Short Courses for Industry

Automated Security Testing During Software Development (CPD)

A one-day course on security testing during software development. The course is given and designed by the former Security Testing Strategist of SAP SE and has been given successfully at heise devsec 2017, a professional conference on secure software development.

Date: Expected to run March 2019
Cost: TBC

Summary

About the course

Software security vulnerabilities are a serious threat to software vendors and their customers: they can result in both monetary loss and loss of reputation. Thus, implementing a rigorous secure software development life-cycle (SDLC) is a competitive advantage for a software vendor. Security testing is an important part of any SDLC. Moreover, it is commonly accepted that security testing should be applied as early as possible in software development.

In this one-day continuing professional development (CPD) training, the participants will learn different security testing approaches (e.g., SAST, DAST), their specific strengths and weaknesses, how to evaluate tools, and how to select the best “blend” of tools for their own software development. Moreover, the participants will learn how these tools can be integrated into various software development methods (ranging from traditional waterfall-like processes to agile processes supporting continuous delivery).

The training is structured as a series of short lectures, discussions for exchanging participants' own experiences, and practical exercises.

Prerequisites

  • basic knowledge of software development
  • basic knowledge of (secure) programming
  • basic knowledge of software vulnerabilities
  • knowledge of a programming language is an advantage

For the practical lab session, participants should bring their own laptop with at least 8GB of RAM and 5GB of free disk space. Moreover, a common virtualisation software (VMware, VirtualBox, Parallels, KVM) should be installed. If you do not already have a virtualisation solution installed, you might want to use VirtualBox. VirtualBox is a free virtualisation solution that runs on Windows, Linux, and OS X. Note that hardware virtualisation support should be enabled in the BIOS/UEFI setup.

Learning Outcomes

  • understand which types of software vulnerabilities can be detected by the different security testing tools
  • understand how different security testing tools can be evaluated and compared
  • understand the requirements that security testing tools need to fulfil to be suitable for different software development processes (and different phases of a software development life-cycle)
  • understand in which other tools (e.g., IDE, CI) security testing tools can and should be integrated
  • know how to avoid typical pitfalls in introducing and using security testing tools

Agenda

08.30 - 09.30: registration and welcome (coffee)

09.30 - 11.00: introduction

  • welcome & get-to-know each other
  • introduction to secure software development
  • security testing during software development

11.00 - 11.15: coffee break & networking

11.15 - 12.30: static security testing approaches

  • different types of static security testing approaches
  • static security testing by and for developers
  • practical exercise “static security testing tools”

12.30 - 13.30: networking lunch

13.30 - 15.00: dynamic security testing approaches

  • different types of dynamic security testing approaches
  • dynamic security testing by and for developers
  • practical exercise “dynamic security testing tools”

15.00 - 15.15: coffee break & networking

15.15 - 17.00: introducing and integrating security testing tools

  • integrating security testing tools
  • comparing and selecting security testing tools
  • introducing security testing into a software development organisation
  • final discussion and closing

Course Leaders

The workshop is given by Dr. Achim D. Brucker and Michael Herzberg.

Dr. Achim D. Brucker is a Senior Lecturer in Software Assurance & Security in the Computer Science Department of The University of Sheffield. Before joining The University of Sheffield, he was the Security Testing Strategist in the Global Security Team of SAP SE, where, among other things, he defined the risk-based security testing strategy of SAP that is now implemented across all worldwide development locations of SAP SE. As part of his work, he evaluated and rolled out security testing tools to more than 25,000 developers worldwide, and designed and delivered training for all developers at SAP. He is a frequent speaker at both academic and professional security conferences.

Michael Herzberg is a PhD student at the University of Sheffield, UK, supervised by Dr. Achim D. Brucker. Michael’s focus lies on formal methods for building secure systems. Previously he graduated from the Karlsruhe Institute of Technology, Germany, with a B.Sc. in Computer Science. During that time he also worked at SAP Research on assessing different static code analysis

Contact

Contact details

For technical queries please contact the course leader:

Dr Achim Brucker

Email: a.brucker@sheffield.ac.uk
Telephone: +44 (0) 114 222 1806

For all other enquiries please contact:

Dr Stuart Wrigley
Business Development Manager

Email: s.wrigley@sheffield.ac.uk
Telephone: +44 (0) 114 222 1880