ELEARNING COURSE CATALOG


Updated April
Park Plaza, Suite 1400, Boston, MA

GENERAL DISCLAIMER

This document presents details about the training offerings from Codiscope at the time of its creation. Codiscope has used reasonable efforts to ensure that the information provided in this document is accurate and up-to-date, but details and offerings are subject to change. This document contains confidential information about Codiscope and its businesses. Copies of this document may only be provided, and disclosure of the information contained in it may only be made, with written prior agreement from Codiscope.

Ownership and Disposal
The information contained in this document is owned by Codiscope. The recipient shall dispose of the Data as confidential waste and/or return the document to Codiscope upon request.

Copyright 2016 by Codiscope, LLC. All rights reserved. Codiscope, LLC and the Codiscope logo are trademarks of Codiscope. Other brands and products are trademarks of their respective owner(s).

CONTENTS

About Codiscope  4
Security Training for Every Role  5

Fundamental
  Foundations of Software Security  6
  Foundations of Information Security Awareness  8
  OWASP Top 10  10
  Attack and Defense  12
  Developing Securely for PCI DSS  14
  Introduction to Cryptography for Developers and Architects  16

Defensive Strategies
  Secure Password Storage  18

Language-Specific
  Foundations of JavaScript and HTML5 Security  20
  Foundations of Java Platform Security  22
  Foundations of .NET Platform Security  24
  Foundations of PHP Security  26
  Foundations of COBOL Security  28
  Defensive Programming for Python and Django  30
  Defensive Programming for JavaScript and HTML5  32
  Defensive Programming for JavaEE Web Applications  34
  Defensive Programming for PHP  36
  Defensive Programming for C# for ASP.NET  38
  Defensive Programming for C/C++  40
  Defensive Programming for COBOL  42

Mobile
  Foundations of Mobile Security  44
  Foundations of Android Security  46
  Foundations of iOS Security  48
  Defensive Programming for Android  50
  Defensive Programming of iOS  52

Requirements, Architecture, and Training
  Architecture Risk Analysis  54
  Foundations of Software Security Requirements  56
  Risk-Based Security Testing Strategy  58
  OAuth 2.0 Security  60

Microcourses
  Hapi.js Security  62
  React.js Security  63

ABOUT CODISCOPE

Codiscope was established in 2015 as a spin-off of software security services firm Cigital, Inc. with a mission to improve the quality of software everywhere. Codiscope tools fit modern agile development processes by detecting and immediately eliminating vulnerabilities as they're introduced. Codiscope empowers every developer, from the smallest startup to the largest enterprise, to build security in from the start, even if they're not security experts.

Cigital is a global software security services firm known for its proven approach to building security into the development process. Our continuing relationship with Cigital allows us to leverage the company's expertise, derived from over twenty years of research and thousands of successful security engagements, as we continue to evolve our products.

Codiscope eLearning
Codiscope offers a hosted elearning curriculum that enables organizations of all sizes to quickly deploy industry-leading training company-wide. Codiscope elearning is a subscription-based online training service providing on-demand, unlimited access to Codiscope's comprehensive library of hosted elearning courses. With an annual subscription, you get 24x7 access to Codiscope's interactive security courses, including knowledge checks and final exams, individual and group reporting, and periodic content updates, so you can easily meet compliance and contractual training requirements. For companies that deploy their own Learning Management System (LMS), all elearning courses are SCORM-compliant and can be deployed within your current LMS.

SECURITY TRAINING FOR EVERY ROLE

Codiscope's software security curriculum provides valuable knowledge across every role within software development organizations. Codiscope elearning features a broad library of 28 courses and 2 microcourses, so you can design a long-term plan to increase the security knowledge and skills of everyone within your SDLC. Below you'll find some sample learning paths for developers and architects. Pick and choose the courses your developers need, or design your own learning path; it's up to you.

Sample learning paths. The original page presents these as a table with one column per role; the rows below list each row's cells from left to right in the column order given. Later rows have empty cells in the source, so their remaining entries are listed in the order they appear.

Roles (columns): Front-End Developers | Back-End Developers | Enterprise Developers | Mobile Developers | QA Engineers | Architects

Row 1: Foundations of Software Security | Foundations of Software Security | Foundations of Software Security | Foundations of Mobile Security | Foundations of Software Security | Foundations of Software Security
Row 2: OWASP Top 10 | OWASP Top 10 | Attack and Defense | OWASP Top 10 | OWASP Top 10 | OWASP Top 10
Row 3: Developing Securely for PCI DSS | Developing Securely for PCI DSS | Introduction to Cryptography | Developing Securely for PCI DSS | Foundations of Software Security Requirements | Developing Securely for PCI DSS
Row 4: Introduction to Cryptography | Introduction to Cryptography | Secure Password Storage | Introduction to Cryptography | Risk-Based Security Testing Strategy | Introduction to Cryptography
Row 5: Secure Password Storage | Secure Password Storage | Foundations of COBOL | Foundations of iOS Security | Secure Password Storage | Foundations of JavaScript and HTML5 or PHP
Remaining rows: OAuth 2.0 Security | OAuth 2.0 Security | Foundations of Android Security | OAuth 2.0 Security | React.js Security (Microcourse) | Hapi.js Security (Microcourse) | Hapi.js Security (Microcourse) | React.js Security (Microcourse) | Architecture Risk Analysis | Defensive Programming for JavaScript and HTML5 or PHP | Foundations of Java or .NET | Defensive Programming for COBOL or C# ASP.NET or C/C++ | Defensive Programming for iOS or Android

Level legend: Introductory, Intermediate, Advanced

Foundations of Software Security (Fundamental)

Description
Dive into the basics of software security inside the development process. This course introduces the fundamentals of software security problems, risks, and general approaches for producing better software. It also describes an approach to building software security into the development process to help you produce better software. This course was created by the experts who literally wrote the book on software security. The approaches described here are currently being used by leading global companies with mature software security initiatives.

Course Themes
- Clearly define the software security problem
- Describe how and why software is exploited
- Introduce and describe a set of key software security principles and concepts that can be integrated into any existing software development lifecycle

Learning Objectives
- Discuss basic security terminology comfortably when discussing your own development work
- Confidently contribute to discussions surrounding software security principles
- Participate in the initial strategy, formation, and role delegation of a Software Security Initiative
- Confidently begin to contribute to your company's overall design of a software security strategy

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Understanding of the software development lifecycle
Prerequisites: None
Duration: ¾ Hour
Level: Introductory

Foundations of Software Security (Fundamental): Course Outline

Basic Software Security Concepts
- The Importance of Software Security
- Software Security Vocabulary
- What is Secure Software?
- Obstacles to Software Security
- Building Security In
- Roles in Software Security

Fundamentals of a Software Security Initiative
- Goals of a Software Security Initiative
- Engineering and Governance
- SSG, Outreach, and Satellites
- Vendor Management
- Evolution of a Software Security Initiative

Software Security Engineering
- The Touchpoints
- Secure Software Development Lifecycle
- Software Security Intelligence
- Technical Standards and Reference Frameworks
- Training

Defect Discovery and Management
- Assessing Software is Necessary
- Discovery Method Pros and Cons
- The Importance of Fixing Software

Foundations of Information Security Awareness (Fundamental)

Description
Organizations rely on their information assets to conduct business. Information security incidents targeting those assets happen every day and can cause great damage to profits, reputation, compliance status, and competitive edge. Information security awareness is expected from everyone in an organization and is key to building resistance to attacks from the inside out. The Foundations of Information Security Awareness course enables employees to appreciate the security risks affecting their organization's information assets.

Course Themes
- Explain how to reduce the risk of information security leaks
- Prescribe a set of secure behaviors to exhibit in the face of:
  - Internet and general computing attacks
  - Social engineering attacks
  - Physical intrusion

Learning Objectives
- Describe the importance of protecting information assets
- Protect information assets from attacks that can stem from:
  - Internet and general computing
  - Social engineering
  - Physical intrusion

Intended Audience: Everyone
Competencies: None
Prerequisites: None
Duration: ½ Hour
Level: Introductory

Foundations of Information Security Awareness (Fundamental): Course Outline

Why Security is Important
- Information Assets
- Threats and Risks

Types of Attacks
- Social Engineering
- Internet and General Computing Attacks
- Malware
- Physical Intrusion
- Attacks on Mobile Devices and Storage Media
- The Three Axes of Security

Adopting Secure Behaviors
- Practicing Safe Browsing the Internet Safely
- Defending Against Social Engineering
- Preventing Malware Infections
- Secure Password Best Practices
- Safeguarding your Mobile Devices
- General Computing Best Practices
- Preventing Intrusions in the Workplace
- Safe Media Handling and Destruction

OWASP Top 10 (Fundamental)

Description
Created for developers with experience developing web applications in any programming language, this course focuses on the most common security defects identified by the Open Web Application Security Project (OWASP). To accomplish this, the course describes in detail each item included in the 2013 OWASP Top 10 list. Each lesson describes a vulnerability and provides practical guidance for testing and remediation. The course also presents practical walkthroughs that demonstrate how the vulnerabilities are exploited.

Course Themes
- Introduce the most prevalent web application security issues
- Describe testing methods and applications
- Provide remediation guidance to help eradicate specific issues
- Demonstrate how the issues are exploited by attackers

Learning Objectives
- Describe the role of security in the software development lifecycle
- Strategize how best to create secure applications
- Recognize the details of and the causes behind secure coding errors and mistakes
- Describe how software security defects are exploited
- Efficiently utilize discovery methods for uncovering security defects
- Strategize practices to help prevent the most common mistakes and ultimately create more secure software

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with at least one web programming language
Prerequisites: Foundations of Software Security
Duration: 1 ½ Hours
Level: Introductory

OWASP Top 10 (Fundamental): Course Outline

The OWASP Top 10
- The Challenges of Software Security
- Classic Security Trade-offs

Injection
- Common Injection Vulnerabilities
- SQL, Command, and XML Injection
- Mitigations

Broken Authentication and Session Management
- Normal and Exploitation Workflows
- Brute Forcing, Session Fixation, and Session Hijacking
- Mitigation and Remediation Examples

Cross-Site Scripting
- Common Attacks and Exploitation
- Same Origin Policy and Malicious Script
- Stored and Reflected XSS
- How to Test for It
- Mitigation and Remediation

Insecure Direct Object References
- Exploitation and Examples
- How to Test for It
- Mitigation and Remediation

Security Misconfiguration
- Exploitation and Examples
- How to Test for Security Misconfiguration
- Mitigation and Remediation

Sensitive Data Exposure
- Exploitation and Attacks
- CIA of Information Security
- How to Test for It
- Mitigation and Remediation

Missing Function-Level Access Control
- Exploitation and Examples
- How to Test for Them
- Mitigation and Remediation

Cross-Site Request Forgery
- Exploitation and Example
- How to Test for It
- Mitigation and Remediation

Using Components with Known Vulnerabilities
- Exploitation and Example
- How to Test for It
- Mitigation and Remediation

Unvalidated Redirects and Forwards
- Exploitation and Example
- How to Test for It
- Mitigation and Remediation

Attack and Defense (Fundamental)

Description
This course is designed for those who are directly involved with software development, particularly with a web-based focus. This elearning module introduces you to common application attacks, shows how these attacks exploit common vulnerabilities, and suggests methods you can use to defend against them. For each topic, we explain the attack and map it to the security defects in source code that allow it to succeed. After discussing the relevant weaknesses, we outline techniques to audit code and find issues. To complete each lesson, we present mitigation and prevention techniques.

Course Themes
- Discuss software security and the crucial role it plays in overall system security
- Outline important features of the web browser security model
- Detail specific vulnerabilities and remediation advice to help prevent some of the most common attacks today

Learning Objectives
- Clearly identify the problems associated with software security
- Describe the appropriate checkpoints utilized in the browser security model
- Quickly recognize some of the most common attacks against web applications
- Map the attacks back to vulnerabilities in design and code that allow the attacks to succeed
- Describe common remediation strategies for preventing design and code vulnerabilities

Intended Audience: Developers, Development Managers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with at least one programming language
Prerequisites: Foundations of Software Security
Duration: 1 ½ Hours
Level: Introductory

Attack and Defense (Fundamental): Course Outline

Introduction to Software Security
- Connected Devices
- Software Vulnerability Growth
- Problems with Software Security
- Ignoring the Past
- Ignoring the Business Context
- Over-reliance on Perimeter Security
- Hyper-Focus on Functionality
- Security Viewed as Negative
- Bugs vs. Flaws
- Trinity of Trouble
- Connectivity
- Complexity
- Extensibility
- Impact of Software Failure

The Browser Security Model
- Web Browsers and Web Applications

Attack and Defense
- Cross-Site Scripting
  - Protecting Against XSS
  - Mitigation and Remediation
  - How to Test for It
- SQL Injection
  - Exploitation
  - How to Test for It
  - Remediation
- Header Manipulation
  - Typical HTTP Response
  - How to Test for It
  - Exploitation
  - Remediation
- System Information Leak
  - How to Test for It
  - Remediation
- Path Manipulation
  - Impact
  - How to Test for It
  - Remediation
- Cross-Site Request Forgery
  - Exploitation
  - How to Test for It
  - Mitigation
- Hidden Field Manipulation
  - How to Test for It
  - Mitigation and Remediation
- Cookie Security
  - Exploitation
  - How to Test for It
  - Mitigation and Remediation
- Session and State Management
  - Exploitation
  - Mitigation
- Weak Access Controls
  - Access Control Violations
  - Exploitation
  - How to Test
  - Mitigation

Developing Securely for PCI DSS (Fundamental)

Description
Vulnerabilities in payment card security are a threat to everyone with a credit or debit card in their wallet. Every day, we effectively transmit highly personal and sensitive data about ourselves to strangers. If all goes well, only the intended recipients ever see our information. If not, the results can be disastrous. Hence the critical role of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides guidance to organizations that collect, process, transmit, or store cardholder data. In this course, you will learn about PCI DSS: the data it is intended to secure, its requirements, how to incorporate those requirements into code, and how to avoid common mistakes that can make your software vulnerable to attack.

Course Themes
- Introduce the data protection requirements of the PCI DSS
- Put PCI DSS requirements into the context of a secure SDLC
- Explain the secure development guidance outlined in the PCI DSS
- Examine why sensitive data in memory is of particular concern and present techniques to force its release from memory

Learning Objectives
- Recognize which software security defects are addressed by PCI
- Strategize and utilize discovery methods for protecting sensitive cardholder data based on PCI guidance
- Recognize the role memory plays in the security of cardholders' personal information
- Utilize PCI-guided best practices to avoid common mistakes and ultimately develop more secure software

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with web programming environments and technologies
Prerequisites: Foundations of Software Security; OWASP Top 10
Duration: 1 Hour
Level: Introductory

Developing Securely for PCI DSS (Fundamental): Course Outline

Secure Coding Guidelines
- Introduction to the PCI DSS
- PCI DSS Requirement 6.5
- Software Security Vulnerabilities
- Secure Software Development Lifecycle
- Injection Flaws
- SQL Injection
- SQL Injection Exploitation
- SQL Injection Remediation
- Injection Mitigations
- Buffer Overflows
- Understanding Buffer Overflow
- Perform Proper Bounds Checking
- Beware of Non-null-terminated Strings
- Insecure Cryptographic Storage
- Testing for Insecure Cryptographic Storage
- Insecure Communications
- Common Pitfalls
- Improper Error Handling
- Stack Trace Example

All High Risk Vulnerabilities
- Cross-Site Scripting
  - Common Attacks
  - Testing for It
  - Mitigation and Remediation
- Improper Access Control
  - Java Code Example
  - Testing for It
  - Mitigation and Remediation
- Cross-Site Request Forgery
  - Testing for It
  - Mitigation and Remediation
- Broken Authentication and Session Management
  - Exploitation
  - Common Broken Authentication Problems
  - Mitigation
  - Remediation

Protecting Data in Memory
- Sensitive Account Data
- Sensitive Data in Memory
- Data in Use
- Data in Use as an Asset
- Extracting Sensitive Data from RAM
- Managing Volatile Memory
- System-Level Extraction via Memory Dumps
- System-Level Mitigation
- Temporary Files in Memory
- Protect the Cache
- Forced Release of Sensitive Data
- OS-Level Volatile Data Release
- Garbage Collection
- Immutable Objects
- Secure Strings
- Secure Erase of Data After Use

Introduction to Cryptography for Developers and Architects (Fundamental)

Description
Cryptography is used to address issues of confidentiality, data integrity, data origin authentication, entity authentication, and non-repudiation. Although cryptography does not eliminate security issues, it does make them more manageable by reducing the task of protecting a large amount of data to a matter of protecting a relatively small key. This course discusses the use of cryptographic algorithms and techniques as they are typically applied within the practice of information security.

Course Themes
- Examine the security of various cryptographic primitives and protocols
- Describe important options to consider when choosing such primitives
- Provide a comprehensive overview of common mistakes and lessons learned when designing and implementing cryptographic controls

Learning Objectives
- Define cryptography and cryptographic primitives as they apply to software security practices
- Identify the most common cryptographic primitives and their respective purposes
- Identify common cryptography errors and how to avoid them
- Make appropriate design decisions when implementing cryptographic controls in the information security process

Intended Audience: Developers, Architects
Competencies: Familiarity with standard software design and development
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: 1 ½ Hours
Level: Introductory

Introduction to Cryptography for Developers and Architects (Fundamental): Course Outline

Cryptography and Cryptographic Primitives
- Uses of Cryptography
- Common Cryptographic Primitives

Encryption
- Symmetric vs. Asymmetric Encryption
- Common Types of Encryption
- Block Ciphers and Stream Ciphers
- Block Cipher Encryption Modes
- Initialization Vectors
- Block Cipher Padding Modes
- Common Types of Asymmetric Key Encryption

Hash Functions
- Cryptographic Hash Functions
- Algorithms and Uses
- Protecting Data Integrity

Message Authentication Codes (MAC)
- Common Functions and Algorithms
- How it Works
- Problem and Solution

Digital Signatures
- Digital Signature Algorithms
- Problem and Solutions

Putting It All Together
- SSL

Security of Cryptographic Primitives and Protocols
- Cryptographic Primitive/Protocol Security
- Security of Algorithms Over Time
- Security Over Time
- Lessons Learned
- Choosing Your Cryptographic Primitives
- Typical Attackers and Attacks
- Criminals
- Kiddies/Amateur Hackers
- Crime/Dedicated Hackers
- Researchers
- Government Agencies

Common Mistakes and Lessons Learned
- TI Digital Signature Transponder Case Study
- GSM Security
- Content Scrambling System
- Wired Equivalent Privacy
- Secure Sockets Layer
- Cryptographic Algorithms Implementation Case Study
- Using WEP
- Using Cryptography
- Future of Cryptography

Secure Password Storage (Defensive Strategies)

Description
This course introduces popular approaches to user password protection and storage, analyzing their common weaknesses and the properties that help schemes resist attack. By learning to evaluate password storage schemes through the properties of their building blocks (hashes, salts, and algorithms), you will be able to properly evaluate password storage options in your development framework and to articulate the trade-offs between modern schemes. At course end, you will be able to select and, through configuration, harden your application's password storage scheme, or select a suitable replacement that best meets your application's needs.

Learning Objectives
- Evaluate current best practice solutions for secure password storage
- Recognize that attackers have sophisticated cracking resources
- Discuss how currently adopted password storage solutions are insecure
- Show why current solutions do not prevent user passwords from being revealed to an attacker
- Discuss the password security pros and cons of algorithms like bcrypt/scrypt
- Propose an alternate approach to strengthening current password security solutions

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: None
Prerequisites: None
Duration: 1 Hour
Level: Intermediate

Secure Password Storage (Defensive Strategies): Course Outline

Password Storage Overview
- Introduction
- Password Storage Defined
- The Bumpy Road
- Password Storage Risk
- Two Basic Rules
- Risks Revealed

Simple Hashes
- Introduction
- What is a Hash Function
- Hash Function Properties
- Example Hash Function
- Risk of Hash Function
- Rainbow Tables
- Rainbow vs. Lookup Tables
- Conclusion

Salted Hashes
- Introduction
- Salted Hash Definition
- Benefits of Salted Hashes
- Risks of Salted Hashes
- Salted Hashes Best Practices
- Conclusion

Keyed Hash Functions
- Introduction
- Defining HMACs
- HMAC Password Storage
- Benefits of HMAC
- HMAC Considerations
- Implementation Challenges
- Implementation Recommendations
- Conclusion

Adaptive Hash Functions
- Introduction
- What is an Adaptive Hash?
- Benefits of Adaptive Hashes
- Adaptive Hash Protection
- Examples of Adaptive Hash
- Considerations
- Recommendations
- Conclusion

Foundations of JavaScript and HTML5 Security (Language-Specific)

Description
HTML5, the fifth revision of the HTML standard, and its integration with JavaScript introduce new security risks that developers must mitigate when writing web front-end code. This course introduces common security vulnerabilities and how they can be exploited to damage a web application. It prepares you for Defensive Programming for JavaScript and HTML5 by explaining the client-side code attack surface so you can easily recognize the errors that can put an overall system at risk.

Course Themes
- Introduce the web application attack surface
- Define common security issues found in web applications
- Describe the risks associated with key features of HTML5 and JavaScript
- Explain specific aspects of browser security architecture that impact how you use key features of HTML5 and JavaScript

Learning Objectives
- Confidently discuss how client-side code bases have the potential to introduce security issues
- Describe the impact of HTML5 and JavaScript within the context of browser security
- Recognize the risks associated with HTML5, JavaScript, and related technologies as they pertain to client-side security concepts

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with web programming
Prerequisites: Foundations of Software Security; OWASP Top 10
Duration: ¾ Hour
Level: Intermediate

Foundations of JavaScript and HTML5 Security (Language-Specific): Course Outline

The Web Application Attack Surface

Web Browser Security
- Sandboxing
- The Same Origin Policy
- Intentionally Bypassing the Same Origin Policy

Common Web Security Issues
- Cross-Site Scripting
- Client-Side Trust Issues
- Cross-Site Request Forgery
- Information Disclosure
- Cross-Domain Issues

HTML5 Features and Associated Risks
- What is HTML5?
- Cross-Origin Resource Sharing
- Web Storage
- Iframe Sandboxing
- Media Elements
- Browser History Management
- Drag and Drop Functionality
- SVG and Canvas Support
- Geolocation Functionality
- WebSocket API
- Web Messaging and Web Workers

JavaScript Features and Associated Risks
- Including and Executing JavaScript
- JavaScript Frameworks and Libraries
- Defining Sources and Sinks
- Manipulating the DOM

Security Risks in Supporting Technologies
- JSON
- JSONP

Foundations of Java Platform Security (Language-Specific)

Description
The Java platform offers a powerful, versatile, and robust foundation for creating distributed applications. The platform's specific architecture and security model set it apart from other environments. On the one hand, the platform provides developers and architects with a multitude of security features that can be leveraged to create resilient applications. On the other hand, some aspects of the Java platform have negative security implications that software developers must be aware of in order to avoid significant security issues.

Course Themes
- Clearly define the Java platform security model and the security advantages of the Java programming language
- Explain common security issues inherent to the Java platform
- Describe the built-in features that can be leveraged to design and develop secure Java applications

Learning Objectives
- Describe the security-related aspects of the Java platform
- Utilize the Java platform security model to sandbox Java applications
- Mitigate inherent risks of Java platform features based on security best practices

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the Java programming language
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: ¾ Hour
Level: Intermediate

Foundations of Java Platform Security (Language-Specific): Course Outline

The Java Security Architecture
- The Java Security Model
- The Bytecode Verifier
- The Class Loader
- The Security Manager

Security Features of the Java Platform
- Security Advantages of the Language
- Automatic Memory Management
- Code Signing
- Application Sandboxing
- Code-Centric Access Control
- Permissions
- Protection Domains and Security Policies
- Security Managers and Access Controllers
- Access Controller Algorithm

Cryptography
- The Java Cryptographic Architecture (JCA)
- Cryptographic Services
- The JCA API

Other Security Services
- Java Authentication and Authorization Services
- Public-Key Infrastructure
- Channel Security

Risks Inherent to the Java Platform
- Immutable Strings
- The doPrivileged() Function
- The Java Native Interface (JNI)
- Introspection

Foundations of .NET Platform Security (Language-Specific)

Description
The .NET platform serves as a powerful framework for developing a wide range of applications, from rich websites and desktop applications to versatile shared libraries and embedded systems. The platform's specific architecture and unique security model set it apart from other environments. While these traits offer developers and architects a variety of enhancements to the capabilities of their applications, they also introduce specific risks from an application security perspective.

Course Themes
- Clearly define the .NET platform security model
- Describe fundamental components of the .NET platform and the security implications of each
- Explain common security issues inherent in key features of the platform, along with mitigation strategies for each

Learning Objectives
- Identify the .NET framework components and related concepts
- Identify and strategize the use of .NET security features
- Identify limitations for each security feature
- Implement security processes into the development of .NET applications based on best practices

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the .NET platform and .NET programming languages such as C#.NET
Prerequisites: Foundations of Software Security; OWASP Top 10 or Attack and Defense
Duration: ¾ Hour
Level: Intermediate

Foundations of .NET Platform Security (Language-Specific): Course Outline

The .NET Security Architecture
- The .NET Security Model
- Common Language Runtime (CLR)
- Application Domains
- Common Type System (CTS)
- Automatic Memory Management
- Exception Handling
- Code Access Security (CAS)
- Walking the Stack
- Security Constructs
- Security Transparency Model
- .NET Framework Class Library (FCL)
- System.Net

Cryptography
- Cryptographic Service Providers
- Supported Cryptographic Primitives
- Cryptographic APIs

Additional Features of the Platform
- Secure Features
- Strong Naming
- Code Signing
- Security Advantages of .NET Programming Languages
- Synchronization Mechanisms
- Risky Features
- Immutable Strings
- Interaction with Unmanaged Code
- Reflection

Foundations of PHP Security (Language-Specific)

Description
PHP has evolved significantly from its insecure early versions into a robust and trustworthy language. However, many of the fundamentally insecure features remain in common use today. PHP developers must familiarize themselves with common security vulnerabilities and how they can be exploited to damage a web application. This course prepares you for Defensive Programming for PHP by explaining the attack surface so you can easily recognize the errors that can put an overall system at risk.

Course Themes
- Describe the risks inherent to the PHP programming language
- Explain common vulnerabilities affecting PHP applications and web applications as a whole
- Demonstrate the risks resulting from insecure PHP configuration

Learning Objectives
- Identify the risks inherent to the PHP programming language
- Explain the risks resulting from insecure PHP configurations
- Distinguish between common vulnerabilities that affect PHP applications

Intended Audience: Developers, QA Engineers, Architects, Application Security Specialists
Competencies: Familiarity with the PHP programming language
Prerequisites: Foundations of Software Security; OWASP Top 10
Duration: ¾ Hour
Level: Intermediate

Foundations of PHP Security (Language-Specific): Course Outline

General PHP Security Concerns
- Lack of Sandboxing
- Local File Inclusion
- Unsafe PHP Functions
- Unsafe PHP Configuration
- NULL Byte Issues
- PRNG in PHP
- .inc File Extension

Dynamic Code
- Risk Description
- Dynamic Variables
- Dynamic Functions
- Array Functions
- Uninitialized Variables

Common Web Vulnerabilities in PHP Applications
- Cross-Site Scripting
- SQL Injection
- Cross-Site Request Forgery

Other Issues
- Mail Injection
- XML Injection
- LDAP Injection

Foundations of COBOL Security (Language-Specific)
½ Hour, Intermediate

Description
All software, in any development and execution environment, is subject to intrusion. This is certainly true of the COBOL mainframe environment. This course is designed to help you recognize how COBOL design and implementation errors can introduce risk in your organization, so you can mitigate these risks while coding.

Course Themes
- Introduce software security concepts with respect to the COBOL environment
- Demonstrate how design and implementation errors in software development can expose systems to risk
- Expose and correct common myths about system security in the COBOL environment
- Investigate the relationship between typical COBOL programming errors and a taxonomy of system security vulnerabilities

Learning Objectives
- Discuss how COBOL errors may expose systems to security risks
- Summarize the main COBOL security myths
- Map COBOL programming errors to common vulnerability classifications

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Understanding of COBOL development

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense

Foundations of COBOL Security (Language-Specific)
Course Outline

The Cost of (In)Security
- T.J. Maxx
- America Online (AOL)
- Global Payments
- Elantis

Typical COBOL System Assets
- Sensitive Information
- Sensitive Functionality

Properties of a Secure System
- Confidentiality
- Integrity
- Availability

Types of System Intrusion
- Malware
- Unauthorized Access
- Misuse of Authorized Privileges
- Bugs versus Flaws

COBOL Security Myths
- Recognizing the Myths
- Clearing the Myths
- Stuxnet: Implications for COBOL
- Trust Boundaries

A Taxonomy for Software Security Errors
- Input Validation and Data Representation
- API Abuse
- Security Features
- Time and State
- Error Handling
- Code Quality
- Encapsulation
- Environment

Defensive Programming for Python and Django (Language-Specific)
1 ½ Hours, Advanced

Description
Django is a web framework built on Python that allows developers to quickly build web applications in a familiar MVC architecture. While the Django project treats security as a first-class citizen, there are still pitfalls to be aware of when writing web applications using Django. This course focuses on teaching defensive programming techniques for safely using Python and Django.

Course Themes
- Demonstrate methods to secure data flow by consistently applying input validation and output encoding techniques
- Introduce secure methods to ensure permissions are applied at the right level of granularity for authorization
- Introduce and explain common security assessment approaches

Learning Objectives
- Recognize Django as a web development framework
- Implement Django configuration in a secure fashion
- Implement proper authentication and authorization
- Recognize best practices for secure session management
- Strategize the prevention of injection attacks

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Basic knowledge of computer and operating system architecture
- Basic knowledge of the software development lifecycle
- Basic knowledge of Python

Prerequisites
- Foundations of Software Security
- OWASP Top 10

Defensive Programming for Python and Django (Language-Specific)
Course Outline

Introduction to Python
- Python Overview
- Django Overview

Authentication
- Authentication Overview
- Missing and Broken Authentication
- Client-Side Authentication
- Authentication Factors and Multi-Factor Authentication
- Authentication in Django
- User Authentication and Access Restriction
- Brute Force Attack Protection

Authorization
- Authorization Overview
- Vertical and Horizontal Privilege Escalation
- Forceful Browsing
- Authorization in Django
- Django Permissions

Session Management
- Session Management Overview
- Session ID Attacks: Brute Force and Fixation
- Network Sniffing
- Session Management in Django
- Persistent and Cookie-Based Sessions
- Cryptographic Signing

Validation and Encoding
- Input Validation and Output Encoding
- Injection, Path Traversal, and Open Redirect Attacks
- Best Protection Against Injection Attacks
- Input Validation and Output Encoding in Django
- Input, Field, and Form Validation
- Validation Methods and Errors
- Object-Role Modeling
- Object-Role Modeling in Django
- Adding Permissions to a Model and Modifying Permissions

SQL Injection Vulnerabilities in Django
- Django ORM Protection
- Insecure SQL Examples: raw(), connection.cursor(), extra()
- Protection from SQL Injection in Django
- Stored Procedures and Escaping User Input

Configuration
- Environment/Framework Configuration
- Environment/Framework Configuration for Django
- Environment-Specific Configuration
- Configuring Error-Handling Pages and Notifications
- Password Storage

Direct Attack Resistance
- Direct Attack Overview
- Cross-Site Request Forgery, Cross-Site Scripting, DOM-Based XSS, and Clickjacking
- Direct Attack Protection in Django
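The "Insecure SQL Examples" and "Protection from SQL Injection in Django" items above come down to one distinction: whether untrusted input is spliced into the SQL text or bound as a parameter. The following is an added example written for this catalog page, not Codiscope course material; it does not use Django. An in-memory sqlite3 database stands in for the database behind a raw() or connection.cursor() call, and the table rows and the attacker's input are constructed sample data.

```python
"""Added example: a string-built query beside a parameterized one.

Constructed for this catalog page; not Codiscope course code and not Django.
An in-memory sqlite3 database stands in for the database behind Django's
raw()/connection.cursor() calls. Table, rows and attacker input are made up.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_insecure(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the untrusted value is spliced into the SQL text.

    This is the shape of a raw()/cursor.execute() call whose query string was
    built with % or an f-string instead of passing params: the input is read
    by the database as SQL syntax, not as a value.
    """
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """FIXED: the value travels as a bound parameter and never becomes syntax.

    Django's raw(sql, params) and cursor.execute(sql, params) take the same
    shape: placeholder in the text, value in the params tuple.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed attacker input: closes the string literal, then adds an
# always-true clause so the WHERE filter matches every row.
ATTACK = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "insecure_rows": len(find_user_insecure(conn, ATTACK)),  # every row leaks
        "safe_rows": len(find_user_safe(conn, ATTACK)),          # no such user
        "safe_lookup": find_user_safe(conn, "bob"),              # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns all three rows for the crafted input because the quote in the input terminates the literal and the rest is parsed as SQL; the parameterized version returns none, since the whole string is compared as a single value. Escaping user input by hand (the "Stored Procedures and Escaping User Input" item) is the fallback for the rare case where a value cannot be bound, such as a table name; it is not a substitute for parameters where they are available.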

Defensive Programming for JavaScript and HTML5 (Language-Specific)
½ Hour, Advanced

Description
HTML5 and JavaScript introduce a new set of functionality to help developers create even more dynamic and feature-rich web applications. This functionality introduces its own set of security risks that needs to be carefully considered. Creating secure modern web applications requires that developers follow a set of defensive programming best practices for client-side storage, cross-domain communication, and secure I/O. This course focuses on teaching defensive programming techniques for safely using JavaScript, HTML5, and associated technologies such as JSON.

Course Themes
- Demonstrate methods to secure data flow by consistently applying input validation and output encoding techniques
- Introduce secure methods to store sensitive data and secure cross-domain communications
- Prescribe the secure usage of features such as cross-origin resource sharing (CORS), iframe sandboxing, and web storage
- Introduce and explain common security assessment approaches

Learning Objectives
- Confidently apply HTML5, JavaScript, and JSON defensive programming techniques
- Apply JSON defensive programming techniques
- Evaluate common approaches for selecting defensive programming techniques

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Familiarity with web programming languages, specifically JavaScript or HTML

Prerequisites
- Foundations of Software Security
- OWASP Top 10
- Foundations of JavaScript and HTML5 Security

Defensive Programming for JavaScript and HTML5 (Language-Specific)
Course Outline

Storage of Sensitive Data

Secure Cross-Domain Communications
- Validating Message Origin and Data
- Enforcing a Strict CORS Policy
- Weak CORS Policy
- Fixing the CORS Policy
- Properly Sandboxing iframes

Other Cross-Domain Considerations
- window.name for Messaging
- Fragment Identifier Messaging
- document.domain Property
- WebSocket Origin Header

Implementing Secure Dataflow
- Understanding Dataflow
- Performing Input Validation
- White-Listing, Black-Listing, and Rostering
- Encoding Output

Additional Strategies for Preventing Malicious JavaScript
- Setting Cookies as HttpOnly
- JSON-Related Best Practices

Common Assessment Approaches
- Secure Code Review
- Dynamic Analysis
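The "Weak CORS Policy" and "Fixing the CORS Policy" items above are about what the server sends back for a request's Origin header, so the contrast can be shown in the server-side code that computes those headers. The following is an added example written for this catalog page, not Codiscope course material, and is in Python rather than JavaScript. The allowlisted origins and the test origins are constructed values, and allows_credentialed_read() is a deliberately simplified model of the browser's decision, not a browser implementation.

```python
"""Added example: a weak (origin-reflecting) CORS policy beside a strict one.

Constructed for this catalog page; not Codiscope course code. The allowlist and
the origins below are made up, and allows_credentialed_read() is a simplified
model of the browser-side check, not a browser implementation.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme + host [+ port]) this API trusts.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_weak(origin: str) -> Dict[str, str]:
    """WEAK: reflect whatever Origin the browser sent and allow credentials.

    Any site can now make a victim's browser issue cookie-authenticated
    requests to this API and read the responses, which is exactly what the
    same-origin policy was supposed to prevent. This pattern often appears
    because a bare "*" is refused by browsers when credentials are allowed,
    so the developer "fixes" it by echoing the Origin instead.
    """
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin: Optional[str]) -> Dict[str, str]:
    """STRICT: emit CORS headers only for an exact, allowlisted origin.

    The comparison is on the whole origin string, so both
    https://app.example.com.evil.net (a suffix/prefix match attack) and
    http://app.example.com (scheme downgrade) are rejected. A request with no
    Origin header gets no CORS headers at all; same-origin requests don't need them.
    """
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A real Origin is scheme://host[:port] with nothing after it. Anything
    # else (path, query, fragment, userinfo) is malformed and is rejected.
    if (parts.scheme != "https" or parts.path or parts.query
            or parts.fragment or "@" in parts.netloc):
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the response depends on Origin, so one allowed origin's
        # headers are never served from cache to a different origin.
        "Vary": "Origin",
    }


def allows_credentialed_read(headers: Dict[str, str], origin: str) -> bool:
    """Simplified model of the browser: may a script running at `origin`
    read a credentialed response carrying these headers?"""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evil.example.net",
              "https://app.example.com.evil.net", "http://app.example.com"):
        print(o,
              "weak:", allows_credentialed_read(cors_headers_weak(o), o),
              "strict:", allows_credentialed_read(cors_headers_strict(o), o))
```

The weak policy grants a credentialed read to every origin, including https://evil.example.net; the strict policy grants it only to the two allowlisted origins and returns nothing for look-alike hosts, the plain-http variant, or a missing Origin. The same exact-match discipline applies to the "WebSocket Origin Header" item in the outline, since the WebSocket handshake is not subject to CORS and the Origin check is the only thing the server has.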

Defensive Programming for JavaEE Web Applications (Language-Specific)
2 ½ Hours, Advanced

Description
JavaEE-based applications are prone to the vulnerabilities common to all enterprise applications. Due to the characteristics of the platform, JavaEE applications can also be affected by a set of very specific issues that do not apply to other environments. This course focuses on teaching defensive programming techniques for safely using JavaEE to thwart attacks and reduce the risk of information breaches.

Course Themes
- Review the basic constructs of the Java platform as they pertain to software security
- Outline secure ways of handling errors, data input, and data output
- Illustrate common security errors and how they might appear in your source code
- Recommend best practices for engineering security features

Learning Objectives
- Apply best practices when developing software to avoid common security coding errors
- Identify ways in which JavaEE vulnerabilities can be exploited
- Identify multiple secure alternatives to fix common security bugs in code
- Recognize more security errors when reviewing source code, either manually or using automated code scanning tools
- Eliminate or mitigate security coding errors in your products with increased efficiency

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Familiarity with Java and JSP programming

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense
- Foundations of Java Platform Security

Defensive Programming for JavaEE Web Applications (Language-Specific)
Course Outline

Introduction
- Software Vulnerability Growth
- The Software Security Challenge

Understanding the Platform
- Language Considerations
- Memory Management Features
- Garbage Collection

Framework Security Model
- Java Security Model
- Dangers of doPrivileged()
- Security Manager Best Practices

Identity and Session Management
- Authentication
- Authorization
- Session Management

Injection Attacks
- Data and Control Vectors
- Command Injection
- Input Validation
- Regular Expressions
- Unicode Mishandling
- Output Encoding
- HTML and URL Encoding in Practice
- Input Validation Theory and Flow

Injection Attacks and Remediation
- SQL Injection
- Cross-Site Scripting
- XML Attacks
- Log Injection
- Path Manipulation
- Cross-Site Request Forgery
- Client-Side Trust

Determinism and Concurrency
- Accessing Resources
- Understanding TOCTOU Problems
- Reliable Locking Schemes
- Random Numbers and Temporary Files

Safe Error Handling and Logging
- Error and Exception Handling
- Programmatic Checks and Assertions
- Assertion Schemes
- Numeric Data Types
- Audit Logging
- Information Leakage and Debug Code

Cryptography
- Symmetric and Asymmetric Encryption
- Secure Hash Functions
- Message Authentication Codes and Digital Signatures
- Code Signing

Software Security in Operations
- Java Web Application Configuration
- Application Packaging
- Managing Key Material
- Secrets Inside Code
- Secret Encryption Key Exposure

Defensive Programming for PHP (Language-Specific)
1 Hour, Advanced

Description
PHP applications are prone to the vulnerabilities common to all web applications. Due to the characteristics of the platform, PHP applications can also be affected by a set of very specific issues that do not apply to other environments. This course focuses on teaching defensive programming techniques for safely using PHP in your web applications to thwart attacks and reduce the risk of information breaches.

Course Themes
- Introduce defensive programming and configuration techniques for PHP-specific security issues
- Demonstrate methods to secure web application data flow
- Prescribe ways to protect against cross-site request forgery
- Recommend effective tactics to implement secure SQL access, secure file upload and access, password handling, and secure PHP configuration

Learning Objectives
- Apply defensive programming techniques to mitigate PHP-specific security issues
- Apply defensive techniques to mitigate common web vulnerabilities
- Implement system access based on best practices
- Implement secure configuration based on best practices
- Confidently architect PHP applications securely

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists

Competencies
- Understanding of the PHP programming language

Prerequisites
- Foundations of Software Security
- OWASP Top 10
- Foundations of PHP Security

Defensive Programming for PHP (Language-Specific)
Course Outline

Input Validation
- Bad Code
- How to Do It
- White-Listing, Black-Listing, and Rostering
- PHP Functions for Input Validation
- Better Code

Output Encoding
- Bad Code
- Implementing Secure Output Encoding
- Select the Proper Encoding Scheme
- Encoding Caveats

Cross-Site Request Forgery
- Description
- Mitigation
- CSRF Protection

Secure SQL Access
- SQL Injection Issues
- Mitigation Approach
- Better Code

System Command Handling

Error Handling
- Information Disclosure and Failing Insecurely
- Mitigation Approach

File Upload and File Access
- Insecure File Handling
- Secure File Upload
- Secure File Access
- Fixing Code

Password Handling in PHP

PHP Configuration Best Practices
- Weak Configuration
- SQL Access Secure Settings
- Good Configuration

Defensive Programming for C# for ASP.NET (Language-Specific)
2 ½ Hours, Advanced

Description
This course provides developers with a strong foundation in software security as it relates to the implementation of applications. It includes detailed examples and illustrates best practices for developers as they build their applications. It does this with a combination of structured theory, animated demonstrations, technical deep-dives, and illustrated explanations. It connects the habit of building security in through proven programming practices and explains common security-related problems in detail so that software engineers can avoid them.

Course Themes
- Review the basic constructs of the .NET platform as they pertain to software security
- Outline secure ways of handling errors, data input, and data output
- Illustrate common security errors and how they might appear in your source code
- Recommend best practices for engineering security features

Learning Objectives
- Confidently discuss the latest in secure coding best practices, and how they may apply to your organization
- Identify common C# coding mistakes that impact application security
- Recognize security errors when reviewing source code manually or using automated code scanning tools
- Eliminate or mitigate security coding errors in your products with increased efficiency

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists
- Code Auditors

Competencies
- Fluency in C# development
- Understanding of component design

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense

Defensive Programming for C# for ASP.NET (Language-Specific)
Course Outline

Introduction
- Software (In)Security: The Problem
- Software Vulnerability Growth

Understanding the Platform
- Language Considerations
- How .NET Features Help Security
- Memory Management in .NET
- Support for Arrays Larger than 2 GB

Framework Security Model
- CLR Security Mechanisms
- Code Access Security
- Browser Security Model
- Strong Naming

Identity and Session Management
- Authentication
- Authorization
- Session Management
- Cookie Security

Input Validation
- Regular Expressions
- Unicode Mishandling
- Output Encoding
- Input Validation Flow and Theory

Injection Attacks and Remediation
- SQL Injection
- Cross-Site Scripting
- XML Injection
- Log Injection
- Directory Traversal
- Other Attacks

Determinism and Concurrency
- Accessing Resources
- Acting on Resource Properties
- Reliable Locking Schemes
- The lock Keyword
- Random Numbers
- Temporary Files

Safe Error Handling and Logging
- Error and Exception Handling
- Audit and Debug Logging
- Information Leakage
- Debug Code
- Numeric Errors

Cryptography
- Symmetric and Asymmetric Key Encryption
- Secure Hash Functions
- Message Authentication Codes and Digital Signatures
- Code Signing

Software Security in Operations
- .NET Web Application Configuration
- Preventing Configuration Overrides
- Custom Errors
- Authentication and Authorization
- Code Access Security
- Managing Key Material
- Key Expiration
- Secrets Inside Code

Defensive Programming for C/C++ (Language-Specific)
2 ½ Hours, Advanced

Description
This course provides developers with a strong foundation in software security as it relates to the implementation of applications. It includes detailed examples and illustrates best practices for developers as they build their applications. It does this with a combination of structured theory, animated demonstrations, technical deep-dives, and illustrated explanations. It connects the habit of building security in through proven programming practices and explains common security-related problems in detail so that software engineers can avoid them in their own work.

Course Themes
- Review the basic constructs of the C/C++ platform as they pertain to software security
- Outline secure ways of handling errors, data input, and data output
- Illustrate common security errors and how they might appear in your source code
- Recommend best practices for engineering security features

Learning Objectives
- Identify ways C and C++ can be exploited in order to work towards building more secure code
- Confidently discuss the latest in secure coding best practices, and how they may apply to your organization
- Recognize security errors when reviewing source code manually or using automated code scanning tools
- Compare multiple secure alternatives for fixing common security bugs

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists
- Code Auditors

Competencies
- Fluency in C or C++ development
- Understanding of component design

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense

Defensive Programming for C/C++ (Language-Specific)
Course Outline

Introduction
- Software (In)Security: The Problem
- Software Vulnerability Growth
- The Software Security Challenge

Handling Input and Output
- Software Systems Are Data Pumps
- Managing Size and Content
- Buffer Overflow
- Low-Level Data Representation
- Data Types
- Integer Overflow
- Interfacing with a Database
- Handling User Content
- Data Filtration Strategies
- Filtering to Cleanse Input in Practice
- Character Representation and Output Encoding

Determinism and Concurrency
- Acting on Resource Properties
- TOCTOU
- Synchronization Primitives
- Locking Schemes
- Shared System Resources
- Temporary Files
- Random Numbers

Executing External Programs
- Command Injection
- Process Initialization

Control Plane vs. Data Plane
- Data and Control Vectors
- Injection Attacks Confuse Control and Data
- Log Injection
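"Log Injection" appears in the JavaEE, C#/ASP.NET and C/C++ outlines above, and the C/C++ outline files it under "Injection Attacks Confuse Control and Data": in a line-oriented log, a newline in an untrusted field is control, not data, and lets the attacker write records that nobody wrote. The following is an added example written for this catalog page, not Codiscope course material, and is in Python rather than Java, C# or C. The log format, the attacker's username and the resulting log lines are constructed sample data, and parse_records() is a constructed stand-in for whatever consumer later reads the log.

```python
"""Added example: log injection, its neutralization, and why it matters to a consumer.

Constructed for this catalog page; not Codiscope course code. The record format,
the attacker-controlled username and the parser are all made up for the demo.
"""
from typing import Dict, List

# Constructed record format. The untrusted field is deliberately last so the
# consumer can take "everything after user=" as the value (see parse_records).
FORMAT = "[{level}] login result={result} user={user}"

# Constructed attacker input: a username that carries a newline followed by a
# forged record claiming a successful admin login.
ATTACK_USER = "guest\n[INFO] login result=success user=admin"

# Characters Python's str.splitlines() treats as record boundaries besides CR/LF.
_UNICODE_BREAKS = "\x85\u2028\u2029"


def log_line_unsafe(level: str, user: str, result: str) -> str:
    """VULNERABLE: control characters in `user` become record boundaries."""
    return FORMAT.format(level=level, result=result, user=user)


def neutralize(field: str) -> str:
    """Rewrite anything that could be read as record structure as a visible escape.

    CR/LF end a record; other C0 controls (and DEL) can corrupt terminals and
    parsers; \\x85, \\u2028 and \\u2029 are line boundaries to Python's splitlines().
    The bytes stay in the log, which is what forensics wants, but can no longer act.
    """
    out = []
    for ch in field:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in _UNICODE_BREAKS:
            out.append("\\u%04x" % ord(ch))
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def log_line_safe(level: str, user: str, result: str) -> str:
    """FIXED: untrusted fields are neutralized before they reach the log."""
    return FORMAT.format(level=level, result=result, user=neutralize(user))


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Constructed consumer: one record per line; the user field is the rest of the line."""
    records = []
    for line in log_text.splitlines():
        level, _event, result_kv, user_kv = line.split(None, 3)
        records.append({
            "level": level.strip("[]"),
            "result": result_kv.split("=", 1)[1],
            "user": user_kv.split("=", 1)[1],
        })
    return records


def admin_successes(log_text: str) -> int:
    """What an analyst or SIEM rule would count: successful logins by 'admin'."""
    return sum(1 for r in parse_records(log_text)
               if r["user"] == "admin" and r["result"] == "success")


def demo() -> dict:
    """Write the same failed guest login both ways and see what the consumer believes."""
    unsafe = log_line_unsafe("WARN", ATTACK_USER, "failure")
    safe = log_line_safe("WARN", ATTACK_USER, "failure")
    return {
        "unsafe_records": len(parse_records(unsafe)),        # 2: the forged record is real to the consumer
        "unsafe_admin_successes": admin_successes(unsafe),   # 1: a login that never happened
        "safe_records": len(parse_records(safe)),            # 1
        "safe_admin_successes": admin_successes(safe),       # 0
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. First, neutralization keeps the attacker's bytes rather than dropping them, so the attempt itself is visible in the log. Second, escaping newlines is only sufficient here because the untrusted field is last and the consumer reads it as the remainder of the line; with several untrusted fields, or a space-delimited parser, the field separator is also a control character and the value needs a real quoting format (a JSON-encoded string is the usual choice) rather than character-by-character escaping.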

Defensive Programming for COBOL (Language-Specific)
½ Hour, Advanced

Description
Building on the Foundations of COBOL Security course, this module explores specific defensive programming techniques to create secure COBOL programs. The course follows a well-established software security vulnerability taxonomy to walk students through a set of defensive programming best practices that are applicable to the COBOL environment. The vision behind the course is to teach secure developer behaviors that follow the principle of defense in depth and will help prevent COBOL programs from being the weakest link in the enterprise security chain. Among other techniques covered, the course discusses COBOL-specific methods for input validation, secure database interactions, secure error handling, and proper resource synchronization.

Course Themes
- Demonstrate methods to ensure secure input validation and data representation in your applications
- Recommend best practices to avoid code quality issues
- Outline implementation strategies for error handling and other security features

Learning Objectives
- Confidently discuss the guiding principles for secure design
- Apply best-practice COBOL defensive programming techniques
- Confidently discuss the software security touchpoints for COBOL programs

Intended Audience
- Developers
- QA Engineers
- Architects
- Application Security Specialists
- Code Auditors

Competencies
- Understanding of COBOL development

Prerequisites
- Foundations of Software Security
- OWASP Top 10 or Attack and Defense
- Foundations of COBOL Security


More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 www.securityinnovation.com TEAM Academy Catalog 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 TEAM ACADEMY OVERVIEW 2 Table of Contents TEAM Academy Overview... 4 TEAM Professor Overview... 4 Security Awareness and

More information

SECURITY EDUCATION CATALOGUE

SECURITY EDUCATION CATALOGUE SECURITY EDUCATION CATALOGUE i ii TABLE OF CONTENTS Introduction 2 Security Awareness Education 3 Security Awareness Course Catalogue 4 Security Awareness Course Builder 7 SAE Print Material 8 Secure Code

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp. Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Summary of the SEED Labs For Authors and Publishers

Summary of the SEED Labs For Authors and Publishers SEED Document 1 Summary of the SEED Labs For Authors and Publishers Wenliang Du, Syracuse University To help authors reference our SEED labs in their textbooks, we have created this document, which provides

More information

Learning Course Curriculum

Learning Course Curriculum Learning Course Curriculum Security Compass Training Learning Curriculum. Copyright 2012. Security Compass. 1 It has long been discussed that identifying and resolving software vulnerabilities at an early

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

MANAGED SECURITY TESTING

MANAGED SECURITY TESTING MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Common Criteria Web Application Security Scoring CCWAPSS

Common Criteria Web Application Security Scoring CCWAPSS Criteria Web Application Security Scoring CCWAPSS Author Frédéric Charpentier, security pentester. France. Fcharpentier@xmcopartners.com Releases Version 1.0 : First public release September 2007 Version

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Workday Mobile Security FAQ

Workday Mobile Security FAQ Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Gateway Apps - Security Summary SECURITY SUMMARY

Gateway Apps - Security Summary SECURITY SUMMARY Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference

More information

Onegini Token server / Web API Platform

Onegini Token server / Web API Platform Onegini Token server / Web API Platform Companies and users interact securely by sharing data between different applications The Onegini Token server is a complete solution for managing your customer s

More information

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security

More information

Certified Secure Web Application Secure Development Checklist

Certified Secure Web Application Secure Development Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill

More information

D. Best Practices D.1. Assurance The 5 th A

D. Best Practices D.1. Assurance The 5 th A Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) TECHNOLOGY TRANSFER PRESENTS KEN VAN WYK Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) info@technologytransfer.it www.technologytransfer.it

More information

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

Information Security. Training

Information Security. Training Information Security Training Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Cyber Security & Data Privacy. January 22, 2014

Cyber Security & Data Privacy. January 22, 2014 Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

More information

Why should I care about PDF application security?

Why should I care about PDF application security? Why should I care about PDF application security? What you need to know to minimize your risk Table of contents 1: Program crashes present an opportunity for attack 2: Look for software that fully uses

More information

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS

More information

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard Corporate Policies & Procedures Section 1: General Administration Document

More information

Interactive Application Security Testing (IAST)

Interactive Application Security Testing (IAST) WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,

More information