
Current Classes
  • Security in the Cloud
  • Secure Audit Logging
  • SOA, Web Services, & XML Security
  • Collaboration in Secure Software Development Process
  • Threat Modeling

Security in the Cloud

Who should attend: Security and software architects - anyone who needs to make design decisions for securing cloud technologies.

The time to build security into the system is when the systems are being designed. This means that security teams must get involved early in the system development lifecycle. Cloud architectures are rapidly evolving, and how they will end up looking is uncertain. What is certain is that if security is left to the last minute, it will be too late for anything beyond patch and pray.

Practical Focus: In this class you will learn how to build security services in cloud computing using access control, defensive, and enablement services.

Topics include:

  • Identity services: Key differences in how identity is handled in the cloud
  • Separating authentication, authorization, and attribution concerns
  • How to design for and roll out SAML, Information Cards, and OAuth identity standards
  • SOAP and REST Web services, including WS-Security, XML Signature, and XML encryption
  • Gateway and proxy cloud patterns: on/off ramp patterns to mediate cloud communications
  • Setting up federated identity with SAML and security token servers
  • Enabling a consistent authorization policy with XACML and SecPal
  • Hands-on threat-modeling exercises

Training is available as private (on or off site) and public sessions.

Requesting Training
Training may include up to 30 participants. Courses may be held at the client's site or off site. To discuss pricing, availability, and other training questions, mail info@arctecgroup.net.

Instructor
Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission-critical financial, financial-exchange, healthcare, manufacturing, and insurance systems, as well as emerging start-ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences.

Workshop: Secure Audit Logging
How to Build Visibility into your Software for Improved Security and Compliance

There are a lot of products out there that help enterprises implement and manage logs for improved security and PCI compliance, but the problem remains for security analysts, developers, and architects: how to integrate audit logging into their real, production systems? In this class you will learn how to design interfaces to logging APIs, where to hook them into the applications, what types of events to log, and how to make the log messages useful to the responder.

The class examines the following Audit Logging disciplines.

Application Security: Secure Audit Logging training

  • Introduction - A Day in the Life of a Security Incident
  • Audit Logging Goals
  • Using Audit Logs for reporting
  • Audit Log Event Record Format
  • Publishing & Storing Audit Log data
  • Integrating the Audit Logger to your application
  • What Goes Wrong (and how to fix it)

Audience: this class is aimed at developers, architects, and security people

Workshop: SOA, Web Services, and XML Security

Course Objectives: Understand the real risks in SOA, Web Services, and XML, not just the hype:

  • What standards there are to help and how to use them
  • Where standards don't help

After completing this class, you should be able to:

  • Architect security services in Web Services and SOA
  • Understand how an attacker looks at Web Services
  • Use best practices

Training is available as private (on or off site) and public sessions.

SOA, Web Services, and XML Security - One Day

The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. This session takes a pragmatic approach to identifying Web Services security risks and to selecting and applying countermeasures to the application code, web servers, databases, application and identity servers, and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

Details

Topics covered include understanding how web application risks (such as those in the OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

  • Web Services attack patterns
  • Common XML attack patterns
  • Data and XML security using WS-Security, SAML, XML Encryption, and XML Digital Signature
  • Identity services and federation with SAML and Liberty
  • Hardening Web Services servers
  • Input validation for Web Services
  • Integrating Web Services securely with backend resources and applications using WS-Trust
  • Secure exception handling in Web Services
  • Understanding the impact of Web 2.0 technologies like Ajax and REST on distributed systems security

Requesting Training

Training is either full or half day. Training may include up to 30 participants. Courses may be held at the client's site or off site. To discuss pricing, availability, and other training questions, mail info@arctecgroup.net.

Instructor
Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission-critical financial, financial-exchange, healthcare, manufacturing, and insurance systems, as well as emerging start-ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences.

Testimonials

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
- Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strengths and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
- Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
- Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr. Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
- Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
- Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant, Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
- Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and young. A course such as this helps bring it into focus."
- Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
- Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SOA than I."
- John Glazeski, Senior Systems Engineer

Workshop 3 - Collaboration in a Secure Development Process (Full and 1/2 day sessions)
Target Audience: security personnel, developers, architects, business analysts, and managers
Building more secure software means proactive collaboration in the development lifecycle, leveraging existing artifacts and creating security-centric artifacts. This session focuses on pragmatic techniques to articulate security goals in commonly used artifacts such as Use Cases, Unit Tests, Test Cases, and Software Architecture documents. The session further examines secure coding principles and security-centric artifacts and activities in a series of hands-on exercises dealing with Threat Models and Abuse Cases. Workshop participants learn techniques and abilities that allow them to improve their enterprise's software security.

Workshop 4 - Know Your Threats: Threat Modeling (Full and 1/2 day sessions)
Target Audience: security personnel, developers, and architects
This session focuses on the specific discipline of Threat Modeling. The chief value of threat models is to identify and prioritize threats to systems and assets so that countermeasures and security mechanisms can be architected to make the system resilient. This session includes hands-on examples of using threat modeling for distributed systems to build a secure architecture. Workshop participants learn how to identify and model threats using a variety of industry-standard models, and how to deploy threat models in the software development process to drive architecture, testing, and coding.

Copyright © 2005-7 Arctec Group, LLC. All Rights Reserved.