Agenda
The OWASP Top Ten 2021 - excerpts
The OWASP Top 10 2021
A01 - Broken Access Control
- Access control basics
- Confused deputy
- Insecure direct object reference (IDOR)
- Path traversal
- Lab – Insecure Direct Object Reference
- Path traversal best practices
- Authorization bypass through user-controlled keys
- Case study – Authorization bypass on Facebook
- Lab – Horizontal authorization
A02 - Cryptographic Failures
- Information exposure
- Case study – Strava data exposure
- Cryptography for developers
- Cryptography basics
A03 - Injection
- Input validation
- Input validation principles
- Denylists and allowlists
- What to validate – the attack surface
- Where to validate – defense in depth
- When to validate – validation vs transformations
- Validation with regex
- Injection
- Injection principles
- Injection attacks
- Code injection
- OS command injection
- OS command injection best practices
- Case study – Shellshock
- Lab – Shellshock
A04 - Insecure Design
- The STRIDE model of threats
- Secure design principles of Saltzer and Schroeder
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
- Client-side security
- Frame sandboxing
- Cross-Frame Scripting (XFS) attacks
- Lab – Clickjacking
- Clickjacking protection best practices
- Lab – Using CSP to prevent clickjacking
A06 - Vulnerable and Outdated Components
- Using vulnerable components
- Vulnerability management
- Vulnerability databases
- DevOps, the build process and CI / CD
A08 - Software and Data Integrity Failures
- Subresource integrity
- Importing JavaScript
- Lab – Importing JavaScript
- Case study – The British Airways data breach
A10 - Server-side Request Forgery (SSRF)
- Server-side Request Forgery (SSRF)
- Case study – SSRF and the Capital One breach
Wrap up
Secure coding principles
- Principles of robust programming by Matt Bishop
And now what?
- Software security sources and further reading
Location:
ITLS Training & Consulting GmbH
Gutheil-Schoder-Gasse 7a
1100 Vienna
www.itls.at/en/anfahrt?ekey=gcfree
Or online via Microsoft Teams
Date:
15 September 2023
Time:
09.00–15.00
Event language:
English
Price:
The event is free of charge.
Speaker
Ernő JEGES
Ernő has been working in the area of security for nearly fifteen years. He has been involved in a number of R&D projects in different areas of security and has numerous scientific publications on various topics of both physical and logical security. His areas of interest include secure coding, software technologies, the convergence of logical and physical security, data hiding, the technological aspects of digital rights, remote biometrics and video content analysis. He has several innovations in the areas of ear-based human identification, the integration of fingerprint biometrics with cryptosystems, computer vision and software watermarking.
Ernő has actively taken part in the elaboration of all course materials, and he currently manages Cydrill Software Security. He is a highly qualified trainer with several years of experience; he has held numerous secure coding courses for leading software development companies all over Europe, the Americas, Africa and Asia.
- Engineer of Informatics, Budapest University of Technology and Economics
- Managing director, lead trainer of Cydrill Software Security
- Certified Information Systems Auditor (CISA)