Day 1
IT security and secure coding
Nature of security
What is risk?
IT security vs. secure coding
From vulnerabilities to botnets and cybercrime
- Nature of security flaws
- From an infected computer to targeted attacks
- The Seven Pernicious Kingdoms
- OWASP Top Ten 2017
Web application security
Injection
Injection principles
SQL injection
- Exercise – SQL injection
- Typical SQL Injection attack methods
- Blind and time-based SQL injection
- SQL injection protection methods
- Effect of data storage frameworks on SQL injection
Other injection flaws
- Command injection
- Case study – ImageMagick
HTTP parameter pollution
- Cookie injection/HTTP parameter pollution
- Exercise – Value shadowing
- Broken authentication
- Session handling threats
- Session handling best practices
- Session handling examples in different languages
- Setting cookie attributes – best practices
Cross site request forgery (CSRF)
- CSRF prevention
- CSRF prevention examples
XML external entity (XXE)
- XML Entity introduction
- XML external entity attack (XXE) – resource inclusion
- XML external entity attack – URL invocation
- XML external entity attack – parameter entities
- Exercise – XXE attack
- Preventing entity-related attacks
- Case study – XXE in Google Toolbar
Broken access control
- Typical access control weaknesses
- Insecure direct object reference (IDOR)
- Exercise – Insecure direct object reference
- Protection against IDOR
- Case study – Facebook Notes
Cross-Site Scripting (XSS)
- Persistent XSS
- Reflected XSS
- DOM-based XSS
- Exercise – Cross-Site Scripting
- XSS prevention
- XSS prevention tools
HTML5 security
- New XSS possibilities in HTML5
- HTML5 clickjacking attack – text field injection
- HTML5 clickjacking – content extraction
- Form tampering
- Exercise – Form tampering
- Cross-origin requests
- HTML proxy with cross-origin request
- Exercise – Client-side include
Insecure deserialization
- Serialization and deserialization basics
- Security challenges of deserialization
- Deserialization examples
- Denial-of-service via deserialization
- From deserialization to code execution
- POP payload targeting
- Real-world deserialization vulnerabilities
- Issues with alternative object deserialization methods
- Secure deserialization with FST
- Secure deserialization with Kryo
- Issues with deserialization – JSON
- Best practices against deserialization vulnerabilities
- Case study – XML deserialization in Apache Struts leading to RCE
Using components with known vulnerabilities
- Vulnerability attributes
- Common Vulnerability Scoring System – CVSS
Insufficient logging and monitoring
- Detection and response
- Logging and log analysis
- Intrusion detection systems and Web application firewalls
Day 2
Common coding errors and vulnerabilities
Input validation
Input validation concepts
Integer problems
- Representation of negative integers
- Integer overflow
- Exercise IntOverflow
- What is the value of Math.abs(Integer.MIN_VALUE)?
- Integer problem – best practices
Path traversal vulnerability
- Path traversal – weak protections
- Path traversal – best practices
Unvalidated redirects and forwards
Log forging
Some other typical problems with log files?
Improper use of security features
Typical problems related to the use of security features
- Password management
- Exercise – Weakness of hashed passwords
- Password management and storage
- Special purpose hash algorithms for password storage
- Argon2 and PBKDF2 implementations in Java
- bcrypt and scrypt implementations in Java
- Case study – the Ashley Madison data breach
- Typical mistakes in password management
- Exercise – Hard coded passwords
Accessibility modifiers
- Accessing private fields with reflection in Java
- Exercise Reflection – Accessing private fields with reflection
Exercise Scademy Pay – Integrity protection weakness
Improper error and exception handling
Typical problems with error and exception handling
- Empty catch block
- Overly broad throws
- Overly broad catch
- Using multi-catch
- Returning from finally block – spot the bug!
- Catching exceptions
- Exception handling – spot the bug!
- Exercise Scademy Pay – Error handling
Time and state problems
- Concurrency and threading
- Concurrency examples
- Omitted synchronization – spot the bug!
- Exercise – Omitted synchronization
- Incorrect granularity – spot the bug!
- Exercise – Incorrect granularity
- Deadlocks
- Avoiding deadlocks
- Exercise – Avoiding deadlocks
- Lock statement
Code quality problems
- Dangers arising from poor code quality
- Poor code quality – spot the bug!
- Unreleased resources
- Serialization – spot the bug!
- Exercise – Serializable sensitive
- Private arrays – spot the bug!
- Private arrays – typed field returned from a public method
- Exercise – Object hijacking
- Public method without final – object hijacking
- Immutable String – spot the bug!
- Exercise Immutable Strings
- Immutability and security
Principles of security and secure coding
- Matt Bishop’s principles of robust programming
- The security principles of Saltzer and Schroeder
Knowledge sources
- Secure coding sources – a starter kit
- Vulnerability databases
- Java secure coding sources
- .NET secure coding guidelines at MSDN
- .NET secure coding cheat sheets
- Recommended books – .NET and ASP.NET
- Recommended books – Java