Free Analyst Application Security Course (6 Months)

Analyst Application Security:

Analyst Application Security in the IT-ITeS Industry is also known as Engineer Application Security. In consulting firms the role is known as Consultant Application Security.

Brief Job Description:

Individuals at this job are responsible for vulnerability assessment of applications, performing source code review, testing the source code, suggesting remediation actions, performing hardening, and monitoring the organization's traffic and logs for threats.

Personal Attributes:

This job may require the individual to work independently and take decisions for his/her own area of work. The individual should be result-oriented and have a high attention to detail. The individual should also be able to demonstrate communication skills and logical thinking, along with a willingness to undertake a desk-based job with long hours.


Identify and analyze exposures and weaknesses in applications and their deployments:

Performance Criteria

PC1. gather preliminary information about the application through manual documentation review
PC2. evaluate the criticality of information by taking into consideration various factors
PC3. identify the application type/category by considering various factors
PC4. gather web-based information through the use of automated tools and techniques
PC5. establish the application functionality, connectivity, interdependency and working
PC6. review application design and architecture to check that appropriate security requirements are enforced
PC7. check the source code of an application manually and identify security issues
PC8. explore potential threats by considering threats from various sources
PC9. evaluate the vulnerabilities discovered for their relevance, root causes, risk criticality, and corresponding mitigation methods
PC10. collate application security controls from various internal and external sources
PC11. collate information about the application with respect to industry trends through various sources
PC12. gather information related to application patching and its interdependencies with IT infrastructure requirements
PC13. assess application vulnerability using security assessment tools
PC14. isolate root causes of vulnerabilities and identify fixes, by including contextual information like architectural composition, exploitation methods, and probabilities of exposure
PC15. validate data to identify failed false positives and individual vulnerabilities
PC16. categorize vulnerabilities and identify extent of vulnerability including level of weakness and sensitivity of the information
PC17. develop an application tracker capturing relevant information
PC18. plan for application penetration testing covering various parameters
PC19. test applications using various testing methods
PC20. conduct penetration testing using automatic scanning technologies and "black box" testing, as well as manual tests that use human intelligence to guide the steps
PC21. capture the requirements for securing applications stipulated by clients & external stakeholders in the designated format during the application life cycle
PC22. document information and activities at every step to provide an audit trail
PC23. secure storage of data collected during the assessment, including vulnerabilities, analysis results, and mitigation recommendations
PC24. automate correlation of static, dynamic and interactive application security testing results
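PC15, PC16, PC17 and PC24 together describe a tracker that merges static and dynamic testing results, categorizes each finding and flags those that still need false-positive review. The following Python script is an added example, not part of this qualification pack and not the output of any real scanner; the finding fields, the status labels and the sample findings are this example's own constructed conventions.

```python
"""Correlate static (SAST) and dynamic (DAST) findings into one tracker.

Added example, not part of the qualification pack and not the output of any
real scanner: findings are grouped by CWE and affected component so that an
issue seen by both tool classes is treated as confirmed, a DAST-only issue as
confirmed at runtime, and a SAST-only issue as a candidate false positive
that needs manual validation.
"""
from collections import defaultdict

# Constructed sample findings; the field names are this example's own.
SAST_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "component": "/api/orders",
     "location": "orders.py:42", "severity": "high"},
    {"tool": "sast", "cwe": "CWE-79", "component": "/search",
     "location": "views.py:17", "severity": "medium"},
    {"tool": "sast", "cwe": "CWE-798", "component": "config",
     "location": "settings.py:3", "severity": "high"},
]
DAST_FINDINGS = [
    {"tool": "dast", "cwe": "CWE-89", "component": "/api/orders",
     "location": "param=id", "severity": "critical"},
    {"tool": "dast", "cwe": "CWE-16", "component": "/",
     "location": "missing Strict-Transport-Security header", "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def correlate(sast, dast):
    """Merge findings by (CWE, component); derive a status and a severity."""
    groups = defaultdict(list)
    for finding in sast + dast:
        groups[(finding["cwe"], finding["component"])].append(finding)

    tracker = []
    for (cwe, component), items in groups.items():
        tools = {f["tool"] for f in items}
        if tools == {"sast", "dast"}:
            status = "confirmed"           # visible in code and reachable at runtime
        elif tools == {"dast"}:
            status = "confirmed-runtime"   # observed, root cause still to be located
        else:
            status = "needs-validation"    # static-only: review for false positive
        # The tracker carries the worst severity any tool assigned.
        severity = max((f["severity"] for f in items), key=SEVERITY_RANK.get)
        tracker.append({
            "cwe": cwe,
            "component": component,
            "status": status,
            "severity": severity,
            "evidence": sorted(f["location"] for f in items),
        })
    # Most severe first; among equal severity, confirmed items before candidates.
    tracker.sort(key=lambda row: (-SEVERITY_RANK[row["severity"]], row["status"]))
    return tracker


def print_tracker(rows):
    """Render the tracker as fixed-width text for a status report."""
    print(f'{"SEVERITY":<9} {"STATUS":<18} {"CWE":<8} {"COMPONENT":<12} EVIDENCE')
    for row in rows:
        print(f'{row["severity"]:<9} {row["status"]:<18} {row["cwe"]:<8} '
              f'{row["component"]:<12} {"; ".join(row["evidence"])}')


if __name__ == "__main__":
    print_tracker(correlate(SAST_FINDINGS, DAST_FINDINGS))
```

The grouping key is deliberately coarse (CWE plus component) because SAST reports file locations and DAST reports request parameters; a finer key would never match across the two and the correlation would be empty. Items with status `needs-validation` are the ones a reviewer should reproduce or dismiss before they enter the remediation queue.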

Organizational Context

You need to know and understand:
KA1. relevant legislation, standards, policies, and procedures followed in the company
KA2. organization’s knowledge base and how to access and update this
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. the operating procedures that are applicable to the system(s) being used, typical response times and service times related to own work area
KA6. standard tools and templates available and how to use these

Technical Knowledge

You need to know and understand:
KB1. basic cyber security concepts
KB2. relevant networking concepts, devices and terminologies
KB3. secure Software Development Lifecycle (SDLC)
KB4. what applications are, types of applications and common application security requirements
KB5. the basic functionalities of the applications and role based access that are used by the customers
KB6. how software vulnerabilities can be identified and resolved for applications
KB7. application / database layer intrusion detection / prevention appliance
KB8. OWASP tools and methodologies
KB9. Common Vulnerabilities and Exposures (CVE) language, which standardizes descriptions of vulnerabilities
KB10. code scanning toolsets
KB11. security assessment tools
KB12. new technological developments in application security
KB13. basics of mobile application security and cloud application security
KB14. key features of mobile application and cloud application security testing tools
KB15. systems engineering theories, concepts, and methods; Systems/Product Life Cycle
KB16. scripting knowledge (Shell Script, JavaScript)
KB17. basics of encryption algorithms
KB18. common security requirements within web (thin client) and desktop (thick client) applications
KB19. security solutions like web application firewall, IDS/IPS, web security gateways, email security, content filtering, etc.
KB20. tools that focus on application penetration testing
KB21. access to public databases and vulnerability sharing clubs

Generic Skills
Writing Skills
You need to know and understand how to:
SA1. complete accurate well written work with attention to detail
SA2. document call logs, reports, task lists, and schedules with co-workers
SA3. prepare status and progress reports
SA4. write memos and e-mail to customers, co-workers, and vendors to provide them with work updates and to request appropriate information, without grammatical or sentence-construction errors and following professional etiquette

Reading Skills
You need to know and understand how to:
SA5. read about new products and services with reference to the organization and also from external forums such as websites and blogs
SA6. keep abreast with the latest knowledge by reading brochures, pamphlets, and product information sheets
SA7. read comments, suggestions, and responses to Frequently Asked Questions (FAQs) posted on the helpdesk portal
SA8. read policy manual, standard operating procedures and service level agreements relevant to work area
SA9. read emails received from own team, across team and external vendors and clients


Oral Communication (Listening and Speaking skills)
You need to know and understand how to:
SA10. discuss task lists, schedules, and work-loads with co-workers
SA11. give clear instructions to specialists/vendors/users/clients as required
SA12. keep stakeholders informed about progress
SA13. avoid using jargon, slang or acronyms when communicating with a customer, unless it is required
SA14. receive and make phone calls, including call forward, call hold, and call mute

Professional Skills

Decision Making
You need to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make a decision on a suitable course of action

Plan and Organize
You need to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines

Customer Centricity
You need to know and understand how to:
SB4. identify internal or external customer requirements and priorities clearly with respect to the work at hand
SB5. carry out rule-based transactions in line with customer-specific guidelines, procedures, rules and service level agreements
SB6. check that your own and/or your peers' work meets customer requirements

Problem Solving
You need to know and understand how to:
SB7. apply problem-solving approaches in different situations
SB8. seek clarification on problems from others

Analytical Thinking
You need to know and understand how to:
SB9. analyze data and activities
SB10. configure data and disseminate relevant information to others
SB11. pass on relevant information to others

Critical Thinking
You need to know and understand how to:
SB12. provide opinions on work in a detailed and constructive way
SB13. apply balanced judgments to different situations

Attention to Detail
You need to know and understand how to:
SB14. check your work is complete and free from errors

Team Working
You need to know and understand how to:
SB15. work effectively in a team environment
SB16. work independently and collaboratively

Technical Skills
You need to know and understand how to:
SC1. write and test web applications/web services in programming languages such as C/C++, Java, and JavaScript
SC2. read and write coded scripts and modify and debug programs
SC3. work on various operating systems
SC4. work with word processors, spreadsheets and presentations
SC5. stay abreast of the latest developments in terms of industry standards and information security tools and techniques

Harden application and deployment configurations for minimizing exposure and vulnerabilities:

Performance Criteria

PC1. identify all web servers and web applications on the network and secure their administrative consoles
PC2. review the list of all applications and ensure valid credentials are required to connect
PC3. review list of systems and applications to identify and uninstall unauthorized instances and extraneous functionality to reduce the chance of exploitation
PC4. apply access controls to applications and databases as required as per policy
PC5. ensure all web servers, web applications and databases are patched as per latest guidelines
PC6. ensure all systems follow Security Technical Implementation Guides (STIGs) to ensure compliance with best practices
PC7. review logs for web attacks and identify signs of compromise
PC8. implement application and database defences such as firewalls and load balancers
PC9. ensure that all applications connect with least privilege
PC10. limit and monitor file creation in all web accessible directories
PC11. configure application securely across the environments for minimum exposure and weaknesses
PC12. secure applications using tools and solutions such as application testing, code review, web application firewall, etc.
PC13. check frontend and backend platforms for reported vulnerabilities and available patches or updates
PC14. work on the established guidelines (or establish new ones with the support of a senior) for security configuration and hardening for each category of applications
PC15. establish mechanism and measures to ensure that security, antivirus updates and patches are effectively applied on all the application assets
PC16. define a security baseline for malware protection at servers, endpoints and applications, including signature updates and patch/security updates
PC17. make the business users aware of application vulnerability and patch requirements
PC18. define a strategy for management of patches and updates considering various relevant factors
PC19. identify a patch management life cycle process considering various parameters
PC20. integrate patch management with the operational cycle of IT infrastructure management
PC21. ensure that IT infrastructure processes are reengineered as per the patch management requirements
PC22. research best practices in hardening applications
PC23. document results of the outcome of the tools and solutions used
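PC9 and PC10 ask for least-privilege connections and for file creation in web-accessible directories to be limited and monitored. The Python script below is an added example, not part of the qualification pack: it builds a constructed sample web root in a temporary directory and audits it for world-writable entries, server-side script files under an upload directory, and files that appeared after a baseline manifest was taken. The directory layout, the suffix list and the helper names are assumptions made for the illustration.

```python
"""Audit a web-accessible directory for writable paths and unexpected files.

Added example, not part of the qualification pack: a constructed sample web
root is created in a temporary directory and checked for world-writable
entries, server-side script files under an upload directory, and files that
were not present when a baseline manifest was taken. Paths, suffixes and
helper names are this example's own assumptions.
"""
import os
import stat
import tempfile

# File suffixes a web server might execute; assumed list for the example.
SCRIPT_SUFFIXES = (".php", ".py", ".sh", ".jsp", ".cgi")


def _write(path, text, mode=0o644):
    """Create a file with explicit permissions so the demo ignores the umask."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_webroot():
    """Create the constructed web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub in ("uploads", "static"):
        os.mkdir(os.path.join(root, sub), 0o755)
    _write(os.path.join(root, "index.html"), "<html>hello</html>\n")
    _write(os.path.join(root, "static", "app.js"), "console.log('ok');\n")
    # Problem 1: a server-side script sitting in the upload directory.
    _write(os.path.join(root, "uploads", "avatar.php"), "<?php echo 1; ?>\n")
    # Problem 2: a world-writable file any local account could alter.
    _write(os.path.join(root, "static", "config.js"), "var cfg = {};\n", 0o666)
    return root


def snapshot(root):
    """Return the set of relative file paths under root: the baseline manifest."""
    paths = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.add(os.path.relpath(os.path.join(dirpath, name), root))
    return paths


def audit_webroot(root, baseline, upload_dirs=("uploads",)):
    """Return sorted (check, relative_path) findings for the tree under root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            top_level = rel.split(os.sep)[0]
            if top_level in upload_dirs and name.lower().endswith(SCRIPT_SUFFIXES):
                findings.append(("script-in-upload-dir", rel))
            if rel not in baseline:
                findings.append(("new-file-since-baseline", rel))
    return sorted(findings)


def run_demo():
    """Build the sample root, take a baseline, simulate a later file drop, audit."""
    root = build_sample_webroot()
    baseline = snapshot(root)
    # A file appearing after the baseline is exactly what PC10 asks to monitor.
    _write(os.path.join(root, "uploads", "unexpected.php"), "<?php ?>\n")
    return audit_webroot(root, baseline)


if __name__ == "__main__":
    for check, path in run_demo():
        print(f"{check:<24} {path}")
```

In production the baseline would be stored outside the web root (ideally with file hashes as well as paths) and the audit run on a schedule or from a file-integrity agent; the upload directory would additionally be served with script execution disabled so that a dropped script is inert even before the audit notices it.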


Organizational Context

You need to know and understand:
KA1. relevant legislation, standards, policies, and procedures followed in the company
KA2. organization’s knowledge base and how to access and update this
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. the operating procedures that are applicable to the system(s) being used, typical response times and service times related to own work area

Technical Knowledge

You need to know and understand:
KB1. basic cyber security concepts
KB2. relevant networking concepts, devices and terminologies
KB3. standard Systems Development Lifecycle (SDLC) practices and processes
KB4. the enterprise information technology (IT) architecture
KB5. what are applications, types of applications and common application security requirements
KB6. the basic functionalities of the applications, hardware and/or access rights that are used by the customers
KB7. how hardware and software vulnerabilities can be identified and resolved for applications
KB8. application / database layer intrusion detection / prevention appliance
KB9. measures or indicators of system performance and availability
KB10. new technological developments in application security
KB11. basics of mobile application security and cloud application security
KB12. server administration and systems engineering theories, concepts, and methods; Systems/Product Life Cycle
KB13. scripting knowledge (Shell Script, JavaScript)
KB14. knowledge base of the known problems
KB15. security solutions like firewall, IDS/IPS, web security gateways, email security, content management, etc.
KB16. Common Vulnerabilities and Exposures (CVE) language, which standardizes descriptions of vulnerabilities
KB17. secure configuration of applications
KB18. application hardening processes and best practices
KB19. patch management

Core Skills/ Generic Skills
Writing Skills
The user/individual on the job needs to know and understand how to:
SA1. document call logs, reports, task lists, and schedules with co-workers
SA2. prepare status and progress reports
SA3. write memos and e-mail to customers, co-workers, and vendors to provide them with work updates and to request appropriate information, without grammatical or sentence-construction errors and following professional etiquette

Reading Skills
The user/individual on the job needs to know and understand how to:
SA4. read about new products and services with reference to the organization and also from external forums such as websites and blogs
SA5. keep abreast with the latest knowledge by reading brochures, pamphlets, and product information sheets
SA6. read comments, suggestions, and responses to Frequently Asked Questions (FAQs) posted on the helpdesk portal
SA7. read policy manual, standard operating procedures and service level agreements relevant to work area
SA8. read emails received from own team, across team and external vendors and clients

Oral Communication (Listening and Speaking skills)
The user/individual on the job needs to know and understand how to:
SA9. discuss task lists, schedules, and work-loads with co-workers
SA10. give clear instructions to specialists/vendors/users/clients as required
SA11. keep stakeholders informed about progress
SA12. avoid using jargon, slang or acronyms when communicating with a customer, unless it is required
SA13. receive and make phone calls, including call forward, call hold, and call mute

Professional Skills

Decision Making

The user/individual on the job needs to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make decisions on suitable courses of action

Plan and Organize
The user/individual on the job needs to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines

Customer Centricity
The user/individual on the job needs to know and understand how to:
SB4. carry out rule-based transactions in line with customer-specific guidelines, procedures, rules and service level agreements
SB5. check that your own and/or your peers' work meets customer requirements

Problem Solving
The user/individual on the job needs to know and understand how to:
SB6. apply problem-solving approaches in different situations
SB7. seek clarification on problems from others

Analytical Thinking
The user/individual on the job needs to know and understand how to:
SB8. analyze data and activities
SB9. configure data and disseminate relevant information to others
SB10. pass on relevant information to others

Critical Thinking
The user/individual on the job needs to know and understand how to:
SB11. provide opinions on work in a detailed and constructive way
SB12. apply balanced judgments to different situations

Attention to Detail
You need to know and understand how to:
SB13. apply good attention to detail
SB14. check your work is complete and free from errors

Team Working
You need to know and understand how to:
SB15. work effectively in a team environment
SB16. contribute to the quality of team working
SB17. work independently and collaboratively

Technical Skills
You need to know and understand how to:
SC1. write and test web applications/web services in programming languages such as C/C++, Java, and JavaScript
SC2. do HTTP and web programming
SC3. read and write coded scripts and modify and debug programs
SC4. work on various operating systems
SC5. work with word processors, spreadsheets and presentations
SC6. perform basic application penetration testing and ethical hacking
SC7. stay abreast of the latest developments in terms of industry standards and information security tools and techniques


Monitor applications and solutions deployed for their security for possible breaches and compromises:

Performance Criteria

PC1. verify the scope of application assets and system components to be monitored with stakeholders
PC2. use specified monitoring and data collection methods and tools following organizational procedures and policies
PC3. monitor application consoles using Security Information and Event Management (SIEM) tool to detect security threats and health of the applications
PC4. define and establish operational processes for log management
PC5. identify and capture all the key events and activity logs as per established format using appropriate tools and infrastructure
PC6. ensure that mechanisms such as time stamping and synchronization of servers are utilized for time consistency among all log sources
PC7. maintain a tracker which captures inventory of Cyber security incidents related to applications
PC8. define, in coordination with seniors and the cyber security incident management team, the process for the cyber security incident/breach management plan and the technical and tactical measures deployed to detect or report incidents
PC9. work on the defined process for prioritization and handling of Cyber Security incidents
PC10. characterize and analyze application traffic to identify anomalous activity and potential threats
PC11. identify trends and patterns as per standard guidelines
PC12. coordinate with enterprise-wide computer network defense (CND) staff to validate network alerts
PC13. perform event correlation using information gathered to gain situational awareness and determine the threat potential
PC14. categorize the priority of identified risks by determining their probability of occurrence and potential impact as per organizational processes and policies
PC15. determine actions required to investigate and mitigate identified risks
PC16. raise incidents in Cyber Security Incident logging/reporting tools if something is found suspicious during the analysis
PC17. record and categorize the service request accurately as per organizational processes and policies
PC18. assign the incident to the relevant persons as per the type of risk following organizational procedures
PC19. prioritize the service request according to organizational guidelines
PC20. follow-up with the relevant personnel for taking actions on the incidents raised within agreed timelines
PC21. obtain help or advice from a specialist if the problem is outside his/her area of competence or experience
PC22. report the results of the monitoring, incident logging and closure activities using standard documentation following organizational procedures
PC23. comply with relevant legislation, standards, policies and procedures
PC24. monitor external data sources (e.g., computer network defense [CND] vendor sites, Computer Emergency Response Teams, SANS, Security Focus) and determine which security issues may have an impact on the enterprise
PC25. perform telemetry monitoring to identify security platform issues
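PC6, PC10, PC13 and PC14 concern consistent timestamps across log sources, anomaly detection in application traffic, event correlation and risk prioritization. The Python script below is an added example, not part of the qualification pack and not any SIEM product's logic: it normalizes a web access log (local time with a UTC offset) and an application log (ISO 8601 UTC) to one UTC timeline, groups events per source address and raises prioritized incidents. The log lines, addresses, thresholds and incident labels are constructed for the illustration.

```python
"""Correlate events from two log sources with different timestamp formats.

Added example, not part of the qualification pack and not a SIEM product:
a web access log (local time with a UTC offset) and an application log
(ISO 8601 UTC) are normalized to one UTC timeline, grouped per source
address and correlated into prioritized incidents. The log lines, addresses
(RFC 5737 documentation ranges), thresholds and labels are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed web server access log: timestamps are local time at +05:30.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0530] "POST /login HTTP/1.1" 401 12
203.0.113.5 - - [10/Oct/2023:13:55:38 +0530] "POST /login HTTP/1.1" 401 12
203.0.113.5 - - [10/Oct/2023:13:55:41 +0530] "POST /login HTTP/1.1" 401 12
198.51.100.7 - - [10/Oct/2023:13:56:02 +0530] "GET /admin HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:03 +0530] "GET /old HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:03 +0530] "GET /test HTTP/1.1" 404 0
192.0.2.9 - - [10/Oct/2023:14:10:00 +0530] "GET /index.html HTTP/1.1" 200 512
"""

# Constructed application log: timestamps are already UTC.
APP_LOG = """\
2023-10-10T08:25:44Z auth login_success user=alice src=203.0.113.5
2023-10-10T08:40:00Z auth login_success user=bob src=192.0.2.9
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
APP_RE = re.compile(r"^(?P<ts>\S+) auth (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_access(text):
    """Return (utc_time, src, kind) for failed logins and 404s in an access log."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # %z consumes the offset, so every timestamp lands on the same UTC clock.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        status = int(m["status"])
        if m["path"] == "/login" and status == 401:
            events.append((ts, m["src"], "login_fail"))
        elif status == 404:
            events.append((ts, m["src"], "not_found"))
    return events


def parse_app(text):
    """Return (utc_time, src, 'login_ok') for successful logins in the app log."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m and m["event"] == "login_success":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["src"], "login_ok"))
    return events


def correlate(events, fail_threshold=3, probe_threshold=3, window=timedelta(minutes=5)):
    """Group events per source address and raise prioritized incidents."""
    by_src = {}
    for ev in sorted(events):
        by_src.setdefault(ev[1], []).append(ev)

    incidents = []
    for src, evs in sorted(by_src.items()):
        fails = [ts for ts, _, kind in evs if kind == "login_fail"]
        oks = [ts for ts, _, kind in evs if kind == "login_ok"]
        misses = [ts for ts, _, kind in evs if kind == "not_found"]
        if len(fails) >= fail_threshold and fails[-1] - fails[0] <= window:
            # A success shortly after a burst of failures is the higher-impact case.
            success_after = any(fails[-1] <= ok <= fails[-1] + window for ok in oks)
            incidents.append({
                "src": src,
                "type": "credential-attack-with-success" if success_after else "credential-attack",
                "priority": "high" if success_after else "medium",
                "evidence": f"{len(fails)} failed logins within {fails[-1] - fails[0]}",
            })
        if len(misses) >= probe_threshold and misses[-1] - misses[0] <= window:
            incidents.append({
                "src": src,
                "type": "probing",
                "priority": "low",
                "evidence": f"{len(misses)} not-found responses within {misses[-1] - misses[0]}",
            })
    return incidents


def run_demo():
    """Parse both constructed logs and return the correlated incidents."""
    return correlate(parse_access(ACCESS_LOG) + parse_app(APP_LOG))


if __name__ == "__main__":
    for inc in run_demo():
        print(f'{inc["priority"]:<6} {inc["src"]:<14} {inc["type"]:<32} {inc["evidence"]}')
```

The point of the timestamp normalization is visible in the sample data: the three failures are logged at 13:55 local time and the matching success at 08:25 UTC, and only after conversion do they fall eight seconds apart, which is what lets the correlation raise the high-priority incident. Thresholds and window sizes are the parameters an analyst tunes per application to keep the false-positive rate acceptable.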

Organizational Context

You need to know and understand:
KA1. relevant legislation, standards, policies, and procedures followed in the company
KA2. organization’s knowledge base and how to access and update this
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to engage with both internal and external specialists for support in order to resolve incidents and service requests
KA6. service request procedures, tools, and techniques
KA7. the operating procedures that are applicable to the system(s) being used

Technical Knowledge
You need to know and understand:
KB1. basic cyber security concepts
KB2. relevant networking concepts, devices and terminologies
KB3. standard Systems Development Lifecycle (SDLC) practices and process
KB4. the enterprise information technology (IT) architecture
KB5. what are applications, types of applications and common application security requirements
KB6. the basic functionalities of the applications, hardware and/or access rights that are used by the customers
KB7. how hardware and software vulnerabilities can be identified and resolved for applications
KB8. application / database layer intrusion detection / prevention appliance
KB9. measures or indicators of system performance and availability
KB10. new technological developments in application security
KB11. server administration and systems engineering theories, concepts, and methods; Systems/Product Life Cycle
KB12. knowledge base of the known problems
KB13. security solutions like firewall, IDS/IPS, web security gateways, email security, content management, etc.
KB14. Common Vulnerabilities and Exposures (CVE) language, which standardizes descriptions of vulnerabilities
KB15. how to use a Security Information and Event Management (SIEM) tool for monitoring, reporting, analyzing and raising service requests
KB16. operational processes such as report generation, verification, data analysis and correlation, etc.
KB17. common types of physical and electronic threats to various types of applications
KB18. log management, event and log analysis and packet analysis
KB19. typical response times and service times for problems
KB20. the importance of documenting, classifying, prioritizing service requests received over voice calls, email, incident management tools and incident reports

Generic Skills

Writing Skills
The user/individual on the job needs to know and understand how to:
SA1. document call logs, reports, task lists, and schedules with co-workers
SA2. prepare status and progress reports
SA3. write memos and e-mail to customers, co-workers, and vendors to provide them with work updates and to request appropriate information, without grammatical or sentence-construction errors and following professional etiquette

Reading Skills
The user/individual on the job needs to know and understand how to:
SA4. read about new products and services with reference to the organization and also from external forums such as websites and blogs
SA5. keep abreast with the latest knowledge by reading brochures, pamphlets, and product information sheets
SA6. read comments, suggestions, and responses to Frequently Asked Questions (FAQs) posted on the helpdesk portal
SA7. read policy manual, standard operating procedures and service level agreements relevant to work area
SA8. read emails received from own team, across team and external vendors and clients

Oral Communication (Listening and Speaking skills)
The user/individual on the job needs to know and understand how to:
SA9. discuss task lists, schedules, and work-loads with co-workers
SA10. give clear instructions to specialists/vendors/users/clients as required
SA11. keep stakeholders informed about progress
SA12. avoid using jargon, slang or acronyms when communicating with a customer, unless it is required
SA13. receive and make phone calls, including call forward, call hold, and call mute

Professional Skills

Decision Making
The user/individual on the job needs to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make decisions on suitable courses of action

Plan and Organize
The user/individual on the job needs to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines

Customer Centricity
The user/individual on the job needs to know and understand how to:
SB4. carry out rule-based transactions in line with customer-specific guidelines, procedures, rules and service level agreements
SB6. check that your own and/or your peers' work meets customer requirements

Problem Solving
The user/individual on the job needs to know and understand how to:
SB7. apply problem-solving approaches in different situations
SB8. seek clarification on problems from others

Analytical Thinking
The user/individual on the job needs to know and understand how to:
SB9. analyze data and activities
SB10. configure data and disseminate relevant information to others
SB11. pass on relevant information to others

Critical Thinking
The user/individual on the job needs to know and understand how to:
SB12. provide opinions on work in a detailed and constructive way
SB13. apply balanced judgments to different situations

Attention to Detail
You need to know and understand how to:
SB14. apply good attention to detail
SB15. check your work is complete and free from errors

Team Working
You need to know and understand how to:
SB16. work effectively in a team environment
SB17. contribute to the quality of team working
SB18. work independently and collaboratively

Technical Skills
You need to know and understand how to:
SC1. operate the console of security information and event management tools (SIEM)
SC2. work on various operating systems
SC3. work with word processors, spreadsheets and presentations
SC4. perform basic application penetration testing and ethical hacking
SC5. stay abreast of the latest developments in terms of industry standards and information security tools and techniques

Guidelines for Assessment:

  1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criterion (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in the NOS.
  2. The assessment will be conducted online through assessment providers authorised by the SSC.
  3. The format of questions will include a variety of styles suitable to the PC being tested, such as multiple choice questions, fill in the blanks, situational judgment tests, simulations and programming tests.
  4. To pass a QP, a trainee should pass each individual NOS. The standard passing criterion for each NOS is 70%.
  5. For the latest details on the assessment criteria, please visit www.sscnasscom.com.
  6. If a trainee successfully passes only some of the NOSs, they are eligible to take a subsequent assessment on the remaining NOSs to pass the Qualification Pack.