Secure Software Design (TT8600)

1. Introduction: Misconceptions

• Security: The Complete Picture
• TJX: Anatomy of a Disaster?
• Causes of Data Breaches
• Heartland - Slipping Past PCI Compliance
• Target's Painful Christmas
• Meaning of Being Compliant
• Verizon's 2013 Data Breach Report

2. Foundation

• Security Concepts
• Motivations: Costs and Standards
• Open Web Application Security Project
• Web Application Security Consortium
• CERT Secure Coding Standards
• Assets are the Targets
• Security Activities Cost Resources
• Threat Modeling
• System/Trust Boundaries
• Principles of Information Security
• Security Is a Lifecycle Issue
• Minimize Attack Surface Area
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted

3. Vulnerabilities

• Vulnerabilities
  • Unvalidated Input
  • Broken Authentication
  • Cross Site Scripting (XSS/CSRF)
  • Injection Flaws
  • Error Handling, Logging, and Information Leakage
  • Insecure Storage
  • Direct Object Access
  • XML Vulnerabilities
  • Web Services Vulnerabilities
  • Ajax Vulnerabilities
• Understanding What's Important
  • Common Vulnerabilities and Exposures
  • OWASP Top Ten for 2013
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Monster Mitigations
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
• Security Design Patterns
  • Authentication Enforcer
  • Authorization Enforcer
  • Intercepting Validator
  • Secure Base Action
  • Secure Logger
  • Secure Pipe
  • Secure Service Proxy
  • Intercepting Web Agent

4. Secure Development Lifecycle (SDL)

• SDL Process Overview
  • Software Security Axioms
  • Security Lifecycle - Phases
• Applying Processes and Practices
  • Awareness
  • Application Assessments
  • Security Requirements
  • Secure Development Practices
  • Security Architecture/Design Review
  • Security Code Review
  • Configuration Management and Deployment
  • Vulnerability Remediation Procedures
• Risk Analysis
  • Threat Modeling Process
    1. Identify Security Objectives
    2. Describe the System
    3. List Assets
    4. Define System/Trust Boundaries
    5. List and Rank Threats
    6. List Defenses and Countermeasures

5. Security Testing

• Testing Tools and Processes
  • Security Testing Principles
  • Black Box Analyzers
  • Static Code Analyzers
  • Criteria for Selecting Static Analyzers
• Testing Practices
  • OWASP Web App Penetration Testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • Ajax Testing

Hands- on Learning: Throughout the course students will be led through a series of progressively advanced topics, where each topic consists of lecture, group discussion, comprehensive hands-on lab exercises, and lab review. This course is "skills-centric", designed to train attendees in essential secure coding and development skills, coupling the most current, effective techniques and best practices with the soundest coding practices.

This course is about 50% hands-on lab and 50% lecture, with extensive programming exercises designed to reinforce fundamental skills and concepts learned in the lessons. Our courses include ample materials and labs to ensure all students are either appropriately challenged, or assisted, at all times - no matter their skill level.