Overview

Producing secure code for applications is a key aspect of protecting GÉANT applications and systems. With the move towards multi-domain systems and services, there is a greater emphasis on securing these multi-domain systems as well as ensuring their secure deployment. This year's Secure Code Training will focus on areas that affect the development and analysis of applications' source code.

Emphasis on understanding threat and risk modelling will enable developers to think about security from the very earliest stage of the project lifecycle.

Apart from the main security concepts for this session, the most significant bad and good programming practices in Perl, Python and shell scripting will be reviewed.

The training will contain an extensive hands-on workshop aspect. The workshop will be divided into four blocks, covering specific coding security problems which lead to various security vulnerabilities. After covering the theoretical basics, the participants will begin to search for the vulnerabilities which were covered, and analyse the code of the modified MDS tools. At the end of the practical part, participants will have the opportunity to take part in a "HackMe" contest, where they will be able to further strengthen the knowledge that they will have obtained during the workshop.

The organizers of the training will review the received preregistration application forms and choose a group of participants with a coherent level of knowledge in programming languages. All applicants will be notified within a week after the preregistration is closed.

Objectives

Attendees having completed this training should be able to:

  • Perform a threat and risk assessment on their development projects.
  • Have a clear understanding of some of the major bad and good programming concepts.
  • Develop secure web application code in several programming languages.
  • Use tools to assist in reviewing other developers' code.

The participants should have a practical knowledge of programming and scripting languages (e.g. Python).

Agenda

The course will begin after lunch on Tuesday 1 March, and end around 13:00 on Thursday 3 March.

Please note this is a preliminary agenda and subject to change. If you have any comments or suggestions about the content of this agenda please contact the GEANT Training Activity.

1 March (13:00 - 17:00)

SESSION 1 - Introduction

  • Introduction to the training
  • How we support building secure MDS tools
  • Threat modelling and risk assessment
  • Data sanitization – meaning and techniques
  • Secure file uploads mechanisms

2 March (9:00 - 17:00)

SESSION 2 - Secure Web programming (part I)

  • Injection flaws
  • Broken authentication and session management
  • Cross-site scripting flaws
  • Insecure Direct Object References
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function level access control

SESSION 3 - Secure Web programming (part II)

  • Cross-Site Request Forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards
  • Workshop summary
  • HackMe Contest

3 March (9:00 - 13:00)

SESSION 4 - Coding and analysis

  • Code review strategies and techniques
  • From riddle to Heartbleed – catch the bug!
  • Review of free static source code analyzers
  • Workshop: automated source code analysis

After the training the lecturers will be available for questions and discussion.

Preregistration form questions

Which programming languages do you know, use and plan to use in the GEANT project?

Please use: 0 - never used, 1 - used for some small projects, 2 - quite familiar, 3 - expert.

Java: [   ]

Python: [  ]

Scripting (bash): [  ]

Other: ...........................

How do you rate your security knowledge?

0 - no experience

1 - I know what SQL injection and XSS mean

2 - I am familiar with most of the topics in the agenda