MUNDOSAP

  #1  
25/02/09, 17:59:09
SGS2790
Junior Member
Join Date: Feb 2009
Location: Santiago
Posts: 10
Secure Development Engineer

Content Outline For Experience Assessment
1. Secure Software Concepts
A. Confidentiality, Integrity, Availability
B. Authentication, Authorization, and Auditing
C. Security Design Principles
1 Least Privilege
2 Separation of Duties
3 Defense in Depth
4 Fail Safe
5 Economy of Mechanism
6 Complete Mediation
7 Open Design
8 Least Common Mechanism
9 Psychological Acceptability
10 Weakest Link
11 Leveraging Existing Components
D. Risk Management (e.g., vulnerabilities, threats and controls)
E. Regulations, Privacy, and Compliance
F. Software Architecture (e.g., layers)
G. Software Development Methodologies
H. Legal (e.g., Copyright, IP and trademark)
I. Standards (e.g., ISO 2700x, OWASP)
J. Security Models (e.g., Bell-LaPadula, Clark-Wilson and Biba)
K. Trusted Computing (e.g., TPM, TCB)
L. Acquisition (e.g., contracts, SLAs and specifications)
2. Secure Software Requirements
A. Policy Decomposition
1 Confidentiality, Integrity, Availability Requirements
2 Authentication, Authorization, and Auditing Requirements
3 Internal and External Requirements
B. Identification and Gathering
1 Data Classification
2 Use Cases
3 Abuse Cases (inside and outside adversaries)
3. Secure Software Design
A. Design Processes
1 Attack surface evaluation
2 Threat modeling
3 Control identification
4 Control prioritization
5 Documentation
B. Design Considerations
1 Confidentiality, Integrity, Availability (e.g., encryption, hashing, and recovery methods)
2 Authentication, Authorization, and Auditing (e.g., multifactor authentication, and logging)
3 Security Design Principles
4 Interconnectivity
5 Security management interfaces
6 Identity Management
C. Architecture
1 Distributed computing
2 Service-oriented architecture
3 Rich Internet applications
4 Pervasive computing
5 Integration with existing architectures
6 Software as a Service
D. Technologies
1 Authentication and Identity Management
2 Credential management (e.g., X.509 and SSO)
3 Flow control (e.g., proxies, firewalls, middleware)
4 Audit (e.g., syslog, IDS and IPS)
5 Data Protection (e.g., DLP, encryption and database security)
6 Computing environment (e.g., programming languages, virtualization, and operating systems)
7 Digital Rights Management (DRM)
8 Integrity (e.g., code signing)
E. Design and architecture technical review (e.g., reviewing interface points and deployment diagram)
4. Secure Software Implementation/Coding
A. Declarative versus programmatic security (e.g., bootstrapping, cryptographic agility, and handling configuration parameters)
B. Common software vulnerabilities and countermeasures
1 OWASP and CWE vulnerability categories (see references)
2 Virtualization
3 Side Channel (e.g., cold booting)
4 Embedded systems
C. Defensive coding practices (e.g., type safe practices, locality, memory management, error handling)
D. Exception management
E. Configuration management (e.g., source code and versioning)
F. Build environment (e.g., build tools)
G. Code/Peer review
H. Code Analysis (static and dynamic)
I. Anti-tampering techniques (e.g., code signing)
J. Interface coding (e.g., proper authentication and third party API)
5. Secure Software Testing
A. Testing for Security Quality Assurance
1 Functional Testing (e.g., reliability, logic, performance and scalability)
2 Security Testing (e.g., white box and black box)
3 Environment (e.g., interoperability)
4 Bug tracking (e.g., defects, errors and vulnerabilities)
5 Attack surface validation
B. Test Types
1 Penetration Testing
2 Fuzzing
3 Scanning
4 Simulation Testing (e.g., environment and data)
5 Testing for Failure
6 Cryptographic validation (e.g., PRNG)
C. Impact Assessment and Corrective Action
D. Standards for software quality assurance (e.g., ISO 9126, SSE-CMM and OSSTMM)
E. Regression testing
6. Software Acceptance
A. Pre-release or pre-deployment
1 Completion Criteria (e.g., documentation, BCP)
2 Risk Acceptance
3 Documentation (e.g., DRP and BCP)
B. Post-release
1 Validation and Verification (e.g., Common Criteria)
2 Independent testing (e.g., third party)
7. Software Deployment, Operations, Maintenance and Disposal
A. Installation and Deployment
1 Bootstrapping (e.g., key generation, access management)
2 Configuration Management (e.g., elevated privileges, hardening, platform change)
B. Operations and Maintenance
1 Monitoring (e.g., Metrics and Audits)
2 Incident Management
3 Problem Management (Root Cause Analysis)
4 Patching
C. End of life policies

For a multinational company

Send CV to
www.mundosap.com 2006 - Spain