Statement of Qualifications

ribul - Javagirl

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

5 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

exposé

Phase Separation Science, Inc. Statement of Qualifications 6630 Baltimore National Pike 410-747-8770 800-932-9047 Baltimore, Maryland 21228 FAX 410-788-8723

project requirements during the pre-project
environmental science statement
full data packages
accuracy from sample receipt to final report submission
sample integrity
format requirements
analytical chemistry
project
laboratory

Sujets

Washington (District de Columbia)

TT8820:DatabaseSecurity(STIG) AccordingtoresearchbytheNationalInstituteofStandards,92%ofallsecurityvulnerabilitiesarenowconsideredapplicationvulnerabilitiesandnotnetworkvulnerabilitiesTriveraTechnologies’BestDefense™SecurityTrainingSeriesisasuiteoffrontline‐orientedsecuritycoursesthatprovidecompleteandcurrentcoverageofDISA’sSecurityTechnicalImplementationGuides(STIGS)andassociatedchecklists.STIGSareanintegralpartoftherequiredconfigurationstandardsforDoDInformationAssurancemeasures.Thesemeasuresarefocusedonpreventingcyberespionageandcrimeaswellasdenial‐of‐serviceattacks.Ourcomprehensivesetofclassesaddresseachofthecriticalissueshead‐on,asourcourses,seminarsandworkshopsexplicitly: Teachdevelopers,DBAs,andstakeholderswhatthevulnerabilitiesare Demonstrate,inrealterms,thepotentialimpactofeachofthesevulnerabilities Provideexperienceinhowtorecognizeandproperlyaddressthesevulnerabilities Teachstakeholdershowtodefendagainstthepotentialconsequencesofsecuritybreaches Illustratethevalueandtheprocessofintegratingsecurityintotheentirelifecycleofapplications,products,anddevices Course:TT8820:DatabaseSecurity(STIG)Duration:3daysSkillLevel:IntermediateandbeyondFormat:Extensivehands‐onprogramminglabs,expertlecturecombinedwithopendiscussionsandhigh‐Leveldemonstrationsanddynamicgroupexercises.Language/Tools:SpecificdatabasesthatarecurrentlycoveredareMicrosoftSQLServer,IBM’sDB2,andOracle.DeliveryFormat:Availableforonsiteprivateclassroompresentation,orliveonline/virtualpresentationAudience:DBAs,developers,andotherenterpriseteammembersCustomizable:YesDISA’sDatabaseSTIG,inconjunctionwithbothgenericandproduct‐specificchecklists,providesacomprehensivelistingofrequirementsandneedsforimprovingandmaintainingthesecurityofDatabaseManagementSystemswithintheDepartmentofDefense.Thiscoursefillsinthecontext,background,andbestpracticesforfulfillingthoserequirementsandneeds.Aswithallofourcourses,wemaintaintightsynchronizationbetweenthelatestDISAreleasesandourmaterials.TheclosetiesbetweenthisSTIGandtheApplicationsSecurityandDevelopmentSTIGarereflectedinthecoverageofapplicationissueswithinthecontextofthiscourse.DatabaseSecurityisanintensedatabasesecuritytrainingcourseessentialforDBAs,QA,Testing,andotherpersonnelwhoneedtodeliversecuredatabaseapplicationsandmanagesecuredatabaseswithintheDoD.Inadditiontoteachingbasicskills,thiscoursedigsdeepintosoundprocessesandpracticesthatapplytotheentiresoftwaredevelopmentlifecycle.Perhapsjustassignificantly,studentslearnaboutcurrent,realexamplesthatillustratethepotentialconsequencesofnotfollowingthesebestpractices.Data,databases,andrelatedresourcesareattheheartoftheDoD’sITinfrastructures.Theymustbeprotectedaccordingly.Inthiscourse,studentsrepeatedlyattackandthendefendvariousassetsassociatedwithafully‐functionaldatabase.Thisapproachillustratesthemechanicsofhowtosecuredatabasesinthemostpracticalofterms.Securityexpertsagreethattheleasteffectiveapproachtosecurityis"penetrateandpatch".Itisfarmoreeffectiveto"bake"securityintoanapplicationthroughoutitslifecycle.Afterspendingsignificanttimetryingtodefendapoorlydesignedandconfigured(fromasecurityperspective)databaseapplication,studentsarereadytolearnhowtobuildsecuretheirdatabasesandapplicationsstartingatprojectinception.Thefinalportionofthiscoursebuildsonthepreviouslylearnedmechanicsforbuildingdefensesbyexploringhowdesignandanalysiscanbeusedtobuildstrongerapplicationsfromthebeginningofthesoftwarelifecycle.AkeycomponenttoourcoverageofDISA’sSecurityTechnicalImplementationGuides(STIGS),thiscourseisacompanioncoursewithseveraldeveloper‐orientedcoursesandseminars.Copyright © 2009 Trivera Technologies LLC Worldwide.| CollaborativeIT Training, Mentoring & Courseware Services TT8820_Database_Security_STIG_20090803 | Page1www.triveratech.com |Training@triveratech.com

TriveraTechnologiesBestDefense™ApplicationSecurityTrainingSeries What You’ll LearnCourse Objectives:Who Should AttendAudience & Prerequisites: StudentswhoattendDatabaseSecurity(STIG)willleavethecourseThisisanintermediate‐leveldatabasecourse,designedforthosearmedwiththeskillsrequiredtorecognizeactualandpotentialwhowishtogetupandrunningondevelopingwelldefendeddatabasevulnerabilities,implementdefensesforthosedatabaseapplications.Thiscoursemaybecustomizedtosuityourvulnerabilities,andtestthosedefensesforsufficiency.team’suniqueobjectives.ThiscoursequicklyintroducesstudentstothemostcommonFamiliaritywithdatabasesisrequiredandrealworldexperienceissecurityvulnerabilitiesfacedbydatabasestoday.Eachvulnerabilityhighlyrecommended.Ideally,studentsshouldhaveapproximatelyisexaminedfromadatabaseperspectivethroughaprocessof6monthstoayearofdatabaseworkingknowledge.describingthethreatandattackmechanisms,recognizingRelated Courses – Suggested Learning Path associatedvulnerabilities,and,finally,designing,implementing,andtestingeffectivedefenses.Multiplepracticaldemonstrationsreinforcetheseconceptswithrealvulnerabilitiesandattacks.TakeInstead:WeofferothercoursesthatprovidedifferentlevelsStudentsarethenchallengedtodesignandimplementthelayeredofknowledgeorfocus:defensestheywillneedindefendingtheirowndatabases.ForahighlevelviewoftheSTIGSandrelatedissues,considerTT8800InformationAssurance(STIG)OverviewWorkinginadynamiclearningenvironmentattendeeswilllearnto:Foranapplicationorientation,consider:TT8810ApplicationUnderstandtheconsequencesfornotproperlyhandlingSecurityandDevelopment(STIG)untrusteddatasuchasdenialofservice,cross‐sitescripting,Forahighlevelviewofwebapplicationsecurityandrelatedandinjectionsissues,considerTT8020UnderstandingWebApplicationBeabletoreviewandtestdatabasestodeterminetheSecurityexistenceofandeffectivenessoflayereddefensesandForin‐depthdevelopertrainingforwebapplicationswiththerequiredcheckslifecycleaspect,consider:TT8325SecuringWebApplicationsPreventanddefendthemanypotentialvulnerabilitiesForin‐depthdevelopertrainingwithlesswebapplicationassociatedwithuntrusteddataorientation,consider:TT8200‐JSecureJavaCoding(alsoUnderstandtheconceptsandterminologybehindsupporting,offeredfor.netorotherlanguages)designing,anddeployingsecuredatabasesAppreciatethemagnitudeoftheproblemsassociatedwithTakeAfter:Weofferavarietyofintroductorythroughadvanceddatasecurityandthepotentialrisksassociatedwiththosesecurity,development,projectmanagement,engineering,problemsarchitectureanddesigncourses.Studentsmaywanttoconsiderthefollowingtopicsasfollow‐ontothiscourse.Understandthecurrentlyacceptedbestpracticesforsupportingthemanysecurityneedsofdatabases.TT8150MasteringSecureSOA UnderstandthevulnerabilitiesassociatedwithauthenticationTT8600SecureSoftwareDesignandauthorizationwithinthecontextofdatabasesandAdditionaladvancedSecurityorSecureProgrammingtopicsdatabaseapplicationsService‐OrientedAnalysisandDesignUnderstandthedangersandmechanismsbehindCross‐SiteWebServices–IntrothroughAdvancedScripting(XSS)andInjectionattacksSoftwareEngineering,DesignorProjectManagementtracksPerformbothstaticreviewsanddynamicdatabasetestingtouncovervulnerabilitiesPleasenotealldevelopmentcoursesmayalsobeofferedinotherDesignanddevelopstrong,robustauthenticationandprogramminglanguagesortailoredtosuityouruniqueauthorizationimplementationsrequirements.Pleasecontactusfordetails.Pleasecontactusforrecommendednextstepstailoredtoyourlonger‐termeducation,UnderstandthefundamentalsofEncryptionaswellashowitcanbeusedaspartofthedefensiveinfrastructurefordataprojectordevelopmentobjectives.Delivery Environment: Tools to Use Thisclassis“technology‐centric”,designedtotrainattendeesinessentialsecuredatabaseskills,couplingthemostcurrent,effectiveAlthoughthistrainingisskills‐centric,thiscoursecanbedeliveredtechniqueswiththesoundestindustrypractices.oneofavarietyofdatabaseproducts.PleaseinquirefordetailsandThecourseprovidesasolidfoundationinbasicterminologyandoptions.concepts,extendedandbuiltuponthroughouttheengagement.StudentswillexaminevariousrecognizedattacksagainstdataandStudent Materials: What You’ll Receive databases.Processesandbestpracticesarediscussedandillustratedthroughbothdiscussionsandgroupactivities.OurrobustcoursematerialsincludemuchmorethanasimpleCopyright © 2009 Trivera Technologies LLC Worldwide.| CollaborativeIT Training, Mentoring & Courseware Services TT8820_Database_Security_STIG_20090803 | Page2www.triveratech.com |Training@triveratech.com

TriveraTechnologiesBestDefense™ApplicationSecurityTrainingSeries slideshowpresentationhandout.Studentmaterialsincludeacomprehensivehard‐copycoursemanual,completewithdetailedcoursenotes,codesamples,diagramsandcurrentreferencematerials,alldirectlyrelatedtothecourseathand,indexedforeaseofuse.Step‐by‐steplabinstructionsandprojectdescriptionsareclearlyillustratedandcommentedformaximumlearning.Inadditiontoeverythingstudentsneedforthecourse,thecourseincludesworkshopdemonstrations;non‐restrictedworkshopsoftware,APIs,documentation,technicaleducationpapers,andspecificationsandtutorialspertinenttothetrainingcourse.Ourcoursekitsaredesignedtoserveasanexcellentandusefulreferenceset,longafterweleaveyourclassroom.Optional Pre / PostTesting & Skills Assessment Weworkwithyoutoensurethatyourresourcesarewellspent.Throughourbasiccoursepre‐testingand/orpost‐courseassessments,weensureyourteamisuptothechallengesthatthiscourseoffers.Ourgoalistostructurethebestsolutiontoensureyourneedsaremet,whetherwecustomizethematerial,ordeviseadifferenteducationalpathtoprepareforthiscourse.Pleasecontactusfordetailsaboutouronlinepreandposttest

Session:FoundationMisconceptions‐ThrivingIndustryofIdentifyTheft‐DishonorRollofDataBreaches‐TJX:AnatomyofaDisaster‐Heartland:What?Again?SecurityConcepts‐TerminologyandPlayers‐Assets,Threats,andAttacks‐OWASP‐CWE/SANSTop25ProgrammingErrorsDISA’sSecurityTechnicalImplementationGuides(STIGS)‐Purpose‐Process‐AreasCovered‐Checklists‐Scripts(SRRs)‐ResourcesSecurityConcernsCommontoallDBMSs‐Authentication‐Authorization‐Confidentiality‐Integrity‐Auditing‐Replication,Federation,andClustering‐BackupandRecovery

assessmentservices,custommanagedtrainingplansforonestudentoryourentireorganization,orourcustomonlinetrainingprogrammanagementsystemformonitoringthecoursesorprogresswhileskillingyourstudentsofallexperiencelevels. Bridging the Gap: Collaborative Mentoring ServicesOurteamoftechnicalexpertsisalsoavailableforvariousprojectassistanceservicestohelpyourteamapplytheirnewly‐learnedclassroomskillstotheirreal‐worldprojectinameaningful,practicalway,rightafterthetrainingends.Ourcustomcollaborativementoringprogramsintegratewithorextendyourteam’sclassroomtrainingexperience,tohelpbringtheseskillsintoexisting(orinherited)legacyprojects,intonewprojects,ortosimplykeepyourstudentssharptheminbetweenprojects.Ourprogramscanbehighlyinvolvedandcloselyintegratedwithyourprojecttimelinesorgroupdevelopmentefforts,orcanbelessinvolved,servingsimplyasanoverarchingeducationalframeworkor‘spotcheck’tokeepyourgroupskillsmovingforwardinbetweenprojectsorwaitingforprojectstobegin.Pleasecontactusfordetailsaboutthisexcitingcustomservice.

Workshop Topics Covered ‐OS,Application,andNetworkComponentsDefensivePrinciples‐SecurityIsALifecycleIssue‐MinimizeAttackSurface‐ManageResources‐ApplicationStates‐Compartmentalize‐DefenseInDepth‐LayeredDefense‐ConsiderAllApplicationStates‐NotTrustingTheUntrusted‐SecurityDefectMitigation‐LeverageExperienceReality‐Recent,RelevantIncidents‐FindSecurityDefectsInDBMSsSession:TopDatabaseSecurityVulnerabilitiesUnvalidatedInput‐SourcesofUntrustedInput‐TrustBoundaries‐DesigningandImplementingDefensesBrokenAuthentication‐QualityofPasswords‐ProtectionofPasswords‐HashingPasswords‐ProtectingAuthenticationAssets‐SystemAccountManagement

‐UserAccountManagementBrokenAccessControl‐GainingElevatedPrivileges‐CompartmentalizationBasedonLevelofPrivilege‐SpecialPrivilegesProvidedbyDatabaseandSystems‐ProtectingSpecialRolesCrossSiteScripting(XSS/CSRF)Flaws‐WhatandHow‐RoleofDatabasesinEnablingXSS‐DesigningandImplementingDefensesInjectionFlaws‐WhatandHow‐SQL,PL/SQL,XML,andOthers‐StoredProcedures‐BufferOverflows‐DesigningandImplementingDefensesErrorHandlingandInformationLeakage‐WhatandHow‐FourDimensionsofErrorResponse‐ProperErrorHandlingDesignInsecureHandling‐DataatRest‐DatainMotion‐Encryption

Copyright © 2009 Trivera Technologies LLC Worldwide.| CollaborativeIT Training, Mentoring & Courseware Services TT8820_Database_Security_STIG_20090803 | Page3www.triveratech.com |Training@triveratech.com

TriveraTechnologiesBestDefense™ApplicationSecurityTrainingSeries ‐CompartmentalizationBasedonPracticesBestPractices LevelofPrivilegeEnclaveBoundaryDefensesGenericDatabaseChecksand‐BackupsandArchivesContinuityofServiceProcedures‐ConnectionStringsandHigh ‐DefendingBackup/RestorationSQLServerChecksandProceduresValueServer‐SideCredentialsAssets(Optional)‐DesigningandImplementing ‐DataandSoftwareBackups ‐InstallationChecksDefenses ‐TrustedRecovery ‐DatabaseChecksInsecureManagementofVulnerabilityandIncidentOracleChecksandProceduresConfigurationManagement(Optional)‐InitialInstallation‐DatabaseAutomatedChecks‐PatchManagementSession:SecureSoftwareDevelopment‐DatabaseInterviewChecks‐ServerHardening(SSD)‐DatabaseManualChecks‐OperatingSystemHardeningSSDProcessOverview ‐DatabaseVerifyChecks‐ConnectionHardeningAsset,Boundary,andVulnerability ‐HomeAutomatedChecks‐ReplicationHardeningIdentification ‐HomeInterviewChecks‐BestPractices‐HomeManualChecksProcess,Design,andCodeReviewsDirectObjectAccess‐HomeVerifyChecksApplyingProcessesandPractices‐WhatandHowPracticalApplicationoftheChecklistsConfigurationSpecificationand‐RoleofDatabasesinEnablingComplianceAccess__________________________________SoftwareandDataBaselines‐HighRiskPracticestoAvoidTestingasLifecycleProcessNeedmoredetails?PleasenotethataTestingPlanningandDocumentationSession:STIGDatabaseSecuritymoredetailedoutlineofthecoursetableTestingToolsAndProcessesRequirementsofcontents,listsoflabexercisesand‐PrinciplesIdentificationandAuthenticationprojectdescriptionsisavailable.Please‐Reviews‐GroupandIndividualcontactusatTraining@triveratech.com‐Testing‐KeyManagementPracticesforinfo.‐Tools‐TokenandCertificatesPracticesStaticandDynamicAnalysisEnclave/ComputingEnvironmentNeedcourseware?ThiscourseisfullyTestingPractices‐AuditingMechanicsandBestcustomizable,andalsoavailablefor‐AuthenticationTestingPracticeslicensewithcompletesupportforqualified‐DataValidationTesting‐DataChangesandControlsorganizations.Pleasecontact‐DenialOfServiceTesting‐EncryptionCourseware@triveratech.comfordetails.‐PrivilegeManagementSession:DatabaseChecklists‐AdditionalControlsandChecklistOverview,Conventions,and_____________________________________________________________________________________________________________________Why Work With Trivera Technologies? Whetheryouareaprojectleaderchoosingatrainingproviderorcoursetobringtoyourteam,oranorganizationoraninstructorlookingtopotentiallylicenseorusecoursematerialstotrainyourownteam,orastudentlookingforanexciting,targetedtrainingclasstoattendortorecommendtoyourcolleagues‐OursinglefocusistomakeYOURtrainingeventorexperienceasuccess.Here’swhychoosingTriveraTechnologiesasyourITsecurityeducationresourcetakestheriskrightoutofyourdecisionmakingprocess…Weprovideasolidsecure,design,codingandimplementationfoundation.Studentswilllearnhowtocode,use(andreuse!)essentialsecureJavaprogramminganddesignskillsandconceptsproperly,usingbestcodingpractices,groundingthemforadvancedcurriculum,andwillbepreparedfordesigningandimplementingsolutions.Studentswilllearntheimportanceofdevelopingwell‐defendedapplications.Ourcoursesarefocused‐no"fluff"included.Weoffermorethana“laundrylist”approachtoteaching.Alllessonshaveclearobjectives,arefundamentaltocoresecureapplicationdevelopmentanddesignpractices,andarereinforcedbyhands‐onlabsandsolidpracticalexamples.Eachlessonhasperformancedrivenobjectivesthatensurestudentswilllearntechnologiesandskillscoretofundamentalserver‐ sideapplicationdesign–nothingmore,nothingless.Ourmaterialsarecomprehensive,andcurrent.Ourcomprehensivemanualsincludenotonlyahardcopyofthecoursepresentation,butalsodetailedreferencenotes,pertinentdiagramsandcharts,currentlistsofsuggestedonlineresourcesandarticles,andoftentechnicaltutorialsorwhitepapersgearedtothetopicsathand.Ourdedicatedcoursedevelopmentteamkeepseverythingascurrentaspossiblewithbothindustrytrendsandsoftwareeditionstoensureyourteamisgettingthemostcurrentinformationavailable.Wefoster"LearningbyDoing".Progressivelabsaredesignedinsuchawaythatstudentsgetafirmgrasponfundamentalskillswhiletheyworktowarddesigningacompleteapplication.Alllabsaretake‐home,andallsolutioncodeispresentedinaneasytouseself‐studyformat

Copyright © 2009 Trivera Technologies LLC Worldwide.| CollaborativeIT Training, Mentoring & Courseware Services TT8820_Database_Security_STIG_20090803 | Page4www.triveratech.com |Training@triveratech.com