Randy Rice's Software Testing Site

Security Testing for the Enterprise and the Web

3 Days 

This is a practical computer-based interactive workshop designed to provide a foundation for security testing. You will learn the terminology, the unique issues, and the process for testing security in web and enterprise applications. As a result of attending this seminar, you should be able to understand security issues and have an increased comfort level in testing the security of web-based and enterprise applications.

Security Testing for the Enterprise and the Web will help you become more comfortable and confident in dealing with security testing issues. You will emerge from this three-day session knowing how to develop a security testing strategy and security test plan. You will learn the details of how attackers break into systems and how to design tests to validate that security is adequate to prevent such attacks. You will also have an understanding of how hackers and crackers think.

The information that your company obtains and stores is perhaps its most valuable corporate asset. Learn how to protect it and make sure protection measures are working in this course.

Return on Investment

Who Will Benefit

The program requires basic IT and testing knowledge or experience.

Program Information

This course is presented on an in-house basis only unless offered as a special public course. Contact us for information about how to bring this course into your organization.

Content and Structure

Day 1 - 6.5 hrs

Module SECA - Introduction to Computer Security (45 Mins.)

Introduces the student to basic concepts of information security in a variety of environments, including web-based and internal corporate systems. Security will be examined in the light of risks, benefits and threats.

Module SECB - Understanding the Attackers (1 Hr.)

By understanding how computer crooks think, security professionals and testers can leverage that information to effectively audit and test systems.

Module SECC - Understanding the Technology (3 Hrs.)

Before we can make sense of testing techniques and cracker exploits, we must understand the underlying technologies that allow access to systems. This module is somewhat technical, but is aimed at people with little or no technical expertise in networking and systems administration.

Module SECD - Security Protocols and Techniques (1 Hr.)

There are a variety of security protocols and techniques that are commonly in use. This module examines those techniques and how they work.

Module SECE - Internet Privacy and Information Privacy (45 mins.)

There is considerable debate as to whether there is such a thing as privacy in the digital age. Even assuming that some privacy has already been lost, there are still significant privacy concerns that individuals and organizations need to be aware of. Lack of attention to privacy concerns can hurt a company's online business or can cause an individual personal losses.

Module SECF - A Process for Security Testing (.5 Hr.)

This module presents a process for planning, conducting and evaluating security testing.

Day 2 - 6.75 hrs.

Module SECG - How to Develop a Security Testing Strategy (1 Hr.)

Like other forms of testing, the test strategy is an effective way to define the test objectives, the scope of testing, and the attributes that make testing a particular system or web site unique.

Module SECH - How to Perform a Security Assessment (45 mins.)

One of the basic activities in computer security is the security assessment. This is a verification of an organization's security efforts and helps to identify strengths and weaknesses. This module walks you through the process of performing a security assessment, analyzing the findings, and reporting the results.

Module SECI - Writing a Security Test Plan (1 Hr.)

This module describes how to customize your own security test plan standard and how to use that standard in developing security test plans.

Module SECJ - Testing External Network Attacks (1 Hr.)

It's difficult to test anything until you understand it. This module provides extensive coverage of some of the most popular and destructive network-based attacks, how they are performed, how they can be prevented and how you can test to assure that the prevention measures have been adequately applied. Topics include:

Module SECK - Testing for Language-based Vulnerabilities (1 Hr.)

This module covers some of the most popular and destructive language-based attacks, how they are performed, how they can be prevented and how you can test to see if your applications are vulnerable to these kinds of attacks.

Module SECL - Testing for Backdoors and Trojan Horses (1 Hr.)

This module covers sneak attack techniques such as backdoors and Trojan horses, how they are placed into a system, how they can be prevented and how you can test to assure that the prevention measures have been adequately applied.

Module SECM - Testing Denial-of-Service Attacks (1 Hr.)

This module covers one of the most difficult attacks to prevent, the denial-of-service attack. You will learn how denial-of-service attacks are performed, how they can be prevented and how you can test to assure that the prevention measures have been adequately applied.

Day 3 - 6.25 hrs.

Module SECN - Testing Virus and Password Attacks (1 Hr.)

This module covers virus and password attacks, how they are performed, how they can be prevented and how you can test to assure that the prevention measures have been adequately applied.

Module SECO - Testing Web Application Attacks (1 Hr.)

An attacker can cause a lot of damage by exploiting techniques used in many web applications to gain access to data and other assets. In this module, we will learn about these kinds of attacks and how to see if your applications are vulnerable.

Module SECP - Performing Security Tests (1.5 Hrs.)

Performing security testing can be a difficult and risky effort. This module discusses things to consider in establishing the test environment, communicating the performance of the test, how to view the test results and how to stay out of trouble in performing the test.

Module SECQ - Reporting the Results of Security Testing (.5 Hr.)

This module presents a standard for security test reporting and a sample security test report.

Module SECR - Security Testing Tools (45 mins.)

There are a variety of tools that can be used to detect network vulnerabilities, excessive load levels and other cracker exploits.

Module SECS - How to Write a Security Response and Recovery Plan (30 min.)

You've done all you can to prevent an attack, but how will your organization respond to a new type of attack? This module presents a standard for a security response and recovery plan. A sample security response and recovery plan will be reviewed and its applicability determined in light of a case study.

Module SECT - Protecting Intellectual Property in the Digital Age (30 mins.)

In a digital world, it becomes easy to take someone else's proprietary content and use it as your own without regard for copyright laws. This applies to all sorts of content - software, intellectual property (IP), music, just to name a few. This module discusses some of the issues surrounding this topic and some things that are being done to protect IP rights.

Module SECU - Developing an Action Plan for Security (30 mins.)

In this module, you will develop an action plan for yourself and your organization to address security testing.

All materials on this site copyright 1996 - 2009, Rice Consulting Services, Inc.

Rice Consulting Services, Inc.
P.O. Box 892003
Oklahoma City, OK 73189