Day 1 - Introduction, Authentication, Authorization, and Client Side Security
Day one sets the foundation for the course with an introduction to software security concepts and issues. Students then learn about the problems cryptography can solve and how to select the appropriate cryptographic techniques to solve real world problems. They learn the various options for authenticating users and system components and how to build secure authorization systems.
Introduction
Why build secure software in the first place and what exactly do we mean by security in the software development life cycle? This introduction covers the process of building secure software and the economics of insecure software.
- Economics of Insecure Software
Cryptography
How does cryptography work and what problems can it be used to solve? This section includes details of symmetric, asymmetric and hash functions, types of algorithms, and key management (including key generation, key exchange, key histories, key storage, and key lengths). This section is reinforced with real world scenarios and the Building Secure Software crypto challenge lab.
- Conceptual Foundation
- Key Management
- Issues and Scenarios
- Building a Secure Crypto System
Authentication
How do I authenticate users and other system components? What techniques can I employ and what precautions must I consider? This section discusses the options, the benefits, and the pitfalls of those choices.
- Methods of Authentication
- Components of Authentication
- Choice Criteria
- Real World Scenarios
Authorization
I know who the user is, now what? This section describes techniques and models for building software authorization schemes.
- Authorization Models
- Choice Criteria
- Real World Scenarios
Day 2 - User Management, Data Validation, Architecture, and Design Patterns
Students learn how to build secure user management systems including password storage and password reset systems. They then learn how to perform data validation to prevent common attacks and how to deal with the inevitable failures, errors, and exceptions in a secure manner.
User Management
We all have users but how do I manage their accounts securely? This section describes the right way to store passwords, build password reset schemes, and prevent users from being locked out by rogue attackers.
- Designing a Secure User Management System
- Password Management
- Account Management
Client Side Security
No one will find this license key if I bury it well enough, right? Wrong! This section explains the fallacy of client side security with demonstrations of how a hacker would subvert a database front end.
- Clients in Untrusted Environments
- Avoiding Common Pitfalls
- Technology Specific Threats
Data Validation
We all know we have to validate the input, right? Well, there is a little more to it than that. This section describes the pros and cons of strategies like white lists and black lists and why input validation alone is not enough. It also describes specifics such as how to prevent SQL injection and Cross Site Scripting and how internationalization concerns need to be taken into account.
- Preventing Hacking Attacks
- Preparing for the Unexpected
- Validation Strategies
- Dealing with Internationalization
Error Handling and Exception Management
Failure is inevitable, but what should I expect? How do I ensure that I fail closed and not open? Should I ever fail open? This section describes strategies for error handling to ensure that you fail securely.
- Designing for Failure
- Failing Securely
- Dealing with the Unexpected
Day 3 - Error Handling, Event Logging and Exception Management, and Web Application Security
Day Three teaches students how to perform effective logging and how logging can help enhance security. They are then taught how architecture and design patterns can be applied to build secure designs and why it is important to not reinvent the wheel. The afternoon walks students through top web application security vulnerabilities including SQL Injection and Cross Site Scripting using Foundstone Hacme Bank, an ASP.NET banking application that demonstrates hands-on flaws. Students get to exploit the vulnerabilities and are stimulated to think about how to protect against them.
Event Logging
Trust but verify implies that events must be monitored and analyzed. This section outlines event logging strategies and techniques that can be used to capture security events and improve security through observation.
- Designing Security Monitoring
- Capturing Security Events
- Tracking Security Problems
Architecture & Design Patterns
Many problems can be solved strategically or avoided altogether by architecture. This section discusses network security architectures to support software security and application architectures such as the Model View Controller (MVC). Software engineers have been applying design patterns for a long time to improve performance and create elegant designs. Most of these patterns also have significant security benefits. This section describes the patterns' security properties and when they may be appropriate. It concludes with the Military lab.
Web Application Security
Covering the OWASP top ten and beyond, this hands-on section has students exploiting real world security vulnerabilities like SQL injection and Cross Site Scripting on the Hacme Bank.
- Building Reusable Security Components
- Application Architecture [MVC II]
- Supporting Secure Applications with Network Security Architectures
- Applying Design Patterns for Security
- Learning from the Real World
Platform and Web Services Security
- Security in the Java and .NET Environments
- Session Management
- Common Attacks
- Exploitation Strategies
- Prevention and Countermeasures
Day 4 - Testing and Threat Modeling
Building a testing framework can be a complicated task. Students are presented with a task orientated testing framework that they can take back to their own environment and test their own software. They are then taught the nuts and bolts of developing Threat Models and are required to use the Microsoft Threat Modeling tool to develop a real world threat model using the Java or Microsoft Pet Store reference architectures.
Software Security Testing
- In the SDLC - Testing security is about testing people, process, policy, and technology. This section highlights the techniques and tasks that should be considered.
- The Right Tools - There are a lot of security tools on the market, but are they effective? What tools should you consider for what tasks?
- The Right Techniques - Black Box Testing, code review, threat modeling. What techniques should be a