Secure development and coding training

Clarification of the most important basic terms

• The protection goals in the CIA Triad: Confidentiality, Integrity and Availability.
• The security principles to achieve these CIA security goals: Don't trust any input, keep security simple, minimize the attack surface, implement 'Defense in Depth', use minimal rights, be 'Secure by Default' and always solve security problems properly.

• Authentication: What mistakes are often made during authentication and what simple methods can be used to significantly increase security.
• Authorization (access control): what is the difference to authentication. LAB exercise Accessing data via Direct Object Reference. How to prevent such vulnerabilities and how to implement appropriate access control.
• Session Management: What threats exist around session management. LAB exercise Adoption of a Session by Session Fixation. How to make session management secure.
• Input Validation, Output Sanitization and Injection: What is an injection and what types are there? LAB exercise Data manipulation and deletion by SQL injection. How can injections be prevented.
• Cross Site Scripting: What types of Cross Site Scripting are available. LAB exercise on persistent cross site scripting. Which defense measures are effective.
• Cryptography & Secrets Management: What types of secrets exist and what forms do they take ("at rest", "in transit" and "in memory"). LAB exercise System Access via File Inclusion. What is the difference between encryption and encoding. LAB Exercise Decoding a password in a config file. Tips for handling secrets.
• Remote Code Execution: LAB exercise web shell upload. Why do RCE vulnerabilities have such catastrophic effects. How can the "Defence in Depth" approach reduce such effects.
• Exceptions & Error Handling: How do hackers exploit error messages and error routines? How should secure error handling look like.
• Application Logging: Why is a good logging strategy elementary and what should better not be logged. LAB exercise on confidential data in log files. Tips on how to achieve good logging.
• Secure Networking and Infrastructure: Hackers attack systems, not software. What are the weaknesses in transmission protocols and why are hardening and patching not just the job of administrators?

• Code Reviews: what security best practices exist and when should a source code review be performed.
• Automated Code Analysis: what are the benefits of automated code analysis and which modules can be analyzed.
• Vulnerability scans: What are the benefits of automated vulnerability scans and where are their limits.
• Penetration tests: why are penetration tests sometimes indispensable.

• Code Changes: what effects do code changes have on security. Which measures should be taken.
• Configuration: how does the configuration influence the security.
• Patch Management: Who is responsible for patching systems and to where. LAB exercise Exploitation of another RCE vulnerability through an outdated library.
• Decommissioning: What steps to take when a system is 'End of Life'.

Final test with multiple choice questions

If you pass, you will receive a certificate for download

Risks associated with the use of 3rd party libraries.

Practical tips for risk reduction, for example

• through reputation checks by developers and repositories
• continuous use of dependency check tools

LAB exercise: Attack on software via unpatched 3rd party library

• Benefits and advantages of central identity providers.
• Explanation of SSO with Oauth, OpenID Connect and SAML.
• Risks of SSO use with weak validation of tokens.
  LAB exercise: leveraging single sign-on with manipulated Oauth tokens.
• Practical tips for secure token signing

• The concept behind DevSecOps: a win-win-win situation.

• Automated security checks: How to permanently eliminate vulnerabilities with functional tests, code scanners and co.

• Infrastructure as code: Code is code - and therefore susceptible to vulnerabilities. Tips for secret handling and security checks in IaC.

Lab exercise: Reading secrets from the state of an IaC project.

• Strictly Confidential: Why source code can be very sensitive and how a business secret should be guarded.
• Strict separation: Why business code should not be edited with private accounts.
• Healthy skepticism: When is the use of AI in development a benefit, and when does it pose a risk?

Final Secure Development test with multiple-choice questions:

If you pass, you can download a certificate.