Information on individual educational components (ECTS-Course descriptions) per semester


Degree programme: Bachelor Computer Science - Software and Information Engineering
Type of degree: FH Bachelor´s Degree Programme
Full-time
Summer Semester 2024


Course unit title: Secure Software Development
Course unit code: 024717040501
Language of instruction: German
Type of course unit (compulsory, optional): Compulsory
Semester when the course unit is delivered: Summer Semester 2024
Teaching hours per week: 3
Year of study: 2024
Level of course unit (e.g. first, second or third cycle): First Cycle (Bachelor)
Number of ECTS credits allocated: 4
Name of lecturer(s): Armin SIMMA


Prerequisites and co-requisites

Basic knowledge of working with the Unix or Linux command line: the most important commands for navigating the directory tree; copying, deleting, etc. of files; user management. Basic knowledge of networking: configuring the network interface; basic knowledge of configuring network devices (routers, switches) via the console (e.g. CLI). The students understand the concepts of structured as well as object-oriented programming. They master an object-oriented programming language. They know how to design software and can apply a software process. They know basic design patterns. Students already know concepts and models related to computer networks (e.g. the layer model) and the most important network protocols (e.g. HTTP, TCP, IP, DNS). They can capture and analyze network traffic (e.g. using Wireshark).

Course content

Introduction:

  • Motivation
  • Concrete examples of security problems caused by software vulnerabilities
  • Emphasize the importance of early stages
  • Security goals (CIA and others)
  • Security principles (e.g. Saltzer and Schroeder but also updated ones)

Security requirements

  • Typical security requirements
  • Compliance requirements
  • Techniques for finding security requirements
  • Checklists
  • Difference functional / non-functional requirements and connection with security
  • Misuse cases
  • Threat modeling
  • Risk analysis and assessment (OWASP risk rating)
  • Security Development Lifecycle (incl. Agile): How can security be "built in" in the SDL?
  • Touchpoints
  • MS SDL Secure Development Lifecycle
  • OWASP SAMM and BSIMM

Security tests:

  • Static, dynamic test procedures and tools (SAST, DAST)
  • Code review, penetration tests
  • Secure coding
  • Standards and norms as well as important organizations in the area of software security:
  • OWASP Open Web Application Security Project
  • MITRE (CVE, CWE, CVSS)
  • National Vulnerability Database NVD (NIST)
  • SEI CERT (Secure Coding Standards): e.g. for C, C++, Java, Android
  • BSI Baseline Protection
  • Classes of frequently occurring software errors / weaknesses (injection, overflow, format string, race conditions)

Web application security / web security

OWASP Top 10: Web Application Risks

  • Injection: SQLi, OS command injection
  • Broken authentication / access control
  • Session problems (session fixation etc.)
  • Sensitive data exposure
  • Cross-site scripting (XSS)

Countermeasures:

  • Data handling / input validation
  • (Output) encoding
  • Secure authentication
  • Current authentication methods in the web environment
  • Access control
  • Role-based access control
  • Session management
  • Logging
  • Error handling

Exercises with vulnerable web apps (e.g. Security Dojo / DVWA and OWASP juice shop)

Learning outcomes

Students know and understand models, concepts and tools to:

  • Install security in all phases of the software development process (including requirements analysis, architecture / design and implementation) and
  • Understand the security challenges associated with agile software development.


The students know and understand approaches, processes, methods and technologies for risk management. They can use the OWASP risk rating method.

The students know typical areas in software development, in which mistakes are often made in connection with security; they are familiar with possible solutions ("best practices"). These areas are: authentication, authorization, data validation (input validation and output encoding), session management, error handling, logging and monitoring as well as applied cryptology.

For common software development processes, the students are familiar with the challenges and solutions of enriching them with best practices and methods for secure software development. There is an overview of security aspects in the most common process models (waterfall to agile); however, the focus will be on agile processes (Scrum).

Students learn how threat modeling can be used to identify and classify threats.
Threat modeling is a central method in the area of secure software development, so it is discussed in detail. The participants learn which steps are carried out in threat modeling (identifying assets and actors; modeling the architecture; identifying and documenting threats; assessing threats; planning countermeasures). Recognized best practices are used for this: DFDs, trust boundaries, STRIDE, threat trees.

The participants learn how OWASP Risk Rating can be used. The individual categories of OWASP Risk Rating are discussed and applied on the basis of the case study.

Students understand the security issues associated with web application development and the most common and risky threats to web applications. They know a wide variety of countermeasures and can also implement some of them.

Planned learning activities and teaching methods

  • Integrated course, lecture and accompanying exercises
  • A simple threat modeling is carried out using a sample project.
  • In this case study (example project), the previously learned and discussed activities (best practices, methods) are applied in practice. A fictitious example application is developed for this (for example an online banking system, as it is familiar to the students and contains security-critical components).
  • The well-known security principles (Saltzer and Schroeder 1975, but also updated ones) are presented and discussed with the students, i.e. where and how each principle is or can be applied in their own practice and in the case study.
  • Online lab exercises with vulnerable web apps (e.g. OWASP Juice Shop)
  • Attendance is mandatory in the exercises / laboratory work

Assessment methods and criteria

  • Continuous evaluation of the project.
  • 40% labs/exercises/project
  • 60% written examination at the end.

For a positive grade, a minimum of 50% of the possible points must be achieved in each part of the examination.

Mandatory attendance for project / labs.

Comment

Not applicable

Recommended or required reading

Allen, Julia H. (2008): Software Security Engineering: A Guide for Project Managers. 1st Ed. Upper Saddle River, NJ: Addison-Wesley Professional.
Anderson, Ross J. (2008): Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd Ed. Tokyo, New York: Wiley.
Bell, Laura et al. (2017): Agile Application Security: Enabling Security in a Continuous Delivery Pipeline. Sebastopol, CA: O'Reilly UK Ltd.
Deogun, Daniel; Johnsson, Dan Bergh; Sawano, Daniel (2019): Secure By Design. 1st Ed. Shelter Island: Manning Publications.
Fernandez-Buglioni, Eduardo (2013): Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. 1st Ed. Chichester, West Sussex: Wiley.
Howard, Michael (2009): 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 1st Ed. New York: McGraw-Hill Education.
Kriha, Walter; Schmitz, Roland (2008): Internet-Security aus Software-Sicht: Grundlagen der Software-Erstellung für sicherheitskritische Bereiche. Berlin: Springer.
Kriha, Walter; Schmitz, Roland (2009): Sichere Systeme. Konzepte, Architekturen und Frameworks. Berlin: Springer.
LeBlanc, Jonathan; Messerschmidt, Tim (2016): Identity and Data Security for Web Development: Best Practices. 1st Ed. Beijing; Boston: O'Reilly UK Ltd.
McGraw, Gary R. (2006): Software Security: Building Security In. Annotated Ed. Upper Saddle River, NJ: Addison Wesley.
Najera-Gutierrez, Gilberto (2018): Kali Linux Web Penetration Testing Cookbook: Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x. 2nd Revised Ed. Birmingham, UK: Packt Publishing.
Paulus, Sachar (2011): Basiswissen Sichere Software: Aus- und Weiterbildung zum ISSECO Certified Professional for Secure Software Engineering. 1st Ed. Heidelberg: Dpunkt Verlag.
Richer, Justin; Sanso, Antonio (2017): OAuth 2 in Action. 1st Ed. Shelter Island, NY: Manning Publications.
Schäfers, Tim Philipp (2018): Hacking im Web: Denken Sie wie ein Hacker und schließen Sie die Lücken in Ihren Webapplikationen. 2., überarbeitete & aktualisierte Aufl. Haar bei München: FRANZIS Verlag GmbH.
Schumacher, Markus et al. (2005): Security Patterns: Integrating Security and Systems Engineering. 1st Ed. Chichester, England; Hoboken, NJ: Wiley.
Seacord, Robert C. (2013): Secure Coding in C and C++. 2nd Ed. Upper Saddle River, NJ: Addison-Wesley Professional.
Shostack, Adam (2014): Threat Modeling: Designing for Security. 1st Ed. Indianapolis, IN: Wiley.
Stuttard, Dafydd; Pinto, Marcus (2011): The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. 2nd Ed. Indianapolis, IN; Chichester: Wiley.


Mode of delivery (face-to-face, distance learning)

Classroom teaching and labs with mandatory attendance
