Day 1
Security basics
What is security?
Threat and risk
Types of threats against computer systems
Consequences of insecure software
Constraints and the market
Bugs, vulnerabilities and exploits
Categorization of bugs
- Seven pernicious kingdoms
- Common Weakness Enumeration (CWE)
- CWE/SANS Top 25 Most Dangerous Software Errors
- SEI Cert Secure Coding Guidelines
- Vulnerabilities in the environment and the dependencies
The OWASP Top Ten
A1 - Injection
- Injection principles
- Injection attacks
- SQL injection
- SQL injection basics
- Lab – SQL injection
- Attack techniques
- Content-based blind SQL injection
- Time-based blind SQL injection
- SQL injection best practices
- Input validation
- Output encoding
- Parameterized queries
- Other best practices
- Lab – Using prepared statements in C#
- Case study – Hacking Fortnite accounts
- Code injection
- Command injection
- Lab – Command injection
- Command injection best practices
- Using Runtime.exec() in Java
- Using ProcessBuilder in Java
- Command injection best practices in C#
- Lab – Command injection best practices in C#
- Case study – Command injection
- Script injection
- Expression language injection
- Injection best practices
- Input validation
- Output sanitization
- Encoding and escaping the output
- Encoding challenges
A2 - Broken Authentication
- Authentication basics
- Authentication weaknesses
- Spoofing on the Web
- Case study – PayPal two factor authentication bypass
- User interface best practices
- Session management
- Session management essentials
- Why do we protect session IDs – Session hijacking
- Session ID best practices
- Insufficient session expiration
- Session fixation
- Cross-site Request Forgery (CSRF)
- Lab – Cross-site Request Forgery
- CSRF best practices
- Lab – CSRF protection with tokens
- Cookie security
- Cookie security best practices
- Cookie parameters
Day 2
The OWASP Top Ten
A2 - Broken Authentication
- Password management
- Inbound password management
- Storing account passwords
- Plaintext passwords at Facebook
- Lab – Why just hashing passwords is not enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Password in transit
- Password policy
- Weak and strong passwords
- Using passphrases
- Lab – Applying a password policy
- The Ashley Madison data breach
- The dictionary attack
- The ultimate attack
- Exploitation of the results and the lessons learnt
- Outbound password management
- Hard coded passwords
- Lab – Hardcoded password
- Password in configuration file
- Protecting sensitive information in memory
- Challenges in protecting memory
- Storing sensitive data in memory
- Storing sensitive data in memory in C#
- Lab – Storing sensitive data in memory with SecureString in C#
A3 - Sensitive Data Exposure
- Information exposure
- Exposure through extracted data and aggregation
- System information leakage
- Leaking system information
- Relying on accessibility modifiers
- Lab – Inappropriate protection by accessibility modifier
- Information exposure best practices
A4 - XML External Entities (XXE)
- DTD and the entities
- Entity expansion
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-side request forgery with external entities
- Lab – External entity attack
- Case study – XXE attack against some popular services
- Preventing XXE in Java
- Preventing XXE in C#
A5 - Broken Access Control
- Access control basics
- Missing or improper authorization
- Failure to restrict URL access
- Confused deputy
- Insecure direct object reference (IDOR)
- Lab – Insecure Direct Object Reference
- Authorization bypass through user-controlled keys
- Case study – Authorization bypass on Facebook
- File upload
- Unrestricted file upload
- Best practices
- Lab – Unrestricted file upload
A6 - Security Misconfiguration
- Configuration principles
- Server misconfiguration
- Configuration management
- Java related components – best practices
- Tomcat configuration
- NET and IIS configuration best practices
- NET configuration
- IIS configuration
A7 - Cross-site Scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- Persistent cross-site scripting
- Reflected cross-site scripting
- Client-side (DOM-based) cross-site scripting
- Case study – Yahoo mail stored XSS
- Lab – Reflected and stored XSS
- XSS protection best practices
- Protection principles - escaping
- Additional protection layers
- Client-side protection principles
- XSS protection APIs in Java
- XSS protection APIs in C#
- Request validation in ASP.NET
- Further XSS protection techniques in C#
- Lab – XSS best practices in C#
Day 3
The OWASP Top Ten
A8 - Insecure Deserialization
- Serialization and deserialization challenges
- Deserializing untrusted streams
- Deserializing best practices
- Using ReadObject in Java
- Sealed objects
- Look ahead deserialization
- Property Oriented Programming (POP)
- POP best practices
- Lab – Creating POP payload
A9 - Using Components with Known Vulnerabilities
- Using vulnerable components
- Assessing the environment
- Hardening
- Importing functionality from untrusted sources
- Case study – The British Airways data breach
- Vulnerability management
- Patch management
- Vulnerability databases and scanning tools
- Vulnerability rating – CVSS
- Lab – Finding vulnerabilities of used components
- The build process and CI / CD
- Dependency checking in Maven
- Dependency checking in Cake
- Lab – Detecting vulnerable components during the build
A10 - Insufficient Logging & Monitoring
- Logging and monitoring principles
- Logging
- Insufficient logging
- Logging best practices
- Java logging best practices
- Monitoring
- Monitoring best practices
Web application security beyond the Top Ten
- Client-side security
- Same Origin Policy
- Simple request
- Preflight request
- Bypassing the Same Origin Policy
- Cross-origin resource sharing
- Frame sandboxing
- Clickjacking
- Clickjacking protection best practices
- Lab - Clickjacking
- JavaScript hijacking
Common software security weaknesses
Input validation
- Input validation principles
- Blacklists and whitelists
- Validation with regex
- What to validate – the attack surface
- When to validate – validation vs transformations
- Where to validate – defense in depth
- Server-side vs. client-side validation
- Integer handling
- Representing signed numbers
- Integer visualization
- Integer problems
- Integer overflow
- Lab – Integer overflow
- Signed / unsigned confusion
- Signed / unsigned confusion in Java
- Lab – Signed / unsigned confusion
- Integer truncation
- Best practices
- Upcasting
- Precondition testing
- Postcondition testing
- Using big integer libraries
- Integer handling in Java
- Lab – Integer handling in Java
- Integer handling in C#
- Lab – Checked arithmetics in C#
- Other numeric problems
- Division by zero
- Working with floating-point numbers in Java
- Unsafe reflection
- Reflection without validation
- Lab – Unsafe reflection
- Unsafe native code
- Native code dependence
- Lab – Unsafe JNI
- Some other input validation problems
Security features
- Java platform security
- The Java programming language and runtime environment
- Type safety and security
- Security features of the JRE
- The ClassLoader and the BytecodeVerifier
- Application-level access control in Java
- Permissions and the Security Manager
- Privilege best practices
- Lab – Working with permissions in Java
- Role-based access control
- Java Authentication and Authorization Services (JAAS)
- Protecting Java code and applications
- Code signing
Day 4
Common software security weaknesses
Security features
- .NET platform security
- Code Access Security
- Evidences
- Permissions
- The Stack Walk
- Lab – Code Access Security
- The transparency model
- Best practices
- Lab – Experimenting with the transparency model
- Role-based security
- Principal and identity
- Role-based permissions
- Impersonation
- Lab – Role-based security
- Protecting .NET code and applications
- Code signing
Time and state
- Thread management best practices
- Thread management best practices in Java
- Thread Pools
- Thread management best practices in C#
- Race conditions
- Race condition in object data members
- Singleton member fields
- Lab – Singleton member fields
- File race condition
- Time-of-check-to-time-of-usage (TOCTTOU)
- Lab - TOCTTOU
- Insecure temporary file
- Database race conditions
- Lab – Database race conditions
- Avoiding race conditions in Java
- Avoiding race conditions in C#
- Mutual exclusion and locking
- Deadlocks
- Mutual exclusion and locking in Java
- Lab – Locking in Java
- Mutual exclusion and locking in C#
- Lab – Locking in C#
- Synchronization and thread safety
- Synchronization and thread safety in Java
- Synchronization and thread safety in C#
Errors
- Error and exception handling principles
- Error handling
- Returning a misleading status code
- Reachable assertion
- Information exposure through error reporting
- Missing custom error pages
- Exception handling
- In the catch block. And now what?
- Empty catch block
- Best practices for catch blocks
- Overly broad throws
- Catching NULL pointer exceptions
- Improper completing of the finally block
- Swallowed ThreadDeath
- Checked exceptions escaping from finally
- Throwing undeclared checked exceptions
- Throwing RuntimeException, Exception, or Throwable
- Lab – Exception handling mess
- Exception handling in C#
Code quality
- Data
- Arrays and toString()
- Initialization and cleanup
- Uninitialized variable
- Constructors and destructors
- Class initialization cycles
- Lab – Initialization cycles
- Unreleased resource
- Object oriented programming pitfalls
- Accessibility modifiers
- Overriding and accessibility modifiers in Java
- Inheritance and overriding
- Implementing equals()
- Mutability
- Readonly collections in C#
- Lab – Mutable object
- Cloning
- Cloning sensitive classes – object hijacking
- Object hijacking – best practices
- Serialization
Wrap up
Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schröder
- Some more principles
And now what?
- Further sources and readings
- .NET and C# resources
- Further labs and challenges to do