Detailed Course Outline
Day 1
- Cyber security basics
  - What is security?
  - Threat and risk
  - Cyber security threat types – the CIA triad
  - Cyber security threat types – the STRIDE model
  - Consequences of insecure software
- Cloud security basics
  - Cloud infrastructure basics
  - The Cloud Cube Model and Zero Trust Architecture
- The OWASP Top Ten 2021
  - The OWASP Top 10 2021
  - A01 - Broken Access Control
    - Access control basics
    - Failure to restrict URL access
    - Confused deputy
    - File upload
    - Open redirects and forwards
    - Cross-site Request Forgery (CSRF)
  - A02 - Cryptographic Failures
    - Information exposure
    - Cryptography for developers

Day 2
- A02 - Cryptographic Failures (continued)
  - Cryptography for developers
  - Transport security
- A03 - Injection
  - Injection principles
  - Injection attacks
  - SQL injection
  - NoSQL injection
  - Parameter manipulation
  - Code injection
  - HTML injection - Cross-site scripting (XSS)

Day 3
- A04 - Insecure Design
  - The STRIDE model of threats
  - Secure design principles of Saltzer and Schroeder
  - Client-side security
- A05 - Security Misconfiguration
  - Configuration principles
  - Server misconfiguration
  - AWS configuration best practices
  - Cookie security
  - XML entities
- A06 - Vulnerable and Outdated Components
  - Using vulnerable components
  - Assessing the environment
  - Hardening
  - Untrusted functionality import
  - Vulnerability management
- A07 - Identification and Authentication Failures
  - Authentication
  - Session management
  - Identity and access management (IAM)

Day 4
- A07 - Identification and Authentication Failures (continued)
  - Password management
- A08 - Software and Data Integrity Failures
  - Integrity protection
  - Subresource integrity
  - Insecure deserialization
- A09 - Security Logging and Monitoring Failures
  - Logging and monitoring principles
  - Log forging
  - Log forging – best practices
  - Case study – Log interpolation in log4j
  - Case study – The Log4Shell vulnerability (CVE-2021-44228)
  - Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)
  - Lab – Log4Shell
  - Logging best practices
  - Detection and monitoring
- A10 - Server-side Request Forgery (SSRF)
  - Server-side Request Forgery (SSRF)
  - Case study – SSRF and the Capital One breach
- Cloud security
  - AWS security
    - Security considerations
    - Data security in the cloud

Day 5
- Cloud security
  - Container security
    - Container security concerns
    - Containerization, virtualization and security
    - The attack surface
    - Docker security
    - Kubernetes security
- The OWASP Top Ten 2021
  - Web application security beyond the Top Ten
    - Code quality
    - Denial of service
- Input validation
  - Input validation principles
  - Denylists and allowlists
  - What to validate – the attack surface
  - Where to validate – defense in depth
  - When to validate – validation vs transformations
  - Validation with regex
  - Integer handling problems
    - Representing signed numbers
    - Integer visualization
    - Integer overflow
    - Lab – Integer overflow
    - Signed / unsigned confusion in Java
    - Case study – The Stockholm Stock Exchange
    - Integer truncation
    - Best practices
  - Files and streams
    - Path traversal
    - Lab – Path traversal
    - Path traversal-related examples
    - Additional challenges in Windows
    - Virtual resources
    - Path traversal best practices
    - Lab – Path canonicalization
  - Unsafe reflection
    - Reflection without validation
    - Lab – Unsafe reflection
  - Unsafe native code
    - Native code dependence
    - Lab – Unsafe native code
    - Best practices for dealing with native code
- Wrap up
  - Secure coding principles
  - And now what?
