Web application security with SDL

CL-SDW
3 nap
210 000 Ft + ÁFA
tanfolyamkezdési időpontok:
Jelentkezem!
oktatók:

A tanfolyam célja

The course gives an insight into secure software design, development and testing through Microsoft Secure Development Lifecycle (SDL) with a focus on web application security. It provides a level 100 overview of the fundamental building blocks of SDL, followed by design techniques to apply to detect and fix flaws in early stages of the development process of web applications.

Dealing with the development phase, the course gives an overview of the typical security relevant programming bugs in web applications. In this it follows the OWASP Top Ten, but also introduces some client-side issues tackling Javascript security, Ajax and HTML5.

Attack methods are presented for the discussed vulnerabilities along with the associated mitigation techniques, all explained through a number of hands-on exercises providing live hacking fun for the participants. Introduction of different security testing methods is followed by demonstrating the effectiveness of various testing tools. Participants can understand the operation of these tools through a number of practical exercises by applying the tools to the already discussed vulnerable code.

  •     Understand basic concepts of security, IT security and secure coding
  •     Get known to the essential steps of Microsoft Secure Development Lifecycle
  •     Learn secure design and development practices
  •     Learn about secure implementation principles
  •     Learn client-side vulnerabilities and secure coding practices
  •     Learn about XML security
  •     Learn about JSON security
  •     Learn about denial of service attacks and protections
  •     Understand security testing methodology
  •     Get sources and further readings on secure coding practices

Tematika

  •     IT security and secure coding
  •     Introduction to the Microsoft® Security Development Lifecycle (SDL)
  •     Secure design principles
  •     Secure implementation principles
  •     Client-side security
  •     XML security
  •     JSON security
  •     Denial of service
  •     Secure verification principles
  •     Principles of security and secure coding
  •     Knowledge sources

1. IT security and secure coding

  •         Nature of security
  •         What is risk?
  •         IT security vs. secure coding
  •         From vulnerabilities to botnets and cybercrime
    •             Nature of security flaws
    •             Reasons of difficulty
    •             From an infected computer to targeted attacks
  •         Classification of security flaws
    •             Landwehr’s taxonomy
    •             The Seven Pernicious Kingdoms
    •             OWASP Top Ten 2017

    Introduction to the Microsoft® Security Development Lifecycle (SDL)

  •         Agenda
  •         Applications under attack...
    •             Cybercrime Evolution
    •             Attacks are focusing on applications
    •             Most vulnerabilities are in smaller ISV apps
  •         Origins of the Microsoft SDL...
    •             Security Timeline at Microsoft...
    •             Which apps are required to follow SDL?
  •         Microsoft Security Development Lifecycle (SDL)
    •             Microsoft Security Development Lifecycle (SDL)
    •             Pre-SDL Requirements: Security Training
    •             Phase One: Requirements
    •             Phase Two: Design
    •             Phase Three: Implementation
    •             Phase Four: Verification
    •             Phase Five: Release
    •             Post-SDL Requirement: Response
    •             SDL Process Guidance for LOB Apps
    •             SDL Guidance for Agile Methodologies

    Secure design principles

  •         Attack surface
    •             Attack surface reduction
    •             Attack surface – an example
    •             Attack surface analysis
    •             Attack surface reduction – examples
  •         Privacy
    •             Privacy
    •             Understanding Application Behaviors and Concerns
  •         Defense in depth
    •             SDL Core Principle: Defense In Depth
    •             Defense in depth – example
  •         Least privilege principle
    •             Least privilege – example
  •         Secure defaults
    •             Secure defaults – examples

    Secure implementation principles

  •         Microsoft Security Development Lifecycle (SDL)
  •         Input validation
    •             Input validation concepts
    •             Integer problems
      •                 Representation of negative integers
      •                 Integer overflow
      •                 Exercise IntOverflow
      •                 What is the value of Math.Abs(int.MinValue)?
      •                 Integer problem – best practices
      •                 Case study – Integer overflow in .NET
  •         Buffer overflow basics
    •             Intel 80x86 Processors – main registers
    •             The function calling mechanism in C/C++ on x86
    •             The local variables and the stack frame
    •             Stack overflow
      •                 Buffer overflow on the stack
      •                 Overwriting the return address

2. Secure implementation principles

  •         SQL injection
    •             Exercise – SQL Injection
    •             Exercise – SQL injection
    •             Typical SQL Injection attack methods
    •             Blind and time-based SQL injection
    •             SQL injection protection methods
  •         Other injection flaws
    •             Command injection
    •             Command injection exercise – starting Netcat
  •         Broken authentication - password management
    •             Exercise – Weakness of hashed passwords
    •             Password management and storage
    •             Special purpose hash algorithms for password storage
    •             Case study – the Ashley Madison data breach
      •                 The loginkey token
      •                 Revealing the passwords with brute forcing
  •         Cross-Site Scripting (XSS)
    •             Persistent XSS
    •             Reflected XSS
    •             DOM-based XSS
    •             Exercise – Cross Site Scripting
    •             Exploitation: CSS injection
    •             Exploitation: injecting the tag
    •             Exercise – HTML injection with base tag
    •             XSS prevention
    •             Output encoding API in C#
    •             XSS protection in ASP.NET – validateRequest
    •             Web Protection Library (WPL)

    Client-side security

  •         JavaScript security
  •         Same Origin Policy
  •         Cross Origin Resource Sharing (CORS)
  •         Exercise – Client-side authentication
  •         Client-side authentication and password management
  •         Protecting JavaScript code
  •         Exercise – JavaScript obfuscation
  •         Clickjacking
    •             Clickjacking
    •             Exercise – Do you Like me?
    •             Protection against Clickjacking
    •             Anti frame-busting – dismissing protection scripts
    •             Protection against busting frame busting
  •         AJAX security
    •             XSS in AJAX
    •             Script injection attack in AJAX
    •             Exercise – XSS in AJAX
    •             XSS protection in Ajax
    •             Exercise CSRF in AJAX – JavaScript hijacking
    •             CSRF protection in AJAX
  •         HTML5 security
    •             New XSS possibilities in HTML5
    •             HTML5 clickjacking attack – text field injection
    •             HTML5 clickjacking – content extraction
    •             Form tampering
    •             Exercise – Form tampering
    •             Cross-origin requests
    •             HTML proxy with cross-origin request
    •             Exercise – Client side include
  •         Practical cryptography
    •             Providing confidentiality with symmetric cryptography
    •             Symmetric encryption algorithms
    •             Block ciphers – modes of operation
    •             Hash or message digest
    •             Hash algorithms
    •             Message Authentication Code (MAC)
    •             Providing integrity and authenticity with a symmetric key
    •             Providing confidentiality with public-key encryption
    •             Rule of thumb – possession of private key
    •             Typical mistakes in password management
    •             Exercise – Hard coded passwords
    •             Conclusion

3. XML security

  •         Introduction
  •         XML parsing
  •         XML injection
    •             (Ab)using CDATA to store XSS payload in XML
    •             Exercise – XML injection
  •         Abusing XML Entity
    •             XML Entity introduction
    •             XML bomb
    •             Exercise – XML bomb
    •             XML external entity attack (XXE) – resource inclusion
    •             XML external entity attack – URL invocation
    •             XML external entity attack – parameter entities
    •             Exercise – XXE attack
    •             Preventing entity-related attacks
  •         Case study – XXE in Google Toolbar
  •         XML Signature
    •             XML Signature introduction
    •             XML Signature structure
    •             Hash collision with XML Digital Signature
    •             XML canonicalization
    •             Signing XML documents – spot the bug!
    •             XML Signature Wrapping (XSW) attack
    •             XML Signature Wrapping – countermeasures

    JSON security

  •         JSON parsing
  •         Embedding JSON server-side
  •         JSON injection
  •         JSON hijacking
  •         Case study – XSS via spoofed JSON element

    Denial of service

  •         DoS introduction
  •         Asymmetric DoS
  •         SSL/TLS renegotiation DoS
  •         Regular expression DoS (ReDoS)
    •             Exercise ReDoS
    •             ReDoS mitigation
    •             Case Study – ReDos in Stack Exchange
  •         Hashtable collision attack
    •             Using hashtables to store inputs
    •             Hashtable collision
    •             Hashtable collision in ASP.NET

    Secure verification principles

  •         Functional testing vs. security testing
  •         Security vulnerabilities
  •         Prioritization – risk analysis
  •         Security in the SDLC
  •         Security assessments in various SDLC phases
  •         Steps of test planning (risk analysis)
  •         Scoping and information gathering
    •             Stakeholders
    •             Assets
    •             Security objectives for testing
  •         Threat modeling
    •             Attacker profiles
    •             Threat modeling
    •             Threat modeling based on attack trees
    •             Threat modeling based on misuse/abuse cases
    •             Misuse/abuse cases – a simple example
    •             SDL threat modeling
    •             The STRIDE threat categories
    •             Diagramming – elements of a DFD
    •             Data flow diagram – example
    •             Threat enumeration – mapping STRIDE to DFD elements
    •             Risk analysis – classification of threats
    •             The DREAD risk assessment model
  •         Security testing techniques and tools
    •             General testing approaches
  •         Source code review
    •             Code review for software security
    •             Taint analysis
    •             Heuristic-based
  •         Static code analysis
    •             Static code analysis
    •             Exercise – Using static code analysis tools
  •         Testing the implementation
    •             Dynamic security testing
    •             Manual vs. automated security testing
    •             Penetration testing
    •             Stress tests
  •         Fuzzing
    •             Automated security testing - fuzzing
    •             Challenges of fuzzing
  •         Web vulnerability scanners
    •             Exercise – Using a vulnerability scanner
  •         Deployment environment
    •             Vulnerability repositories
    •             Common Vulnerability Scoring System – CVSS
    •             Vulnerability scanners
  •         Case study – Forms Authentication Bypass
    •             NULL byte termination vulnerability
    •             The Forms Authentication Bypass vulnerability in the code
    •             Exploiting the Forms Authentication Bypass

    Principles of security and secure coding

  •         Matt Bishop’s principles of robust programming
  •         The security principles of Saltzer and Schroeder

    Knowledge sources

  •         Secure coding sources – a starter kit
  •         Vulnerability databases
  •         .NET secure coding guidelines at MSDN
  •         .NET secure coding cheat sheets
  •         Recommended books – .NET and ASP.NET

Kinek ajánljuk

Előfeltételek

Basic software development

Kapcsolódó tanfolyamok



Ajánlja másoknak is!