training

NL/EN
Deze training is beschikbaar in het Nederlands en Engels. Meer informatie

Secure Programming Foundation

Leer de basisprincipes van veilig programmeren

21 januari 2025
- Utrecht / Remote
2 dagen
1650 (ex BTW)

Beschrijving

Je leert in deze training de basisprincipes van veilig programmeren.

Aan bod komen authenticatie & sessiebeheer en het afhandelen van gebruikersinvoer ter voorkoming van injectieaanvallen zoals SQL-injectie en buffer overflows. Ook komen XSS en het beveiligingsmodel van de browser aan de orde.

Naast het implementeren van autorisatie, logging en foutafhandeling, wordt er gekeken naar hoe cryptografie op een veilige manier gebruikt kan worden voor opslag en transport. Tenslotte wordt kort besproken hoe security in het software development-proces kan worden geïntegreerd in de fases requirements opstellen, ontwerpen, coderen en testen.

In de voorbeelden wordt webtechnologie gebruikt, maar de principes van veilig programmeren zijn ook toe te passen in andere omgevingen. Verder worden zoveel mogelijk de richtlijnen van de OWASP aangehouden.

Doelgroep De cursus is geschikt voor programmeurs die beperkte kennis hebben van veilig programmeren of een update van hun kennis nodig hebben.

Leerdoelen

Deze training behandeld de volgende leerdoelen:

CheckmarkRecognize security risks in common contexts and demonstrate awareness.
RememberLogo InfoSupport
CheckmarkCite 5 categories of vulnerabilities from the OWASP Top 10.
RememberLogo InfoSupport
CheckmarkRecall the STRIDE threat model and how it can be used to identify security threats.
RememberLogo InfoSupport
CheckmarkAdapt secure web application development practices to mitigate common security risks.
ApplyLogo InfoSupport
CheckmarkDescribe common injection attacks and mitigation strategies.
UnderstandLogo InfoSupport
CheckmarkUnderstand the principles and practices of authorization.
UnderstandLogo InfoSupport
CheckmarkParaphrase common cryptography use cases, like hashing, encryption, and digital signatures.
UnderstandLogo InfoSupport
CheckmarkUnderstand common security practices surrounding authentication.
UnderstandLogo InfoSupport
CheckmarkDescribe common security misconfigurations and how to prevent them.
UnderstandLogo InfoSupport
Voor bovenstaande leerdoelen gebruiken we de Taxonomie van Bloom

Benodigde voorkennis

Ervaring met ten minste één programmeertaal is vereist

Onderwerpen

  1. Introduction to Secure Programming
  2. Secure Programming Awareness
  3. Authentication and Session Management
  4. Input Handling
  5. Authorization
  6. Configuration, Error Handling and Logging
  7. Cryptography
  8. Secure Software Engineering

Introduction to Secure Programming

  • Identify OWASP as a leading authority in secure programming and application security.
  • Understand the core principles and best practices outlined by OWASP for secure programming and where to access this information.
  • Familiarize with the OWASP Top 10 list of the most critical web application security risks.
  • In the news: what happend this week?

Security Awareness

  • Recognize the historical underfunding of security and understand its implications for organizations.
  • Define and explain technical terms commonly used in the context of security.
  • Utilize the STRIDE model to identify and understand different types of threats to security.
  • Identify and assess potential attack surfaces within a given system or application.
  • Recognize and understand the role of "man in the middle" proxies in security contexts.
  • Identify and comprehend basic vulnerabilities commonly found in web applications.
  • Understand the HTTP protocol and its relevance as an attack vector in web security.
  • Comprehend the Browser Security Model and its significance in ensuring secure web browsing.

Authentication and Session Management

  • Differentiate between authentication and authorization and understand their respective best practices.
  • Apply best practices for error handling in authentication and session management processes.
  • Select and implement strong password policies and guidelines.
  • Understand the concepts of hashing and salting in the context of password security.
  • Implement a secure "Forgot Password" flow to ensure robust user authentication.
  • Differentiate between client-side and server-side session management and their implications.
  • Implement and manage JWT-based session authentication securely.
  • Understand and apply appropriate cookie attributes for secure session management.
  • Recognize the threat of cross-site request forgery (CSRF) attacks and implement preventive measures.
  • Identify and mitigate the risk of clickjacking attacks in web applications.

Input Handling

  • Recognize common areas where injection attacks can occur and understand the basics of such attacks.
  • Implement measures to harden applications against SQL injection attacks.
  • Understand the risks associated with blind SQL injection attacks and how to defend against them.
  • Differentiate between whitelist and blacklist input validation methods and their effectiveness in preventing attacks.
  • Identify and defend against buffer overflow attacks in applications.
  • Recognize the potential for embedded instructions and how they can lead to cross-site scripting (XSS) attacks.
  • Implement strategies to prevent and mitigate cross-site scripting (XSS) attacks.
  • Identify and address the attack surface of second-order injection attacks.

Authorization

  • Understand the rationale for using indirect referencing in authorization processes.
  • Apply the concept of least privilege when designing access control mechanisms.
  • Implement role-based access security models for effective authorization.
  • Recognize the difference between Time of Check and Time of Use vulnerabilities in authorization processes.
  • Understand the basics of OAuth 2 authorization flows and their applications in modern security contexts.

Configuration, Error Handling, and Logging

  • Integrate vulnerability scanning into development pipelines to identify and address security flaws early in the development lifecycle.
  • Implement measures to prevent accidental information disclosure in application configurations and error handling processes.
  • Reduce the attack surface of applications by implementing secure configuration practices.
  • Prevent the inadvertent leakage of sensitive information through metadata in logging and error handling.
  • Understand the concept of timing attacks and implement strategies to prevent them in secure systems.

Cryptography

  • Differentiate between symmetric and asymmetric encryption methods and understand their applications in secure communication.
  • Understand the role of digital signing in ensuring data integrity and authenticity.
  • Comprehend the basics of Public Key Infrastructure (PKI) and its relevance in secure communication.
  • Explain the process by which Transport Layer Security (TLS) establishes a symmetric key for secure communication.

Planning

StartdatumDuurLocatie
21 januari 202522 januari 2025
2 dagen
Utrecht / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Utrecht / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Inschrijven
5 maart 20256 maart 2025
2 dagen
Utrecht / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Utrecht / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Inschrijven
1 april 20252 april 2025
2 dagen
Veenendaal / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Veenendaal / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Inschrijven
15 april 202516 april 2025
2 dagen
Veenendaal / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Veenendaal / Remote
Dit is een hybride training die remote gevolgd kan worden. Meer informatie
Inschrijven
Houd me op de hoogte van nieuwe data

Incompany of persoonlijk advies nodig?

Onze opleidingsadviseurs denken graag met je mee om een persoonlijk advies te geven of een incompany training binnen jouw organisatie te vinden.

Trainers

"Deze training was direct toepasbaar op het project"
Cursist
  • icon

    Hoge waardering

  • icon

    Praktijkgerichte trainingen

  • icon

    Gecertificeerde trainers

  • icon

    Eigen docenten