Advanced Software Security – Beyond Ethical Hacking Training

Certificate: N/A
Duration: 5 days
Course Delivery: Classroom
Accreditor: None
Language: English
Credits: N/A

Course Description:
Beyond a solid knowledge in using Java components, even for experienced Java programmers it is essential to have a deep knowledge in Web-related vulnerabilities both on server and client side, the different vulnerabilities that are relevant for Web applications written in Java, and the consequences of the various risks.
General web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of Java with the most important aim to avoid the associated problems. In addition, a special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5.
The course introduces security components of Standard Java Edition, which is preceded with the foundations of cryptography, providing a common baseline for understanding the purpose and the operation of the applicable components. Security issues of Java Enterprise Edition are presented through various exercises explaining both declarative and programmatic security techniques in JEE.
Finally, the course explains the most frequent and severe programming flaws of the Java language and platform. Besides the typical bugs committed by Java programmers, the course introduces security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques.

Learning Objectives:
Individuals certified at this level will have demonstrated:
● Understand basic concepts of security, IT security, cryptography and secure coding
● Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
● Learn client-side vulnerabilities and secure coding practices
● Get information about some recent vulnerabilities in various platforms, frameworks and libraries a native code programmer should know about
● Realize the severe consequences of non-secure buffer handling in native code
● Understand the architectural protection techniques and their weaknesses
● Learn about typical coding mistakes and how to avoid their exploitation
● Get practical knowledge in using security testing tools
● Get sources and further reading on secure coding practices

The course gave deep technical knowledge about the subject matter, especially with the aid of labs.
Accra, Ghana

Prerequisites:
None

Course Materials:
You will receive the following as part of this course:
● A participant handbook with reference materials
● Virtual machine with the exercises (to be distributed by the instructor on a USB drive)

Course Outline:
IT security and secure coding
● Nature of security
● IT security related terms
● Definition of risk
● Different aspects of IT security
● Requirements of different application areas
● IT security vs. secure coding
● From vulnerabilities to botnets and cybercrime
● Classification of security flaws
● SQL Injection
● Other injection flaws
● Cross-Site Scripting (XSS)
● Broken authentication and session management
● Cross Site Request Forgery (CSRF)
● Insecure direct object reference
● Unvalidated file upload
● Security misconfiguration
● Failure to restrict URL access
● Transport layer security issues
● Unvalidated redirects and forwards
Basics of cryptography
● Cryptosystems
● Symmetric-key cryptography
● Other cryptographic algorithms
● Asymmetric (public-key) cryptography
● Public Key Infrastructure (PKI)
Security of Web services
● Web services – Introduction
● Transport layer security
● Message level security
● Signing XML documents – spot the bug!
● XML security
● XML Digital Signature
● XML Encryption
● XML Security with Username/Password
● Security of RESTfulweb services
● REST-related vulnerabilities
● JavaScript security
● Ajax security
● HTML5 Security
ASP.NET security features and vulnerabilities
● NULL byte termination vulnerability
● Real life example – Forms Authentication Bypass
● Denial of service possibilities
● x86 machine code, memory layout, stack operations
● Stack overflow
● Protection principles
● Stack smashing protection
● Address Space Layout Randomization (ASLR)
● Non executable memory areas – the NX bit
● Return-to-libc attack – Circumventing the NX bit
● Return oriented programming (ROP)
● Heap overflow
Some additional native code-related vulnerabilities

Java specific vulnerabilities
● Input validation
● Improper error and exception handling
● Time and state problems
● Mobile code
● Improper use of security features
● Code quality problems
Security testing
● Security testing
● Introduction to security testing
● Security testing techniques
Advices and principles
● Matt Bishop’s principles of robust programming
● The security principles of Saltzer and Schroeder
Knowledge sources
● Secure coding sources – a starter kit
● Vulnerability databases

Audience:
Software developers

Examination:
There are no exams associated with this course