Andaira Technology

Scrum Roles - Una breve introducción

Advanced Software Security - Beyond Ethical Hacking 


Certificación: N/A 

Acreditación: Ninguno 

Duración: 5 días 

Idioma del material: Inglés 

Formato: Presencial

Créditos: N/A

Introducción:

Beyond a solid knowledge in using Java components, even for experienced Java programmers it is essential to have a deep knowledge in Web-related vulnerabilities both on server and client side, the different vulnerabilities that are relevant for Web applications written in Java, and the consequences of the various risks.

General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of Java with the most important aim to avoid the associated problems. In addition, a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5.

The course introduces security components of Standard Java Edition, which is preceded with the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components.  Security issues of Java Enterprise Edition are presented through various exercises explaining both declarative and programmatic security techniques in JEE.

Finally, the course explains the most frequent and severe programming flaws of the Java language and platform. Besides the typical bugs committed by Java programmers, the course introduces security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.

Audiencia:

Software developers

Objetivos:

Individuals certified at this level will have demonstrated:

  • Understand basic concepts of security, IT security, cryptography and secure coding
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn client-side vulnerabilities and secure coding practices
  • Get information about some recent vulnerabilities in various platforms, frameworks and libraries a native code programmer should know about
  • Realize the severe consequences of non-secure buffer handling in native code
  • Understand the architectural protection techniques and their weaknesses
  • Learn about typical coding mistakes and how to avoid their exploitation
  • Get practical knowledge in using security testing tools
  • Get sources and further reading on secure coding practices

Prerrequisitos:

None

Material del curso:

You will receive the following as part of this course:

  • A participant handbook with reference materials
  • Virtual machine with the exercises (to be distributed by the instructor on a USB drive)

Examen:

There are no exams associated with this course

Requisitos técnicos:

A preinstalled exercise environment in the form of desktop virtual machine will be distributed on USB sticks for the participants at the start of the course by the instructor.

Hardware and software specifications for the used host PCs are:

  • CPU equivalent to Core i5 with virtualization technology is recommended, minimum is Core i3 (or equivalent laptop processors)
  • 4GB is recommended, minimum is 2GB
  • At least 20 GB free space on the HDD.
  • Display resolution minimum 1024×768 (the larger the better)
  • Keyboard, mouse: any can be used as long as participants are familiar with them.
  • VMware Player minimal version is 3.2, preferred is 5.0.4.

Temario:

IT security and secure coding

  • Nature of security
  • IT security related terms
  • Definition of risk
  • Different aspects of IT security
  • Requirements of different application areas
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
  • Classification of security flaws
  • SQL Injection
  • Other injection flaws
  • Cross-Site Scripting (XSS)
  • Broken authentication and session management
  • Cross Site Request Forgery (CSRF)
  • Insecure direct object reference
  • Unvalidated file upload
  • Security misconfiguration
  • Failure to restrict URL access
  • Transport layer security issues
  • Unvalidated redirects and forwards

Basics of cryptography

  • Cryptosystems
  • Symmetric-key cryptography
  • Other cryptographic algorithms
  • Asymmetric (public-key) cryptography
  • Public Key Infrastructure (PKI)

Security of Web services

  • Web services – Introduction
  • Transport layer security
  • Message level security
  • Signing XML documents – spot the bug!
  • XML security
  • XML Digital Signature
  • XML Encryption
  • XML Security with Username/Password
  • Security of RESTfulweb services
  • REST-related vulnerabilities
  • JavaScript security
  • Ajax security
  • HTML5 Security

ASP.NET security features and  vulnerabilities

  • NULL byte termination vulnerability
  • Real life example – Forms Authentication Bypass
  • Denial of service possibilities
  • x86 machine code, memory layout, stack operations
  • Stack overflow
  • Protection principles
  • Stack smashing protection
  • Address Space Layout Randomization (ASLR)
  • Non executable memory areas – the NX bit
  • Return-to-libc attack – Circumventing the NX bit
  • Return oriented programming (ROP)
  • Heap overflow

Some additional native code-related vulnerabilities

Java specific vulnerabilities

  • Input validation
  • Improper error and exception handling
  • Time and state problems
  • Mobile code
  • Improper use of security features
  • Code quality problems

Security testing

  • Security testing
  • Introduction to security testing
  • Security testing techniques

Advices and principles

  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder

Knowledge sources

  • Secure coding sources – a starter kit
  • Vulnerability databases