Overview Next training
Our teachers for the training: Security leader: Secure System Acquisition and Development
Module 3 Secure System Acquisition and Development - presentation video
Find out from our teacher, Sebastien Deleersnyder, what this module is about!
This training is taught in English.
As the main software security stakeholder, the Chief Information Security Officer (CISO) is responsible for software security from the governance, compliance, and risk perspectives.
Building security and privacy into an organization’s software acquisition, development, and management practices can be daunting. Many factors must be considered when charting your path forward, including company structure, stakeholder priorities, technology stacks, tools and processes, and existing technical debt. How does security fit into waterfall, agile, and DevOps working methods? Which frameworks can help you to achieve this?
When evaluating, purchasing, or developing systems and applications or using cloud services, how do you ensure correct and relevant security requirements are documented and checked before the application or service is bought or developed?
In modern, cloud-based infrastructures, CI/CD (Continuous Integration / Delivery) pipelines are the way to go. But what exactly does this mean? And what do you need to know about them as CISOs? What are the security advantages of automation?
How do you ensure that the security requirements you set at the beginning of the project are implemented? What kind of security testing possibilities are there? Learn more about SAST, DAST, and IAST and how you can use them to ensure security is built in as required.
With this Secure System Acquisition and Development module, we will teach you to set up and improve a Secure Software Program (SSP) to manage the identification, analysis, and specification of information security requirements, securing application services in development and support processes, technical review restrictions on changes to software packages, secure system engineering principles, secure development environment, outsourced development, system security testing, and protection of test data.
Why take this course?
By the end of this course, you’ll have a firm grasp on:
- The Software Security Program
- Security / Privacy by design & by default
- Setting security requirements
- Securing CI/CD pipelines & automation
- Security Testing
This course is a module in a unique program intended to lead to formal CISO certification. To check out other modules, download this file: CISO Brochure download.
Target group
What is intended for the Certified CISO program’s ‘Secure System Acquisition and Development’ module? This module targets information and cybersecurity officers, managers, and security professionals tasked with starting or improving a software security program. Those working in software management also benefit from this course.
Learning goals
What you’ll learn in a nutshell:
- Understand modern software development practices
- Start and improve a Secure Software Program (SSP)
- Define and manage secure software metrics
- Understand the why and what of threat modeling
- Align threat modeling with stakeholders
- Integrate security and privacy by design and default in your SSP
- Manage security requirements in a four-step process
- Align security requirements with software suppliers
- Understand the CI/CD pipeline and its components
- Embed security controls in CI/CD pipelines
- Understand and integrate different security testing in your SSP
- How to manage software vulnerabilities
- Create a security testing strategy
Learning approach
There are various approaches to establishing and running a Secure Software Programme. A one-size-fits-all formula doesn’t apply.
For that reason, this course has a two-fold objective. It aims to introduce you to the current frameworks and best practices available and supply you with the practical skills required to apply them correctly within your organization.
We’ve lined up highly skilled professionals in the trenches for years to accomplish this. They share practical advice and teach you the core of what you need to know. The course blends theoretical models, frameworks, and best practices to give you an overview of what’s out there and practical hands-on exercises for applying what you’ve learned in real-life situations.
End product
At the end of the course, you will be awarded a certificate of completion. This module does not entail any exams or official certification.
Note: Have you got plans to pursue the entire ‘Certified CISO’ programme? In that case, you’ll need a certificate of completion for all modules, and they must have been obtained within the past two years. The first six modules must be completed to start the 7th and final module, the ‘Master Project’, where you will apply the content of the previous modules to a single integrated project. Once finished, and if you obtain a positive evaluation, you’ll be awarded the ‘Certified CISO’ certificate.
Your bonus training package includes the following:
- Training material (printed and PDF format): handouts of the presentations with notes
- A list of useful links with additional information on standards and frameworks discussed during class
- The exercises and their solutions (where applicable)
How to prepare yourself
This is a classroom-based, non-technical course. Bring something (e.g., a laptop, notebook, tablet) to take additional notes.
Course prerequisites:
- A basic understanding of IT and software development
- Some experience in a corporate environment as a manager could be beneficial but is not essential.
Click here for more information about our teachers.
Day 1
1| The Secure Software Program (SSP)
- Modern software development (agile, DevOps, containers, cloud, technologies, products, …)
- The need for secure software
- The OWASP Top 10, and beyond
- Secure software development frameworks
- Secure software metrics
- Define your software security policy
- Hands-on: Start and improve your SSP with OWASP SAMM
2| Security / privacy by design & by default
- Compliance and best practice drivers for security and privacy by design
- Threat modeling introduction
- Security principles (and use as step towards DTAP environments)
- Security and Privacy by design patterns
- Hands-on: Implement GDPR security and design patterns on a case
3| Security at DevOps speed
- Tension between security and modern development (agile & DevOps)
- Strategies to deal with security as speed
- Security principles (and use as step towards DTAP environments)
- Example practices
- Hands-on: Structure threat modeling for agile development
Day 2
4| Setting security requirements
- Sources and types of security requirements
- Requirements for security requirements
- The four steps of managing security requirements
- OWASP ASVS
- Hands-on: manage security requirements with your supplier
5| Securing CI/CD pipelines & automation
- The CI/CD pipeline and its components
- Embedding security controls in CI/CD
- Dependency checking and SBOMs
- Securing infrastructure as code
- Hands-on: map vulnerabilities and controls in a CI/CD pipeline
6| Security testing
- Types of security testing & link to standards (like ASVS)
- Managing security penetration testing
- Bug bounties and responsible disclosure
- Software security vulnerability management
- Hands-on: create a security test strategy for DevOps
Price
€1.395
VAT exclusive
Certificate
"CISO Certificate of Completion"
Lunch, coffee, refreshments and course material included.
SME portfolio Flanders - higher subsidy for theme CYBERSECURITY: 45% for small and 35% for medium-sized enterprises.
Book a Call
Schedule 2024 & 2025
Name
Date
Location
Language
Register
Security leader: Secure System Acquisition and Development
10 June until 11 June 2024
Security leader: Secure System Acquisition and Development
25 November until 26 November 2024
Security leader: Secure System Acquisition and Development
3 June until 4 June 2025
Security leader: Secure System Acquisition and Development
17 June until 18 June 2025
Security leader: Secure System Acquisition and Development
24 November until 25 November 2025