Secure Coding master course for banking and finance

• Understand basic concepts of security, IT security and secure coding
• Understand special threats in the banking and finance sector
• Understand regulations and standards
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
• Learn client-side vulnerabilities and secure coding practices
• Understand security concepts of Web services
• Learn about XML security
• Learn about JSON security
• Have a practical understanding of cryptography
• Understand the requirements of secure

“Money makes the world go round....” – remember? And yes: it is your responsibility to secure all that. As a fintech company you have to take up the challenge, and beat the bad guys with bomb-proof, secure applications!

If there is a domain where security is critical, it is definitely fintech. Vulnerability is not an option if you want to stay a trusted and reliable vendor with systems and applications that certainly comply with PCI-DSS requirements. You need devoted secure coders with high-level professional attitude and developers eager to fight all coding problems: yes, you need a skilled team of software engineers.

Want to know why? Just for the record: even though IT security best practices are widely available, 90% of security incidents stem from common vulnerabilities as a result of ignorance and malpractice. So, you better keep loaded in all possible ways with up to date knowledge about secure coding – unless you wanna cry!

We offer a training program exclusively targeting engineers developing applications for the banking and finance sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the banking industry – engaging participants in live hacking fun to reveal all consequences of insecure coding.

Day 1

• IT security and secure coding
  • Nature of security
  • What is risk?
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
  • Nature of security flaws
  • Reasons of difficulty
  • From an infected computer to targeted attacks
  • Classification of security flaws
  • Landwehr’s taxonomy
  • The Seven Pernicious Kingdoms
  • OWASP Top Ten 2017 (release candidate)
  • CWE/SANS top 25 most dangerous software errors
  • SEI CERT secure coding standards
• Special threats in the banking and finance sector
  • Banking and finance threats – trends
  • Banking and finance threats – some numbers
  • Attacker model
  • Most significant targets
  • Industry and regulatory response to threats
  • Attacker tools and vectors
• Regulations and standards
  • Protecting sensitive information
  • Responsibilities
  • Managing sensitive data
  • Breach disclosure obligations
  • PCI DSS compliance
  • PCI DSS at a glance
  • Protecting cardholder data
  • Requirements
  • Requirement 6 – Develop and maintain secure systems and applications
    • 6.1 – Identifying vulnerabilities, risk management
    • 6.2 – Patching
    • 6.3 – Secure software development
    • 6.4 – Policies and procedures
    • 6.5 – Train the secure coding best practices
    • 6.6 – Security assessment and attack detection
    • 6.7 – Documentation and enforcement
• Web application security
  • A1 - Injection
    • Injection principles
    • SQL injection
    • Exercise – SQL Injection
    • Exercise – SQL injection
    • Typical SQL Injection attack methods
    • Blind and time-based SQL injection
    • SQL Injection protection methods
    • Other injection flaws
    • Command injection
    • Case study – ImageMagick
  • A2 - Broken authentication and session management
    • Session handling weaknesses – session hijacking and fixation
    • Session handling best practices
    • Setting cookie attributes – best practices
    • Case study – Authentication issues in Danish online banking
    • Danske Bank website debug mode information leak
    • Danske Bank session leakage and potential hijack vulnerability
    • Issues with the NemID centralized single sign-on scheme
  • A3 - Cross-Site Scripting (XSS)
    • Persistent XSS
    • Reflected XSS
    • DOM-based XSS
    • Exercise – Cross Site Scripting
    • Exploitation: CSS injection
    • Exploitation: injecting the tag
    • Exercise – HTML injection with base tag
    • XSS prevention
  • A4 - Broken access control
    • Typical access control weaknesses
    • Insecure direct object reference (IDOR)
    • Exercise – Insecure direct object reference
    • Protection against IDOR
    • Case study – Facebook Notes
    • Exercise – Authorization bypass
  • A5 - Security misconfiguration
    • Security misconfiguration
    • Configuring the environment
    • Insecure file uploads
    • Exercise – Uploading executable files
    • Filtering file uploads – validation and configuration
  • A6 - Sensitive data exposure
    • Sensitive data exposure
    • Case study – Distributed guessing attack against payment cards
    • Information leakage weaknesses in online payment systems
    • Practical guessing attack
    • Real-world exploitation and countermeasures
    • Transport layer security
    • Enforcing HTTPS
  • A7 - Insufficient attack protection
    • Detection and response
    • Logging and log analysis
    • Intrusion detection systems and Web application firewalls
  • A8 - Cross site request forgery (CSRF)
    • Login CSRF
    • CSRF prevention
  • A9 - Using components with known vulnerabilities
  • A10 - Unprotected APIs

Day 2

• Client-side security
• JavaScript security
• Same Origin Policy
• Cross Origin Resource Sharing (CORS)
• JavaScript usage
• JavaScript Global Object
• Dangers of JavaScript
• Exercise – Client-side authentication
• Client-side authentication and password management
• Protecting JavaScript code
• Exercise – JavaScript obfuscation
• History sniffing
• Clickjacking Clickjacking
• Exercise – Do you Like me?
• Protection against Clickjacking
• Anti frame-busting – dismissing protection scripts
• Protection against busting frame busting
• AJAX security XSS in AJAX
• Script injection attack in AJAX
• Exercise – XSS in AJAX
• XSS protection in Ajax
• Exercise CSRF in AJAX – JavaScript hijacking
• CSRF protection in AJAX
• MySpace worm
• AJAX security guidelines
• HTML5 security New XSS possibilities in HTML5
• Client-side persistent data storage
• HTML5 clickjacking attack – text field injection
• HTML5 clickjacking – content extraction
• Form tampering
• Exercise – Form tampering
• Cross-origin requests
• HTML proxy with cross-origin request
• Exercise – Client side include
• Security architecture (platform and technology dependent topics)
  • Application level access control (permissions, sandboxing)
• User level access control Authentication
  • Authorization
• Object-relational mapping (ORM) security
• Security of Web services
• SOAP security SOAP - Simple Object Access Protocol
• Transport layer security
• Message level security
• Security of RESTful web services Authentication with REST
• Authorization with REST
• Vulnerabilities in connection with REST
• XML security Introduction
• XML parsing
• XML injection (Ab)using CDATA to store XSS payload in XML
• Exercise – XML injection
• Abusing XML Entity XML Entity introduction
• XML bomb
• Exercise – XML bomb
• XML external entity attack (XXE) – resource inclusion
• XML external entity attack – URL invocation
• XML external entity attack – parameter entities
• Exercise – XXE attack
• Case study – XXE in Google Toolbar
• Case study – XXE in TGI Friday's ordering system
• JSON security JSON parsing
• Embedding JSON server-side
• JSON injection
• JSON hijacking
• Case study – XSS via spoofed JSON element

Day 3

• Requirements of secure communication
  • Security levels
  • Secure acknowledgement Malicious message absorption Feasibility of secure acknowledgement
  • The solution: Clearing Centers
• Inadvertent message loss
• Integrity Error detection - Inadvertent message distortion (noise) Modeling message distortion
  • Error detection and correction codes
• Authenticity - Malicious message manipulation Modeling message manipulation
• Practical integrity protection (detection)
• Non-repudiation Non-repudiation
• Summary Detecting integrity violation
• Confidentiality Model of encrypted communication
  • Encryption methods in practice
  • Strength of encryption algorithms
• Remote identification Requirements of remote identification
• Anonymity and traffic analysis Model of anonymous communication
  • Traffic analysis
  • Theoretically strong protection against traffic analysis
  • Practical protection against traffic analysis
• Summary
• Relationships between requirements
• Practical cryptography
  • Cryptosystems Elements of a cryptosystem
• Symmetric-key cryptography Providing confidentiality with symmetric cryptography
• Symmetric encryption algorithms
• Stream ciphers
• Block ciphers – modes of operation
• Comparing the modes of operation
• Authenticated Encryption modes Authenticated Encryption
• CCM – Counter with CBC-MAC
• GCM – Galois Counter Mode
• GCM encryption
• Other cryptographic algorithms Hash or message digest
• Hash algorithms
• SHAttered
• Message Authentication Code (MAC)
• Providing integrity and authenticity with a symmetric key
• Random numbers and cryptography
• Cryptographically-strong PRNGs
• Hardware-based TRNGs
• Asymmetric (public-key) cryptography Providing confidentiality with public-key encryption
• Rule of thumb – possession of private key
• The RSA algorithm Introduction to RSA algorithm
• Encrypting with RSA
• Combining symmetric and asymmetric algorithms
• Digital signing with RSA
• Blind signature
• The Digital Signature Algorithm (DSA) Introduction to DSA algorithm
• Digital signing with DSA
• Elliptic Curve Cryptography (ECC) Introduction to ECC
• Public Key Infrastructure (PKI) Man-in-the-Middle (MitM) attack
• Digital certificates against MitM attack
• Certificate Authorities in Public Key Infrastructure
• X.509 digital certificate
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol (OCSP)
• Web of Trust (WoT) Web of Trust (WoT) – introduction
• Challenges of Web of Trust
• Security protocols
• Secure network protocols
• Specific vs. general solutions
• SSL/TLS protocols Security services
• SSL/TLS handshake
• Cryptographic vulnerabilities
• SSL/TLS vulnerabilities related to modes of operation BEAST
• FREAK
• FREAK – attack against SSL/TLS
• Logjam attack
• Padding oracle attack Adaptive chosen-ciphertext attacks
• Padding oracle attack
• CBC decryption
• Padding oracle example
• Lucky Thirteen
• POODLE
• Crypto libraries and APIs

Day 4

• Input validation
• Input validation concepts
• Integer problems Representation of negative integers
• Integer overflow
• Integer problem mitigation Integer problem mitigation
• Case study – Integer overflow in the Stockholm Stock Exchange Integer wraparound problem when purchasing stocks
• Path traversal vulnerability Path traversal mitigation
• Case study – Insufficient URL validation in LastPass
• Unvalidated redirects and forwards
• Log forging Some other typical problems with log files
• (some additional platform and technology dependent topics)
• Improper use of security features
• Typical problems related to the use of security features
• Insecure randomness
• Case study – Tesco Bank fraud Fraud exploiting deterministic card number generation
• Password management Exercise – Weakness of hashed passwords
• Password management and storage
• Brute forcing
• Special purpose hash algorithms for password storage
• Case study – the Ashley Madison data breach The loginkey token
• Revealing the passwords with brute forcing
• Case study – Equifax account freeze PIN code generation
• Typical mistakes in password management
• Case study – Equifax password management issues
• Insufficient anti-automation Captcha
• Captcha weaknesses
• Sensitive information in memory Protecting secrets in memory
• Minimize the attack surface
• Core dumps
• Swapping
• Zeroisation
• Denial of service
• DoS introduction
• Asymmetric DoS
• SSL/TLS renegotiation DoS
• Case Study – ReDos in Stack Exchange
• Hashtable collision attack Using hashtables to store inputs
• Hashtable collision

Day 5

• Improper error and exception handling
• Typical problems with error and exception handling
• Exercise – Information leakage through error reporting
• Time and state problems
• Code quality problems
• Security testing techniques
• General testing approaches
• Source code review Code review for software security
• Taint analysis
• Heuristics
• Static code analysis Static code analysis
• Testing the implementation Dynamic security testing
• Manual vs. automated security testing
• Penetration testing
• Stress tests
• Fuzzing Automated security testing - fuzzing
• Challenges of fuzzing
• Proxy servers and sniffers Testing with proxies and sniffers
• Packet analyzers and proxies
• Exercise – Testing with proxy
• Web vulnerability scanners Exercise – Using a vulnerability scanner
• SQL injection tools
• Exercise – Using SQL injection tools
• Deployment environment
• Hardening
• Patch management
• Case study - Shellshock Shellshock – basics of using functions in bash
• Shellshock – vulnerability in bash
• Exercise - Shellshock
• Shellshock fix and counterattacks
• Exercise – Command override with environment variables
• Principles of security and secure coding
• Matt Bishop’s principles of robust programming
• The security principles of Saltzer and Schroeder
• SEI Cert top 10 secure coding practices
• Knowledge sources
  • Secure coding sources – a starter kit
  • Vulnerability databases