KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Transcription

1 TECHNOLOGY TRANSFER PRESENTS KEN VAN WYK Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) info@technologytransfer.it

2 FUNDAMENTALS OF SECURE CODING AND HOW TO BREAK SOFTWARE ABOUT THIS SEMINAR Everyone whether they write protocols or internal processes is responsible for using secure programming techniques to minimize the adverse effects of attacks, test the code for software security and know how to fix the software for security. This 3 Part, 5 day class delivers the best of all the Software Security classes and more. It includes items that are classed as defensive in nature (e.g. checking error return codes before using, other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items how to prevent attacks and a step by step process to fix software and lastly provides Solutions and Counter Measures to protect your code. Lastly, its about the Web as the Internet's killer app. Web servers are the target of choice for hackers. 97% of all Web applications are vulnerable and better network security isn't the only answer. We will explore a model for Web application testing as Well as Web application concerns including accountability, availability, confidentiality and integrity. We will go well beyond the OWASP 10 to look at 19 specific Web application attacks including attacking the client, state, data and the server WHO SHOULD ATTEND Software Testers Software Developers Development and Test Managers Security Auditors and anyone involved in software production for resale or internal use will find it valuable Information Security and IT Managers Information Assurance Programmers Information Security Analysts and Consultants Internal Auditors and Audit Consultants QA Specialists The participants are kindly requested to bring their laptop with wireless connection capability.

3 OUTLINE PART A 1. Introduction to Software Security Common Software Coding and Design Errors and Flaws Students will learn about the range of software development errors and flaws that create application security, reliability, availability and confidentiality failures. Specifically in this section we will deal with those vulnerabilities that are common across language implementations (C, C++ and Java). For each vulnerability type, the course will cover real-world examples illustrated in code - of failures along with methods to find, fix and prevent each type of flaw. System-Level Accepting Arbitrary Files as Parameters; Default or Weak Passwords; Permitting Relative and Default Paths Offering Administrative, Software and Service Back Doors; Dynamic Linking and Loading; Shells, Scripts and Macros Data Issues Parsing Problems Integer Overflows Information Disclosure Storing Passwords in Plain Text The Swap File and Incomplete Deletes Creating Temporary Files Leaving Things in Memory Weakly-Seeded Keys and Random Number Generation On the Wire Trusting the Identity of a Remote Host (Spoofing) Volunteering Too Much Information Proprietary Protocols Loops, Self References and Race Conditions Tools 2. Web Vulnerabilities The Web is different. We will address common Web vulnerabilities, how to find them, how to prevent them. Web Sites Cross Site Scripting; Forceful Browsing; Parameter Tampering; Cookie Poisoning; Trusting SSL; Hidden Field Manipulation; SQL Injection; Security on the Client; Trusting the Domain Security Model 3. Defensive Coding Principles This section is designed to educate developers and testers on the general principles of Secure Coding. This includes a historical perspective on software failure, when good design goes bad, and 18 defensive coding principles to live by. 4. Security Testing and Quality Assurance This includes the difference between functional and security testing, understanding and application's entry points, and spotting three classes of security bugs: dangerous inputs, rigged environment and logic vulnerabilities. PART B Gathering Information on the Target How Web apps are built Attack 1: Looking for information in HTML comments Attack 2: Guessing filenames and directories Attack 3: Vulnerabilities in example applications Attacking the client The need for a rich UI Attack 4: Selections outside of ranges Attack 5: Client side validation Attacking State Why state is important Attack 6: Hidden fields Attack 7: Cgi parameters Attack 8: Cookies Attack 8: Forceful browsing Attack 9: Session hijacking Attacking Data Attack 10: Cross-site scripting Attack 11: SQL Injection Attack 12: Directory traversal Attack 13: Buffer overflows Attack 14: Canonicalization Attack 15: Null-string attacks

4 Attacking the Server Attack 17: SQL injection II stored procedures Attack 18: Command injection Attack 19: Fingerprinting the server Attack 20: Death by 1,000 cuts (DOS) Attack 19: Fake cryptography Attack 20: Breaking basic authentication Attack 21: Cross Site Tracing Web Services Moving to Web Services Common Attacks Constraints on input and output Attack 22: Web Services specific attacks Privacy Who you are, where have you been Methods for gathering data Tool support A review of Web security/vulnerability scanning tools Introduction to HolodeckWeb PART C A step by step methodology and models for effective software testing A plan for on-the-fly testing How to develop an insight to find those hard-to-find bugs How to attack Inputs and Outputs from the User Interface How to attack Data and Computation from the User Interface How to attack the File System Interface How to attack the Software/OS Interface How to use tools to inject faults for File System and OS testing Live vulnerability and exploit tour This is the core of the class. In this section, attendees will go through a wide range of software vulnerabilities and labs to show sample exploits of these vulnerabilities live. Labs include: cross-site scripting, SQL injection, buffer overflows, format string vulnerabilities, and many others software vulnerabilities. Attendees gain awareness and key insights into these vulnerability type, the ease with which the attacker community can exploit them and what to do to prevent these critical attacks. Tools and Threats The threat is growing and so is the number of tools that lower the bar for attackers. This section takes the attendees inside the underground world of the attacker tools. Thinking like the Attacker Threat Modeling. A critical step in securing software or system is to methodically think through threats. In this section we present several techniques for threat modeling and also walk the audience through the process of modeling threats against several systems. Incorporating Threats Into Software/System Design, Development, Testing and Deployment By thinking about threats at each stage of the development lifecycle, we can make software and systems that are more resilient to attack. Attendees will walk away with an introduction to tools and techniques to build security in. We sneek in Reverse Engineering too.

5 INFORMATION PARTICIPATION FEE 2500 The fee includes all seminar documentation, luncheon and coffee breaks. VENUE Residenza di Ripetta Via di Ripetta, 231 Rome (Italy) SEMINAR TIMETABLE 9.30 am pm 2.00 pm pm HOW TO REGISTER You must send the registration form with the receipt of the payment to: TECHNOLOGY TRANSFER S.r.l. Piazza Cavour, Rome (Italy) Fax within March 5, 2007 PAYMENT Wire transfer to: Technology Transfer S.r.l. Banca Intesa Sanpaolo S.p.A. Agenzia 3 di Roma Iban Code: IT-34-Y GENERAL CONDITIONS If anyone registered to participate is unable to attend, a substitute may participate in their place. A full refund is given for any cancellation received more than 15 days before the seminar starts. Cancellations less than 15 days prior the event are liable for 50% of the fee. Cancellations less than one week prior to the event are liable for the full fees as invoiced. In case of cancellation of the seminar, Technology Transfer s responsibility only applies to the refund of the participation fees which have already been forwarded. KEN VAN WIK FUNDAMENTALS OF SECURE CODING AND HOW TO BREAK SOFTWARE first name... surname... March 19-23, 2007 Residenza di Ripetta Via di Ripetta, 231 Rome (Italy) Registration fee: 2500 job title... organisation... address... postcode... Stamp and signature city... country... If registered participants are unable to attend, or in case of cancellation of the seminar, the general conditions mentioned before are applicable. telephone... fax Send your registration form with the receipt of the payment to: Technology Transfer S.r.l. Piazza Cavour, Rome (Italy) Tel Fax info@technologytransfer.it

6 SPEAKER Ken Van Wyk is an internationally recognized information security expert and author of the O Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions: as a monthly columnist for on-line security Portal, esecurityplanet and a Visiting Scientist at Carnegie Mellon University s Software Engineering Institute. Mr. Van Wyk has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. Mr.Van Wyk also served a two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Mr. Van Wyk was one of the founders of the Computer Emergency Response Team (CERT ).