them. Lectures are presented using a more or less code-neutral format.

Prerequisites: Students should have at least several months of coding experience, preferably web application coding experience. It is best if the student is familiar with one of the following languages: Perl, PHP, C, C++, Java or Ruby.

- DEV 538: Web App Pentesting Hands on Immersion (among choices)

In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks. The hackers' goal was to inject links to malicious content in order to infect the users of the Web application. These automated attacks do not show any sign of stopping and will likely visit your Web applications in the near future. Don't want to be a part of the statistics? Performing runtime testing is essential to making your Web site secure. Developer 538 is a two-day course focusing on up-to-date, hands-on testing of Web application security.

This fast-paced course is ideal for students who have a basic understanding of Web application security vulnerabilities and testing methodologies and are looking to refresh and upgrade their skill set in pen testing Web applications. It is also well suited to infrastructure pen testers who are expanding testing scope to Web applications. If you are going to be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge. Whatever your level is, it will give you confidence to know that you have the hands-on experience to perform testing against common vulnerabilities.

This action-packed, two-day course has a strong, hands-on focus -- exercises are designed to give you experience with real-world vulnerabilities. Throughout the two days, you will be using various testing concepts to test vulnerable Web applications. The target applications are as realistic as possible. The labs are structured so both novices and intermediate students can enjoy the learning experience.

- DEV 545: Secure coding in PHP: Developing Defensible Applications (among choices)

This course targets PHP programmers interested in learning more about how to code in PHP securely. It does require a good understanding of PHP and some experience writing PHP code. The course targets both beginning and advanced PHP programmers, but it is not appropriate for those who have not written any PHP code yet. We will not cover how to program PHP, only how to program PHP securely.

PHP as a programming language has a very easy learning curve. You can get started in minutes writing complex Web sites. Sadly, this ease of use and code-as-you-go approach frequently leads to insecure code. PHP provides a lot of freedom to do things wrong. Coding securely in PHP requires some extra thought and knowledge, which we will provide in this class. Coding in PHP without this knowledge can lead to problems, as insecure coding means exposing your data and your customers.

In our work at the SANS Internet Storm Center, not a day goes by that we do not receive a note about yet another Web site having been compromised and customer data stolen. How would you feel if an exploit was placed on your Web site and you then had to tell your customers that they may have been infected by malware simply because they accessed your site? But we do not just work the exploits. DShield.org, a big part of the Internet Storm Center, was written entirely in PHP, and the code has been available for public inspection. Lessons learned from our own mistakes have been incorporated into this course.

SEC545 covers all aspects of what is needed to code securely. We will not spend a lot of time explaining how to code in PHP. Instead we will dive right into the more advanced concepts, starting with additional PHP modules, like Suhosin, and how they can be used to harden your PHP application. We will not just tell you that input validation is important; instead, we will show you real code on how to do it right.

Hands-on exercises are used to reinforce what you have learned. You will be asked to review code. You will have to find errors and fix them yourself. We will talk about different options to authenticate users, from simple methods built into your server and browser to more complex custom authentication schemes. You will learn how to use sessions securely and how to provide access control to resources. How to log your users' actions is another quick chapter in the course. We even included a section on how to connect to Web services and how to offer your own, again, with the emphasis on how to do so securely. Want to learn more on how to avoid SQL injection? During day 2, that's exactly what we will cover. At the end of the course, we will go over some particularly tricky tasks step by step, showing you lots of sample code. How to deal with uploaded files? How to securely handle credit cards? How to send e-mail and PGP sign or encrypt it? How to execute shell commands securely? You'll learn all this. We even included a chapter on detecting attacks and shunning attackers.

The course uses a Linux virtual machine for exercises with PHP 5, Apache, and MySQL, but our focus will be on PHP. Users of Apache/PHP on Windows or users of other databases, like Oracle and PostgreSQL, will find that 90% of the course applies to them as well. If this is the case, you are free to bring your own set of tools to the class. Please make sure you have VMware Workstation, VMware Player, or VMware Fusion (for Mac) available. VMware Server will not work! See the laptop requirements for details.
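As an added illustration of the input-validation and SQL-injection topics listed above (this is not course material from SANS or the Internet Storm Center), the snippet below shows a query built by string concatenation next to its hardened form using validated input and a PDO prepared statement. It assumes a hypothetical MySQL table `users(id, email)` and the connection credentials shown, which are placeholders.

```php
<?php
// Added example, not SANS course code. Assumes a table users(id, email)
// reachable through the PDO DSN below (placeholder credentials).
declare(strict_types=1);

// Vulnerable pattern: the request parameter is spliced directly into SQL,
// so the database may interpret attacker-controlled text as part of the query.
function findUserInsecure(PDO $db, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject input that does not match the expected shape,
// then bind it as a parameter so it can never change the query structure.
function findUserSecure(PDO $db, string $email): array
{
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($clean === false || strlen($clean) > 254) {
        throw new InvalidArgumentException('rejected: not a valid e-mail address');
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $clean]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$email = $_GET['email'] ?? '';
try {
    var_dump(findUserSecure($db, $email));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Validation alone is not a substitute for parameter binding: the whitelist check limits what reaches the database, and the prepared statement guarantees the value is never parsed as SQL.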

- DEV 534: Secure Code Review for Java Web Apps (among choices)

All software development projects produce at least one artifact - CODE! Conducting security-focused code reviews can be one of the most effective methods of finding severe application vulnerabilities and is becoming an integral part of many secure software development processes.

This course focuses on web application vulnerabilities and shows you how to conduct code reviews for security by examining open source web applications built with Java. You will learn how to manually spot security issues and how to use an automated static analysis tool to speed up the code review process. You will also learn some practical approaches to integrating security code review into your Software Development Life Cycle (SDLC). This hands-on class culminates in a Code Review Challenge where you test what you've learned to find security issues in a real-world application.

- DEV 544: Secure coding in .Net: Developing Defensible Applications (among choices)

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework and where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.

- DEV - - -: Software Security Project (independent study). (among choices)

Students will develop a proposed software security project topic and ask a SANS faculty member (certified/senior/fellows faculty) whether he or she is willing to act as adviser. That adviser will submit the proposed topic to STI for review and determination of how many credits will be attributed to the independent study, will provide guidance to the student, and will grade it as pass/fail.

COMMUNITY PROJECT REQUIREMENTS must be completed.