Secure Coding
Overview
This course will teach secure coding practices
Audience
Developers, team leads, project managers
Skill Level
Introductory – Intermediate
Duration
Three days
Format
Lectures and hands-on labs. (50% – 50%)
Prerequisites
- Recommended: Cybersecurity awareness
- Comfortable developing code in the target environment
Lab environment
- Zero Install: There is no need to install software on students’ machines!
- A lab environment in the cloud will be provided for students.
Students will need the following
- A reasonably modern laptop with unrestricted connection to the Internet. Laptops with overly restrictive VPNs or firewalls may not work properly.
- A checklist to verify connectivity will be provided
- Chrome browser
Detailed outline
Threat modeling
- STRIDE attack classification
- Security terminology
- Threat modeling
- CVSS attack assessment
- Labs on threat modeling
Common attacks
- Cross-site scripting
- Malicious file execution
- Session hijacking
- Encryption
- Unsecured direct object reference
- Failure to authorize/hidden URLs
Secure design
- Layered design concepts
- Object layer
- Persistence layer
- Presentation layer
Countermeasures
- Validation
- Validation controls
- Strong typing
- Regular expressions
- White list
- Scrubbing
- Blacklist
- Encoding
- CAPTCHA
- Honey pots
- Avoiding SQL injection
- Parametrizing queries/Prepared statements
- Stored procedures
- Entity Frameworks/Hibernate
- Avoiding cross-site request forgeries
Modern security frameworks
- Introduction to modern frameworks
- Vault
- Consul
- Anthos
- Modern security design patterns
- Dynamic secrets
- Automatic credential rotation
- Cubbyhole response wrapping
- Encryption as a service
- Where to go from here
Authorization and Authentication
- .NET authentication
- Basic & Digest
- Forms
- Windows authentication
- JAAS and other Java authentication services
- Authorization
- Password security
- Brute force attacks
- Password resets
- Secret questions/answers
- SSL/TLS
Session security
- Session IDs
- Policies
- Hijacking/Fixation Attacks
Framework architecture
- Threading
- Privileges
- Audits/Logs
- Secure coding
- Encryption services
- Static code analysis
Securing the runtime environment
- .NET
- Code Access
- GAC
- Strong named assemblies
- CLR
- Security Zones
- Permissions
- Security policy
Security future
- Zero-trust networks
- Artificial intelligence