Secure Coding master course for banking and finance

Intra-company training

Who is the training for?

All public

Level reached

Advanced

Duration

5,00 day(s)

Language(s) of service

EN

Prerequisites

  • Understand basic concepts of security, IT security and secure coding
  • Understand special threats in the banking and finance sector
  • Understand regulations and standards
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn client-side vulnerabilities and secure coding practices
  • Understand security concepts of Web services
  • Learn about XML security
  • Learn about JSON security
  • Have a practical understanding of cryptography
  • Understand the requirements of secure

Goals

“Money makes the world go round....” – remember? And yes: it is your responsibility to secure all that. As a fintech company you have to take up the challenge, and beat the bad guys with bomb-proof, secure applications!

If there is a domain where security is critical, it is definitely fintech. Vulnerability is not an option if you want to stay a trusted and reliable vendor with systems and applications that certainly comply with PCI-DSS requirements. You need devoted secure coders with high-level professional attitude and developers eager to fight all coding problems: yes, you need a skilled team of software engineers.

Want to know why? Just for the record: even though IT security best practices are widely available, 90% of security incidents stem from common vulnerabilities as a result of ignorance and malpractice. So you had better keep yourself loaded, in every possible way, with up-to-date knowledge about secure coding – unless you wanna cry!

We offer a training program exclusively targeting engineers developing applications for the banking and finance sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the banking industry – engaging participants in live hacking fun to reveal all consequences of insecure coding.

Contents

Day 1
  • IT security and secure coding
    • Nature of security
    • What is risk?
    • IT security vs. secure coding
    • From vulnerabilities to botnets and cybercrime
    • Nature of security flaws
    • Reasons of difficulty
    • From an infected computer to targeted attacks
    • Classification of security flaws
    • Landwehr’s taxonomy
    • The Seven Pernicious Kingdoms
    • OWASP Top Ten 2017 (release candidate)
    • CWE/SANS top 25 most dangerous software errors
    • SEI CERT secure coding standards
  • Special threats in the banking and finance sector
    • Banking and finance threats – trends
    • Banking and finance threats – some numbers
    • Attacker model
    • Most significant targets
    • Industry and regulatory response to threats
    • Attacker tools and vectors
  • Regulations and standards
    • Protecting sensitive information
    • Responsibilities
    • Managing sensitive data
    • Breach disclosure obligations
    • PCI DSS compliance
    • PCI DSS at a glance
    • Protecting cardholder data
    • Requirements
    • Requirement 6 – Develop and maintain secure systems and applications
      • 6.1 – Identifying vulnerabilities, risk management
      • 6.2 – Patching
      • 6.3 – Secure software development
      • 6.4 – Policies and procedures
      • 6.5 – Train the secure coding best practices
      • 6.6 – Security assessment and attack detection
      • 6.7 – Documentation and enforcement
  • Web application security
    • A1 - Injection
      • Injection principles
      • SQL injection
      • Exercise – SQL Injection
      • Exercise – SQL injection
      • Typical SQL Injection attack methods
      • Blind and time-based SQL injection
      • SQL Injection protection methods
      • Other injection flaws
      • Command injection
      • Case study – ImageMagick
    • A2 - Broken authentication and session management
      • Session handling weaknesses – session hijacking and fixation
      • Session handling best practices
      • Setting cookie attributes – best practices
      • Case study – Authentication issues in Danish online banking
      • Danske Bank website debug mode information leak
      • Danske Bank session leakage and potential hijack vulnerability
      • Issues with the NemID centralized single sign-on scheme
    • A3 - Cross-Site Scripting (XSS)
      • Persistent XSS
      • Reflected XSS
      • DOM-based XSS
      • Exercise – Cross Site Scripting
      • Exploitation: CSS injection
      • Exploitation: injecting the base tag
      • Exercise – HTML injection with base tag
      • XSS prevention
    • A4 - Broken access control
      • Typical access control weaknesses
      • Insecure direct object reference (IDOR)
      • Exercise – Insecure direct object reference
      • Protection against IDOR
      • Case study – Facebook Notes
      • Exercise – Authorization bypass
    • A5 - Security misconfiguration
      • Security misconfiguration
      • Configuring the environment
      • Insecure file uploads
      • Exercise – Uploading executable files
      • Filtering file uploads – validation and configuration
    • A6 - Sensitive data exposure
      • Sensitive data exposure
      • Case study – Distributed guessing attack against payment cards
      • Information leakage weaknesses in online payment systems
      • Practical guessing attack
      • Real-world exploitation and countermeasures
      • Transport layer security
      • Enforcing HTTPS
    • A7 - Insufficient attack protection
      • Detection and response
      • Logging and log analysis
      • Intrusion detection systems and Web application firewalls
    • A8 - Cross site request forgery (CSRF)
      • Login CSRF
      • CSRF prevention
    • A9 - Using components with known vulnerabilities
    • A10 - Unprotected APIs
Day 2
  • Client-side security
    • JavaScript security
      • Same Origin Policy
      • Cross Origin Resource Sharing (CORS)
      • JavaScript usage
      • JavaScript Global Object
      • Dangers of JavaScript
      • Exercise – Client-side authentication
      • Client-side authentication and password management
      • Protecting JavaScript code
      • Exercise – JavaScript obfuscation
      • History sniffing
    • Clickjacking
      • Clickjacking
      • Exercise – Do you Like me?
      • Protection against Clickjacking
      • Anti frame-busting – dismissing protection scripts
      • Protection against busting frame busting
    • AJAX security
      • XSS in AJAX
      • Script injection attack in AJAX
      • Exercise – XSS in AJAX
      • XSS protection in AJAX
      • Exercise – CSRF in AJAX – JavaScript hijacking
      • CSRF protection in AJAX
      • MySpace worm
      • AJAX security guidelines
    • HTML5 security
      • New XSS possibilities in HTML5
      • Client-side persistent data storage
      • HTML5 clickjacking attack – text field injection
      • HTML5 clickjacking – content extraction
      • Form tampering
      • Exercise – Form tampering
      • Cross-origin requests
      • HTML proxy with cross-origin request
      • Exercise – Client side include
  • Security architecture (platform and technology dependent topics)
    • Application level access control (permissions, sandboxing)
    • User level access control
      • Authentication
      • Authorization
  • Object-relational mapping (ORM) security
  • Security of Web services
    • SOAP security
      • SOAP - Simple Object Access Protocol
      • Transport layer security
      • Message level security
    • Security of RESTful web services
      • Authentication with REST
      • Authorization with REST
      • Vulnerabilities in connection with REST
  • XML security
    • Introduction
    • XML parsing
    • XML injection
      • (Ab)using CDATA to store XSS payload in XML
      • Exercise – XML injection
    • Abusing XML Entity
      • XML Entity introduction
      • XML bomb
      • Exercise – XML bomb
      • XML external entity attack (XXE) – resource inclusion
      • XML external entity attack – URL invocation
      • XML external entity attack – parameter entities
      • Exercise – XXE attack
      • Case study – XXE in Google Toolbar
      • Case study – XXE in TGI Friday's ordering system
  • JSON security
    • JSON parsing
    • Embedding JSON server-side
    • JSON injection
    • JSON hijacking
    • Case study – XSS via spoofed JSON element
Day 3
  • Requirements of secure communication
    • Security levels
    • Secure acknowledgement
      • Malicious message absorption
      • Feasibility of secure acknowledgement
      • The solution: Clearing Centers
      • Inadvertent message loss
    • Integrity
      • Error detection - Inadvertent message distortion (noise)
        • Modeling message distortion
        • Error detection and correction codes
      • Authenticity - Malicious message manipulation
        • Modeling message manipulation
        • Practical integrity protection (detection)
      • Non-repudiation
      • Summary – Detecting integrity violation
    • Confidentiality
      • Model of encrypted communication
      • Encryption methods in practice
      • Strength of encryption algorithms
    • Remote identification
      • Requirements of remote identification
    • Anonymity and traffic analysis
      • Model of anonymous communication
      • Traffic analysis
      • Theoretically strong protection against traffic analysis
      • Practical protection against traffic analysis
    • Summary
      • Relationships between requirements
  • Practical cryptography
    • Cryptosystems
      • Elements of a cryptosystem
    • Symmetric-key cryptography
      • Providing confidentiality with symmetric cryptography
      • Symmetric encryption algorithms
      • Stream ciphers
      • Block ciphers – modes of operation
      • Comparing the modes of operation
      • Authenticated Encryption modes
        • Authenticated Encryption
        • CCM – Counter with CBC-MAC
        • GCM – Galois Counter Mode
        • GCM encryption
    • Other cryptographic algorithms
      • Hash or message digest
      • Hash algorithms
      • SHAttered
      • Message Authentication Code (MAC)
      • Providing integrity and authenticity with a symmetric key
      • Random numbers and cryptography
      • Cryptographically-strong PRNGs
      • Hardware-based TRNGs
    • Asymmetric (public-key) cryptography
      • Providing confidentiality with public-key encryption
      • Rule of thumb – possession of private key
      • The RSA algorithm
        • Introduction to RSA algorithm
        • Encrypting with RSA
        • Combining symmetric and asymmetric algorithms
        • Digital signing with RSA
        • Blind signature
      • The Digital Signature Algorithm (DSA)
        • Introduction to DSA algorithm
        • Digital signing with DSA
      • Elliptic Curve Cryptography (ECC)
        • Introduction to ECC
    • Public Key Infrastructure (PKI)
      • Man-in-the-Middle (MitM) attack
      • Digital certificates against MitM attack
      • Certificate Authorities in Public Key Infrastructure
      • X.509 digital certificate
      • Certificate Revocation Lists (CRLs)
      • Online Certificate Status Protocol (OCSP)
      • Web of Trust (WoT)
        • Web of Trust (WoT) – introduction
        • Challenges of Web of Trust
  • Security protocols
    • Secure network protocols
    • Specific vs. general solutions
    • SSL/TLS protocols
      • Security services
      • SSL/TLS handshake
  • Cryptographic vulnerabilities
    • SSL/TLS vulnerabilities related to modes of operation
      • BEAST
    • FREAK
      • FREAK – attack against SSL/TLS
    • Logjam attack
    • Padding oracle attack
      • Adaptive chosen-ciphertext attacks
      • Padding oracle attack
      • CBC decryption
      • Padding oracle example
      • Lucky Thirteen
      • POODLE
  • Crypto libraries and APIs
Day 4
  • Input validation
    • Input validation concepts
    • Integer problems
      • Representation of negative integers
      • Integer overflow
      • Integer problem mitigation
      • Case study – Integer overflow in the Stockholm Stock Exchange
        • Integer wraparound problem when purchasing stocks
    • Path traversal vulnerability
      • Path traversal mitigation
      • Case study – Insufficient URL validation in LastPass
    • Unvalidated redirects and forwards
    • Log forging
      • Some other typical problems with log files
    • (some additional platform and technology dependent topics)
  • Improper use of security features
    • Typical problems related to the use of security features
    • Insecure randomness
      • Case study – Tesco Bank fraud
        • Fraud exploiting deterministic card number generation
    • Password management
      • Exercise – Weakness of hashed passwords
      • Password management and storage
      • Brute forcing
      • Special purpose hash algorithms for password storage
      • Case study – the Ashley Madison data breach
        • The loginkey token
        • Revealing the passwords with brute forcing
      • Case study – Equifax account freeze PIN code generation
      • Typical mistakes in password management
      • Case study – Equifax password management issues
    • Insufficient anti-automation
      • Captcha
      • Captcha weaknesses
    • Sensitive information in memory
      • Protecting secrets in memory
      • Minimize the attack surface
      • Core dumps
      • Swapping
      • Zeroisation
  • Denial of service
    • DoS introduction
    • Asymmetric DoS
    • SSL/TLS renegotiation DoS
    • Case study – ReDoS in Stack Exchange
    • Hashtable collision attack
      • Using hashtables to store inputs
      • Hashtable collision
Day 5
  • Improper error and exception handling
    • Typical problems with error and exception handling
    • Exercise – Information leakage through error reporting
  • Time and state problems
  • Code quality problems
  • Security testing techniques
    • General testing approaches
    • Source code review
      • Code review for software security
      • Taint analysis
      • Heuristics
    • Static code analysis
    • Testing the implementation
      • Dynamic security testing
      • Manual vs. automated security testing
      • Penetration testing
      • Stress tests
    • Fuzzing
      • Automated security testing – fuzzing
      • Challenges of fuzzing
    • Proxy servers and sniffers
      • Testing with proxies and sniffers
      • Packet analyzers and proxies
      • Exercise – Testing with proxy
    • Web vulnerability scanners
      • Exercise – Using a vulnerability scanner
      • SQL injection tools
      • Exercise – Using SQL injection tools
  • Deployment environment
    • Hardening
    • Patch management
    • Case study – Shellshock
      • Shellshock – basics of using functions in bash
      • Shellshock – vulnerability in bash
      • Exercise – Shellshock
      • Shellshock fix and counterattacks
      • Exercise – Command override with environment variables
  • Principles of security and secure coding
    • Matt Bishop’s principles of robust programming
    • The security principles of Saltzer and Schroeder
    • SEI CERT top 10 secure coding practices
  • Knowledge sources
    • Secure coding sources – a starter kit
    • Vulnerability databases