SC460: Secure Architecture and Design

Agenda:

• Security design principles – Introduction, application and measurability

• Trust / Trust principals
  • "Never trust the Client"
  • "Zero trust"
  • "Trusted 3rd party"
    
    
• Secure design - Authentication
  • Secure identifiers / Identities
  • Password-Based authentication
  • Secure implementation of cryptographic methods
  • Kerkhof's principal
    
    
• Secure design principles: Authorization
  • "Segregation of duties"
  • "Least privilege"
  • "Avoid broadly generic functions"
  • "Authorize close to the source"
  • "Extension of Kerkhoffs-Principle"
    
    
• Additional principles overview
  • "Do not be chatty"
  • "Encrypt high"
  • "Decrease visibility"
    
    
• Secure Design – Input / Output / Communication
  • "Input validation"
  • "Output validation"
  • "Black-Listing / White-Listing"
  • "Do not interpret – discard"
  • "Intercept – do not process"
  • "Don't call me – I call you!"
  • "Resilient design"
    
    
• Secure Design – "Miscellaneous"
  • "Visibility"
  • "Default is tight"
  • "Fail safe"
  • "Double book-keeping"
  • "No filesystem"
    
    
• Threat modelling
  • Introduction, application, history, fundamentals
    
    
• Threat modelling methods
  • Misuse-Cases
  • Attack-Trees
  • STRIDE
  • EoP-Card-Game
  • Tools
  • Application-Level-Threat-Modelling
    
    
• Vulnerabilities and practical exercise
  • Identity management
  • Authentication
  • Authorization
    
    
• Vulnerabilities
  • Communication
  • Memory
  • Input-Attacks
  • Attacks by privileged users
  • Attack detection
  • Traceability
  • Attacks via infrastructure
  • Data protection
  • Open-Source-Security
  • Attacks on software lifecycle
  • Attacks on cryptography
  • Attacks on error situations
    
    
• Vulnerability assessment
  • Attack vector
  • CVSS
  • Risk assessment
    
    
• Conducting and documenting workshops
  
  
• Workshop facilitation
  
  
• Final exercise
  • Threat modelling
  • Risk assessment of findings
  • Analyze secure design measures
    
    
• Many practical exercises for individual modules
  
  

Objectives:

The training SC460 Secure Architecture and Design has the following course objectives:

• Knowledge and application of common security design principles
• Skills to conduct a threat modeling workshop
• Knowledge of common design vulnerabilities and their remediation

Target audience:

The training SC460 Secure Architecture and Design is ideally suited for:

• Software Developers
• Software Architects
• Cloud Architects

Prerequisites:

To be able to follow the course content and learning pace in the workshop SC460 Secure Architecture and Design effectively, you should bring the following prerequisites:

• basic IT knowledge
• basic IT security terminology

Description:

The world is changing at a rapid pace and with it the demand for new technologies. This also increases the risk for digital threats and the importance of cybersecurity rises. Organizations and enterprises require a variety of complex systems and measures to ensure the protection and security of large data volumes and critical assets. Through outdated and incomplete security architecture, companies become targets for internal and external hacker attacks. For this reason, architecture concepts must be developed in such a way that they provide the smallest possible attack surface. The workshop SC460 Secure Architecture and Design enables you to counteract such threats.

Secure Architecture and Design is a basic requirement to build a secure application. A secure architecture can be achieved through different approaches, either using a classic, somewhat "mechanical" method in which BSI™-Grundschutz is applied or alternatively through somewhat freer risk-based methods.

In this seminar, the focus is on two essential perspectives: In the Best Practice perspective, the application of generally recognized design principles is examined more closely. The threat perspective, in turn, makes clear what can go wrong. In this context, you will learn about Threat Modeling. With this very valuable conceptual analysis technique, potential vulnerabilities and risks can be identified early in the development of applications and required measures can be derived.

The course places special emphasis on practical applications by offering numerous exercises that enable participants to directly implement and consolidate their acquired knowledge.

The course is part of the "qSkills™ Secure Software Quadrant", consisting of:

• SC460 Secure Architecture and Design
• SC470 Secure Development Principles
• SC475 OWASP Security Champion
• SC480 Secure Operations