Overview

This 2-day course focuses on the technical controls that mitigate common software vulnerabilities. It aims to make you aware of common insecure coding practices and how these can be addressed to build secure applications.

You will have access to a controlled environment that has been specifically created to demonstrate the main areas of vulnerability and mitigation strategies. Besides learning about the vulnerabilities which arise from insecure coding, you will also learn about the array of hacking techniques that many attackers use to disrupt the way an application's programming/business logic works for their own gain. This will help you take a defence-in-depth approach and ensure you consider all the security issues that may arise while developing applications.

Rather than attempt to cover all languages on one course, we focus on the important principles, with examples and exercises in Java.

Prerequisites

A base understanding of coding, preferably in Java.


Who Should Attend?

  • Penetration Testers
  • Professional Software Developers
  • Software Architects
  • Software Security Auditors
  • Security Managers

Outline

1. Introduction

  • Disclaimer
  • Trends & Metrics
  • Lab Environment

2. Core Security Concepts

  • Confidentiality, Integrity, Availability
  • Authentication and Authorisation
  • Accounting
  • Non-repudiation
  • Privacy
    • Data Anonymisation
    • User Consent
    • Disposition
    • Test Data Management

3. Secure Development Lifecycle

  • Waterfall vs Agile
  • Microsoft SDLC
  • TouchPoints
  • CLASP
  • Comparison

4. Security Design Principles

  • Least Privilege
  • Separation of Duties
  • Defence in Depth
  • Fail Safe
  • Economy of Mechanism
  • Complete Mediation
  • Open Design
  • Least Common Mechanism
  • Psychological Acceptability
  • Weakest Link
  • Leveraging Existing Components

5. Secure Development Principles

  • Input Validation
  • Canonicalisation
  • Output Encoding
  • Error Handling
  • Authentication & Authorisation
  • Auditing & Logging
  • Session Management
  • Secure Communications
  • Secure Resource Access
  • Secure Storage
  • Cryptography

6. Best Practices

7. Conclusion