Use this catalog to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions please contact us.
CYBERSECURITY EDUCATION CATALOG
Introduction
The human factor – what employees do or don’t do – is the biggest
threat to an organization’s information security, yet it’s often the most
overlooked. Whether they are processing credit cards, handling clients’
personal information, or developing software solutions for your business,
your employees are ripe targets for information thieves seeking access to
your sensitive data, unless you help them learn how to protect against
and respond to security incidents. It’s vital to your business to provide
security education to your employees and partners.
Trustwave offers two key types of security education:
• Security Awareness Education for all staff
• Secure Developer Training for technical staff
Use this catalog to browse these security education offerings. If you have
questions, reach out to your Trustwave account manager or use the
Contact Us section of the Trustwave website at www.trustwave.com.
Security Awareness Education
Every Trustwave Security Awareness Education (SAE) program is customized for
you, the client. Your options include how your online security education courses
will be set up and which additional print-based materials you would like to order
to reinforce your program year-round. This section is designed to guide you
through the program and help you choose the options that are right for you and
your organization.
SAE Lessons
Use the SAE Lessons list to browse our library of security awareness lessons. Categorized by areas of interest, each
lesson’s catalog code, topic, and objectives are listed to help you decide which topics are most appropriate for your
target audience(s). Most lessons are available in English, Spanish, Portuguese and French and can be localized into
additional languages. The portal is English by default and may be configured in Spanish, French and Portuguese
as well as many other languages. You may also view our lessons in the Trustwave Cybersecurity Education portal.
Contact your Trustwave account manager if you would like to receive a free trial.
Security Awareness Course Builder
The Security Awareness Course Builder page lists the lessons included in each course offering, tailored for common
organizational roles requiring security awareness training. If these lesson combinations don’t fit your organization’s
needs, or if you’d like to include additional materials such as quizzes or your organization’s own information security
policies, use the table at the bottom of the Security Awareness Course Builder page to identify the course content you
would like us to build.
SAE Posters
Often, organizations administer formal security awareness training only once per year. Including SAE posters in your
office environment helps keep employees aware of their security responsibilities year-round.
SAE Lessons
Each course in your Security Awareness Education program may comprise one or more of the following lessons. Use this guide to identify
the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial, contact your Trustwave
account manager.
Compliance Lessons
These lessons cover the basic principles of various compliance standards mandating training and other information security measures.

COM-01 PCI Overview
Lesson Objective: Recognize how the Payment Card Industry (PCI) Data Security Standard (DSS) protects cardholder data.
Supporting Objectives:
• Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications.
• Recognize high-level compliance requirements.
• Describe the PCI regulatory environment and recognize high level compliance requirements.

COM-02 HIPAA Overview
Lesson Objective: Recognize how the U.S. Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) laws protect the privacy and security of protected health information (PHI).
Supporting Objectives:
• Recognize key HIPAA and HITECH stakeholders.
• Recognize the purpose and scope of HIPAA privacy and security rules.
• Recognize high-level compliance requirements.

COM-03 PCI for Retail Managers
Lesson Objective: Recognize how the PCI DSS affects managers and their role in enacting PCI compliance strategies.
Supporting Objectives:
• Recognize credit card features and security elements.
• Recognize indicators of credit card fraud or tampering.
• Understand how to respond in the case of suspicious or fraudulent payment activity.

COM-04 PCI Essentials (abbreviated version of PCI Overview)
Lesson Objective: Recognize how PCI self-regulates to protect cardholder data.
Supporting Objectives:
• Recognize the cycle of a credit card transaction.
• Recognize high-level compliance requirements.
Core Concepts
These lessons cover basic security awareness concepts that all employees should understand.

COR-01 Introduction to Security Awareness
Lesson Objective: Demonstrate basic knowledge of security awareness.
Supporting Objectives:
• Understand the definition of security awareness.
• Recognize the importance of protecting information.

COR-02 Social Engineering
Lesson Objective: Recognize how common social engineering tactics threaten information security.
Supporting Objectives:
• Define social engineering, recognize who is at risk of becoming a victim and list the types of information targeted by social engineers.
• Understand the definition of security awareness, recognize the most common channels for social engineering, and recognize popular social engineering ploys.
• List best practices to avoid becoming a victim of social engineering.
Security Awareness Topics
These lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities.

SAT-01 Physical Security
Lesson Objective: Define physical security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the importance of physical security and list the information at risk.
• Recognize common attacks on physical security.
• Recognize physical security vulnerabilities and best practices for securing your workplace.

SAT-02 PC Security
Lesson Objective: Define PC security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the risks of leaving your computer unprotected.
• List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk.
• List and describe critical PC security measures and best practices.

SAT-03 Email Security
Lesson Objective: Define email security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the risk to information security if secure email practices are not in place.
• Recognize the most common email scams and the measures you can take to avoid becoming a victim.
• List best practices for using email securely.

SAT-04 Password Security
Lesson Objective: Define password security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the importance of keeping passwords protected.
• List the ways password protection may be used to keep information secure.
• List basic rules for building a strong password and recognize best practices for effective password use.

SAT-05 Web Browsing Security
Lesson Objective: Define web browsing security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the risks of visiting unknown and unsecure websites.
• List the most common web security threats and recognize how you may put your organization’s information at risk.
• List and describe best practices for browsing the web securely.

SAT-06 Mobile Device Security
Lesson Objective: Define mobile device security, recognize common threats and list best practices.
Supporting Objectives:
• Recognize the risks of leaving your device unprotected.
• Recognize common mobile device attacks and user mistakes that put information at risk.
• List and describe common mobile device security measures.
Best Practices for Job Roles
These lessons target specific job roles within an organization. Each course you create should contain one of these JRT (Job Role Training) lessons, depending on your role and industry.

JRT-01 Secure Practices for Retail Associates
Lesson Objective: Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting Objectives:
• Recognize the information security responsibilities of retail associates that impact the retail environment.
• List and describe information security responsibilities and best practices of retail associates.

JRT-02 Secure Practices for Retail Managers
Lesson Objective: Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting Objectives:
• Recognize the security responsibilities of retail managers or owners that impact the retail environment.
• List and describe information security responsibilities and best practices of retail managers.

JRT-03 Secure Practices for Call Center Employees
Lesson Objective: Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure.
Supporting Objectives:
• Recognize the information security laws and regulations that impact the call center environment.
• Recognize the responsibility of call center employees to protect the information they work with each day.
• List and describe the information security responsibilities and best practices of call center employees.

JRT-04 Secure Practices for Call Center Managers
Lesson Objective: Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center.
Supporting Objectives:
• Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment.
• List and describe information security responsibilities and best practices of call center managers.

JRT-05 Secure Practices for Office Employees
Lesson Objective: Recognize the security awareness responsibilities of office employees and the laws, regulations, methods and best practices that help keep information secure.
Supporting Objectives:
• Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment.
• List and describe information security responsibilities and best practices of office employees.

JRT-06 Secure Practices for IT and Engineering Staff
Lesson Objective: Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure.
Supporting Objectives:
• Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibilities of personnel to protect the information they work with each day.
• List and describe the information security responsibilities of IT and engineering staff.
• List best practices for IT and engineering staff to help keep information secure.
Advanced Security Topics
These lessons cover a wide range of advanced topics for managers and technical personnel.

ADV-01 PCI Forensic Investigations
Lesson Objective: Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated.
Supporting Objectives:
• Identify common ways breaches are discovered and the high level steps employees should take if a breach is discovered.
• Learn about the Trustwave PCI forensic investigation process and a breached organization’s responsibility to report and remediate security deficiencies.
• Recognize common security threats and the importance of continuous compliance to protect against them.

ADV-02 Exploring Security Trends
Lesson Objective: Recognize key findings of Trustwave’s annual Global Security Report and list ways to improve security this year based on last year’s trends.
Supporting Objectives:
• Recognize the purpose and contents of Trustwave’s Global Security Report.
• Recognize key findings of the current Global Security Report.
• List security best practices that help organizations avoid the security pitfalls of last year.
Banking Security
Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While
you are taking steps to protect your customers from identity theft and financial crimes, customers themselves must also implement security best
practices when accessing online banking on their personal or business computers. Providing resources to customers to educate them about best
practices for securing their information online demonstrates your commitment to securing your customers’ information, improves security for you
and your customers, and helps satisfy Federal Financial Institutions Examination Council (FFIEC) requirements for customer education.
Banking Security
These lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.

BAN-01 Online Banking Security
Lesson Objective: Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats.
Supporting Objectives:
• Recognize ways information is stolen from online accounts.
• Recognize the monetary risk of security incidents and the top attack targets used by criminals.
• Learn how banks and their customers work together to protect valuable information.

BAN-02 Protecting Online Accounts for Businesses
Lesson Objective: Recognize a business’s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so.
Supporting Objectives:
• Recognize a business’s role in keeping their sensitive information secure online.
• List best practices for businesses to use to protect their sensitive information.

BAN-03 Protecting Online Accounts for Consumers
Lesson Objective: Recognize the individual’s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so.
Supporting Objectives:
• Recognize an individual consumer’s role in keeping their sensitive information secure online.
• List best practices consumers can use to protect their sensitive information.
Security Awareness Course Builder
The first table below indicates the lessons included in our basic SAE courses. These lessons are targeted to common roles that fit most
organizations. Also shown below is the recommended Job Role Training (JRT) lesson for each role.
If you prefer to create a custom course, use the Create Your Own table to indicate what lessons you would like to include in which courses.
[Lesson matrix for the basic SAE courses; the per-lesson columns did not survive extraction. Courses listed: Security Awareness for Retail Associates; Security Awareness for Retail Managers; Security Awareness for Call Center Employees; Security Awareness for Call Center Managers; Security Awareness for Office Employees; Security Awareness for IT and Engineering Staff; Security Awareness for Health Care Staff; Security Awareness for PCI Compliance; Security Awareness for PCI Compliance and Risk Reduction. The lessons in each course are listed under Role-Based Security Awareness Education Courses.]
Create Your Own
Use this section to mix and match lessons to build up to five courses of your own. Just print this sheet and fill in the necessary information,
which you can then share with your Trustwave account manager.
Lessons available for selection: COM-01, COM-02, COM-03, COM-04, COR-01, COR-02, SAT-01, SAT-02, SAT-03, SAT-04, SAT-05, SAT-06, BAN-01, BAN-02, BAN-03, JRT-01, JRT-02, JRT-03, JRT-04, JRT-05, JRT-06, ADV-01, ADV-02, Quiz, Policy Document.
Role-Based Security Awareness Education Courses
We designed these courses to fit common job roles. Each is available for you to assign to your employees using the Learning
Assignment Tool in the Cybersecurity Education portal. If you prefer to assign your own custom sets of lessons, please
contact us at CybersecurityEducationSupport@trustwave.com.
Security Awareness for Office Employees
(2 hours)
This course is designed for general office staff and
employees who have access to sensitive information.
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• SAT-06 Mobile Device Security (10 minutes)
• JRT-05 Secure Practices for Office Employees (15 minutes)
Security Awareness for Retail Associates
(50 minutes)
This course is designed for employees who process
credit card transactions in person.
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• JRT-01 Secure Practices for Retail Associates
Security Awareness for Retail Managers
(2 hours 5 minutes)
This course is designed for managers of retail point of
sale environments.
• COM-03 PCI for Retail Managers (15 minutes)
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• JRT-02 Secure Practices for Retail Managers (15 minutes)
Security Awareness for Call Center Employees
(1 hour 50 minutes)
This course is designed for employees who process
card-not-present transactions.
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• JRT-03 Secure Practices for Call Center Employees (15 minutes)
Security Awareness for Call Center Managers
(1 hour 50 minutes)
This course is designed for managers of card-not-present environments.
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• JRT-04 Secure Practices for Call Center Managers (15 minutes)
Security Awareness for IT and Engineering Staff
(2 hours)
This course is designed for employees who handle
systems carrying sensitive data.
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• SAT-06 Mobile Device Security (10 minutes)
• JRT-06 Secure Practices for IT and Engineering Staff (15 minutes)
Security Awareness for PCI Compliance
(25 minutes)
This course is designed for employees who need to
meet PCI-DSS training requirements but have minimal
time available for training.
• COM-04 PCI Essentials (10 minutes)
• COR-01 Introduction to Security Awareness (15 minutes)
Security Awareness for PCI Compliance and Risk Reduction
(2 hours 15 minutes)
This comprehensive course is designed for employees
who need to meet PCI-DSS security awareness training
requirements and learn how to reduce risk of data
exposure.
• COM-01 PCI Overview (15 minutes)
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
• SAT-06 Mobile Device Security (10 minutes)
• JRT-05 Secure Practices for Office Employees (15 minutes)
Security Awareness for Health Care Staff
(1 hour 50 minutes)
This course is designed for employees who need to
meet HIPAA security awareness training requirements
and learn how to reduce risk of data exposure.
• COM-02 HIPAA Overview (15 minutes)
• COR-01 Introduction to Security Awareness (15 minutes)
• COR-02 Social Engineering (20 minutes)
• SAT-01 Physical Security (20 minutes)
• SAT-02 PC Security (10 minutes)
• SAT-03 Email Security (10 minutes)
• SAT-04 Password Security (10 minutes)
• SAT-05 Web Browsing Security (10 minutes)
SAE Posters
Augment your security awareness program with posters specific to your target audience. Posters are only available in
English, and they are in PDF format. Posters are available for download in the Cybersecurity Education portal and are
included with client-hosted content packages.
Secure Development Training (SDT)
Trustwave offers a suite of web-based technical lessons that introduce your
solution development staff to theory and best practices around planning and
writing secure code. You can choose to enroll employees in just one of the
lessons that is most relevant to them, or give them access to an SDT lesson
bundle. No matter what option you select, this section will help you decide
which lessons are right for your staff.
Secure Development Lessons
Use the SDT Lessons list to browse our library of SDT lessons. Categorized by the stages of the Software Development
Life Cycle (SDLC), each lesson’s catalog code, topic, and prerequisites (if any) are listed here to help you decide which
topics are most appropriate for your target audience(s). All lessons are available in English and content translation is
available. The portal is English by default and may be configured in Spanish, French and Portuguese as well as many
other languages.
Secure Development Bundles
The Secure Development Bundles page shown on page 19 in this document defines the lesson bundles available to
customers using SDT. You can use the Secure Development Bundles page to note which courses (consisting of various
lessons) you would like to offer to your staff.
SDT Lessons

Security Awareness and Process
These lessons cover topics related to fundamental security awareness concepts as they relate to software development.

AWA 101 Fundamentals of Application Security
Objectives:
• Learn about the main drivers for application security, fundamental concepts of application security risk management, the anatomy of an application attack, some common attacks, and the concept of input validation as a primary risk mitigation technique.
• Learn key security principles and best practices for developing secure applications.
Time: 1 hour
Suggested Prerequisites: Understanding of the Software Development Life Cycle (SDLC) and technologies; basic understanding of software security.
Security Engineering
These lessons cover topics related to the employment of security awareness strategies as a Software Engineer.

ENG 211 How to Create Application Security Design Requirements
Objectives:
• Understand, create, and articulate security requirements.
• Understand the security engineering process.
• Recognize key security engineering activities to integrate into the SDLC.
• Understand software security objectives and apply security design guidelines.
Time: 1 hour
Suggested Prerequisites: Fundamentals of Application Security (AWA 101)

ENG 301 How to Create an Application Security Threat Model
Objectives:
• Learn to identify the goals of threat modeling and the corresponding Software Development Life Cycle (SDLC) requirements.
• Identify the roles and responsibilities involved in the threat modeling process.
• Recognize when and what to threat model.
• Identify the tools that help with threat modeling.
• Learn to use the threat modeling process to accurately identify, mitigate, and validate threats.
Time: 90 minutes
Suggested Prerequisites: None

ENG 311 Attack Surface Analysis and Reduction
Objectives:
• Understand the goals and methodologies of attackers.
• Identify attack vectors.
• Learn how to minimize the attack surface of an application.
• Learn how to define the attack surface of an application.
• Learn how to reduce the risk to an application by minimizing its attack surfaces.
Time: 1 hour
Suggested Prerequisites: Fundamentals of Secure Development (COD 101); Architecture Risk Analysis and Remediation (DES 212)

ENG 312 How to Perform a Security Code Review
Objectives:
• Learn how to best organize a code review.
• Learn how to prioritize code segments to review.
• Learn best practices for reviewing source code and maximizing security resources.
Time: 1 hour
Suggested Prerequisites: Fundamentals of Secure Development (COD 101); Architecture Risk Analysis and Remediation (DES 212)

ENG 352 How to Create an Automotive Systems Threat Model
Objectives:
• Learn about threat modeling in the context of developing automotive systems.
• Understand the step-by-step instructions for performing threat modeling that is aligned with the approach proposed in the NHTSA (National Highway Traffic Safety Administration) document entitled “Characterization of Potential Security Threats in Modern Automobiles”. Some supplementary data in this course is taken from that document.
• Upon completion of this course, you will be able to perform threat modeling; use threat modeling to identify vulnerabilities; and integrate threat modeling with other security and development activities.
Time: 90 minutes
Suggested Prerequisites: None

ENG 391 IoT Embedded Systems Security - How to Create an Application Security Threat Model
Objectives:
• Learn additional information about creating an Application Security threat model.
• Learn how to map content to specific compliance and regulatory requirements.
• Learn about key reference resources that support the topics covered in the module.
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: How to Create an Application Security Threat Model (ENG 301)
ENG 392 IoT Embedded Systems Security - Attack Surface Analysis and Reduction
Objectives:
• Learn additional information about Attack Surface Analysis and Reduction (particularly important to embedded software engineers).
• Learn about key reference resources that support topics covered in this module.
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: Attack Surface Analysis and Reduction (ENG 311)

ENG 393 IoT Embedded Systems Security - How to Perform a Security Code Review
Objectives:
• Learn additional information about code (particularly important to embedded software engineers).
• Learn how to map content to specific compliance and regulatory requirements.
• Learn about key reference resources that support the topics covered in the module.
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: How to Perform a Security Code Review (ENG 312)
Secure Design
These lessons cover topics related to secure software architecture and design, to help plan security into applications before any code is written.

DES 101 Fundamentals of Secure Architecture
Objectives:
• Examine the state of the industry from a security perspective.
• Learn about the biggest security disasters in software design.
• Understand that confidentiality, integrity, and availability are the three main tenets of information security.
• Learn how to avoid repeating past information security mistakes.
Time: 1 hour
Suggested Prerequisites: Fundamentals of Application Security (AWA 101); How to Create Application Security Design Requirements (ENG 211)

DES 201 Fundamentals of Cryptography
Objectives:
• Learn the basic concepts of cryptography and common ways that it is applied, from the perspective of application development.
• Learn the importance of randomness; the roles of encoding, encryption, and hashing; the concepts of symmetric and asymmetric encryption; the purpose of cryptographic keys; and the roles of message authentication codes (MACs) and digital signatures.
• Learn about the complexity of cryptography.
Time: 2 hours
Suggested Prerequisites: Fundamentals of Application Security (AWA 101); Fundamentals of Secure Development (COD 101); OWASP Top Ten Threats and Mitigations (DES 221)

DES 212 Architecture Risk Analysis and Remediation
Objectives:
• Learn concepts, methods, and techniques for analyzing the architecture and design of a software system for security flaws.
Time: 1 hour
Suggested Prerequisites: Fundamentals of Application Security (AWA 101)

DES 213 Introduction to Security Tools and Technologies
Objectives:
• Review the types of security tools.
• Learn how to interpret, prioritize, and act on the tool output.
• Learn strategies for selecting and deploying tools.
Time: 2 hours
Suggested Prerequisites: Fundamentals of Security Testing (TST 101)

DES 221 OWASP Top 10 - Threats and Mitigations
Objectives:
• Identify and mitigate the greatest threats that web application developers face.
Time: 2 hours
Suggested Prerequisites: None

DES 292 IoT Embedded Systems Security - Architecture Risk Analysis Remediation
Objectives:
• Learn additional information about Architecture Risk Analysis and Remediation training (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: Architecture Risk Analysis Remediation (DES 212)

DES 311 Creating Secure Application Architecture
Objectives:
• Learn how to harden applications and make them more difficult for intruders to breach.
• Learn about compartmentalization, centralized input, and data validation as methods to protect applications from malicious input.
Time: 2 hours
Suggested Prerequisites: Fundamentals of Application Security (AWA 101); Fundamentals of Security Testing (TST 101)

DES 352 Creating Secure Over the Air (OTA) Automotive System Updates
Objectives:
• Learn about secure design considerations for over-the-air (OTA) updates for automotive systems.
• After completing this course, you will be able to identify the benefits and risks of OTA automotive system updates, understand the importance of public key cryptography to the security of these updates, and identify secure design considerations for development, delivery, and installation of OTA automotive system updates.
Time: 90 minutes
Suggested Prerequisites: Fundamentals of Secure Mobile Development (COD 110); IoT Embedded Systems Security - Fundamentals of Secure Embedded Software Development (COD 160)
DES 391 IoT Embedded Systems Security - Creating Secure Application Architecture
Objectives:
• Learn additional information about Creating Secure Application Architecture (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: Creating Secure Application Architecture (DES 311)
Secure Coding
These lessons cover topics related to the implementation stage of the Software Development Life Cycle (when code is actually written).

COD 101 Fundamentals of Secure Development
Objectives:
• Learn about the need for secure software development.
• Learn about the models, standards, and guidelines you can use to understand security issues and improve the security posture of your applications.
• Learn about key application security principles.
• Learn how to integrate secure development practices into the SDLC.
Time: 80 minutes
Suggested Prerequisites: None

COD 110 Fundamentals of Secure Mobile Development
Objectives:
• Learn about common risks associated with mobile applications.
• Learn mobile application development best practices.
• Understand mobile development threats and risks.
Time: 2 hours
Suggested Prerequisites: None

COD 141 Fundamentals of Secure Database Development
Objectives:
• Understand database development best practices.
Time: 1 hour 50 minutes
Suggested Prerequisites: Fundamentals of Application Security (AWA 101)

COD 153 Fundamentals of Secure AJAX Code
Objectives:
• Learn about AJAX technology and its common vulnerabilities and attack vectors.
• Identify the differences between regular and AJAX applications, common AJAX vulnerabilities that attackers tend to exploit, and major threats to AJAX applications.
Time: 35 minutes
Suggested Prerequisites: None

COD 160 IoT Embedded Systems Security - Fundamentals of Secure Embedded Software Development
Objectives:
• Learn about security issues inherent to embedded device architecture.
• Learn about techniques to identify system security and performance requirements, develop appropriate security architecture, select the correct mitigations, and develop policies that can ensure the secure operation of your system.
Time: 90 minutes
Suggested Prerequisites: None

COD 170 Identifying Threats to Mainframe COBOL Applications and Data
Objectives:
• Learn about common security issues that affect the confidentiality, integrity, and availability of COBOL programs or mainframes.
Time: 20 minutes
Suggested Prerequisites: None

COD 190 IoT Embedded Systems Security - Fundamentals of Secure Mobile Development
Objectives:
• Learn additional information about Secure Mobile Development (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested Prerequisites: Fundamentals of Secure Mobile Development (COD 110)

COD 211 Creating Secure Code – Java Foundations
Objectives:
• Learn best practices and techniques for secure application development in Java.
Time: 2.5 hours
Suggested Prerequisites: Fundamentals of Application Security (AWA 101); Fundamentals of Secure Development (COD 101); OWASP Top 10 - Threats and Mitigations (DES 221)

COD 212 Creating Secure Code – C/C++ Foundations
Objectives:
• Learn best practices and techniques for secure application development in C/C++.
Time: 2 hours
Suggested Prerequisites: Fundamentals of Application Security (AWA 101); Fundamentals of Secure Development (COD 101); OWASP Top 10 - Threats and Mitigations (DES 221)
COD 215: Creating Secure Code – .NET Framework Foundations
• Learn about .NET 4 security features.
• Learn about changes in .NET 4.
• Learn secure coding best practices.
Time: 2 hours
Suggested prerequisites: Fundamentals of Secure Development (COD 101)

COD 219: Creating Secure Code – SAP ABAP Foundations
• Learn best practices and techniques for secure SAP application development using Java and ABAP.
• Learn about basic application security principles, input validation in SAP applications, common application security vulnerabilities and mitigations, protecting data using encryption, and conducting security code analysis and code reviews.
Time: 90 minutes
Suggested prerequisites:
• Fundamentals of Secure Development (COD 101)
• Fundamentals of Application Security (AWA 101)
• OWASP Top 10 - Threats and Mitigations (DES 221)

COD 222: PCI DSS v3.2 Best Practices for Developers
• Learn about PCI DSS best practices and how to use them to address application security issues.
Time: 1 hour
Suggested prerequisites: Fundamentals of Secure Architecture (DES 101)

COD 251: Creating Secure AJAX Code - ASP.NET Foundations
• Understand how to mitigate common vulnerabilities and protect against common attack vectors.
• Identify threats to AJAX applications from cross-site scripting and other attacks.
• Learn how to implement countermeasures against attacks.
Time: 35 minutes
Suggested prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 252: Creating Secure AJAX Code – Java Foundations
• Understand how to mitigate common vulnerabilities and protect against common attack vectors.
• Identify threats to AJAX applications from cross-site scripting and other attacks.
• Learn how to implement countermeasures against attacks.
Time: 35 minutes
Suggested prerequisites: Fundamentals of Secure AJAX Code (COD 153)

COD 253: Creating Secure Cloud Code – AWS Foundations
• Learn about security vulnerabilities, threats, and mitigations for AWS cloud computing services.
• Learn about Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), and four additional core AWS services: Identity and Access Management (IAM), DynamoDB Flat Database Service, Relational Database Service (RDS), and Simple Storage Service (S3).
• Learn about ancillary AWS services.
• After completing this course, you will be able to identify the most common security threats to cloud development and best practices to protect against these threats. You will also be able to identify AWS security features and ways to integrate them into your AWS resources.
Time: 1 hour
Suggested prerequisites: None

COD 254: Creating Secure Cloud Code – Azure Foundations
• Learn about the risks associated with creating and deploying applications on Microsoft’s Azure cloud platform.
• Recognize core security considerations for Azure Virtual Machine (VM) security, authentication and access control, legacy .NET Framework applications, Azure web sites, and the Microsoft WebMatrix3 IDE.
Time: 90 minutes
Suggested prerequisites: None

COD 255: Creating Secure Code - Web API Foundations
• Learn about common web services that may put your application at risk.
• Learn best practices that you should incorporate to mitigate the risk from web services attacks.
• Understand various web services threats and the cause and impact of web services attacks.
• Learn how to implement secure development best practices to protect web services.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 - Threats and Mitigations (DES 221)
COD 256: Creating Secure Code - Ruby on Rails Foundations
• Learn best practices and techniques for secure application development with Ruby on Rails.
• Learn to identify and mitigate injection vulnerabilities, such as SQL injection and cross-site scripting.
• Learn how to build strong session management into your Rails applications, and prevent other common vulnerabilities, such as cross-site request forgery and direct object access.
Time: 90 minutes
Suggested prerequisites: Fundamentals of Application Security (AWA 101)

COD 257: Creating Secure Python Web Applications
• Learn about best practices and techniques for secure application development with Python.
• Understand various types of injection vulnerabilities.
• Understand how to build strong session management into your Python web application and how to prevent common vulnerabilities.
• Recognize file system threats to web applications, including vulnerabilities with path traversal, temporary files, and insecure client redirects.
Time: 45 minutes
Suggested prerequisites: None

COD 292: IoT Embedded Systems Security - C/C++ Foundations
• Learn additional information about C/C++ Foundations of particular importance to embedded software engineers.
• Assess your mastery of key concepts.
Time: 30 minutes
Suggested prerequisites: Creating Secure Code - C/C++ Foundations (COD 212)

COD 311: Creating Secure ASP.NET Code
• Learn about ASP.NET and Web API code security issues that affect MVC and Web API applications.
• Learn methods to protect your application from attacks against MVC’s model-binding behavior.
• Learn methods to protect your application from cross-site scripting, cross-site request forgery, and malicious URL redirects.
• Learn about the Web API pipeline and how to implement authentication and authorization in Web API applications.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – .NET Framework Foundations (COD 215)

COD 312: Creating Secure C/C++ Code
• Learn techniques for securing your C/C++ applications.
• Learn about secure memory management in C/C++, protecting and authenticating sensitive data with symmetric and public key cryptography, and secure communications with TLS.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Secure Development (COD 101)
• Fundamentals of Application Security (AWA 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – C/C++ Foundations (COD 212)

COD 313: Creating Secure Java Code
• Identify and use the components of the Java security model.
• Identify how to use JAAS to control user authentication and authorization in your Java application.
• Learn how to implement cryptography to sign and verify Java jar files.
Time: 35 minutes
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
• Creating Secure Code – Java Foundations (COD 211)

COD 314: Creating Secure C# Code
• Learn about common security vulnerabilities that can be mitigated by proper input validation, other common security vulnerabilities and their mitigations, secure error handling and logging, and secure communication.
• Learn about the unique features of C# and the .NET framework that help protect against security vulnerabilities.
Time: 2 hours 30 minutes
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)
• OWASP Top 10 – Threats and Mitigations (DES 221)
COD 315: Creating Secure PHP Code
• Learn the security principles for building secure PHP applications.
• Assess mastery of key concepts.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• Fundamentals of Secure Development (COD 101)

COD 317: Creating Secure iPhone Code in Objective-C
• Recognize common iOS application vulnerabilities and learn secure coding best practices.
• Recognize and mitigate threats such as malicious user input, threats to privacy and confidentiality, and more.
Time: 90 minutes
Suggested prerequisites: None

COD 318: Creating Secure Android Code in Java
• Learn about common Android application vulnerabilities.
• Learn secure coding best practices using Java and the Android SDK.
• Identify and mitigate a variety of attacks.
Time: 90 minutes
Suggested prerequisites: None

COD 351: Creating Secure HTML5 Code
• Learn about the development of secure HTML5 code.
• Learn about common HTML5 application vulnerabilities and threats, and secure coding best practices.
• Upon completion of this class, participants will be able to identify ways in which the expanded attack surface introduced with HTML5 might impact your web applications. Participants will also be able to identify new security features available with HTML5, as well as countermeasures and best practices to mitigate the application’s exposure to attack.
Time: 80 minutes
Suggested prerequisites: None

COD 352: Creating Secure jQuery Code
• Learn about common client-side vulnerabilities and threats to jQuery applications, and techniques for mitigating these vulnerabilities and threats.
• Learn how to implement new HTML5 security features to secure jQuery applications, and best practices to secure local storage and implement transport layer security.
• Be able to describe the threats that can impact your jQuery code and describe the countermeasures to address these threats.
Time: 90 minutes
Suggested prerequisites: None

COD 392: IoT Embedded Systems Security - Creating Secure C/C++ Code for Embedded Systems
• Learn additional information on security topics that may be of particular importance to embedded software engineers. The module includes a mapping of content to specific compliance and regulatory requirements, links to key reference resources that support the topics covered in the module, and a “Knowledge Check” quiz that assesses mastery of key concepts.
• This course module is a supplement to the Security Innovation course COD 812, “Creating Secure Code – C/C++”.
Time: 30 minutes
Suggested prerequisites: None

COD 411: Integer Overflows - Attacks and Countermeasures
• Learn security concepts, testing techniques, and best practices to develop robust applications that are secure against integer overflow vulnerabilities.
Time: 1 hour
Suggested prerequisites: Basic understanding of the C, C++, and C# programming languages.

COD 412: Buffer Overflows - Attacks and Countermeasures
• Learn how to avoid and mitigate the risks posed by buffer overflows.
• Learn about the protection provided by the Microsoft compiler and the Windows operating system.
• Learn how to avoid buffer overflows during the design, development, and verification phases of the SDLC.
Time: 2 hours
Suggested prerequisites: Basic knowledge of Windows programming and memory management in Windows.
Security Testing
These lessons cover topics related to the testing of software for security flaws and remediating defects before release.
TST 101: Fundamentals of Security Testing
• Learn security testing concepts and processes.
• Learn how to conduct effective security testing.
• Identify common security issues during testing, to uncover security vulnerabilities.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Application Security (AWA 101)
• How to Create Application Security Design Requirements (ENG 211)

TST 191: IoT Embedded Systems Security - Fundamentals of Security Testing
• Learn additional information about the Fundamentals of Security Testing training (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested prerequisites: Fundamentals of Security Testing (TST 101)

TST 201: Classes of Security Defects
• Learn what is needed to create a robust defense against common security defects.
• Learn how and why security defects are introduced into software.
• Learn about common classes of attacks.
• Learn about techniques and best practices to help identify, eliminate, and mitigate each class of security defects.
Time: 3 hours
Suggested prerequisites: Fundamentals of Application Security (AWA 101)

TST 211: How to Test for the OWASP Top 10
• Learn about the top ten OWASP flaws and how to perform testing to identify these flaws in web applications.
Time: 1 hour 30 minutes
Suggested prerequisites: Fundamentals of Security Testing (TST 101)

TST 291: IoT Embedded Systems Security - Classes of Security Defects
• Learn additional information about Classes of Security Defects (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested prerequisites: Classes of Security Defects (TST 201)

TST 401: Advanced Software Security Testing - Tools and Techniques
• Learn about testing for specific security weaknesses.
• Learn about the top ten types of attacks and the tools to use to test for these attacks.
• Learn how to test software applications for susceptibility to the top ten attacks.
Time: 2 hours
Suggested prerequisites:
• Fundamentals of Security Testing (TST 101)
• Classes of Security Defects (TST 201)

TST 411: Exploiting Buffer Overflows
• Understand and mitigate buffer-overflow exploits.
• Understand the challenges faced by exploit code and how different exploitation techniques overcome environmental limitations.
Time: 2 hours
Suggested prerequisites: Creating Secure C/C++ Code (COD 312)

TST 491: IoT Embedded Systems Security - Classes of Security Defects
• Learn additional information about Software Security Testing (of particular importance to embedded software engineers).
• Assess mastery of key concepts.
Time: 30 minutes
Suggested prerequisites: Advanced Software Security Testing – Tools and Techniques (TST 401)
Secure Development Bundles
Use this section to determine which bundles you want to provide for your staff. Descriptions of the lessons in each bundle
can be found in the SDT Lessons List. Custom bundles, consisting of up to five lessons, can be set up upon request.
Contact your Trustwave account manager if you would like to configure a custom bundle or custom course, or add
advanced training lessons.
C/C++ Developer
• AWA 101 Fundamentals of Application Security
• COD 101 Fundamentals of Secure Development
• COD 160 Fundamentals of Secure Embedded Development
• DES 201 Fundamentals of Cryptography
• COD 212 Creating Secure Code - C/C++ Foundations

C/C++ Developer II
• COD 312 Creating Secure C/C++ Code
• ENG 301 How to Create an Application Security Threat Model
• ENG 312 How to Perform a Security Code Review
• COD 411 Integer Overflows - Attacks and Countermeasures
• COD 412 Buffer Overflows - Attacks and Countermeasures

Database Developer
• AWA 101 Fundamentals of Application Security
• COD 141 Fundamentals of Secure Database Development
• DES 201 Fundamentals of Cryptography
• ENG 301 How to Create an Application Security Threat Model
• ENG 312 How to Perform a Security Code Review

Java Developer
• AWA 101 Fundamentals of Application Security
• COD 101 Fundamentals of Secure Development
• COD 211 Creating Secure Code - Java Foundations
• COD 252 Creating Secure AJAX Code - Java Foundations
• DES 221 OWASP Top 10 - Threats and Mitigations

Java Developer II
• COD 313 Creating Secure Java Code
• COD 352 Creating Secure jQuery Code
• ENG 301 How to Create an Application Security Threat Model
• ENG 312 How to Perform a Security Code Review
• COD 351 Creating Secure HTML5 Code

Mobile Developer
• AWA 101 Fundamentals of Application Security
• COD 110 Fundamentals of Secure Mobile Development
• COD 317 Creating Secure iPhone Code in Objective-C
• COD 318 Creating Secure Android Code in Java
• DES 221 OWASP Top 10 - Threats and Mitigations

PCI Developer
• AWA 101 Fundamentals of Application Security
• COD 222 PCI DSS v3.2 Best Practices for Developers
• DES 221 OWASP Top 10 - Threats and Mitigations
• ENG 301 How to Create an Application Security Threat Model
• ENG 312 How to Perform a Security Code Review

PHP Developer
• AWA 101 Fundamentals of Application Security
• COD 153 Fundamentals of Secure AJAX Code
• COD 256 Creating Secure Code - Ruby on Rails Foundations
• COD 257 Creating Secure Code - Python
• DES 221 OWASP Top 10 - Threats and Mitigations

Project Manager
• AWA 101 Fundamentals of Application Security
• COD 311 Creating Secure ASP.NET Code
• DES 101 Fundamentals of Secure Architecture
• ENG 211 How to Create Application Security Design Requirements

Software Architect
• AWA 101 Fundamentals of Application Security
• DES 101 Fundamentals of Secure Architecture
• DES 221 OWASP Top 10 - Threats and Mitigations
• DES 212 Architecture Risk Analysis and Remediation
• DES 213 Introduction to Security Tools and Technologies

Test/QA (Embedded QA also available)
• TST 101 Fundamentals of Application Security
• TST 201 Classes of Security Defects
• TST 211 How to Test for the OWASP Top 10
• ENG 312 How to Perform a Security Code Review
• TST 401 Advanced Software Security Testing - Tools and Techniques

.NET Developer
• AWA 101 Fundamentals of Application Security
• COD 215 Creating Secure Code - .NET Framework Foundations
• COD 251 Creating Secure AJAX Code - ASP.NET Foundations
• COD 311 Creating Secure ASP.NET Code
• DES 221 OWASP Top 10 - Threats and Mitigations
Cloud Developer
• AWA 101 Fundamentals of Application Security
• DES 201 Fundamentals of Cryptography
• COD 253 Creating Secure Cloud Code - AWS Foundations
• COD 254 Creating Secure Cloud Code - Azure Foundations

Embedded Developer
• AWA 101 Fundamentals of Application Security
• DES 201 Fundamentals of Cryptography
• COD 160 Fundamentals of Secure Embedded Development
• COD 212 Creating Secure Code - C/C++ Foundations
• COD 292 Creating Secure Code - C/C++ Foundations for Embedded Systems

Embedded Architect
• DES 101 Fundamentals of Secure Architecture
• COD 110 Fundamentals of Secure Mobile Development
• DES 201 Fundamentals of Cryptography
• DES 212 Architecture Risk Analysis and Remediation
• DES 292 Architecture Risk Analysis and Remediation for Embedded Systems

Embedded QA
• TST 101 Fundamentals of Security Testing
• TST 191 Fundamentals of Security Testing for Embedded Systems
• TST 201 Classes of Security Defects
• TST 291 Classes of Security Defects for Embedded Systems
• ENG 312 How to Perform a Security Code Review

IT Architect
• DES 101 Fundamentals of Secure Architecture
• DES 212 Architecture Risk Analysis and Remediation
• DES 213 Introduction to Security Tools and Technologies
• ENG 211 How to Create Application Security Design Requirements
• ENG 301 How to Create an Application Security Threat Model

Systems Leadership
• COD 101 Fundamentals of Secure Development
• DES 221 OWASP Top 10 - Threats and Mitigations
• DES 311 Creating Secure Application Architecture