Secure development and coding training
Online course with own lab environment for practical exercises
Chapter overview: Secure Development / Secure Coding for developers
Intro & Let’s hack
Introduction & Basics: How does the training work. Why is security so important throughout the software development lifecycle.
Plus some hacking to get warm: LAB exercise on bad exception handling and password cracking. The exercise shows which effects even inconspicuous security holes can have.
Intro & Let’s hack
Clarification of the most important basic terms
- The protection goals in the CIA Triad: Confidentiality, Integrity and Availability.
- The security principles to achieve these CIA security goals: Don't trust any input, keep security simple, minimize the attack surface, implement 'Defense in Depth', use minimal rights, be 'Secure by Default' and always solve security problems properly.
- Authentication: What mistakes are often made during authentication and what simple methods can be used to significantly increase security.
- Authorization (access control): what is the difference to authentication. LAB exercise Accessing data via Direct Object Reference. How to prevent such vulnerabilities and how to implement appropriate access control.
- Session Management: What threats exist around session management. LAB exercise Adoption of a Session by Session Fixation. How to make session management secure.
- Input Validation, Output Sanitization and Injection: What is an injection and what types are there? LAB exercise Data manipulation and deletion by SQL injection. How can injections be prevented.
- Cross Site Scripting: What types of Cross Site Scripting are available. LAB exercise on persistent cross site scripting. Which defense measures are effective.
- Cryptography & Secrets Management: What types of secrets exist and what forms do they take ("at rest", "in transit" and "in memory"). LAB exercise System Access via File Inclusion. What is the difference between encryption and encoding. LAB Exercise Decoding a password in a config file. Tips for handling secrets.
- Remote Code Execution: LAB exercise web shell upload. Why do RCE vulnerabilities have such catastrophic effects. How can the "Defence in Depth" approach reduce such effects.
- Exceptions & Error Handling: How do hackers exploit error messages and error routines? How should secure error handling look like.
- Application Logging: Why is a good logging strategy elementary and what should better not be logged. LAB exercise on confidential data in log files. Tips on how to achieve good logging.
- Secure Networking and Infrastructure: Hackers attack systems, not software. What are the weaknesses in transmission protocols and why are hardening and patching not just the job of administrators?
- Code Reviews: what security best practices exist and when should a source code review be performed.
- Automated Code Analysis: what are the benefits of automated code analysis and which modules can be analyzed.
- Vulnerability scans: What are the benefits of automated vulnerability scans and where are their limits.
- Penetration tests: why are penetration tests sometimes indispensable.
- Code Changes: what effects do code changes have on security. Which measures should be taken.
- Configuration: how does the configuration influence the security.
- Patch Management: Who is responsible for patching systems and to where. LAB exercise Exploitation of another RCE vulnerability through an outdated library.
- Decommissioning: What steps to take when a system is 'End of Life'.