This course aims to make developers aware of some best practices in everyday development in order to create secure applications. On the other side this course shared some of the exploits used by attackers in order to have access to systems or data through systems vulnerabilities.
The course is intended for developers, with the aim of introducing the concept of security from the early stages of the design and development process of a software application or system.
Developers will have a nice understanding of systems fragilities and will know the “do’s and don’t” for a modern developer.
Good developer skills and deep knowledge of how systems work together like web servers, databases and development tools.
(não existem exames)
1) sSDLC - Secure Software Development Life Cycle
a. Software development cycle: describing both classical (or cascade) and agile methodologies.
b. Requirements: detailing standards-based requirements identification methodologies, for example, IEEE 830.
c. Architecture and design: describing the related activities for the creation of an efficient and reusable architecture that also allows incorporating not only use cases but also abuse cases; incorporating specific safety issues early in development.
d. Implementation: describing the activities necessary to carry out the implementation of the code based on good practices and development patterns. Version control systems and their integration with automatic construction systems will also be described.
e. Testing: describing the testing models, both unit and integration and performance necessary to increase the quality and completeness of the deliverables developed. f. Deployment: describing the procedures and actions necessary to carry out deployments and the availability of the different recommended environments for use. g. Maintenance: describing the necessary activities, both monitoring and supervision of infrastructures and their corresponding relationship with the maintenance tasks of the applications.
2) Security in development
a. Ticket validation
b. Ticket validation practice
c. Output coding
d. Cryptography: describing the use of the cryptographic functions included by default in PHP -md5 (), crypt () and sha1 () -, as well as the use of packages and external libraries (MCrypt, MHash, Crypt_Blowfish, Crypt_RSA, Crypt_ HMAC and Crypt_DiffieHellman).
e. Buffer overflow: describing the characteristics of this type of vulnerability and demonstrating its possible application in PHP applications.
3) Safety in processes and procedures
a. Password Authentication and Management: Describing good practices for storing password information, its values and expiration policies and options for incorporating double factor authentication in the functionalities that may require it.
b. Session management: describing the communication model based both on cookies that maintain the session and on JWT or server-less technologies.
c. Error and log handling: describing the different possible approaches for incorporating an adequate traceability policy for both the use of applications in a legitimate way, but allowing traceability of the actions carried out in the event that it is necessary to investigate a bug or a security incident, such as error management and minimization of information disclosure in this type of situation.
4) OWASP Top Ten
b. Broken Authentication
c. Sensitive Data Exposure
d. XML External Entities (XXE)
e. Broken Access Control
f. Security Misconfiguration
g. Cross-Site Scripting XSS
h. Insecure Deserialization
i. Using Components with Known Vulnerabilities
j. Insufficient Logging & Monitoring
5) PHP SECURITY Example
a. Register globals
b. Data filtering
c. Error reporting
d. Forms process
e. Credentials and databases
g. Shared accommodation
h. PHP "malicious" functions