Secure Programming Training
With the number of (attempted) security breaches rising and agile sprint cycles getting shorter, securing your software from day one is a major cost-saver. When developers know where common security flaws lie and how they can be prevented, implementing security features early on reduces both the risk of a breach and its cost. This course is given by Secura security experts and focuses on code review and application security.
This training is suitable for:
- Application testers
- Software engineers
- Technical staff involved in security management
Required skills & expertise
This course is intended for developers who want to learn how to program more securely. Programming skills are required, as is a basic knowledge of the OWASP Top 10.
The program is divided into three sections, given as a one-day course. The whole session is built around quizzes and questions that help you internalize the material, which makes it a fun and interactive training session.
- Section 1: Security Awareness
The program starts with an introduction and several quiz questions to jointly identify and grasp security concepts such as defense in depth, least privilege, fail securely and keep it simple.
- Section 2: Web Application Security
This section covers the OWASP Top 10 vulnerabilities in more detail, with examples of each and how to prevent them.
It explains what CSRF (Cross-Site Request Forgery) is, how it works and how to prevent it; this is still a common way to gain unauthorized access to systems. We discuss topics such as (SQL) injection attacks, dynamic file inclusion, input validation, blacklist/whitelist filtering, handling invalid input and dealing with character encoding. Together we go over our input validation checklist and, taking on the role of an attacker, see how user enumeration is possible through the information leaked by user validation errors and how request throttling limits it.
Next we move to XSS (Cross-Site Scripting): how it works (including, for example, session pollution) and how to prevent it, with extensive examples. After a discussion of password policy and of the benefits and limitations of HTTPS, we move on to an explanation of cryptography. Lastly we discuss server configuration, error handling and logging.
- Section 3: Software Security Engineering
This section describes common best practices in software security engineering, how to define (and test) security requirements, and common security standards. It also provides advice on security architecture design, code reviews, security testing, security audits and automated testing.
The day is rounded off with some challenging quiz questions based on real-life examples in Java and C, and more!
- Understand and know basic security concepts for secure programming
- Gain a proper understanding of common vulnerabilities such as cross-site scripting and cross-site request forgery
- Know how to prevent common vulnerabilities with a wide range of methods
- Understand how an attacker uses presented information to learn about and gain unauthorized access to your systems
- Complete many quiz questions to internalize the knowledge and better understand how to apply it during your coding
- Date: 15 November 2018