Page History

13:00-13:15

Introduction to the training

SA4T1 /DFN or

GF

Organization of the training, introducing the agenda, conventions etc., information where to get the previous content.

13:15-13:45

How we support building secure MDS Tools

GF (+ support)

SA4T1 activities intended for SDTs and how they differ from GN3+ activities (a more broad portfolio).

“Support” means that probably some slides would be prepared by SA4T1 representative, but would be described by GF. A short presentation of the procedures, deliverable D4.1.1. etc.

13:45-14:30

Threat modelling and risk assessment

GF

The presentation would contain a short introduction to the IT Infrastructure Threat Modelling (ITI TM) process and its particular stages: vision, model, identifying the threats, countermeasures and validation. STRIDE threat model will be presented as well as DREAD risk analysis model. The developers will learn how to think about security from the very earliest stage of the project lifecycle, how to identify potential threats and address them in the appropriate way.

Additional exercises will be prepared, the group will be working on assessing the threats with the DREAD model and propose countermeasures using the gained knowledge.

Short break 15 min. (14:30-14:45)

14:45-15:20

Data sanitization – meaning and techniques

GF

A recap of presentation from the first SCTs. Reminder about the crucial role of data sanitization techniques in software security. Several real examples will be shown how to bypass insufficiently strict sanitization mechanisms (e.g. black lists).

A short exercise with building regular expressions will be prepared.

15:20-16:00

Secure file uploads mechanisms

PB, GF

The presentation will cover a short description of known security problems associated with uploading files to Web applications. Examples are: possibility of uploading files with the active code run by the application (like .php, .jsp files), opportunity to further calling these files or referring to them in another way, possibility to upload files like .htaccess, files with multiple extensions, large files, pictures with an embedded active code with them etc.

Short break 15 min. (16:00-16:15)

16:15-17:00

Java encapsulation and object mutability workshop

TN

A set of 5 exercises presenting not so obvious Java features, which can lead to introducing security vulnerabilities. Each of the exercises
consists of several steps described in the source code directory, so that participants can do them in their own pace and consult the expert when necessary. At the end of the session the experts will explain solutions to all participants.

9:00-10:10

Secure Web programming workshop
1. Injection flaws (10' lecture, 30' exercise)
2. Broken authentication and session management (10' lecture, 20' exercise)

PB, TN

Common security vulnerabilities according to OWASP top 10 will be introduced to participants. Every category of errors will be explained in details, with practical exercises.

Short break 10 min. (10:10-10:20)

10:20-11:20

Secure Web programming workshop

3. Cross-site scripting flaws (10' lecture, 30' exercise)

4. Insecure Direct Object References (5' lecture, 15' exercise)

PB, TN

See above

Short break 10 min. (11:20-11:30)

11:30-12:30

Secure Web programming workshop

5. Security misconfiguration (5' lecture, 15' exercise)

6. Sensitive data exposure (5' lecture, 15' exercise)

7. Missing function level access control (5' lecture, 15' exercise)

PB, TN

See above

Lunch break 1h  min. (12:30-13:30)

13:30-14:30

Secure Web programming workshop

8. Cross-Site Request Forgery (CSRF) (5' lecture, 15' exercise)

9. Using components with known vulnerabilities (5' lecture, 15' exercise)

10. Unvalidated redirects and forwards (5' lecture, 15' exercise)

PB, TN

See above

• Encoding Issues
• Impact of using CMSs on security of Web applications
• Race condition problems in Web applications

Short break 15 min. + preparation to HackMe (14:45-15:10)

15:10-17:00

HackMe

PB, TN

HackMe contest

9:00-10:00

Secure programming in Perl, Python and shell scripting languages

ŁC (author),

TN (speaking),

GF

(demo)

A general review of the most significant bad and good programming practices in the mentioned languages. The presentation will rather mention the most significant practices and will not be as extended as Java or C parts.

The slot will include a demo of Perl::Critic source code analyser.

10:00-10:30

Introduction to code review strategies and techniques

GF

A comparison of manual and automated code analysis. Basic information (with examples) to the manual source code review strategies: Code Comprehension, Candidate Point, Design Generalization. Code Auditing Tactics. An exercise will be included.

10:30-11:00

From riddle to Heartbleed – catch the bug!

GF, ?

Several exercises concerning analyzing of the source code parts, looking for security bugs. Simple exercises may be prepared as well as the real famous bugs will be analyzed (e.g. OpenSSL Heartbleed).

The detailed contents may depend on what programming language preferences will be chosen by the attendees in the registration form.

Short break 15 min (11:00-11:15), preparations to the demos and workshop

11:15-11:45

Review of the most up-to-date free static source code analyzers for C, Java and PHP 

GF, TN

A short review of currently available free static source code analysers for C, Java, and PHP (extended, comparing with previous SCTs).

11:45-12:45

Workshop: automated source code analysis 

GF, TN

2 code parts will be analyzed with automated scanners; Java and PHP. Example: the set of returned results will be analysed with the detection of false positives. Different configuration options of the tools will be tried. The source code will be repaired and the tools will be re-run.

12:45-13:00

Closing of the training

GF

Summary. Filling the evaluation forms. Prize for the smartest participant who scores the most points during the exercises (or wins the most difficult contest).