"Charting the Course... Certified Secure Web Application Engineer Course Summary

Transcription

1 Course Summary Description Web applications are increasingly more sophisticated and as such, they are critical to almost all major online businesses. As more applications are web enabled, the number of web application security issues will increase, traditional local system vulnerabilities, such as directory traversals, overflows and race conditions, are opened up to new vectors of attack. The responsibility for the security of sensitive systems will rest increasingly with the web developer, rather than the vendor or system administrator. As with most security issues involving client/server communications, Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer. The mile2 training teaches students to detect various security issues with web applications and identify vulnerabilities and risks The internet is one of the most dangerous places to do business today. Every day, organizations and government fall victim to internet based attacks. In many cases, attacks could be easily thwarted but hackers, organized criminal gangs, and foreign agents are able to exploit weaknesses in web applications and architecture. The Secure Web programmer knows how to identify, mitigate and defend against all attacks, through designing and building systems that are resistant to failure. The secure web application developer knows how to develop web applications that are not subject to common vulnerabilities, and how to test and validate that their applications are secure, reliable and resistant to attack. The Secure Web Application Engineer course provides the developer with a thorough and broad understanding of secure application concepts, principles and standards. The developer will be able to design, develop and test web applications that will provide reliable web services that meet functional business requirements and satisfy compliance and assurance needs. Objectives Upon completion of the CSWAE students will be able to confidently undertake the CSWAE certification examination (recommended). Students will enjoy an in-depth course that is continuously updated to maintain and incorporate the ever changing web application and secure code technologies. This course offers up-to-date proprietary laboratories that have been researched and developed by leading security professionals from around the world. Topics Software Security Explained Risk Management Secure Architecture Design Recent Attacks and the OWASP Top 10 Threat Modeling Software Security Vulnerabilities Other Vulnerabilities Overview of Secure Coding Principles Detailed Examination of Secure Coding Principles Secure Software Development Lifecycle PCI Data Security Standard Security Web 2.0 Other Key Items Selling Security to Management Web Application Penetration Testing Prerequisites A minimum of 12 months experience in networking technologies Sound knowledge of TCP/IP Knowledge of Microsoft packages Network+, Microsoft, Security+ Basic Knowledge of Linux is essential Duration Four days

2 Course Outline I. Software Security Explained B. What is Software Security? C. Security Terms D. Attack Vectors E. Threats F. Why Change? G. Consumer Expectations H. Business Responsibility I. Consumer Expectations J. Business Responsibility K. Response? L. Why Care About Security? M. What is Software Security? N. Software Security Methodology O. Software Security P. Why is Software Security so Tough? Q. The Rise of Insecure Software R. Connectivity S. Extensibility T. Complexity U. So what is the problem? V. Challenges With Security W. What can we do about it? X. Layered Defense Y. Secure Coding Fundamentals Z. Software Security Methodology AA. Process Overview BB. What We Can Do About It? CC. Roles and Responsibilities DD. Developer s Role II. Risk Management B. Risk Management C. Why ERM Is Important D. Important Terms E. The Importance of Risk Management F. NIST G. When Should it Start H. Risk Management in the SDLC I. Requirements Phase Tasks J. Design Phase Tasks K. Implementation Phase Tasks L. Integrate / Release Phase Tasks M. Risk Management Process N. Know The Business O. Identify Risks P. Identify Assets and Value Q. Risk Analysis R. Identify Threats and Risks S. Determine Impacts T. Impact vs. Cost to Mitigate U. Classify Risks V. Develop Mitigation Plan W. Implement X. Validating Fixes Y. Reporting Your Findings Z. Keys for Success AA. BB. Review III. Secure Architecture Design B. Secure Architecture Design C. Architecture and Design D. Enterprise Security Architecture E. Enterprise Architecture F. Security Architecture Multi-layer G. SAL Focus on Standardization H. Design for Security I. Architectural Design J. Protection K. What to Consider During Design L. Design Guidelines M. Design It Secure N. The Economics of Software O. Forces In Software P. Design Considerations Q. Secure Product Development Timeline R. Secure By Design S. Design Considerations T. The SD3 Framework U. Understanding the Environment V. Use of Encryption W. Security in Layers X. Buy vs. Build Y. Secure your data Z. Filters AA. Things to Remember BB. Review IV. Recent Attacks and the OWASP Top 10 A. OWASP Guides B. Common Vulnerabilities C. Cross Site Scripting D. XSS Example E. Cross Site Scripting F. Cross Site Scripting Attacks G. XSS Example H. Cross Site Request Forgery I. Link Injection to Facilitate Cross Site Request Forgery J. Injection Flaws

3 K. SQL Injection and Injection Flaws L. Bobby Tables M. SQL Injection Example in.net N. E-Commerce Web Site O. E-Commerce Login P. Demonstration Q. SQL Injection R. SQL Injection Buggy Code S. SQL Injection Countermeasures T. Command Injection U. SQL Injection V. Why SQL Injection? W. Blind SQL injection X. SQL Connection Properties Y. SQL Injection: Enumeration Z. SQL Extended Stored Procedures AA. Shutting Down SQL Server BB. Business Impacts of SQL Injection CC. Finding and Fixing SQL Injection DD. Unvalidated Input EE. Unvalidated Input Illustrated FF. Business Impacts of Unvalidated Input GG. Finding and Fixing Unvalidated Input HH. Common Vulnerabilities II. Buffer Overflow JJ. Buffer Overflow Illustrated KK. Business Impacts of Buffer Overflows LL. Finding and Fixing Buffer Overflows MM. Improper Error Handling NN. Improper Error Handling Illustrated OO. Business Impacts of Improper Error Handling PP. Finding and Fixing Improper Error Handling QQ. Session Hijacking RR. Session Management SS. Common Vulnerabilities TT. Session Hijacking UU. Broken Access Control VV. Broken Account and Session Management WW. Broken Authentication and Session Mgmt XX. Broken Authentication Illustrated YY. Business Impacts of Broken Authentication ZZ. Finding and Fixing Broken Authentication AAA. Broken Access Control BBB. Broken Access Control Illustrated CCC. Where Does Access Control Typically Occur? DDD. Business Impacts of Broken Access Control EEE. Finding and Fixing Broken Access Control FFF. Insecure Storage GGG. Insecure Storage Illustrated HHH. Business Impacts of Insecure Storage III. Finding and Fixing Insecure Storage JJJ. Application Denial of Service KKK. Application DOS Illustrated LLL. Business Impacts of Application DOS MMM. Finding and Fixing Application DOS NNN. Insecure Configuration Management OOO. Insecure Configuration Illustrated PPP. Business Impacts of Insecure Configuration QQQ. Finding and Fixing Insecure Configuration RRR. Attacks SSS. Man-in-the Middle TTT. Attacks UUU. Information Integrity VVV. Insufficient Anti-Automation WWW. XML Poisoning XXX. Malicious Code Execution YYY. Malicious Code Execution Example ZZZ. RSS Atom Injection AAAA. WSDL Scanning and Enumeration BBBB. Client side validation in AJAX routines CCCC. Web Service Routing Issues DDDD. Parameter Manipulation With SOAP EEEE. XPATH Injection SOAP message FFFF. RIA Client Binary Manipulation GGGG. Information Leakage HHHH. Web 2.0 Information Leakage IIII. Application Denial of Service JJJJ. Application Denial of Service Remediation KKKK. Application Level DOS LLLL. Real-World Test MMMM. Hacktics Results NNNN. Directory Traversal OOOO. Directory Listing PPPP. Insecure Software is Everywhere QQQQ. Security Focus RRRR. SecurityFocus (Demo) SSSS. ISS (Demo) TTTT. Review

4 V. Threat Modeling B. Threat Modeling Overview C. The Process D. Identify Security Objectives E. Application Review F. Application Diagram G. Application Decomposition H. Identify Threats I. Threat Modeling J. Harmonized Threat and Risk Assessment Methodology K. Framework for the Harmonized TRA Methodology L. Example: Threat Graph M. Example: Threat Tree N. Threat Methodologies (STRIDE) O. Spoofing Identity P. Tampering With Data Q. Repudiation R. Information Disclosure S. Denial of Service T. Elevation of Privilege U. Rank the Threats (DREAD) V. How to Respond to Threats W. Mitigating Threats X. Review VI. Software Security Vulnerabilities A. Introduction B. Application Test Script Detected C. Cacheable SSL page D. Cacheable SSL Page Remediation E. Database Error Pattern Found F. Database Error Message Found G. Direct Access to Administration Pages H. Address Pattern Found I. HTML Comments Contain Sensitive Information J. Internal IP Address Disclosure K. Missing Secure Attribute in Encrypted Sessions L. Possible Server Path Disclosure M. Query Parameter found in SSL Request N. Query Parameter Found in SSL Request O. Unencrypted Login Request P. Cross Site Scripting Q. XSS Example R. Phishing S. Phishing Web 2.0 Example T. Injection Flaws U. Cross Site Scripting V. Cross Site Scripting Attacks W. XSS Example X. SQL Injection and Injection Flaws Y. Bobby Tables Z. SQL Injection Example in.net AA. E-Commerce Web Site BB. E-Commerce Login CC. SQL Injection DD. Demonstration EE. SQL Injection Buggy Code FF. SQL Injection Countermeasures GG. Cross Site Request Forgery HH. Web-Based II. Cross Site Request Forgery JJ. Directory Traversal VII. Other Vulnerabilities A. Introduction B. HTTP Response Splitting C. Application Input Restrictions Bypass D. Hidden Directory Detected E. Microsoft ASP Debugging Enabled F. Sensitive Files Found G. Unencrypted View H. Where to Learn More I. Phishing J. Phishing Web 2.0 Example K. Sensitive Data Leakage (CWE-0) L. Information Leakage M. Web 2.0 Information Leakage N. Information Integrity O. Insufficient Anti-Automation P. XML Poisoning Q. Malicious Code Execution R. RSS Atom Injection S. WSDL Scanning and Enumeration T. Client side validation in AJAX routines U. Web Service Routing Issues V. Parameter Manipulation with SOAP W. XPATH Injection SOAP message X. RIA Client Binary Manipulation Y. Two Types of Vulnerabilities Z. Activity Monitoring and Data Retrieval AA. Unauthorized Dialing, SMS, and Payments BB. Unauthorized Network Connectivity (exfiltration or command & control) CC. UI impersonation DD. System Modification (rootkit, APN, proxy config) EE. Logic or Time Bomb (CWE-) FF. Hardcoded Password/Keys (CWE-) GG. Summary

5 VIII. Overview of Secure Coding Principles A. The Principles of Secure Development B. Principle #1 Input Validation C. Possible Places to do Validation D. Principle #3 Improper Error Handling E. Principle #4 Authentication and Authorization F. Principle #5 Session Hijacking G. Principle #6 Secure Communications IX. Detailed Examination of Secure Coding Principles B. Data Validation C. Defending the Attack D. Error and Exception Handling E. Logging and Auditing F. Authentication G. Web Authentication Methods H. Basic and Digest Authentication I. Form Based Authentication J. Certificate Based Authentication K. Strong Authentication L. Authorization M. Review X. Secure Software Development Lifecycle B. Secure SDLC Overview C. S-SDLC Overview D. A Secure Process E. Manager s Point of View F. Developer s Point of View G. Phases of The Development Lifecycle H. Project Initiation/Concept I. Requirements Gathering J. Integration Through Risk Management K. Principles L. Process M. Risk Assessment N. Testing Methodologies O. Integrating Testing in the Dev Lifecycle P. Architecture and Design Q. Implementing Defense In-depth R. Traceability Matrix S. Things to Consider T. Development U. Testing V. Unit Test W. Testing X. Implementation and Deployment Y. Maintenance Z. Review XI. PCI Data Security Standard A. Payment Card Industry B. PCI DSS Overview C. PCI Overview D. PCI-Requirement 6 E. Requirement 6.1 F. Requirement 6.2 G. Requirement 6.3 H. Requirement 6.4 I. Requirement 6.5 J. Requirement 6.6 K. Discussion L. Summary M. Security Audit Procedures N. Compensating Controls O. Summary XII. Security Web 2.0 A. Introduction B. What is Web 2.0 and who uses it? C. Classic Web Vs Ajax D. Synchronous vs. Asynchronous E. WEB 2.0 Target Application Layout F. Web 2.0 Security Vulnerabilities G. Web 2.0 Usability H. Web 2.0 and No SSL I. Web 2.0 and Remember Me J. Web 2.0 and Social Engineering K. Overpowered APIs and Duplicated Code L. Outsourcing M. Web 2.0 and Cutting Edge Technology N. Web 2.0 and Trust O. Web 2.0 Security Vulnerabilities P. Systems Susceptible to Attacks Q. Insufficient Authentication Controls XIII. Other Key Items B. Other items - Integrated Systems C. ISO D. Organizational Standard Processes E. The CMMI Approach F. International StandardsSSE-CMM G. Integrated Systems H. What is DMZ? I. Classic Security Model J. DNS K. Middleware Defined L. Integrated Systems Fundamental Requirements

6 M. What to Require N. How do you select the correct security product? O. The Software Market P. The Market is Changing! Q. The Future XIV. Selling Security to Management A. Security is Challenging B. Software Security is A Different World C. Root Causes of Application Insecurity D. Targeting the Root Causes E. What to Recommend F. Key Enhancements G. Advanced Enhancements H. Application Security I. Capacity Scorecard J. Compliance & Security K. Integrated Requirements L. Recommended Training M. Review XV. Web Application Penetration Testing B. Secure Code Review C. Web Application Penetration Testing Overview D. Quick Poll E. Benefits of a Penetration Test F. Article and Example of WAPT G. Current Problems in WAPT H. Learning Attack Methods I. Developer s Point of View J. Progression of The Professional Hacker K. What Information is gathered by the Hacker? L. Methods of Obtaining Information M. Physical Access N. Social Access O. Social Engineering Techniques P. Digital Access Q. Passive vs. Active Reconnaissance R. Footprinting Defined S. Footprinting Tool: KartOO Website T. Footprinting tools U. Google and Query Operators V. Instructor Demonstration W. SPUD: Google API Utility Tool X. Instructor Demonstration Y. Online Social Websites Z. Identity Theft and MySpace AA. Instant Messengers and Chats BB. Blogs, Forums & Newsgroups CC. Internet Archive: DD. The WayBack Machine EE. Domain Name Registration FF. WHOIS GG. WHOIS Output HH. Instructor Demonstration II. DNS Databases JJ. Using Nslookup KK. Dig for Unix / Linux LL. People Search Engines MM. Client Reputation NN. Web Server Info Tool: Netcraft OO. Countermeasure: Domainsbyproxy.com PP. Footprinting Countermeasures QQ. Introduction to Port Scanning RR. Popular Port Scanning Tools SS. Port Scan Tips TT. Most Popular: BackTrack UU. Expected Results VV. Method: Ping WW. Stealth Online Ping XX. NMAP: Preferred Scanning Tool YY. Which Services use Which Ports? ZZ. OS Fingerprinting AAA. Countermeasures: Scanning BBB. Enumeration Overview CCC. Web Server Banners DDD. Practice: Banner Grabbing with Telnet EEE. SuperScan 4 Tool: Banner Grabbing FFF. Sc GGG. SMTP Server Banner HHH. DNS Enumeration III. Web Application Penetration Methodologies JJJ. HTTrack Tool: Copying the website offline KKK. Httprint Tool: Web Server Software ID LLL. Instructor Demonstration MMM. The Anatomy of a Web Application Attack NNN. The Anatomy of a Web Application Attack OOO. Web Attack Techniques PPP. Cracking Techniques QQQ. Password Guessing RRR. Brute Force Tools SSS. Precomputation Detail TTT. Cain and Abel s Cracking Methods UUU. Free Rainbow Tables VVV. Password Sniffing WWW. Changes In Software Development XXX. Reality Check YYY. Changes Required From Security Testers

7 ZZZ. Types of Penetration Testing AAAA. Penetration Testing Methodologies BBBB. FireFox The ScriptKiddie s Dream CCCC. Assessment Tool: Stealth HTTP Scanner DDDD. Acunetix Web Scanner EEEE. Wikto Web Assessment Tool FFFF. Instructor Demonstration GGGG. Tool: Paros Proxy HHHH. Instructor Demonstration IIII. Tool: Burp Proxy JJJJ. Fuzzers KKKK. Nessus LLLL. Nessus Report MMMM. SAINT Sample Report NNNN. Hacking Tool: Metasploit OOOO. Direct Attacks Against a Database PPPP. Attacking Database Servers QQQQ. Obtaining Sensitive Information RRRR. Hacking Tool: SQL Ping2 SSSS. Hacking Tool: osql.exe TTTT. Hacking Tool: Query Analyzers UUUU. Hacking Tool: SQLExec VVVV. Oracle Security Expert WWWW. Hardening Databases XXXX. On the Horizon YYYY. Website Reviews ZZZZ. Review