Security training / workshops for Product Security Evaluation

With more than 35 years of experience in security evaluations, SGS Brightsight has accumulated a wealth of knowledge and expertise in this industry. To share our knowledge with you, we offer training courses adapted to meet your specific needs and interests. These courses serve to equip you with the knowledge and skills necessary to take on future challenges in your business.

Our courses are adapted to meet your specific needs and interests at the required level. Examples of topics are:
    • PIN entry device and terminal security training
    • IoT Baseline security training
    • Smart card security training
    • Common Criteria for developers
    • GDPR readiness training
    • Host Card Emulation training
    • Secure coding and secure design

Our target audience includes risk and fraud managers, marketing and product managers of secure IT products and smart cards, and hardware and software developers in particular.

All training courses can be given in English, Spanish, French, German and Chinese. We offer in-house as well as on-site training courses:
    • In-house training: You benefit from having access to all of our experts and visiting our labs
    • On-site training: You can select as many of your employees to attend the course as your premises allow, with no additional costs

Security Training Courses

Common Criteria course (2 days)

Common Criteria (ISO 17025) is the most widely used IT standard for evaluating and certifying products such as smart cards and other devices that implement security functionality. CC certificates are recognized by all 26 member nations of the CCRA (Common Criteria Recognition Arrangement).


COURSE OBJECTIVES
The goal of the course is to give you an introduction to and a basic understanding of the Common Criteria in terms of structure, terminology and use, enabling participants to:
    • Determine the steps to getting a product CC certified and to creating the required CC documentation;
    • Understand the impact of having your product CC certified on the development process and environment.


TOPICS
The CC standard and its terminology:
    • CC history and relationship to other evaluation standards;
    • The (hidden) structures of the CC standard.

The application of the CC standard in terms of:
    • Steps & roles involved in CC evaluation and certification;
    • Recognition of CC certificates and Assurance Levels;
    • Different certification bodies and labs;
    • Cost and effort involved in a CC evaluation.

Details of Common Criteria:
    • Requirements for specifying product functionality;
    • Requirements for product documentation and development/production environment;
    • Assurance Levels;
    • Security Targets & Protection Profiles.


NOTES
The hands-on training included uses well-known devices to ensure easy understanding for all participants. Examples will be tailored to the participants’ line of business.

Host card emulation course (1 day)

The landscape of electronic payments is changing rapidly due to the fast introduction of new technologies and capabilities of mobile devices. Several mobile payment software solutions are currently replacing dedicated secure hardware solutions. Brightsight offers a state-of-the-art training course in cloud-based payment with a focus on Host Card Emulation (HCE).


COURSE OBJECTIVES
To provide a high-level overview of cloud-based payment, particularly HCE. More detailed course topics can be added on request.


TOPICS
  • A general introduction to and explanation of Host Card Emulation;
  • The characteristics of HCE solutions, with a strong focus on security of the mobile application;
  • Common security aspects as well as known pitfalls and applicable attack vectors;
  • Android;
  • White Box Crypto (WBC);
  • Code Obfuscation Techniques;
  • Trusted Execution Environments (TEE);
  • Demo on penetration testing;
  • Security requirements of different schemes, which are generally similar but differ in detail.
Payment terminal security course (2 days)

Payment terminals are usually certified under the PCI PTS requirements. PCI PTS approved payment terminals can process American Express, Discover, JCB, MasterCard and VISA transactions. To get your product certified, you’ll need to know what the requirements are and how to apply them.


COURSE OBJECTIVES
To introduce the PCI PTS requirements and common attacks performed on payment terminals, including examples and exercises. The course is set up to enable participants to understand PCI PTS and start a PCI PTS evaluation at a certified security lab.


TOPICS
  • Introduction to the PCI PTS security requirements, their purpose and how to apply them in practice (Core, SRED requirements, device management and open protocols);
  • Payment terminal attack techniques and general mechanisms for protection;
  • Attack potential calculation and how to determine device resistance (exercise);
  • Key management and the impact on PCI PTS compliance;
  • Side-channel analysis applied to payment terminals;
  • Additional PCI PTS security programs;
  • Details of the PCI PTS certification process.


The modules “Additional PCI PTS security programs” and “Details of the PCI PTS certification process” primarily focus on management aspects, while the other modules focus on techniques.

Smart card security course (3 days)

Smart cards are used in a wide variety of applications, including banking, public transportation, conditional door access, pay TV and passports. A security flaw in the implementation can have a huge impact, such as financial or reputational damage. Brightsight offers a three-day training course on all major techniques used in assessing the security of smart cards.


COURSE OBJECTIVES
To form the basis for the design of secure products. The most relevant topics will be explained in detail, including examples. The course is set up to establish a ‘common ground’ for all people involved in the evaluation process of the product.


TOPICS
  • Evaluation methodologies and how to get assurance of protection against threats;
  • Physical attacks;
  • Perturbation security threats (power and light manipulation);
  • Side-channel analysis;
  • Demo on differential power analysis;
  • Advanced side-channel attacks;
  • Software: potential vulnerabilities;
  • Software (choose: Java Card or exercise);
  • Random number generators;
  • Introduction to Host Card Emulation.


NOTES
Training on cryptography can be given as an introduction to this course, if desired. The crypto training includes the following topics: introduction to crypto, symmetric cryptography, asymmetric cryptography and future cryptography. This pre-training course will take about one day.

Security training workshops

We provide training in the various technical domains of Mobile Payments, such as the Global Platform TEE and payment scheme HCE security programs. In these training programs, SGS Brightsight experts give an introduction to the security program in order to get the development team at the right level of knowledge to start their developments in an efficient way and avoid known pitfalls where possible.


Topics of the training program include:
• Overview of the technology with a strong focus on security;
• Relevant security requirements and their purpose;
• Security considerations for the domain in question;
• How to prepare for smooth evaluation;
• Known development pitfalls.