Advanced Application Security and Audit Bootcamp - MIS Training

The International 

Information Security Training 

EARN 

37 CPE CREDITS 

10th - 14th November 2008, London 

Course Director Ken Cutler, CISSP, CISM, CISA 

Over 25 years of experience in IS, IT auditing, quality assurance, BCP and information services 

Advanced Application 

Security and Audit 

Bootcamp 

Designing and Ensuring End-to-End Security and Compliance in Today's E-Business Applications 

Review 

the major application security risks 

Learn 

tools, techniques, and checklists for ensuring reliable 

enterprise security services 

Gain 

insight into common security vulnerabilities and 

outlooks on application software 

Identity 

and Access Control Management (I&ACM) 

Architecture 

And much more... 

SAVE UP TO 50% 

WITH IN HOUSE 

TRAINING 

Details inside 

LONDON 

Web mistieurope.com Email mis@mistieurope.com

Advanced Application Security and Audit Bootcamp 

Designing and Ensuring End-to-End Security and Compliance in Today's 

E-Business Applications 

10th - 14th 

November 2008, 

London 

Seminar Focus & Features 

The recent avalanche of government regulatory initiatives, litigations, and intensified attacks on Web-based applications, along with 

traditional information asset protection, have significantly raised the stakes on the importance of secure application design, testing, 

certification/accreditation, and audit. In addition, IT applications have become more complex and frequently rushed to market by 

commercial IT product and internal developers, increasing the business risks and the challenges to applying and verifying reliable security 

safeguards. In this information-packed five-day seminar you will cover key building blocks and significant risks, and systematically sort 

through the available safeguards in today's complex Web-enabled, multi-tiered applications, including elusive Web services and 

service-oriented architecture (SOA) applications. You will place special emphasis on a control point definition and transactional analysis 

approach to application design. You will also cover security service providers and auditing within the context of robust but practical 

enterprise architecture and governance models. Case studies, demonstrations, and checklists will provide reinforcement and enhanced 

comprehension of complex design, safeguard concepts, and best practices. 

Course Director Ken Cutler 

Ken Cutler is Vice President - Information Security (IS) for MIS Training Institute (MISTI) where his current responsibilities include: IT audit and IS 

curriculum development, and chairing major IS and Business Continuity Planning (BCP) conferences and symposia. Ken is a frequent and much-indemand 

speaker on a wide array of IS and audit topics. He is also the President and Founder of Ken Cutler & Associates (KCA), an independent 

information security consulting firm. Through KCA, Mr. Cutler has personally delivered consulting services in both management and hands-on 

technical areas. He has also managed and directly participated in numerous information security consulting projects under various former MISTI 

affiliated professional services divisions, including the Information Security Institute (ISI) and Advanced Information Management (AIM). He 

directed the development and growth of MISTI’s IS curriculum and has frequently demonstrated his diverse expertise by personally developing and 

delivering numerous seminars and hands-on workshops in IS management and concepts, IT auditing, network infrastructure security and audit, 

wireless security, and vulnerability testing. Since 1996, Mr. Cutler has frequently delivered hands-on network auditing and vulnerability testing 

courses in the United States, Russia, United Kingdom, Middle East, and Greece. Audiences for his MISTI hands-on government technical auditing 

programs include: NASA, NIST, NSA, and FDIC. His input on vulnerability testing tools is frequently sought out by major software vendors, such as 

Internet Security Systems, Symantec (Axent), SPI Dynamics, and The Saint Corporation. 

Mr. Cutler has over 25 years of experience in IS, IT auditing, quality assurance, BCP, and information services. His industry experience includes 

insurance, banking, financial services, natural resources, manufacturing, government contracting, consulting and training. Ken has held numerous 

positions in IT management, including IT audit fields. He has lectured at many major industry and regional professional association events, including 

frequent appearances at numerous COMDEX shows in the United Sates, Canada, and The Middle East. Mr. Cutler has chaired the popular InfoSec 

Mexico program. Ken has been a featured speaker at the Middle East IT Security Conference (MEITSEC) in Dubai, UAE. 

Ken’s current consulting and training experience was preceded by his heading company-wide IS programs for American Express Travel Related 

Services, Martin Marietta Data Systems, and Midlantic Banks, Inc. The scope of his management responsibilities at each of those major 

corporations included: security policies and standards, awareness programs, security risk assessments, overseeing security administration, 

consulting services, and security technology selection. He was appointed to form the Information Security program, including Disaster Recovery 

Planning, at Midlantic Banks, Inc. in response to the results of a series of his in-depth technical internal audits identifying major exposures in major 

application recoverability and data protection controls. 

While at Midlantic Banks, he also served as the first President of the COMDISCO International Disaster Recovery Users Group. He represented 

American Express at the International Information Integrity Institute (I-4) and was unanimously elected by its members to serve on the I-4 Member 

Advisory Committee (MAC) during his first year of participation. 

Ken has been a long-time active participant in international government and industry security standards initiatives including the President’s 

Commission on Critical Infrastructure Protection, Generally Accepted System Security Principles (GSSP), Information Technology Security Evaluation 

Criteria (ITSEC), US Federal Criteria, and Department of Defense Information Assurance Certification Initiative. 

Mr. Cutler is the primary author of the widely acclaimed Commercial International Security Requirements (CISR), which offers a commercial 

alternative to military security standards for system security design criteria. He is the co-author of NIST SP 800-10, “Guidelines on Firewalls and 

Firewall Policy”. Ken has also published works on the intricacies of information security, security architecture, disaster recovery planning, wireless 

security, vulnerability testing, firewalls, and single sign-on. In addition, he has been frequently quoted in popular trade publications such as 

Computerworld, Information Security Magazine, Infoworld, Information Week, CIO Bulletin, Healthcare Information Security Newsletter, and MIS 

TransMISsion. Mr. Cutler was featured in a special TV program entitled, “The Electronic Battlefield”, on Abu Dhabi, UAE Public TV and has also been 

interviewed on several US radio talk programs, including My Technology Lawyer and Talk America. 

In-House Training 

Save Up To 50% When You Run 

This course In-house 

In-house tailored training will enable 

you & your colleagues to make 

significant savings as we charge per 

day & not per participant so the cost 

remains the same regardless of how 

many people attend. We can offer any 

of our public courses or tailor them to 

your requirements. Training is 

available in all areas of Internal Audit, 

IT Audit, and IT Security 

If you have 6 or more colleagues who 

would be interested in one of our 

courses and you would like to make 

significant savings, contact us now; 

• What are your training objectives? 

• How many people require the 

training? 

• When would you like to run the 

training? 

• What level of experience do you 

and your colleagues have? 

• We will then email you a detailed 

proposal which addresses your 

unique needs. 

You will have complete control of the 

training content and decide when it is 

run. We guarantee that we will be able 

to cater for all your business needs. 

More Great Reasons to Choose 

our In-house Training: 

• Save money over public seminar 

fees 

• Save money on travel & 

accommodation 

• Save time on travel as the instructor 

will travel to you. Furthermore, the 

training can be held at the most 

convenient time for you. 

• Tailor the course content; ensure 

the relevance of the seminar for 

your colleagues. You can tailor the 

structure & methodology of your 

seminar or customise the seminar 

to meet the expertise levels of the 

participants. 

• Bring the best in the business; 

Instructors are hands-on, expert 

practitioners who are your subject 

matter consultants when they are 

not training. 

• Gain CPE points & certificates for 

the number of training hours. 

Email Guy Cooper at 

gcooper@mistieurope.com 

or call 

+44 (0) 20 7779 8975

Day One 

Business Drivers for 

Secure Applications 

• Goals for information security safe 

guards in applications 

• Legislation and standards affecting 

application security 

• Review of major application 

security risks 

• Classification/impact analysis to 

define security controls 

• Security assurance in the system 

development life cycle 

Identity and Access 

Control Management 

(I&ACM) Architecture 

• Defining an enterprise information 

security architecture 

• Using the Information Security 

Management Cycle to define an 

I&ACM security and audit 

deployment game plan 

• Essential I&ACM policy, standards, 

and procedures 

• Ownership, provisioning, and 

security administration 

• Translating security policies into 

application safeguards 

• Computing models, roles, 

components, and associated 

control points 

• Access control models and 

architecture 

• Security mechanisms and 

systems 

• Client/server and middleware 

security for multi-tiered 

applications 

• Using access path and 

transactional analysis to pinpoint 

control points and safeguards 

• Locating control points in 

complex, multi-tiered applications 

Application Infrastructure 


• Key application building blocks 

• Baselines for secure operating 

system security 

• Physical files, network shares, 

databases, and other file sharing 

technologies 

• Controls over privileged programs 

and users 

• Network application services 

security risk analysis 

• Practical approaches to audit logs 

and monitoring 

• Printer and “high-end” office 

equipment security 

• Application vulnerability tracking 

resources and testing tools 

• Change controls and configuration 

management 

• Tools, techniques, and checklists 

for securing and auditing 

application infra structure security 

Day Two 

Relational Database 

Management System 


• Relational database management 

systems (RDBMS) 

• Structured Query Language (SQL) 

• Security risks associated RDBMS 

systems 

• Connection and authentication for 

RDBMS systems 

• Comparing security and audit 

features for major RDBMS 

products: IBM DB2, 

Oracle, Microsoft SQL Server 

• Connection and 

authentication for RDBMS 

systems 

• User accounts, roles, and 

privileges 

• Database object 

protection methods: 

access control, 

encryption 

• Database audit logging 

options 

• Database integrity and 

availability controls 

• Built-in audit tools: tables, 

stored procedures 


for securing and auditing RDBMS 

components 

Day Three 

Encryption, Directories, 

and Other Enterprise 

Security Services 

• Encryption fundamentals 

• Key management: symmetrical, 

asymmetrical 

• Making sense of all the encryption 

algorithms 

• Public key infrastructure (PKI) and 

certificate authorities (CAs) 

• Mapping encryption requirements 

to the OSI and TCP/IP models 

• Session and network encryption: 

SSL/TLS, SSH, VPNs 

• Critical enterprise directory 

services: LDAP 

• Single/reduced sign-on (SSO) 

pros and cons: scripting, trusted 

domains, Kerberos, digital 

certificates, Web-based SSO 

• Federated authentication services 

and protocols: Windows Live ID, 

Liberty Alliance, Security 

Assertion Markup Language 

(SAML) 


for ensuring reliable enterprise 

security services 

Security and Audit of 

Web-Enabled 

Applications 

• Web application control points: 

HTTP protocol exposed 

• Web application security 

vulnerabilities 

• Attacks on Web servers: crosssite 

scripting, SQL injection, buffer 

over flow 

• Best practices for Web server 

security 

• Perils and protections for remote 

Web application development: 

Frontpage, WebDAV 

• Application firewalls and intrusion 

prevention systems 

• Web browser security 

considerations 


for testing Web application 

security 

Day Four 

Security in Application 

Software Design 

• Major Web application 

environments and tools 

• Common security vulnerabilities 

and attacks on application 

software 

• Coding snafus and how to avoid 

them 

• Server-side web page scripting 

security: SSI, CGI, ASP, PHP, JSP, 

ASP.NET 

• Mobile code security: Java, 

ActiveX, VBScript, JavaScript, 

AJAX 

• HTTP state management: cookies, 

hidden fields, view state, query 

strings 

• Input validation and editing 

• Software testing tools 


for auditing application design 

security 

Day Five 

Web Application Servers 

• Roles, architecture, and security 

control points for XML-oriented 

development environments and 

associated Web application 

servers 

• Defining key sources of Web 

application server security: 

declarative vs. programmatic 

controls, database and Enterprise 

Information System (EIS) 

connectors 

• Locating security and audit 

features in different versions of 

Microsoft .NET Framework and 

associated ASP.NET and ADO.NET 

components 

• Demystifying the architecture, 

vendor variations, and security 

features of Java 2 Enterprise 

Edition (J2EE) and the underlying 

Java security services 

• Tools and techniques for securing 

and auditing Web application 

servers 

Web Services and 

Service-Oriented 

architecture 

• Web services definition and 

architecture 

• Web services standards 

• Web services security and audit 

• Service Oriented architecture 

(SOA): Pie in the Sky? 

• SOA Enterprise Service Bus (ESB) 

• Web services security and audit 

tools, and techniques 

Remote Access and 

Mobile Application 


• Key control points in remote 

access and mobile applications: 

Blackberry, Wireless Application 

Protocol (WAP) 

• Gateways for mobile applications: 

vulnerabilities and safeguards 

• Checklist for secure mobile and 

wireless application best practices 

© MIS Training 2008 

Who Should Attend 

Information Security Managers 

and Analysts; IT Managers, 

Auditors, and Architects; Security 

Architects; Application 

Certification Specialists, 

Consultants, Architects and 

Developers 

Prerequisite 

None 

Learning level 

Advanced 

Bonus 

You will receive the Standard 

Edition of the MIS Swiss Army 

Knife Reference listing 

hundreds of valuable resources for 

you and your organisation 

Fee 

GBP £2,545 

Earn 37 

CPE Credits 

Previous attendees 

Met my 

expectations 

Audit Advisor, Statoil 

Good 

explanation 

and clears up 

the difference 

between 

monitoring & 

auditing 

IT Audit Manager, HBOS 

Plc


Designing and Ensuring End-to-End Security and Compliance in Today's E-Business Applications 

When registering for this event please quote reference WEB 

Key topic areas 

• Review the major application security risks 

• Learn tools, techniques, and checklists for ensuring reliable enterprise 

security services 

• Gain insight into common security vulnerabilities and outlooks on 

application software 

• Identity and Access Control Management (I&ACM) Architecture 

• And much more... 

Why should you attend? 

• MIS Training is the global leader in IT audit and info security training, 

having trained over 200,000 delegates 

• Course Instructors are the most reputable in the industry 

• We have an impressive client list including ABN AMRO, Alliance & 

Leicester, Barclays, BT, Deutsche Bank, Goldman Sachs, HM Revenue 

and Customs, to name a few 

• Earn CPE points - which can be used to qualify/maintain a CISSP, CISA 

or CISM 

10th - 14th November 2008, London 

PLEASE SEND ME INFORMATION ABOUT RUNNING THIS COURSE IN-HOUSE 


(please photocopy form for additional delegates) 

10th - 14th November 2008, London (MT2509) 

GBP £2,545 £ 

+ VAT @ 17.5% £ 

Grand Total £ 

Payment Information 

You can now pay online at www.mistieurope.com 

Cheque enclosed (payable to MIS Training) 

Please invoice my company PO# 

Please debit my credit card AMEX VISA MasterCard 

Card Number 

Cardholders name 

Please include billing address if different from address given 

Expiry 

Verification Code 

Please note that in completing this booking you undertake to adhere to the 

cancellation and payment terms listed below 

Signature 

Date 

Approving Manager 

*Discounts: Please call to enquire 

about corporate discounts. 

Discounts can not be used in 

conjunction with each other. 

Position 

5 easy ways to register 

Tel: +44 (0)20 7779 8944 

Fax completed form to: +44 (0)20 7779 8293 

Email: mis@mistieurope.com Web: www.mistieurope.com 

Post completed form to: Carlos Doughty, MIS Training, Nestor House, 

Playhouse Yard, London EC4V 5EX UK 

Customer Information 

Title First name Surname 

Title/Position 

Organisation 

E-Mail Address (Required) 

Address 

Country 

Postcode 

Telephone 

Fax 

VAT Number (If you have one) 

The information you provide will be safeguarded by the Euromoney Institutional Investor PLC 

group whose subsidiaries may use it to keep you informed of relevant products and services. 

We occasionally allow reputable companies outside the Euromoney Institutional Investor PLC 

group to contact you with details of products that may be of interest to you. As an international 

group we may transfer your data on a global basis for the purposes indicated above. If you 

object to contact by telephone fax or email please tick the relevant box. If you do not 

want us to share your information with other reputable companies please tick this box 

Please send me information on 

In House Training 

Preparing for the CISA Exam, 3rd - 7th November 2008, London 

Security & Audit of Unix/Linux, 18th - 20th November 2008, London 

Registration Information 

(fees must be paid in advance of the event) 

Accommodation: The course will be held in a Radisson Edwardian hotel in Central London (zone 1). To get the best available rate at Radisson Edwardian hotels in London 

please visit www.radissonedwardian.com/mis or, alternatively contact the hotel direct and quote the MIS event title and dates when making your booking. 

Cancellation Policy: Should a delegate be unable to attend, a substitute may attend in his or her place. Cancellations received within 21 working days of the event are liable 

for the full seminar fee. If full payment has been received you are eligible for a 75% reduction on the next run of the seminar. This discount will be valid for one year only. MIS 

reserves the right to change or cancel programmes due to unforeseen circumstances. 

VAT: All delegates attending are liable to pay VAT. After the event organisations registered for VAT in the UK may reclaim the tax. 

Delegates from outside the UK but within the European Community may also be able to reclaim the VAT. Organisations outside 

the UK should check with their excise authority as to which domestic fiscal regulations apply. High Yield/No-Risk 

EARN 

37 CPE CREDITS 

Web mistieurope.com 

Email mis@mistieurope.com

Advanced Application Security and Audit Bootcamp - MIS Training

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?