Our teachers for the training: Secure System Acquisition and Development
Module 3 Secure System Acquisition and Development - presentation video
Find out from our teacher, Sebastien Deleersnyder, what this module is about!
This training is taught in English.
Building security and privacy into the software acquisition, development and management practices of an organisation can be a daunting task. There are many factors that must be considered when charting your path forward, including: company structure, stakeholder priorities, technology stacks, tools and processes, and existing technical debt. How does security fit into waterfall, agile and DevOps ways of working? Which frameworks can help you to achieve this?
When evaluating, purchasing, or developing systems and applications, or using cloud services, how do you make sure correct and relevant security requirements are documented and checked before the application or service is bought or developed?
In modern, cloud-based infrastructures, CI/CD (Continuous Integration / Delivery) pipelines are the way to go. But what exactly does this mean? What are the security advantages of automation?
How do you make sure that the security requirements you set at the beginning of the project are implemented? What kind of security testing possibilities are there? Learn more about SAST, DAST and IAST and how you can use them to make sure security has been built in as required.
With this Secure System Acquisition and Development module we will teach you to set up and improve a Secure Software Program (SSP) to manage the identification, analysis, and specification of information security requirements, securing application services in development and support processes, technical review restrictions on changes to software packages, secure system engineering principles, secure development environment, outsourced development, system security testing, and protection of test data.
Why take this course?
By the end of this course, you’ll have a firm grasp on:
- The Software Security Program
- Security / Privacy by design & by default
- Setting security requirements
- Securing CI/CD pipelines & automation
- Security Testing
Target group
Who is the Certified CISO programme’s ‘Secure System Acquisition and Development’ module intended for? This module targets information and cybersecurity officers, managers, and security professionals tasked with starting or improving a software security program. Those working in software management also benefit from this course.
Learning goals
What you’ll learn in a nutshell:
- Understand modern software development practices
- Start and improve a Secure Software Program (SSP)
- Define and manage secure software metrics
- Understand the why and what of threat modeling
- Align threat modeling with stakeholders
- Integrate security and privacy by design and default in your SSP
- Manage security requirements in a four-step process
- Align security requirements with software suppliers
- Understand the CI/CD pipeline and its components
- Embed security controls in CI/CD pipelines
- Understand and integrate different security testing in your SSP
- How to manage software vulnerabilities
- Create a security testing strategy
Learning approach
When it comes to establishing and running a Secure Software Programme, there are a variety of approaches. A one-size-fits-all formula doesn’t apply.
And it’s for that reason that this course has a two-fold objective. It aims to introduce you to the current frameworks and best practices available and to supply you with the practical skills required to apply them correctly within your organisation.
To accomplish this, we’ve lined up highly skilled professionals who have been in the trenches for years. They share practical advice and teach you the core of what you need to know. The course itself blends theoretical models, frameworks, and best practices to give you an overview of what’s out there, combined with practical hands-on exercises for applying what you’ve learnt in real-life situations.
- Theory: Best practices in DevSecOps and AppSec.
- Case Study: You act as the security advisor for a development team building a new app feature, ensuring user stories have security criteria.
- Practical Assignment: Execute a Threat Model on a specific user story or design a security test strategy.
- Feedback: Presentation and refinement of your model during the online session.
End product
You’ll be awarded a certificate of completion at the end of the course. This module does not entail any exams or official certification.
Your bonus training package includes:
- Training material (printed and PDF format): handouts of the presentations with notes
- Extra online training materials
- A list of useful links with additional information on standards and frameworks discussed during class
- The exercises and their solutions (where applicable)
How to prepare yourself
This is a classroom-based, non-technical course. Bring something along (e.g. a laptop, notebook, tablet) to take additional notes.
Course prerequisites:
- A basic understanding of IT and software development
- Some experience in a corporate environment as a manager could be beneficial but is not essential.
Between the two in-person training days and the online follow-up session, you will have homework:
- Complete the online knowledge assessment
- Prepare an assignment for discussion during the online session.
Day 1
1| The Secure Software Program (SSP)
- Modern software development (agile, DevOps, containers, cloud, technologies, products, …)
- The need for secure software
- The OWASP Top 10, and beyond
- Secure software development frameworks
- Secure software metrics
- Define your software security policy
- Hands-on: Start and improve your SSP with OWASP SAMM
2| Security / privacy by design & by default
- Compliance and best practice drivers for security and privacy by design
- Threat modeling introduction
- Security and Privacy by design patterns
- Hands-on: Implement GDPR security and design patterns on a case
Day 2
3| Setting security requirements
- Sources and types of security requirements
- Requirements for security requirements
- The four steps of managing security requirements
- OWASP ASVS
- Hands-on: manage security requirements with your supplier
4| Securing CI/CD pipelines & automation
- The CI/CD pipeline and its components
- Embedding security controls in CI/CD
- Dependency checking and SBOMs
- Securing infrastructure as code
- Hands-on: map vulnerabilities and controls in a CI/CD pipeline
5| Security testing
- Types of security testing
- Managing security penetration testing
- Bug bounties and responsible disclosure
- Software security vulnerability management
- Hands-on: create a security test strategy for DevOps
Online session (2h)
- Assignment review
- Feedback on policies & risk assessments
- Q&A.
Price
€1.495
VAT exclusive
Certificate
"CISO Certificate of Completion"
Lunch, coffee, refreshments and course material included.
SME portfolio Flanders - higher subsidy for theme CYBERSECURITY: 45% for small and 35% for medium-sized enterprises.
Schedule 2026
- Secure System Acquisition and Development: 10 June until 11 June 2026
- Secure System Acquisition and Development: 24 November until 25 November 2026