Secure Programming Foundation

Subjects

1. Introduction to Secure Programming
2. Secure Programming Awareness
3. Authentication and Session Management
4. Input Handling
5. Authorization
6. Configuration, Error Handling and Logging
7. Cryptography
8. Secure Software Engineering

Introduction to Secure Programming

• Identify OWASP as a leading authority in secure programming and application security.
• Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
• Familiarize with the OWASP Top 10 list of the most critical web application security risks.
• In the news: what happend this week?

Security Awareness

• Recognize the historical underfunding of security and understand its implications for organizations.
• Define and explain technical terms commonly used in the context of security.
• Utilize the STRIDE model to identify and understand different types of threats to security.
• Identify and assess potential attack surfaces within a given system or application.
• Recognize and understand the role of "man in the middle" proxies in security contexts.
• Identify and comprehend basic vulnerabilities commonly found in web applications.
• Understand the HTTP protocol and its relevance as an attack vector in web security.
• Comprehend the Browser Security Model and its significance in ensuring secure web browsing.

Authentication and Session Management

• Differentiate between authentication and authorization and understand their respective best practices.
• Apply best practices for error handling in authentication and session management processes.
• Select and implement strong password policies and guidelines.
• Understand the concepts of hashing and salting in the context of password security.
• Implement a secure "Forgot Password" flow to ensure robust user authentication.
• Differentiate between client-side and server-side session management and their implications.
• Implement and manage JWT-based session authentication securely.
• Understand and apply appropriate cookie attributes for secure session management.
• Recognize the threat of cross-site request forgery (CSRF) attacks and implement preventive measures.
• Identify and mitigate the risk of clickjacking attacks in web applications.

Input Handling

• Recognize common areas where injection attacks can occur and understand the basics of such attacks.
• Implement measures to harden applications against SQL injection attacks.
• Understand the risks associated with blind SQL injection attacks and how to defend against them.
• Differentiate between whitelist and blacklist input validation methods and their effectiveness in preventing attacks.
• Identify and defend against buffer overflow attacks in applications.
• Recognize the potential for embedded instructions and how they can lead to cross-site scripting (XSS) attacks.
• Implement strategies to prevent and mitigate cross-site scripting (XSS) attacks.
• Identify and address the attack surface of second-order injection attacks.

Authorization

• Understand the rationale for using indirect referencing in authorization processes.
• Apply the concept of least privilege when designing access control mechanisms.
• Implement role-based access security models for effective authorization.
• Recognize the difference between Time of Check and Time of Use vulnerabilities in authorization processes.
• Understand the basics of OAuth 2 authorization flows and their applications in modern security contexts.

Configuration, Error Handling, and Logging

• Integrate vulnerability scanning into development pipelines to identify and address security flaws early in the development lifecycle.
• Implement measures to prevent accidental information disclosure in application configurations and error handling processes.
• Reduce the attack surface of applications by implementing secure configuration practices.
• Prevent the inadvertent leakage of sensitive information through metadata in logging and error handling.
• Understand the concept of timing attacks and implement strategies to prevent them in secure systems.

Cryptography

• Differentiate between symmetric and asymmetric encryption methods and understand their applications in secure communication.
• Understand the role of digital signing in ensuring data integrity and authenticity.
• Comprehend the basics of Public Key Infrastructure (PKI) and its relevance in secure communication.
• Explain the process by which Transport Layer Security (TLS) establishes a symmetric key for secure communication.