Our Security Education Curriculum PREPARED FOR ASPE TECHNOLOGY BY SI, INC. toll-free:

Transcription

1 Our Security Education Curriculum PREPARED FOR ASPE TECHNOLOGY BY SI, INC toll-free:

2 Security Training for Developers, Testers and Managers Security Innovation, Inc. 187 Ballardvale Street, Suite A170 Wilmington, MA November 2006

3 Table of Contents 1.0 Security Education Curriculum Map Information and Application Security Awareness Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits Architecting Secure Solutions Creating Secure Code Creating Secure Code Java Creating Secure Code Managed Code Creating Secure Code ASP.NET Quarterly Security Brown-Bag How to Break Software Security Security Testing Boot Camp How to Break Web Software Security /20

4 1.0 Security Education Curriculum Map GENERAL/BASELINE Title: Information and Application Security Awareness Duration: 2 hours Title: Attacker Techniques Exposed Duration: 1 day ARCHITECT DEVELOPER CORE CLASSES TESTER Title: Architecting secure solutions Title: Creating Secure Code Title: How to break software security Title: How to break software security Duration: 2 days Duration: 2 days Duration: 2 days Duration: 2 days EXAM EXAM EXAM Number of questions: 15 Number of questions: 15 Number of questions: 15 Format: Multiple choice questions Format: Multiple choice questions Format: Multiple choice questions Quaterly Security Brown Bag Duration: 2 hours Format: virtual ADVANCED/SPECIALIZED CLASSES DEVELOPER TESTER Title: Creating Secure Code Java Title: Creating Secure Code Managed Code Title: Creating Secure Code ASP.NET Title: How to break web software security Duration: 2 days Duration: 2 days Duration: 2 days Duration: 2 days EXAM EXAM EXAM EXAM Number of questions: 15 Number of questions: 15 Number of questions: 15 Number of questions: 15 Format: Multiple choice questions Format: Multiple choice questions Format: Multiple choice questions Format: Multiple choice questions 1 1 All classes are instructor-led unless specified otherwise. 3/20

5 2.0 Information and Application Security Awareness 2 Hour Live Course Lecture Only All Course Description This course explores the consequences of failure, examines the root cause of software vulnerabilities, assesses the true cost of software vulnerability and presents a model to integrate security into the organization. Course Outline Series of case studies/examples Introduces a series of case studies where security vulnerabilities have resulted in huge financial losses. These studies look beyond IT losses to broader consequences such as impact on stock value, remediation expense, reputation loss, liability, etc. The increasing reliance of software to manage sensitive data and systems In this section we assess the true reliance of businesses and critical systems on software and explore the consequences of failure. Most system vulnerabilities have their roots in software This section examines the threats that can be mitigated at the network layer as opposed to those that must be addressed in software. Software vulnerabilities have real costs and consequences to customers and vendors This section addresses the true cost of software vulnerability. Legislative requirements are also examined and attendees will take a tour through current and looming regulation challenges. Getting to the root of software vulnerabilities Most security problems are not in security-specific components; rather they are errors in general software routines and functions. Illustrative examples are shown. Looking forward: balancing security Security is a major concern, but principles must be applied in the context of other organizational goals. Security is also more than just technology. It spans policy, procedure, people and technology. This section looks forward to what can be done to integrate security into the organization and discusses strategies to build a culture of security. 4/20

6 3.0 Attacker Techniques Exposed: Threats, Vulnerabilities and Exploits 1 Day Live Course Lecture Only Manager, Developer, and Tester Course Description This course examines trends in software vulnerabilities, walks through several examples of security breaches, explores a wide range of live software vulnerabilities and introduces Threat Modeling techniques. Course Outline The true threat: insiders and outsiders The course begins by walking students through several examples of security breaches. The case studies will illustrate the broad range of threats that organizations face from both external attackers as well as insiders. For each attack scenario, we will go through the underlying flaws, exploits, vulnerabilities and consequences. Examine some trends in software vulnerabilities Over the years, the industry has seen some distinct trends emerge in vulnerabilities. One of the most interesting is the fact that attackers have moved their assaults to the application layer instead of the network layer. This section examines those trends in detail. Live vulnerability and exploit tour! This is the core of the course. In this section, attendees will go through a wide range of software vulnerabilities and the instructor will show sample exploits for these vulnerabilities live. This tour will span today s most pervasive vulnerabilities including cross-site scripting, SQL injection, buffer overflows, format string vulnerabilities, and many others. Attendees will gain awareness and key insights into these vulnerability types as well as the ease with which the attacker community can exploit them. Tools and threats The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the audience inside the underground world of the attacker and illustrates the range of tools available to adversaries. Thinking like the attacker: threat modeling A critical step in securing an application or system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems. Incorporating threats into software/system design, development, testing and deployment By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in. 5/20

7 4.0 Architecting Secure Solutions 2 Day Live Course Hands on and Lecture Developer Course Description This course discusses the four basic tenets of software security: Integrity, Availability, Privacy and Confidentiality. It highlights the need for them in the development process and sets the stage for specific techniques and technologies that enable secure software development. Course Outline Security Principles The fundamental principals of secure development are outlined. The content is sprinkled with examples not just in code but also with live demonstrations of the critical issues and failures. Defense in depth Policy compliance and implications (HIPAA, GLBA, BASLE II, SOX ) Least privilege Separation of duties Input validation Fail secure Security and usability Auditing and logging Prevent, detect and react Testing for security Evaluation and accreditation Designing tunable security levels weakest link Change control, change/configuration management Least exposure (only exposing what is needed) Secure initial configuration (security out of the box) Use available, well-tested security technologies don t invent your own Disclosing security capabilities and limitations The Business Context The role that security concerns and technologies play in product business decisions is discussed. Some of the tradeoffs are highlighted and also topics such as security estimation and metrics along with quantifiable risk assessment are touched on. Business requirements and security functionality How to make design decisions based on your business demands Methodologies and Techniques This section broadly discusses fundamental principals of secure design. This section will also provide background information to better frame the technologies section. Security management and administration Secure remote admin Inter-agent secure communication Identity Management Data in transit security Security design patterns 6/20

8 HA and Recovery techniques Technologies This section is designed to educate developers and testers on the technologies available to create more secure systems. The thrust of this section is to impart knowledge on constituent technologies that can essentially be plugged in to obtain a particular level of assurance. VPN Firewalls and proxies IDS Crypto PKI Hardening and lockdown tools Security patch currency analysis and update tools Vulnerability Assessment tools Anti virus Access control Smart cards Biometrics 7/20

9 5.0 Creating Secure Code 2 Day Live Course Hands on and Lecture Developer Course Description Everyone, whether they write protocols or internal processes is responsible for using secure coding techniques to minimize the adverse effects of attacks, whether those attacks are intentional or accidental. If a process deep in the bowels of a product crashes because it receives bad data or because a resource that should have been there was not, it is still a crash and reduces the availability of the product. Secure coding is the process of reducing the susceptibility of code to vulnerabilities either unintentional or intentional. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e,g. random number generation, encryption algorithms, etc.) Course Outline Introduction to Software Security Common Coding and Design Errors Students will learn about the range of software development errors that create application security, reliability, availability and confidentiality failures. Specifically in this section we will deal with those vulnerabilities that are common across language implementations (C, C++ and Java). For each vulnerability type, the course will cover real-world examples illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. System-Level Accepting Arbitrary Files as Parameters; Default or Weak Passwords; Permitting Relative and Default Paths Offering Administrative, Software and Service Back Doors; Dynamic Linking and Loading; Shells, Scripts and Macros Data Issues Parsing Problems Integer Overflows Information Disclosure Storing Passwords in Plain Text The Swap File and Incomplete Deletes Creating Temporary Files Leaving Things in Memory Weakly-Seeded Keys Random Number Generation On the Wire Trusting the Identity of a Remote Host (Spoofing) Volunteering Too Much Information Proprietary Protocols 8/20

10 Tools Loops, Self References and Race Conditions Web Vulnerabilities The web is different. We will address common web vulnerabilities, how to find them, how to prevent them. Web sites Cross Site Scripting Forceful Browsing Parameter Tampering Cookie Poisoning Trusting SSL Hidden Field Manipulation SQL Injection Security on the Client Trusting the Domain Security Model Defensive Coding Principles This section is designed to educate developers and testers on the general principles of secure coding, including: Historical perspective on software failure When good design goes bad 18 defensive coding principles to live by Security Testing and Quality Assurance The difference between functional and security testing Understanding an application's entry points Spotting three classes of security bugs: dangerous inputs, rigged environment and logic vulnerabilities Each section will have an in depth hands on lab 9/20

11 6.0 Creating Secure Code Java 2 Day Live Course Hands on and Lecture Developer Course Information This two day course presents the security features and pitfalls of the Java programming environment. Beginning with an investigation of the Java Virtual Machine and its security capabilities, we discuss bytecode, class loading and permissions. We then move on to discuss known Java vulnerabilities and how to properly handle cryptography. We conclude with Java coding best practices. The course content is mixed with hands-on examples, complementing the theoretical scope presentations. Course Outline 1. Platform Security a. How does Java work? b. JVM Security c. Class files d. Class loading e. Bytecode Verification f. Security Manager g. Access Control 2. Policies and Permissions a. Security Policy b. Permission class 3. Known Java Vulnerabilities a. Known Dangerous Functions in 1.5 b. Known Dangerous Functions in 1.4 c. Native Function Calls d. Insecure Component Reuse 4. Cryptography a. Java Security APIs b. Java Security Libraries c. Using JSSE d. Using JAAS e. Code Signing 5. Best Practices 10/20

12 7.0 Creating Secure Code Managed Code 2 Day Live Course Hands on and Lecture Developer Course Description This course gives developers an in-depth emersion into secure coding practices with an emphasis on system integration and solutions built around managed code. We will discuss in-depth: The principles of secure development. Common coding errors for native code, managed code and web apps. Defensive coding principles and how they can be used to develop more secure applications. Online resources that can help keep you up to date. Course Outline Windows Security Architecture 1. ACLS, DACLS, Privileges, and access control 2. Windows Cryptography 3. Tricks with memory 4. ActiveX 5. Code Access Security Common Coding Errors 1. Integer overflows 2. Not Validating User Input 3. Relative and default paths 4. Administrative, software and service back doors 5. Dynamic linking and loading 6. Storing sensitive data in plain text 7. Creating temporary files 8. Leaving things in memory 9. The swap file and incomplete deletes 10. Poorly implementing cryptography 11. Trusting libraries and OS APIs 12. Trusting the identity of a remote host 13. Information Disclosure 14. Buffer Overflows 15. String format vulnerabilities Managed Code Concerns 1. Issues 2. Where Managed Code Helps 3. Where Managed code hurts a. Less Control over memory 11/20

13 b. Decompilation c. Complacency 4. Tools a. Static Analysis Tools b. Dynamic Analysis tools c. Application Vulnerability Scanners d. Other Common Web Application Errors 1. Trusting Client-Side Validation 2. Cross Site Scripting 3. SQL Injection 4. Command Injection 5. Performance Issues / Denial of Service 6. Forceful Browsing 7. Session Hijacking 8. Server Fingerprinting 9. Disclosing too much information 10. Allowing Zero and One-Click Attacks Defensive Coding Principles 1. Secure the weakest link 2. Least privilege 3. Secure by default 4. Economy of mechanism 5. Complete mediation 6. Open design 7. Least common mechanism 8. Psychological acceptability 9. Fail Secure 10. Defense in Depth 11. Input validation 12. Compartmentalization 13. Don t reinvent the wheel 14. Learn from your mistakes 15. Least Exposure 16. Beware of backward compatibility 17. Don t mix code and data 18. Auditing and logging 19. Watch your resources Threat Modeling Secure Development Lifecycle Hands-on lab on implementing secure solutions using Managed Code 12/20

14 8.0 Creating Secure Code ASP.NET 2 Day Live Course Hands on and Lecture Developer Course Information This course gives developers an in-depth emersion into secure coding practices with an emphasis on system integration and solutions built around the ASP.NET technology. We will discuss in-depth: The principles of secure development. Common coding errors for native code, managed code and web apps. Defensive coding principles and how they can be used to develop more secure applications. Online resources that can help keep you up to date. Course Outline Common Coding Errors 1. Trusting the identity of a remote host 2. Poorly implementing cryptography 3. Not Validating User Input 4. Information Disclosure 5. Integer overflows 6. Relative and default paths 7. Administrative, software and service back doors 8. Dynamic linking and loading 9. Creating temporary files 10. Trusting libraries and OS APIs Windows Security Architecture 1. Windows Cryptography 2. Code Access Security Common Web Application Errors 1. Trusting Client-Side Validation 2. Cross Site Scripting 3. SQL Injection 4. Command Injection 5. Performance Issues / Denial of Service 6. Forceful Browsing 7. Session Hijacking 8. Server Fingerprinting 9. Disclosing too much information 10. Allowing Zero and One-Click Attacks Defensive Coding Principles 1. Secure the weakest link 13/20

15 2. Least privilege 3. Secure by default 4. Economy of mechanism 5. Complete mediation 6. Open design 7. Least common mechanism 8. Psychological acceptability 9. Fail Secure 10. Defense in Depth 11. Input validation 12. Compartmentalization 13. Don t reinvent the wheel 14. Learn from your mistakes 15. Least Exposure 16. Beware of backward compatibility 17. Don t mix code and data 18. Auditing and logging 19. Watch your resources Threat Modeling Secure Development Lifecycle Hands-on lab on implementing secure solutions in ASP.NET 14/20

16 9.0 Quarterly Security Brown-Bag 2 Hour Virtual Classroom Developer and Tester To ensure that security awareness and concern remain foremost in employees minds, that development and testing techniques have been internalized, and to enable any ongoing questions to be answered, we offer a quarterly brown-bag web presentation and conference call. This will provide insight into a specific current security issue and strengthen the ongoing security development and testing efforts. 15/20

17 10.0 How to Break Software Security 1 Day Live Course Lecture Only Tester 2 Day Live Course Hands on and Lecture Tester Course Information Learn how to recognize potential security holes before attackers do! This course is designed to give testers and developers the tools and techniques they need to help find security problems before their application is released. The course content is based on the first book to be published on the topic of application security testing: How to Break Software Security. This course will lay the foundation you need to effectively recognize and expose security flaws in software. It introduces a fault model to help testers conceptualize these types of bugs. The instructors will take you through a set of software attacks that have proven effective at exposing security bugs. You'll walk away with a full arsenal of software attacks to uncover security vulnerabilities in your software before hackers discover them for you. Course Outline Introduction Learn why security bugs are different from functional bugs in software Understand why security bugs are usually missed during functional testing Learn to recognize symptoms of insecure behavior in your software The Four Classes of Security Vulnerabilities Learn what a security bug really is Learn the four basic classifications of security vulnerabilities Assessing Risk Learn how to recognize the security threats to your application Get into the mind of the attacker and master the art of translating threats into malicious uses of your software Learn how to recognize potential security holes before attackers do An Overview of the Methodology of How to Break Software Security Learn how to determine which security attacks apply to your application Learn how to quickly develop Hack Cases for each attack, tailored to your application. Learn how to conduct an attack and recognize success Attacking Dependencies Learn 5 techniques that test that your application responds securely if a dependency were to fail Learn how memory, network, files, registry and other resources can cause your application to behave insecurely Learn how to simulate dependency failures in your application's environment using Fault Injection tools Attacking through the User Interface Learn about SQL injection, buffer overflows, escape characters, executable data and much more Learn about the most common security vulnerability in software and how to test for it 16/20

18 Learn the 3 testing techniques to expose security vulnerabilities in your software through the user interface Attacking Design Learn 7 testing techniques to expose vulnerabilities that can creep into an application at the design stage Understand why legacy code can create huge security holes Learn how inappropriate uses of temporary files and the registry can be manipulated to force insecure behavior Attacking Implementation Learn 4 techniques that can be used to expose vulnerabilities that exist because of implementation errors Recognize error messages that reveal sensitive information Learn about how timing related vulnerabilities work and how to expose them during testing. 17/20

19 11.0 Security Testing Boot Camp 3 Day Live Course Hands on and Lecture Tester Course Information This course is unique in the security industry. It is a follow on to the course How to Break Software Security. Instead of learning through just lecture and general hands on labs, this course walks the students through the security issues of the actual application that they are testing day in and day out. The objective of the intense security testing boot camp will be to find actual security vulnerabilities during the security testing initiative. Over the course of the security testing bootcamp the students will transform from top quality assurance testers into leading security testers with passion, knowledge and experience security testing their application. Pre-Course Self Study and Nightly Assignments Students will need to complete required reading and analyze how specific security issues correspond to their area of testing focus of the application. Security Briefings Each morning will start with a briefing on the security issues specific to the application. Application-specific security testing issues are discussed every morning and then immediately implemented against the application and throughout the day-long deep security testing sessions. Application-specific Security Testing Several days of intense hands-on security testing of the application is performed by the students. The class is broken into two-person teams who compete to find the most security defects by performing specific attacks on the sections of the product they typically perform QA testing. Corporate Requirements To achieve the required results, your company needs to provide access to a developer knowledgeable of the entire application, the complete threat model as well as details on past defects discovered in the application. This will enable a strategic attack plan to be created prior to the course that will be discussed and explained during the class. Additionally, your company needs to make sure the students do all pre-course reading and all nightly assignments. This will be an intense several days of security education and testing that will push each student as they evolve from top quality assurance testers into lead security testers. Prizes should be provided to the students for each security defect discovered with special prizes to the top three teams based on the number and severity of the security bugs they find. 18/20

20 12.0 How to Break Web Software Security 1 Day Live Course Lecture Only Tester 2 Day Live Course Hands on and Lecture Tester Course Information The web is the internet s killer app. This makes web servers a good target for hackers. In fact, 97% of all web applications are vulnerable. Why? Network security isn't the answer. We will explore a model for web application testing as well as web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP to 10, looking at 19 specific web application attacks including attacking the client, state, data and the server. Course outline Gathering information on the target How Web applications are built Attack 1: Looking for information in the HTML source and in error messages Attack 2: Guessing filenames and directories Attack 3: Finding vulnerabilities in 3 rd party components or server applications Attacking the client Attack 4: Bypass Attack 5: Client side validation Attacking State Why state is important Attack 6: Hidden fields Attack 7: Cgi parameters Attack 8: Cookie Poisoning Attack 8: Forceful browsing Attack 9: Session hijacking Attacking Data Attack 10: Cross-site scripting Attack 11: SQL Injection Attack 12: Directory traversal Attack 13: Buffer overflows Attack 14: Canonicalization Attack 15: Null-string attacks Attacking the server Attack 17: SQL injection II stored procedures Attack 18: Command injection Attack 19: Fingerprinting the server Attack 20: Denial of Service Attack 21: Fake cryptography Attack 22: Breaking authentication Attack 23: Cross Site Tracing 19/20

21 Privacy Attack 24: Forcing Weak Cryptography Introduction to privacy: who you are, where have you been Methods for gathering data Web services Intro to Web services Common Attacks Hands-on lab attacking a site full of vulnerabilities 20/20