Catalogue | Kaïna-com Academy

Prérequis

Avoir une solide compréhension des réseaux TCP / IP et maîtriser au moins un langage de programmation - C / C ++, C #, PHP, Java ou JavaScript.
Un niveau d'anglais business moyen est requis car la formation sera dispensée en anglais.

Public

Si vous développez des produits logiciels qui se connectent à un réseau - des produits tels que des dispositifs médicaux, des applications SaaS ou des applications médicales mobiles - vous devriez y assister.

Objectifs

«Des menaces au code» est une introduction concentrée et rapide au développement de code sécurisé pour toute l'équipe de développement logiciel, du manager à l'ingénieur d'implémentation.
Nous introduisons une approche analytique des menaces basées sur la compréhension des menaces qui comptent vraiment et le deuxième jour, nous nous penchons sur la bonne évaluation de la sécurité logicielle et le codage sécurisé pour atténuer les menaces telles que le Shellcode et les attaques par débordement de tampon.

Ideology

· Why bother modeling?

· Why security defenses don’t work

· Why risk management is broken

· Bridging the valley of death between IT and security

· A secure SDLC (software development life-cycle) for an unsecure world

Security metrics

· Escaping the hamster wheel of pain

· Defining security metrics

How to measure anything

· Asset valuation

· Threat damage to asset

· Probability of occurrence

Threat modeling and analysis objectives and drivers

· Qualitative or quantitative?

· Is there ROI on security?

· Compliance drivers: Industry, Government, Vendor-neutral standards

Threat modeling building blocks

· Threats / attack scenarios

· Assets

· Vulnerabilities

· Countermeasures

Analyzing your threat model

· Analyzing your threat model and building a cost-effective security countermeasure plan

Pulling it all together

· A class exercise

Software vulnerability fundamentals

· Vulnerabilities

· Classifying vulnerabilities

· Common threads

Design review

· Software design fundamentals

· Enforcing security policy

· Threat modeling of software

Operational review

· Exposure

· Countermeasures

Software vulnerabilities

· Buffer overflows

· Shellcode

· Protection mechanisms

· Address space layout

Windows objects and the file system

· Processes and threads

· File access

Windows messaging

· Window messages

· Shatter attack

Network vulnerabilities in practice

· TCP connections, an overview

· TCP streams

The End

· Summary

· Q&A

· Evaluation

David Movshovitz

Lecturer at LOGTEL

A propos

Dr. David Movshovitz is a senior lecturer at LOGTEL. David brings with him 30 years of experience in information security with a broad view of the range of topics necessary to build a comprehensive and efficient data protection system for product / system it must protect. He is software engineering and information security expert, and is teaching academic courses on Web-Application-Security and on Developing Secure Applications in Inter Disciplinary Center (IDC) in Herzalia and in Michlelet Tel-Aviv. Dr. Movshovitz headed a R&D team in the IDF that has earned the Israeli Defense Award for professional excellence. After his departure from the military, Dr. Movshovitz has served in senior R&D positions in the Hi-Tech industry (e.g. Elscint, Taldor Group, F5 Networks). Dr. Movshovitz was a co-founder and VP R&D at Algotec Systems Ltd. that was acquired by Kodak, a CTO and VP R&D of Magnifire Ltd. that was acquired by F5 Networks, and a CTO of Navajo Systems Ltd. that has been acquired by Salesforce.com. Dr. Movshovitz earned his doctorate in Physics from Bar-Ilan University.

Des menaces au code

Prérequis

Public

Objectifs

Des questions ?

Nos autres formations sur le même thème

Êtes-vous un particulier ?