
Session 1 (Day 1, 13:00 – 17:00)

Time

Subject

Expert

Remarks

13:00-13:15

Introduction to the training

SA4T1/DFN or GF

Organization of the training, introduction of the agenda and conventions, and information on where to find the previous training content.

13:15-13:45

How we support building secure MDS Tools

GF (+ support)

SA4T1 activities intended for SDTs and how they differ from GN3+ activities (a broader portfolio).

“Support” means that some slides would probably be prepared by an SA4T1 representative but presented by GF. A short presentation of the procedures, deliverable D4.1.1, etc.

13:45-14:30

Threat modelling and risk assessment

GF

The presentation will contain a short introduction to the IT Infrastructure Threat Modelling (ITI TM) process and its particular stages: vision, model, identifying the threats, countermeasures and validation. The STRIDE threat model will be presented, as well as the DREAD risk analysis model. The developers will learn how to think about security from the very earliest stage of the project lifecycle, and how to identify potential threats and address them in the appropriate way.

Additional exercises will be prepared: the group will assess threats with the DREAD model and propose countermeasures using the knowledge gained.

Short break 15 min. (14:30-14:45)

14:45-15:20

Data sanitization – meaning and techniques

GF

A recap of the presentation from the first SCTs, with a reminder of the crucial role of data sanitization techniques in software security. Several real examples will show how insufficiently strict sanitization mechanisms (e.g. blacklists) can be bypassed.

A short exercise in building regular expressions will be prepared.

15:20-16:00

Secure file upload mechanisms

PB, GF

The presentation will give a short description of known security problems associated with uploading files to Web applications. Examples are: uploading files containing active code that the application executes (such as .php or .jsp files), the possibility of later invoking these files or otherwise referring to them, uploading files such as .htaccess, files with multiple extensions, very large files, and pictures with active code embedded in them.
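As an added illustration (not part of the training material), the following Python check maps one rule to each of the upload problems listed above; the accepted extensions, the size limit and the magic-byte prefixes are constructed assumptions for this example:

```python
import os
import re
import secrets
from typing import Tuple

# Constructed policy: only these extensions are accepted, and each one must
# match the real content of the file (its leading magic bytes).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
MAX_BYTES = 2 * 1024 * 1024  # constructed limit: 2 MiB

# Whole-name pattern: exactly one dot, never as the first character, so
# dotfiles (.htaccess) and multiple extensions (shell.php.jpg) are rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and file body."""
    # Large files: refuse before doing any other work on the content.
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Strip any client-supplied path so the file cannot land outside the upload dir.
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return False, "bad filename"
    ext = name.rsplit(".", 1)[1].lower()
    # Allow-list of extensions: .php, .jsp and similar are never in ALLOWED.
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # Declared type must match the real bytes; this catches mislabeled scripts,
    # but not a valid image that also carries code, so uploads must additionally
    # be stored where the server never executes them.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-generated name, so a stored file cannot be addressed by the name the client chose."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext
```

The validator is deliberately independent of any web framework so it can be unit-tested on raw bytes; in a real application the same checks run on the request body before anything is written to disk.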

Short break 15 min. (16:00-16:15)

16:15-17:00

Java encapsulation and object mutability workshop

TN

A set of 5 exercises presenting not so obvious Java features which can lead to security vulnerabilities. Each exercise consists of several steps described in the source code directory, so that participants can work at their own pace and consult the expert when necessary. At the end of the session the experts will explain the solutions to all participants.

...

Time

Subject

Expert

Remarks

13:30-14:30

Secure Web programming workshop

8. Cross-Site Request Forgery (CSRF) (5' lecture, 15' exercise)

9. Using components with known vulnerabilities (5' lecture, 15' exercise)

10. Unvalidated redirects and forwards (5' lecture, 15' exercise)

PB, TN

See above

14:30-14:45

Short lecture with the workshop summary

  • Encoding issues
  • Impact of using CMSs on the security of Web applications
  • Race condition problems in Web applications

TN

Short break 15 min. + preparation to HackMe (14:45-15:10)

15:10-17:00

HackMe

PB, TN

HackMe contest

...

Information for registration form

Overview

Producing secure code for applications is a key aspect of protecting GÉANT applications and systems. With the move towards multi-domain systems and services, there is a greater emphasis on securing these multi-domain systems as well as ensuring their secure deployment. This year's Secure Code Training will focus on areas that affect the development and analysis of applications' source code.

Emphasis on understanding threat and risk modelling will enable developers to think about security from the very earliest stage of the project lifecycle.

In addition to the main security concepts of this session, the most significant bad and good programming practices in Perl, Python and shell scripting will be reviewed.

The training will contain an extensive hands-on workshop aspect. The workshop will be divided into four blocks, each covering specific coding security problems which lead to various security vulnerabilities. After the theoretical basics, participants will search for the vulnerabilities covered and analyse the code of the modified MDS tools. At the end of the practical part, participants will have the opportunity to take part in a "HackMe" contest, where they can further strengthen the knowledge gained during the workshop.

Organizers of the training will review the received preregistration application forms and choose a group of participants with a coherent level of knowledge of programming languages. All applicants will be notified as soon as the group is chosen, within a week after the preregistration is closed.

Objectives

Attendees having completed this training should be able to:

  • Perform a threat and risk assessment on their development projects.
  • Have a clear understanding of some of the major bad and good programming concepts.
  • Develop secure web application code in several programming languages.
  • Use tools for assistance in reviewing the code of other developers.

The participants should have a practical knowledge of Java programming and scripting languages (e.g. Python).

Agenda

The course will begin after lunch on Tuesday 1 March, and end around 13:00 on Thursday 3 March.

Please note this is a preliminary agenda and subject to change. If you have any comments or suggestions about the content of this agenda please contact the GEANT Training Activity.

1 March (13:00 - 17:00)

SESSION 1 - Introduction

  • Introduction to the training
  • How we support building secure MDS tools
  • Threat modelling and risk assessment
  • Data sanitization – meaning and techniques
  • Secure file upload mechanisms

2 March (9:00 - 17:00)

SESSION 2 - Secure Web programming (part I)

  • Injection flaws
  • Broken authentication and session management
  • Cross-site scripting flaws
  • Insecure Direct Object References
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function level access control

SESSION 3 - Secure Web programming (part II)

  • Cross-Site Request Forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards
  • Workshop summary
  • HackMe Contest

3 March (9:00 - 13:00)

SESSION 4 - Coding and analysis

  • Code review strategies and techniques
  • From riddle to Heartbleed – catch the bug!
  • Review of free static source code analyzers
  • Workshop: automated source code analysis

After the training the lecturers will be available for questions and discussion.