Secure Programming Foundation

Leer de basisprincipes van veilig programmeren

Beschrijving

Je leert in deze training de basisprincipes van veilig programmeren.

Aan bod komen authenticatie & sessiebeheer en het afhandelen van gebruikersinvoer ter voorkoming van injectieaanvallen zoals SQL-injectie en buffer overflows. Ook komen XSS en het beveiligingsmodel van de browser aan de orde.

Naast het implementeren van autorisatie, logging en foutafhandeling, wordt er gekeken naar hoe cryptografie op een veilige manier gebruikt kan worden voor opslag en transport. Tenslotte wordt kort besproken hoe security in het software development-proces kan worden geïntegreerd in de fases requirements opstellen, ontwerpen, coderen en testen.

In de voorbeelden wordt webtechnologie gebruikt, maar de principes van veilig programmeren zijn ook toe te passen in andere omgevingen. Verder worden zoveel mogelijk de richtlijnen van de OWASP aangehouden.

Doelgroep De cursus is geschikt voor programmeurs die beperkte kennis hebben van veilig programmeren of een update van hun kennis nodig hebben.

Leerdoelen

• Recognize security risks in common contexts and demonstrate awareness. [Remember]
• Cite 5 categories of vulnerabilities from the OWASP Top 10. [Remember]
• Recall the STRIDE threat model and how it can be used to identify security threats. [Remember]
• Adapt secure web application development practices to mitigate common security risks. [Apply]
• Describe common injection attacks and mitigation strategies. [Understand]
• Understand the principles and practices of authorization. [Understand]
• Paraphrase common cryptography use cases, like hashing, encryption, and digital signatures. [Understand]
• Understand common security practices surrounding authentication. [Understand]
• Describe common security misconfigurations and how to prevent them. [Understand]

Onderwerpen

1. Introduction to Secure Programming
2. Secure Programming Awareness
3. Authentication and Session Management
4. Input Handling
5. Authorization
6. Configuration, Error Handling and Logging
7. Cryptography
8. Secure Software Engineering

• Identify OWASP as a leading authority in secure programming and application security.
• Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
• Familiarize with the OWASP Top 10 list of the most critical web application security risks.
• In the news: what happend this week?

• Recognize the historical underfunding of security and understand its implications for organizations.
• Define and explain technical terms commonly used in the context of security.
• Utilize the STRIDE model to identify and understand different types of threats to security.
• Identify and assess potential attack surfaces within a given system or application.
• Recognize and understand the role of "man in the middle" proxies in security contexts.
• Identify and comprehend basic vulnerabilities commonly found in web applications.
• Understand the HTTP protocol and its relevance as an attack vector in web security.
• Comprehend the Browser Security Model and its significance in ensuring secure web browsing.

• Differentiate between authentication and authorization and understand their respective best practices.
• Apply best practices for error handling in authentication and session management processes.
• Select and implement strong password policies and guidelines.
• Understand the concepts of hashing and salting in the context of password security.
• Implement a secure "Forgot Password" flow to ensure robust user authentication.
• Differentiate between client-side and server-side session management and their implications.
• Implement and manage JWT-based session authentication securely.
• Understand and apply appropriate cookie attributes for secure session management.
• Recognize the threat of cross-site request forgery (CSRF) attacks and implement preventive measures.
• Identify and mitigate the risk of clickjacking attacks in web applications.

• Recognize common areas where injection attacks can occur and understand the basics of such attacks.
• Implement measures to harden applications against SQL injection attacks.
• Understand the risks associated with blind SQL injection attacks and how to defend against them.
• Differentiate between whitelist and blacklist input validation methods and their effectiveness in preventing attacks.
• Identify and defend against buffer overflow attacks in applications.
• Recognize the potential for embedded instructions and how they can lead to cross-site scripting (XSS) attacks.
• Implement strategies to prevent and mitigate cross-site scripting (XSS) attacks.
• Identify and address the attack surface of second-order injection attacks.

• Understand the rationale for using indirect referencing in authorization processes.
• Apply the concept of least privilege when designing access control mechanisms.
• Implement role-based access security models for effective authorization.
• Recognize the difference between Time of Check and Time of Use vulnerabilities in authorization processes.
• Understand the basics of OAuth 2 authorization flows and their applications in modern security contexts.

• Integrate vulnerability scanning into development pipelines to identify and address security flaws early in the development lifecycle.
• Implement measures to prevent accidental information disclosure in application configurations and error handling processes.
• Reduce the attack surface of applications by implementing secure configuration practices.
• Prevent the inadvertent leakage of sensitive information through metadata in logging and error handling.
• Understand the concept of timing attacks and implement strategies to prevent them in secure systems.

• Differentiate between symmetric and asymmetric encryption methods and understand their applications in secure communication.
• Understand the role of digital signing in ensuring data integrity and authenticity.
• Comprehend the basics of Public Key Infrastructure (PKI) and its relevance in secure communication.
• Explain the process by which Transport Layer Security (TLS) establishes a symmetric key for secure communication.