Duration: 3 Days
In this intense hands-on workshop, software application designers and architects will learn to build secure applications. You will be introduced to the concept and process of Threat Modeling as a key enabler for architecting effective and appropriate security for software and information assets. You will get an-depth review of the various types of threats against your software, and you will leave the course armed with the skills required to recognize software vulnerabilities (actual and potential) and design defenses for those vulnerabilities.
Throughout the course, you will learn the best practices for designing and architecting secure programs. You will take an application from requirements to implementation, analyzing and testing for software vulnerabilities and building appreciation for why software needs to be designed from the ground up in a secure fashion.
You will learn the foundation, basic terminology, and concepts. You will also cover a series of vulnerabilities illustrating in very real terms the right way to implement secure software applications. In the last portion of the course, you will examine several design patterns that can be used to facilitate better application architecture, design, implementation, and deployment.
What You Will Learn
- Concepts and terminology behind defensive coding
- Use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Spectrum of threats and attacks that take place against software applications in today's world
- Use Threat Modeling to identify potential vulnerabilities in a real-life case study
- Implement the processes and measures associated with the security development lifecycle (SDL)
- Skills, tools, and best practices for design reviews as well as testing initiatives
- Basics of security testing and planning
- Comprehensive testing plan for recognized vulnerabilities and weaknesses
Audience
This is an intermediate-level software design course designed for architects and stakeholders who wish to get up and running on building well-defended software applications.
Prerequistes
- Familiarity with software design and technologies
- Real-world programming experience
- Approximately six months to a year of working knowledge of a programming language
Course Outline
1. Misconceptions
- Security: The Complete Picture
- TJX: Anatomy of a Disaster?
- 2012 Attacks Continued to Evolve
- Causes of Data Breaches
- Heartland: Slipping Past PCI Compliance
- Verizon's 2012 Data Breach Report
- 360M Down to 4M in 2010?
- US Secret Service Continued to Battle
- Verizon's 2013 Data Breach Report
- The Numbers are Abstract, but.
- Are You Concerned Yet?
- Verizon AppSec Recommendations
2. Security Concepts
- Motivation: Cost of Security Defects
- Motivations: Organizations and Standards
- Open Web Application Security Project
- Web Application Security Consortium
- Assets are the Targets
- Denial of Service
- Case Study Asset Analysis
- Context for Defensive Coding
- Attackers Not Hackers
- Mantra of Information Security
- Architectures and Architects
- Security Activities Cost Resources
- Timeline of Activities
- Secure Software Harder to Achieve
- Threat Modeling
- System/Trust Boundaries
3. Principles of Information Security
- Security Is a Lifecycle Issue
- What is Bolted on vs. Baked In?
- Minimize Attack Surface Area
- Examples of Minimization
- Defense in Depth
- Manage Resources
- Layers of Defense: Tenacious D
- Compartmentalize
- Consider All Application States
- Do NOT Trust the Untrusted
- Security Defect Mitigation
- Learning From Vulnerabilities
- Recent Incidents
4. Vulnerabilities
- Unvalidated Input
- Broken Authentication
- Cross Site Scripting (XSS/CSRF)
- Injection Flaws
- Error Handling, Logging, and Information Leakage
- Insecure Storage
- Direct Object Access
- XML Vulnerabilities
- Web Services Vulnerabilities
- Ajax Vulnerabilities
5. Understanding What's Important
- Prioritizing Your Efforts
- Common Vulnerabilities and Exposures
- OWASP Top Ten for 2013
- CWE/SANS Top 25 Most Dangerous SW Errors
- Monster Mitigations
- Defense In Depth: Layered Defense
- Defense in Depth: An Example
- Defense in Depth: Damage Control
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
6. Security Design Patterns
- Authentication Enforcer
- Authorization Enforcer
- Intercepting Validator
- Secure Base Action
- Secure Logger
- Secure Pipe
- Secure Service Proxy
- Intercepting Web Agent
7. Secure Software Development (SSD)
- SSD Process
- CLASP Defined
- CLASP Applied
- Asset, Boundary, and Vulnerability Identification
- Vulnerability Response
- Design and Code Reviews
- Applying Processes and Practices
- Risk Analysis
8. Security Testing
- Testing as Lifecycle Process
- Testing Planning and Documentation
- Testing Tools And Processes
- Principles
- Reviews
- Testing
- Tools
- Static and Dynamic Code Analysis
- Testing Practices
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial Of Service Testing
- Web Services Testing
- Ajax Testing
Course Labs
