IQSOFT - John Brice Oktatóközpont
ENGEDÉLYEZETT KÉPZÉSEK

Secure coding master course for banking and finance

Tanfolyam célja

"Money makes the world go round....” – remember? And yes: it is your responsibility to secure all that. As a fintech company you have to take up the challenge, and beat the bad guys with bomb-proof, secure applications!

If there is a domain where security is critical, it is definitely fintech. Vulnerability is not an option if you want to stay a trusted and reliable vendor with systems and applications that certainly comply with PCI-DSS requirements. You need devoted secure coders with high-level professional attitude and developers eager to fight all coding problems: yes, you need a skilled team of software engineers.

Want to know why? Just for the record: even though IT security best practices are widely available, 90% of security incidents stem from common vulnerabilities as a result of ignorance and malpractice. So, you better keep loaded in all possible ways with up to date knowledge about secure coding – unless you wanna cry!

We offer a training program exclusively targeting engineers developing applications for the banking and finance sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the banking industry – engaging participants in live hacking fun to reveal all consequences of insecure coding.

  •     Understand basic concepts of security, IT security and secure coding
  •     Understand special threats in the banking and finance sector
  •     Understand regulations and standards
  •     Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  •     Learn about XML security
  •     Learn how to set up and operate the deployment environment securely
  •     Learn client-side vulnerabilities and secure coding practices
  •     Have a practical understanding of cryptography
  •     Understand the requirements of secure communication
  •     Understand essential security protocols
  •     Understand some recent attacks against cryptosystems
  •     Understand security concepts of Web services 
  •     Learn about JSON security
  •     Learn about typical coding mistakes and how to avoid them
  •     Get information about some recent vulnerabilities in the Java framework
  •     Learn about denial of service attacks and protections
  •     Get practical knowledge in using security testing techniques and tools
  •     Get sources and further readings on secure coding practices
Tematika
  •     IT security and secure coding
  •     Special threats in the banking and finance sector
  •     Regulations and standards
  •     Web application security (OWASP Top Ten 2017)
  •     Client-side security
  •     Security architecture
  •     Requirements of secure communication
  •     Practical cryptography
  •     Security protocols
  •     Crypto libraries and APIs
  •     Input validation
  •     Security of Web services
  •     Improper use of security features
  •     Object-relational mapping (ORM) security
  •     Improper error and exception handling
  •     Time and state problems
  •     Code quality problems
  •     Denial of service
  •     Security testing techniques
  •     Principles of security and secure coding
  •     Knowledge sources  

1. IT security and secure coding

  •         Nature of security
  •         What is risk?
  •         IT security vs. secure coding
  •         From vulnerabilities to botnets and cybercrime
    •             Nature of security flaws
    •             Reasons of difficulty
    •             From an infected computer to targeted attacks
  •         Classification of security flaws
    •             Landwehr’s taxonomy
    •             The Seven Pernicious Kingdoms
    •             OWASP Top Ten 2017
    •             CWE/SANS top 25 most dangerous software errors
    •             SEI CERT secure coding standards

    Special threats in the banking and finance sector

  •         Banking and finance threats – trends
  •         Banking and finance threats – some numbers
  •         Attacker model
  •         Most significant targets
  •         Industry and regulatory response to threats
  •         Attacker tools and vectors

    Regulations and standards

  •         The fintech cybersecurity regulatory / compliance landscape
  •         Important regulations from an IT standpoint
  •         Managing sensitive data
  •         Breach disclosure obligations
  •         PCI DSS compliance
    •             PCI DSS at a glance
    •             The main assets protected by PCI-DSS
    •             Requirements
    •             Requirement 6 – Develop and maintain secure systems and applications
      •                 6.1 – Identifying vulnerabilities, risk management
      •                 6.2 – Patching
      •                 6.3 – Secure software development
      •                 6.4 – Policies and procedures
      •                 6.5 – Train developers in secure coding best practices
      •                 6.6 – Security assessment and attack detection
      •                 6.7 – Documentation and enforcement

    Web application security (OWASP Top Ten 2017)

  •         A1 - Injection
    •             Injection principles
    •             SQL injection
      •                 Exercise – SQL Injection
      •                 Exercise – SQL injection
      •                 Typical SQL Injection attack methods
      •                 Blind and time-based SQL injection
      •                 SQL injection protection methods
    •             Other injection flaws
      •                 Command injection
      •                 Case study – ImageMagick
  •         A2 - Broken authentication
    •             Session handling threats
    •             Session handling best practices
    •             Setting cookie attributes – best practices
    •             Case study – Authentication issues in Danish online banking
      •                 Danske Bank website debug mode information leak
      •                 Danske Bank session leakage and potential hijack vulnerability
      •                 Issues with the NemID centralized single sign-on scheme
  •         A3 - Sensitive data exposure
    •             Sensitive data exposure
    •             Case study – Distributed guessing attack against payment cards
      •                 Information leakage weaknesses in online payment systems
      •                 Practical guessing attack
      •                 Real-world exploitation and countermeasures
    •             Transport layer security
      •                 Enforcing HTTPS

2. Web application security (OWASP Top Ten 2017)

  •         A4 - XML external entity (XXE)
    •             XML Entity introduction
    •             XML bomb
    •             Exercise – XML bomb
    •             XML external entity attack (XXE) – resource inclusion
    •             XML external entity attack – URL invocation
    •             XML external entity attack – parameter entities
    •             Exercise – XXE attack
    •             Case study – XXE in Google Toolbar
    •             Case study – XXE in TGI Friday's ordering system
      •                 Identifying the vulnerability: JSON input processed as XML
  •         A5 - Broken access control
    •             Typical access control weaknesses
    •             Insecure direct object reference (IDOR)
    •             Exercise – Insecure direct object reference
    •             Protection against IDOR
    •             Case study – Facebook Notes
    •             Exercise – Authorization bypass
  •         A6 - Security misconfiguration
    •             Configuration management
    •             Hardening
    •             Patch management
    •             Configuring the environment
    •             Insecure file uploads
    •             Exercise – Uploading executable files
    •             Filtering file uploads – validation and configuration
  •         A7 - Cross-Site Scripting (XSS)
    •             Persistent XSS
    •             Reflected XSS
    •             DOM-based XSS
    •             Exercise – Cross Site Scripting
    •             Exploitation: CSS injection
    •             Exploitation: injecting the tag
    •             Exercise – HTML injection with base tag
    •             XSS prevention
  •         A8 - Insecure deserialization
    •             Deserialization basics
    •             Security challenges of deserialization
    •             From deserialization to code execution
    •             Issues with deserialization – JSON
  •         A9 - Using components with known vulnerabilities
    •             Vulnerability attributes
    •             Common Vulnerability Scoring System – CVSS
  •         A10 - Insufficient logging and monitoring
    •             Detection and response
    •             Logging and log analysis
    •             Intrusion detection systems and Web application firewalls

    Client-side security

  •         JavaScript security
  •         Same Origin Policy
  •         Cross Origin Resource Sharing (CORS)
  •         Exercise – Client-side authentication
  •         Client-side authentication and password management
  •         Protecting JavaScript code
  •         Exercise – JavaScript obfuscation
  •         Clickjacking
    •             Clickjacking
    •             Exercise – Do you Like me?
    •             Protection against Clickjacking
    •             Anti frame-busting – dismissing protection scripts
    •             Protection against busting frame busting
  •         AJAX security
    •             XSS in AJAX
    •             Script injection attack in AJAX
    •             Exercise – XSS in AJAX
    •             XSS protection in Ajax
    •             Exercise CSRF in AJAX – JavaScript hijacking
    •             CSRF protection in AJAX
  •         HTML5 security
    •             New XSS possibilities in HTML5
    •             HTML5 clickjacking attack – text field injection
    •             HTML5 clickjacking – content extraction
    •             Form tampering
    •             Exercise – Form tampering
    •             Cross-origin requests
    •             HTML proxy with cross-origin request
    •             Exercise – Client side include

    Security architecture

  •         (platform and technology dependent topics)
  •         Application level access control
    •             (permissions, sandboxing)
  •         User level access control   
  •         Authentication
  •         Authorization        

3. Requirements of secure communication

  •         Security levels
  •         Secure acknowledgment
    •             Malicious message absorption
      •                 Feasibility of secure acknowledgment
      •                 The solution: Clearing Centers
    •             Inadvertent message loss
  •         Integrity
    •             Error detection - Inadvertent message distortion (noise)
      •                 Modeling message distortion
      •                 Error detection and correction codes
    •             Authenticity - Malicious message manipulation
      •                 Modeling message manipulation
      •                 Practical integrity protection (detection)
    •             Non-repudiation
      •                 Non-repudiation
    •             Summary
      •                 Detecting integrity violation
  •         Confidentiality
    •             Model of encrypted communication
    •             Encryption methods in practice
    •             Strength of encryption algorithms
  •         Remote identification
    •             Requirements of remote identification
  •         Anonymity and traffic analysis
    •             Model of anonymous communication
    •             Traffic analysis
    •             Theoretically strong protection against traffic analysis
    •             Practical protection against traffic analysis
  •         Summary
    •             Relationship between the requirements

    Practical cryptography

  •         Cryptosystems
    •             Elements of a cryptosystem
  •         Symmetric-key cryptography
    •             Providing confidentiality with symmetric cryptography
    •             Symmetric encryption algorithms
    •             Block ciphers – modes of operation
  •         Other cryptographic algorithms
    •             Hash or message digest
    •             Hash algorithms
    •             SHAttered
    •             Message Authentication Code (MAC)
    •             Providing integrity and authenticity with a symmetric key
    •             Random numbers and cryptography
    •             Cryptographically-strong PRNGs
    •             Hardware-based TRNGs
  •         Asymmetric (public-key) cryptography
    •             Providing confidentiality with public-key encryption
    •             Rule of thumb – possession of private key
    •             The RSA algorithm
      •                 Introduction to RSA algorithm
      •                 Encrypting with RSA
      •                 Combining symmetric and asymmetric algorithms
      •                 Digital signing with RSA
  •         Public Key Infrastructure (PKI)
    •             Man-in-the-Middle (MitM) attack
    •             Digital certificates against MitM attack
    •             Certificate Authorities in Public Key Infrastructure
    •             X.509 digital certificate

    Security protocols

  •         Secure network protocols
  •         Specific vs. general solutions
  •         SSL/TLS protocols
    •             Security services
    •             SSL/TLS handshake
  •         Protocol-level vulnerabilities
    •             BEAST
    •             FREAK
    •             FREAK – attack against SSL/TLS
    •             Logjam attack
  •         Padding oracle attacks
    •             Adaptive chosen-ciphertext attacks
    •             Padding oracle attack
    •             CBC decryption
    •             Padding oracle example
    •             Lucky Thirteen
    •             POODLE

    Crypto libraries and APIs

4. Input validation

  •         Input validation concepts
  •         Integer problems
    •             Representation of negative integers
    •             Integer overflow
    •             Integer problem – best practices
      •                 Integer problem – best practices
    •             Case study – Integer overflow in the Stockholm Stock Exchange
      •                 Integer wraparound problem when purchasing stocks
  •         Path traversal vulnerability
    •             Path traversal mitigation
    •             Case study – Insufficient URL validation in LastPass
  •         Unvalidated redirects and forwards
  •         Log forging
    •             Some other typical problems with log files
  •         (some additional platform and technology dependent topics)

    Security of Web services

  •         SOAP security
    •             SOAP - Simple Object Access Protocol
    •             Transport layer security
    •             Message level security
  •         Security of RESTful web services
    •             Authentication with REST
    •             Authorization with REST
    •             Vulnerabilities in connection with REST
  •         XML security
    •             Introduction
    •             XML parsing
    •             XML injection
      •                 (Ab)using CDATA to store XSS payload in XML
      •                 Exercise – XML injection
  •         JSON security
    •             JSON parsing
    •             Embedding JSON server-side
    •             JSON injection
    •             JSON hijacking
    •             Case study – XSS via spoofed JSON element

    Improper use of security features

  •         Typical problems related to the use of security features
  •         Insecure randomness
  •         Case study – Tesco Bank fraud
    •             Fraud exploiting deterministic card number generation
  •         Password management
    •             Exercise – Weakness of hashed passwords
    •             Password management and storage
    •             Special purpose hash algorithms for password storage
    •             Case study – the Ashley Madison data breach
      •                 The loginkey token
      •                 Revealing the passwords with brute forcing
    •             Case study – Equifax account freeze PIN code generation
    •             Typical mistakes in password management
  •         Case study – Equifax password management issues

    Object-relational mapping (ORM) security

5. Improper error and exception handling

  •             Typical problems with error and exception handling
  •             Exercise – Information leakage through error reporting

        Time and state problems
        Code quality problems
        Denial of service

  •             DoS introduction
  •             Asymmetric DoS
  •             SSL/TLS renegotiation DoS
  •             Case Study – ReDos in Stack Exchange
  •             Hashtable collision attack
    •                 Using hashtables to store inputs
    •                 Hashtable collision

        Security testing techniques

  •             General testing approaches
  •             Source code review
    •                 Code review for software security
    •                 Taint analysis
    •                 Heuristic-based
    •                 Static code analysis
    •                     Static code analysis
  •             Testing the implementation
    •                 Dynamic security testing
    •                 Manual vs. automated security testing
    •                 Penetration testing
    •                 Stress tests
    •                 Fuzzing
      •                     Automated security testing - fuzzing
      •                     Challenges of fuzzing
    •                 Proxy servers and sniffers
      •                     Testing with proxies and sniffers
      •                     Packet analyzers and proxies
      •                     Exercise – Testing with proxy
    •                 Web vulnerability scanners
      •                     Exercise – Using a vulnerability scanner
      •                     SQL injection tools
      •                     Exercise – Using SQL injection tools

        Principles of security and secure coding

  •             Matt Bishop’s principles of robust programming
  •             The security principles of Saltzer and Schroeder
  •             SEI Cert top 10 secure coding practices

        Knowledge sources

  •             Secure coding sources – a starter kit
  •             Vulnerability databases

 

Kinek ajánljuk
Előfeltételek

Advanced desktop and Web application development

Kapcsolódó tanfolyamok