Andaira Technology

 

Microsoft SDL Core Training 


Certification: N/A

Accreditation: N/A

Duration: 2 days

Material language: English

Format: In person

Credits: N/A

Introduction:

The Combined SDL core training gives an insight into secure software design, development and testing through the Microsoft Security Development Lifecycle (SDL). It provides a level 100 overview of the fundamental building blocks of SDL, followed by design techniques for detecting and fixing flaws in the early stages of the development process.

For the development phase, the course gives an overview of the typical security-relevant programming bugs in both managed and native code. Attack methods are presented for the discussed vulnerabilities along with the associated mitigation techniques, all explained through a number of hands-on exercises providing live hacking fun for the participants. An introduction to different security testing methods is followed by a demonstration of the effectiveness of various testing tools. Participants learn how these tools operate through a number of practical exercises in which the tools are applied to the vulnerable code already discussed.

Audience:

Project managers, software developers, architects and testers

Objectives:

Individuals certified at this level will have demonstrated:

  • Understand basic concepts of security, IT security and secure coding
  • Get to know the essential steps of the Microsoft Security Development Lifecycle
  • Get practical knowledge in threat modelling
  • Learn secure design and development practices
  • Understand security testing methodology and tools
  • Learn about privacy in software development
  • Get sources and further reading on secure coding practices

Prerequisites:

None

Course material:

You will receive the following as part of this course:

  • A participant handbook with reference materials
  • Virtual machine with the exercises (to be distributed by the instructor on a USB drive)

Exam:

There are no exams associated with this course.

Technical requirements:

A preinstalled exercise environment in the form of a desktop virtual machine will be distributed on USB sticks to the participants at the start of the course by the instructor.

Hardware and software specifications for the host PCs are:

  • CPU equivalent to Core i5 with virtualization technology is recommended, minimum is Core i3 (or equivalent laptop processors)
  • RAM: 4 GB is recommended, minimum is 2 GB
  • At least 20 GB free space on the HDD
  • Display resolution minimum 1024×768 (the larger the better)
  • Keyboard, mouse: any can be used as long as participants are familiar with them
  • VMware Player: minimum version is 3.2, preferred is 5.0.4

Syllabus:

IT security and secure coding

  • Nature of security
  • IT security related terms
  • Definition of risk
  • Different aspects of IT security
  • Requirements of different application areas
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cyber crime
  • Classification of security flaws

Introduction to the Microsoft® Security Development Lifecycle (SDL)

  • Agenda
  • Applications under attack…
  • Origins of the Microsoft SDL…
  • What is Microsoft doing about the threat?
  • Measurable Improvements At Microsoft

Secure Design Principles

  • Agenda
  • Microsoft Security Development Lifecycle (SDL)
  • SDL Secure Design Principles
  • SDL Core Principle: Attack Surface Reduction
  • Attack Surface Example
  • Attack Surface Analysis
  • Attack Surface Analysis Tips
  • It’s Not Just About Turning Things Off
  • Attack Surface Reduction Examples
  • SDL Core Principle: Basic Privacy
  • Important Note: Security Does Not Always Guarantee Privacy
  • Primary Objectives When Developing Privacy-Aware Applications
  • Understanding Application Behaviors and Concerns
  • Microsoft Privacy Guidelines for Developing Products and Services
  • SDL Core Principle: Threat Modeling
  • Threat Modeling In a Nutshell
  • Microsoft SDL Threat Modeling Tool
  • SDL Core Principle: Defense In Depth
  • Defense in Depth Example
  • SDL Core Principle: Least Privilege
  • Least Privilege Example
  • Least Privilege Tips
  • SDL Core Principle: Secure Defaults
  • Secure Defaults Examples
  • Conclusion

Threat modeling

  • Threat Modeling Principles
  • Threat Modeling Tool Principles

Secure Implementation Principles

  • Agenda
  • Microsoft Security Development Lifecycle (SDL)
  • Secure Implementation Overview
  • Input Validation Tips
  • Buffer Overflows
  • Stack Overflows at Work
  • The C/C++ n-Functions Are Safe, Right?
  • Buffer Overflow Remedies
  • Integer Arithmetic Errors
  • Integer Arithmetic Error Example
  • Integer Arithmetic Error Remedies
  • Canonicalization Issues
  • Canonicalization Example
  • Canonicalization Issue Remedies
  • Cross-Site Scripting (XSS) Issues
  • Cross-Site Scripting Example: Cookie Stealing
  • Cross-Site Scripting Remedies
  • SQL Injection Issues
  • SQL Injection Example
  • SQL Injection Example
  • SQL Injection Remedies
  • Cryptographic Weaknesses
  • Top Common Cryptographic Mistakes
  • Remedies for Top Common Cryptographic Weaknesses
  • Beware, Not All Cryptographic Standards Are Safe!
  • Conclusion

Security testing

  • Secure Verification Principles
  • Introduction to security testing
  • Security testing methodology
  • Security testing techniques

Advice and principles

  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder

Knowledge sources

  • Secure coding sources – a starter kit
  • Vulnerability databases