Secure Programming Foundation
Learn the basics of secure programming
Description
In this training you will learn the basics of secure programming.
Topics covered are authentication & session management and handling user input to prevent injection attacks such as SQL-injection and buffer overflows. XSS and the browser's security model are also discussed. In addition to implementing authorization, logging and error handling, we'll look at how cryptography can be used in a secure way for storage and transport. Finally, we briefly discuss how security can be integrated into the software development process in the requirements preparation, design, coding and testing phases.
The examples use web technology, but the principles of secure programming apply equally in other environments. The OWASP guidelines are followed wherever possible.
Target audience: The course is suitable for programmers who have limited knowledge of secure programming or need an update of their knowledge.
Learning Goals
This training covers the following learning goals:
- Recognize security risks in common contexts and demonstrate awareness.
- Cite 5 categories of vulnerabilities from the OWASP Top 10.
- Recall the STRIDE threat model and how it can be used to identify security threats.
- Adapt secure web application development practices to mitigate common security risks.
- Describe common injection attacks and mitigation strategies.
- Understand the principles and practices of authorization.
- Paraphrase common cryptography use cases, like hashing, encryption, and digital signatures.
- Understand common security practices surrounding authentication.
- Describe common security misconfigurations and how to prevent them.
Prior Knowledge
Experience with at least one programming language is required.
Subjects
- Introduction to Secure Programming
- Secure Programming Awareness
- Authentication and Session Management
- Input Handling
- Authorization
- Configuration, Error Handling and Logging
- Cryptography
- Secure Software Engineering
Introduction to Secure Programming
- Identify OWASP as a leading authority in secure programming and application security.
- Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
- Familiarize with the OWASP Top 10 list of the most critical web application security risks.
- In the news: what happened this week?
Security Awareness
- Recognize the historical underfunding of security and understand its implications for organizations.
- Define and explain technical terms commonly used in the context of security.
- Utilize the STRIDE model to identify and understand different types of threats to security.
- Identify and assess potential attack surfaces within a given system or application.
- Recognize and understand the role of "man in the middle" proxies in security contexts.
- Identify and comprehend basic vulnerabilities commonly found in web applications.
- Understand the HTTP protocol and its relevance as an attack vector in web security.
- Comprehend the Browser Security Model and its significance in ensuring secure web browsing.
Authentication and Session Management
- Differentiate between authentication and authorization and understand their respective best practices.
- Apply best practices for error handling in authentication and session management processes.
- Select and implement strong password policies and guidelines.
- Understand the concepts of hashing and salting in the context of password security.
- Implement a secure "Forgot Password" flow to ensure robust user authentication.
- Differentiate between client-side and server-side session management and their implications.
- Implement and manage JWT-based session authentication securely.
- Understand and apply appropriate cookie attributes for secure session management.
- Recognize the threat of cross-site request forgery (CSRF) attacks and implement preventive measures.
- Identify and mitigate the risk of clickjacking attacks in web applications.
Input Handling
- Recognize common areas where injection attacks can occur and understand the basics of such attacks.
- Implement measures to harden applications against SQL injection attacks.
- Understand the risks associated with blind SQL injection attacks and how to defend against them.
- Differentiate between whitelist and blacklist input validation methods and their effectiveness in preventing attacks.
- Identify and defend against buffer overflow attacks in applications.
- Recognize the potential for embedded instructions and how they can lead to cross-site scripting (XSS) attacks.
- Implement strategies to prevent and mitigate cross-site scripting (XSS) attacks.
- Identify and address the attack surface of second-order injection attacks.
Authorization
- Understand the rationale for using indirect referencing in authorization processes.
- Apply the concept of least privilege when designing access control mechanisms.
- Implement role-based access security models for effective authorization.
- Recognize Time of Check to Time of Use (TOCTOU) vulnerabilities in authorization processes.
- Understand the basics of OAuth 2 authorization flows and their applications in modern security contexts.
Configuration, Error Handling, and Logging
- Integrate vulnerability scanning into development pipelines to identify and address security flaws early in the development lifecycle.
- Implement measures to prevent accidental information disclosure in application configurations and error handling processes.
- Reduce the attack surface of applications by implementing secure configuration practices.
- Prevent the inadvertent leakage of sensitive information through metadata in logging and error handling.
- Understand the concept of timing attacks and implement strategies to prevent them in secure systems.
Cryptography
- Differentiate between symmetric and asymmetric encryption methods and understand their applications in secure communication.
- Understand the role of digital signing in ensuring data integrity and authenticity.
- Comprehend the basics of Public Key Infrastructure (PKI) and its relevance in secure communication.
- Explain the process by which Transport Layer Security (TLS) establishes a symmetric key for secure communication.
Schedule
Start date | Duration | Location
---|---|---
January 21–22, 2025 | 2 days | Utrecht / Remote (hybrid training, can be followed remotely)
March 5–6, 2025 | 2 days | Utrecht / Remote (hybrid training, can be followed remotely)
April 1–2, 2025 | 2 days | Veenendaal / Remote (hybrid training, can be followed remotely)
April 15–16, 2025 | 2 days | Veenendaal / Remote (hybrid training, can be followed remotely)
All courses can also be delivered within your organization as customized or in-company training.
Our training advisors are happy to provide personal advice or to help arrange in-company training within your organization.
Trainers
"Trainer who knows his profession!" – Marc
- High ratings
- Practice-oriented training
- Certified trainers
- In-house instructors