Secure Code Training 2016

Introduction

This document has been prepared to show the agenda of Secure Coding Training (SCT) that will be held at DFN (Berlin) in March 2016 by SA4T1 experts.

Registration page: https://eventr.geant.org/events/2332

Contact person: the main contact person for this issue is currently Gerard Frankowski, PSNC – gerard.frankowski@man.poznan.pl.

During week 25-29.01.2015 main contact person is Paweł Berus, PSNC - pawel.berus@man.poznan.pl 

Experts

Currently we have the following experts (sorted alphabetically):

• Paweł Berus (PSNC) – referred as PB
• Łukasz Czarniecki (PSNC) – referred as ŁC (not talking in person but prepares some input)
• Gerard Frankowski (PNSC) – referred as GF
• Maciej Miłostan (PSNC) – referred as MM (not talking in person but prepares some input)
• Tomasz Nowak (PSNC) – referred as TN

Overview

Producing secure code for applications is a key aspect of protecting GɉANT applications and systems. With the move towards multi-domain systems and services, there is a greater emphasis on securing these multi-domain systems as well as ensuring secure deployment of them. This year's Secure Code Training will focus on areas that affect the development and analysis of application's source code.

Emphasis on understanding threat and risk modelling will enable developers to think about security from the very earliest stage of the project lifecycle.

Apart from the main security concepts for this session, a review of the most significant bad and good programming practices covering Perl, Python and shell scripting languages will be covered.

The training will contain an extensive hands-on workshop aspect. The workshop will be divided into four blocks, covering specific coding security problems which lead to various security vulnerabilities. After covering the theoretical basics, the participants will begin to search for the vulnerabilities which were covered, and analyse the code of the modified MDS tools. At the end of the practical part, participants will have the opportunity to take part in a "HackMe" contest, where they will be able to further strengthen the knowledge that they will have obtained during the workshop.

Organizers of the training will review received preregistration application forms and choose a group of participants with a coherent level of knowledge in programming languages. All applicants will be notified in a week after the preregistration is closed.

Objectives

Attendees having completed this training should be able to:

• Perform a threat and risk assessment on their development projects.
• Have a clear understanding on some of the major bad and good programming concepts.
• Develop a secure web application code in several programming languages.
• Use tools for assistance in reviewing code of other developers.

The participants should have a practical knowledge of programming and scripting languages.

Agenda

The course will begin after lunch on Tuesday 1 March, and end around 13:00 on Thursday 3 March.

Please note this is a preliminary agenda and subject to change. If you have any comments or suggestions about the content of this agenda please contact the GEANT Training Activity.

1 March (13:00 - 17:00)

SESSION 1 - Introduction

• Introduction to the training
• How we support building secure MDS tools
• Threat modelling and risk assessment
• Data sanitization – meaning and techniques
• Secure file uploads mechanisms

2 March (9:00 - 17:00)

SESSION 2 - Secure Web programming (part I)

• Injection flaws
• Broken authentication and session management
• Cross-site scripting flaws
• Insecure Direct Object References
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control

SESSION 3 - Secure Web programming (part II)

• Cross-Site Request Forgery (CSRF)
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
• Workshop summary
• HackMe Contest

3 March (9:00 - 13:00)

SESSION 4 - Coding and analysis

• Code review strategies and techniques
• From riddle to Heartbleed – catch the bug!
• Review of free static source code analyzers
• Workshop: automated source code analysis

After the training the lecturers will be available for questions and discussion.

Funding

The funding covers participants of the GEANT GN4 Project.
It is to cover reasonable costs of travel and accommodation for the 
purpose of attending the course.

The process is that any participant will pay for their own travel and 
accommodation then claim and be repaid these costs from their own NREN 
under their own expenses policy.

The NREN in turn claims these costs in their monthly reclaim with the 
Reference NA1 T7 and the course title in the description line.

The GEANT project is unable to pay individuals directly.

Accommodation

The Park Inn is offering special rates for attendees - Keyword - SecureCode 2016.

Park Inn by Radisson Berlin – Alexanderplatz
Alexanderplatz 7
10178 Berlin
Germany

The guests reserve the room by themselves directly in the hotel under the above mentioned keyword in our Individual Reservation department as follows:

• telephone number: +49 (0)30 2389 4333 or
• fax number: +49 (0)30 2389 4305 or
• Email: reservations@parkinn-berlin.com.

This hotel is less than 5 minutes walk from the DFN office.