Course Description:
This course teaches the basic principles of secure programming. It is aimed at every programmer or software developer who builds applications, in any programming language.
Course Topics:
Secure Programming Awareness
• Why Secure Coding + EXERCISE
Introduction to Secure Programming
• What is security?
• Security jargon + EXERCISE
• Threats
• STRIDE Method + EXERCISE
• Attack surface and Trust zones
• Web applications + DEMO
• HTTP Requests
• HTTP Responses + EXERCISE
• HTTP Header injections + EXERCISE
• Browser Security Model + EXERCISE
• Current state of web security
Authentication and Session Management
• Authentication + DEMO, EXERCISE
• Password storage + EXERCISE
• Managing lost passwords
• Sessions and cookies + DEMOS
• Cross-Site Request Forgery + EXERCISE
• Clickjacking
Handling Input
• Injection Attacks
• Subsystems and data flows
• User input & Trust + EXERCISE
• SQL injection + DEMOS, EXERCISES
• Input validation + EXERCISES
• Buffer overflows + DEMO, EXERCISE
• Cross-site Scripting (XSS) Attacks + DEMOS, EXERCISES
• File Uploads + EXERCISES
• Encoding + DEMO
• Second order injections
Authorization
• Checks
• Session Poisoning + EXERCISE
• Race conditions
Configuration, Error Handling, Logging
• 3rd Party components
• Configuration and hardening + DEMO
• Information Leaks
• Reduce attack surface
• Side channel attacks
• Error handling
• Denial of Service + EXERCISE
• Logging
Cryptography
• Man in the Middle attack
• Trusted 3rd party
• Threats
• General guidelines
Secure Software Engineering
• Assessment + EXERCISE
• SDLC and Security
• Requirements
• Threat modeling + EXERCISE
• Secure design
• STRIDE per element
• Architecture analysis + EXERCISE
• Secure coding + DEMO
• Security testing
Learning Goals:
• Understanding the various issues of insecure software
• Understanding how software vulnerabilities come into existence, how an attacker can exploit them, and what measures to take to counter this
• Understanding how to integrate security into the requirements, design, coding and testing phases of the software building process
Course Agenda:
Day 1
• Introduction
• Secure Programming Awareness
• Introduction to Secure Programming
• Authentication and Session Management
• Handling Input (1)
Day 2
• Handling Input (2)
• Authorization
• Configuration, Error Handling, Logging
• Cryptography
• Secure Software Engineering
Who Can Attend?
All software developers, lead programmers and software architects. The course is programming-language agnostic, so any developer can attend.