Secure Programming Foundation

Subjects

1. Secure Programming Awareness
2. STRIDE
3. OWASP Top 10 latest edition:
   • 10 most critical web application security risks
   • related weaknesses (CWE)
   • best practices to mitigate them
4. SOP, CORS, Security-related Headers
5. Input Handling
6. Authentication & Authorization
7. Configuration, Error Handling and Logging
8. Cryptography

Introduction to Secure Programming

• Identify OWASP as a leading authority in secure programming and application security.
• Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
• Familiarize with the OWASP Top 10 list of the most critical web application security risks.
• In the news: what happend this week?

Security Awareness

• Recognize the historical underfunding of security and understand its implications for organizations.
• Define and explain technical terms commonly used in the context of security.
• Know the STRIDE model to identify and understand different types of threats to security.
• Recognize and understand the role of "man in the middle" proxies in security contexts.
• Understand the HTTP protocol and its relevance as an attack vector in web security.
• Comprehend the Browser Security Model and its significance in ensuring secure web browsing.

Authentication and Session Management

• Differentiate between authentication and authorization and understand their respective best practices.
• Implement secure password policies and understand hashing and salting using Bcrypt.
• Know the importance of Multi-Factor Authentication (MFA) as a critical defense against credential theft and weak passwords.
• Differentiate between session-based and token-based authentication, understanding their trade-offs and security implications.
• Implement and manage JWT-based authentication securely, including proper token storage, expiration, and revocation strategies.
• Understand and apply appropriate cookie attributes for secure session management.
• Recognize session fixation and user enumeration attacks and implement appropriate countermeasures.

Input Handling

• Recognize common areas where injection attacks can occur like command injection, XSS, and path traversal.
• Understand the difference between input validation and sanitization, and when to apply each technique.
• Implement measures to harden applications against SQL injection attacks and understand the risks associated with blind SQL injection attacks.
• Differentiate between allowlist and blocklist input validation methods.
• Recognize three types of Cross-Site Scripting (XSS) attacks.
• Implement context-aware encoding to prevent XSS attacks across different contexts.
• Understand how modern frameworks provide automatic escaping and sanitization, and when manual intervention is still required.
• Recognize regular expression pitfalls including ReDoS attacks and greedy quantifiers.
• Understand encoding standards and the importance of decoding.

Authorization

• Understand the rationale for using indirect object references and preventing Insecure Direct Object Reference (IDOR) vulnerabilities.
• Apply the principle of least privilege when designing access control mechanisms.
• Understand the difference between Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
• Enforce record ownership in access controls to prevent unauthorized CRUD operations on other users' data.
• Design and maintain a two-dimensional access control matrix documenting subjects, objects, and allowed actions for each role.
• Understand the basics of an OAuth 2.0.
• Recognize Server-Side Request Forgery (SSRF) attacks and understand mitigation.
• Recognize Cross-Site Request Forgery (CSRF) attacks and implement mitigation.
• Identify and mitigate clickjacking attacks.

Configuration, Error Handling, and Logging

• Recognize that frameworks, servers, and cloud platforms are rarely secure by default and require hardening.
• Implement secure configuration practices like disabling directory listing.
• Prevent accidental information disclosure through detailed error messages, stack traces, and response headers.
• Understand best practices around security logging and alerting.
• Configure security-related HTTP response headers like Content-Security-Policy.
• Understand the security implications of missing or misconfigured security related cookie attributes.
• Recognize the importance of applying the principle of "secure by default" across all configurations.
• Implement proper exception handling that fails securely.

Cryptography

• Differentiate between symmetric and asymmetric encryption methods and understand their appropriate use cases in secure communication.
• Understand the role of digital signatures in ensuring data integrity, authenticity, and non-repudiation.
• Explain the basics of Public Key Infrastructure (PKI) including certificate authorities, certificate chains, and the risks of CA compromise.
• Recognize that modern, proven cryptographic algorithms (AES-GCM, ChaCha20-Poly1305, SHA-256/512, Argon2) must be used instead of broken algorithms like MD5, SHA-1, or DES.
• Understand the critical difference between standard PRNGs and Cryptographically Secure PRNGs (CSPRNGs) when generating secrets.
• Understand some best practices around cryptographic key management.
• Verify integrity of third-party resources (CDN scripts, libraries).