Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security


Course Description

The Application Development group in any enterprise is critical to IT’s mission. At the same time, the security risks associated with software development are well known. We see continual examples of successful attacks on production code by intruders exploiting known classes of vulnerability: buffer overflows, use of insecure code libraries, directory traversal, untested paths in the code, and more. In addition, development shops often have no security policies governing the development process, and lack tools such as static code analyzers that automate the discovery of security vulnerabilities before code is deployed into production.

Given these risks and the business risk related to software development, it is critical for you to understand the issues in a development shop and assess the related business risk.
This session is intended to provide you with the knowledge and tools to be able to assess critically the levels of security and risk inherent in a corporate software development shop.

We will discuss:

  • How attackers exploit vulnerabilities caused by software defects
  • Why network defenses are no longer enough
  • Salient differences between secure and non-secure development methodologies
  • The software assurance maturity model
  • Software security metrics
  • Security requirements in design, secure software architecture, design analysis, code review, security testing, and vulnerability management

Learning Objectives:

  • Identify application vulnerabilities
  • Identify metrics to evaluate secure development
  • Apply a maturity model to the evaluation of development security

Course Outline

Overview of software development lifecycle and security

  • Why do we need to assess the application development shop?
  • What is the objective of the review?
  • Demonstration: How attackers exploit application vulnerabilities
  • Why network defenses are no longer enough
  • Why security is different from other requirements
  • Workshop: Take a vocation vacation – be a hacker or a developer for a day
  • Results of a security review of an App Development shop

Measuring security maturity in software development lifecycle

  • A survey of development methodologies
  • A survey of secure development models
  • A detailed look at a software assurance maturity model, measured across these security practices:
    • Strategy & Metrics
    • Policy & Compliance
    • Education & Guidance
    • Threat Assessment
    • Security Requirements
    • Secure Architecture
    • Design Analysis
    • Code Review
    • Security Testing
    • Vulnerability Management
    • Environment Hardening
    • Operational Enablement

Setting maturity levels in the software development lifecycle

  • How to set a goal for the application development maturity level
  • Workshop: Setting the goal for an online retailer and a car rental company
  • How to plan a successful path to achieve the maturity goal
  • How to estimate the cost of achieving the maturity goal

Additional Information

Who Should Attend

Audit managers and audit staff involved with assessing audit risk associated with a software development shop and conducting an operational audit of that function.

Level

Intermediate

Delivery

Group-Live & Group Internet-Based

Field

Auditing

Advanced Preparation

None

Recommended Prerequisites

General understanding of IT development methodologies

Session Duration

Online: Four 3 hour sessions

On Site: 2 days

CPE Credits: 14