Introduction

This document has been prepared to show the agenda of Secure Coding Training (SCT) that will be held probably on February by SA4T1 experts. The venue is to be determined.

Contact person: the main contact person for this issue is currently Gerard Frankowski, PSNC – gerard.frankowski@man.poznan.pl.

Experts

Currently we have the following experts (sorted alphabetically):

Agenda

General information

The agenda bases upon previous SCT agendas (it was assumed no significant changes should occur). The updates to that schedule has been made basing on the following factors:

The proposed updates are as follows:

  1. Agenda changes
    1. Removing the “Summer School 4 Developers” slot from the Session 1. The SS4D has already been conducted, and the next one will be much later. Anyway, a short notification about SS4D will be presented in the introduction as a part of SA4 activities.
    2. Extending the “How we support building secure MDS Tools” in Session 1. Additional information will be provided about a non-security part of SA4 portfolio, e.g. quality audit. This input will be supported by some other person from SA4 and presented by one of the SCT experts.
    3. Adding “Data sanitization – meaning and techniques” presentation to Session 1. It will be based on the presentation shown several years ago but extended – including a fine example with insufficient black list filtering from one of the performed external audits. Basing on the most recent GN3+/GN4 source code reviews, it is assumed as a fundamental topic for the developers and would be the first really deep, technical slot. An additional exercise will be prepared, dealing with building regular expressions (the presentation will be extended, comparing to the early SCT version).
    4. Prolonging the slots that are left intact in the Session 1 with 5-10 minutes each, taking into account that there should be more interaction with the attendees through these slots.
    5. Rebuilding the Web secure programming workshop. It will be completely redesigned an rebuild and will take (together with HackMe contest) the whole day (Session 2-3). OWASP Top 10 vulnerabilities will be covered – each type with the introduction and practising. The practical part may be to some extent adjusted to programming language preferences of attendees. Additionally several topics will be incorporated, that were earlier separate, more theoretical, presentations. These topics will be removed some theory and adjusted to the general contents of the workshop in order to produce smooth and consistent material.
      1.                                           i.    Encoding issues (from Session 3)
      2.                                          ii.    Secure programming in PHP (from Session 1)
      3.                                         iii.    Avoiding filesystem problems in the source code (from Session 3)
      4.                                         iv.    Does the CMS help in increasing security? OWASP Top 10, Python and Django (from Session 4)
      5. Moving the „Java encapsulation and object mutability – workshop” from Session 3 to the end of Session 1 – in order to finish the first day with a purely practical element and be more consistent with Web secure programming topics through the Sessions 2-3.
      6. Removing the “Avoiding filesystem problems in the source code” presentation from Session 3, basing on the survey feedback (Don't spend so much time on attack scenarios where the attacker already has access to the machine as in the Geant environment that will most likely not be the case.). However, some part of the content will be redesigned and moved to the Session 2-3 to the Web secure programming workshop (race conditions in Web applications).
      7. Adding an additional short code analysis workshop “From riddle to Heartbleed – catch the bug!” (Session 4) People wished more work with the source code – it will be mainly handled by the Secure Web programming workshop, but this is the place for e.g. some interesting bugs in non-Web languages. There will be code snippets containing security bugs especially crafted by the experts, but also there will be shown well known bugs (like Heartbleed) and the vulnerable place will be looked for in the source code.
      8. Extending the review of source code analysis tools with extra applications in Session 4. The additional tools will be e.g. for reviewing PHP code, but to some extent it is possible to adjust the set of tools basing on the attendees programming language preferences from the registration form). The SCT 2014 attendees expressed interest for being shown more tools.
  2. Changes not directly reflected in the agenda or not concerning the contents themselves.
    1. Refreshing the workshop material with the most recent state-of-the-art.
    2. Analysis of the material whether it is still possible to remove some text from the slides or even the whole slides.
    3. Minor changes to breaks – in order to not make breaks between similar slots, but rather in the place where the topic significantly changes.

This version of the agenda may slightly be adjusted during the SCT as the interaction between the experts and the participants is of the greatest value and if the participants have more questions than expected, particular slots may be prolonged a bit and others may be shortened.

There are 4 sessions that will be handled 1-2-1 per day. Each session lasts between 3 hours – 4 hours and 15 minutes (including short breaks within the sessions). Especially the sessions 2 and 3 plus a bit longer lunch break make the whole day. There will be no parallel sessions. Particular basic programming skills will be required from the participants.

The changes made to the agenda (see the next 4 chapters) are formatted as below:

New content – with bold font

Significantly updated content – with underlined font

Session 1 (Day 1, 13:00 – 17:00)

Time

Subject

Expert

Remarks

13:00-13:15

 

Introduction to the training

SA4T1 /DFN or

GF

Organization of the training, introducing the agenda, conventions etc., information where to get the previous content.

13:15-13:45

How we support building secure MDS Tools

GF (+ support)

SA4T1 activities intended for SDTs and how they differ from GN3+ activities (a more broad portfolio).

“Support” means that probably some slides would be prepared by SA4T1 representative, but would be described by GF. A short presentation of the procedures, deliverable D4.1.1. etc.

13:45-14:30

Threat modelling and risk assessment

GF

The presentation would contain a short introduction to the IT Infrastructure Threat Modelling (ITI TM) process and its particular stages: vision, model, identifying the threats, countermeasures and validation. STRIDE threat model will be presented as well as DREAD risk analysis model. The developers will learn how to think about security from the very earliest stage of the project lifecycle, how to identify potential threats and address them in the appropriate way.

Additional exercises will be prepared, the group will be working on assessing the threats with the DREAD model and propose countermeasures using the gained knowledge.

Short break 15 min. (14:30-14:45)

14:45-15:20

Data sanitization – meaning and techniques

GF

A recap of presentation from the first SCTs. Reminder about the crucial role of data sanitization techniques in software security. Several real examples will be shown how to bypass insufficiently strict sanitization mechanisms (e.g. black lists).

A short exercise with building regular expressions will be prepared.

15:20-16:00

Secure file uploads mechanisms

PB, GF

The presentation will cover a short description of known security problems associated with uploading files to Web applications. Examples are: possibility of uploading files with the active code run by the application (like .php, .jsp files), opportunity to further calling these files or referring to them in another way, possibility to upload files like .htaccess, files with multiple extensions, large files, pictures with an embedded active code with them etc.

Short break 15 min. (16:00-16:15)

16:15-17:00

Java encapsulation and object mutability workshop

TN

A set of 5 exercises presenting not so obvious Java features, which can lead to introducing security vulnerabilities. Each of the exercises
consists of several steps described in the source code directory, so that participants can do them in their own pace and consult the expert when necessary. At the end of the session the experts will explain solutions to all participants.

 

Session 2 (Day 2, 9:00 – 12:30)

Time

Subject

Expert

Remarks

9:00-10:10

Secure Web programming workshop
1. Injection flaws (10' lecture, 30' exercise)
2. Broken authentication and session management (10' lecture, 20' exercise)

PB, TN

Common security vulnerabilities according to OWASP top 10 will be introduced to participants. Every category of errors will be explained in details, with practical exercises.

Short break 10 min. (10:10-10:20)

10:20-11:20

Secure Web programming workshop

3. Cross-site scripting flaws (10' lecture, 30' exercise)

4. Insecure Direct Object References (5' lecture, 15' exercise)

PB, TN

See above

Short break 10 min. (11:20-11:30)

11:30-12:30

Secure Web programming workshop

5. Security misconfiguration (5' lecture, 15' exercise)

6. Sensitive data exposure (5' lecture, 15' exercise)

7. Missing function level access control (5' lecture, 15' exercise)

PB, TN

See above

Lunch break 1h  min. (12:30-13:30)

Session 3 (Day 2, 13:30 – 17:00)

Time

Subject

Expert

Remarks

13:30-14:30

Secure Web programming workshop

8. Cross-Site Request Forgery (CSRF) (5' lecture, 15' exercise)

9. Using components with known vulnerabilities (5' lecture, 15' exercise)

10. Unvalidated redirects and forwards (5' lecture, 15' exercise)

PB, TN

See above

14:30-14:45Short lecture with the workshop summary
  • Encoding Issues
  • Impact of using CMSs on security of Web applications
  • Race condition problems in Web applications
TN 

Short break 15 min. + preparation to HackMe (14:45-15:10)

15:10-17:00

HackMe

PB, TN

HackMe contest

Session 4 (Day 3, 9:00 – 13:00)

Time

Subject

Expert

Remarks

9:00-10:00

Secure programming in Perl, Python and shell scripting languages

ŁC (author),

TN (speaking),

GF

(demo)

A general review of the most significant bad and good programming practices in the mentioned languages. The presentation will rather mention the most significant practices and will not be as extended as Java or C parts.

The slot will include a demo of Perl::Critic source code analyser.

10:00-10:30

Introduction to code review strategies and techniques

GF

A comparison of manual and automated code analysis. Basic information (with examples) to the manual source code review strategies: Code Comprehension, Candidate Point, Design Generalization. Code Auditing Tactics. An exercise will be included.

10:30-11:00

From riddle to Heartbleed – catch the bug!

GF, ?

Several exercises concerning analyzing of the source code parts, looking for security bugs. Simple exercises may be prepared as well as the real famous bugs will be analyzed (e.g. OpenSSL Heartbleed).

The detailed contents may depend on what programming language preferences will be chosen by the attendees in the registration form.

Short break 15 min (11:00-11:15), preparations to the demos and workshop

11:15-11:45

Review of the most up-to-date free static source code analyzers for C, Java and PHP 

GF, TN

A short review of currently available free static source code analysers for C, Java, and PHP (extended, comparing with previous SCTs).

11:45-12:45

Workshop: automated source code analysis 

GF, TN

2 code parts will be analyzed with automated scanners; Java and PHP. Example: the set of returned results will be analysed with the detection of false positives. Different configuration options of the tools will be tried. The source code will be repaired and the tools will be re-run.

12:45-13:00

Closing of the training

GF

Summary. Filling the evaluation forms. Prize for the smartest participant who scores the most points during the exercises (or wins the most difficult contest).

 

Points to be discussed

Information for registration form

Overview

Producing secure code for applications is a key aspect of protecting GɉANT applications and systems. With the move towards multi-domain systems and services, there is a greater emphasis on securing these multi-domain systems as well as ensuring secure deployment of them. This year's Secure Code Training will focus on areas that affect the development and analysis of application's source code.

Emphasis on understanding threat and risk modelling will enable developers to think about security from the very earliest stage of the project lifecycle.

Apart from the main security concepts for this session, a review of the most significant bad and good programming practices covering Perl, Python and shell scripting languages will be covered.

The training will contain an extensive hands-on workshop aspect. The workshop will be divided into four blocks, covering specific coding security problems which lead to various security vulnerabilities. After covering the theoretical basics, the participants will begin to search for the vulnerabilities which were covered, and analyse the code of the modified MDS tools. At the end of the practical part, participants will have the opportunity to take part in a "HackMe" contest, where they will be able to further strengthen the knowledge that they will have obtained during the workshop.

Organizers of the training will review received preregistration application forms and choose a group of participants with a coherent level of knowledge in programming languages. All applicants will be notified in a week after the preregistration is closed.

Objectives

Attendees having completed this training should be able to:

    Perform a threat and risk assessment on their development projects.
    Have a clear understanding on some of the major bad and good programming concepts.
    Develop a secure web application code in several programming languages.
    Use tools for assistance in reviewing code of other developers.

The participants should have a practical knowledge of programming and scripting languages (e.g. Python).
Agenda

The course will begin after lunch on Tuesday 1 March, and end around 13:00 on Thursday 3 March.

Please note this is a preliminary agenda and subject to change. If you have any comments or suggestions about the content of this agenda please contact the GEANT Training Activity.

1 March (13:00 - 17:00)

SESSION 1 - Introduction

2 March (9:00 - 17:00)

SESSION 2 - Secure Web programming (part I)

SESSION 3 - Secure Web programming (part II)

3 March (9:00 - 13:00)

SESSION 4 - Coding and analysis

After the training the lecturers will be available for questions and discussion.

Preregistration form questions

Which programming languages do you know, use and plan to use in the GEANT project?

Please use: 0 - never used, 1 - used for some little projects, 2 - quite familiar, 3 - expert.

How do you rate your security knowledge?

0 - no experience

1 - I just know what SQL injection and XSS means

2 - I am familiar with most of the topics in the agenda