Microsoft SDL Core培训

Day 1

• IT security and secure coding
  • Nature of security
  • IT security related terms
  • Definition of risk
  • Different aspects of IT security
  • Requirements of different application areas
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cybercrime
    • Nature of security flaws
    • Reasons of difficulty
    • From an infected computer to targeted attacks
  • Classification of security flaws
    • Landwehr’s taxonomy
    • The Seven Pernicious Kingdoms
    • OWASP Top Ten 2013
    • OWASP Top Ten comparison 2003 – 2013
• Introduction to the Microsoft® Security Development Lifecycle (SDL)
  • Agenda
  • Applications under attack...
    • Cybercrime Evolution
    • Attacks are focusing on applications
    • Most vulnerabilities are in smaller ISV apps
  • Origins of the Microsoft SDL...
    • Security Timeline at Microsoft...
    • Which apps are required to follow SDL?
  • Microsoft Security Development Lifecycle (SDL)
    • Microsoft Security Development Lifecycle (SDL)
    • Pre-SDL Requirements: Security Training
    • Phase One: Requirements
    • Phase Two: Design
    • Phase Three: Implementation
    • Phase Four: Verification
    • Phase Five: Release – Response Plan
    • Phase Five: Release – Final Security Review
    • Phase Five: Release – Archive
    • Post-SDL Requirement: Response
    • SDL Process Guidance for LOB Apps
    • SDL Guidance for Agile Methodologies
    • Secure Software Development Requires Process Improvement
• Secure design principles
  • Attack surface
    • Attack surface reduction
    • Attack surface – an example
    • Attack surface analysis
    • Attack surface reduction – examples
  • Privacy
    • Privacy
    • Understanding Application Behaviors and Concerns
  • Defense in depth
    • SDL Core Principle: Defense In Depth
    • Defense in depth – example
  • Least privilege principle
    • Least privilege – example
  • Secure defaults
    • Secure defaults – examples
• Secure implementation principles
  • Agenda
  • Microsoft Security Development Lifecycle (SDL)
  • Buffer overflow basics
    • Intel 80x86 Processors – main registers
    • The memory address layout
    • The function calling mechanism in C/C++ on x86
    • The local variables and the stack frame
    • Stack overflow
      • Buffer overflow on the stack
      • Exercises – introduction
      • Exercise BOFIntro
      • Exercise BOFIntro – determine the stack layout
      • Exercise BOFIntro – a simple exploit
  • Input validation
    • Input validation concepts
    • Integer problems
      • Representation of negative integers
      • Integer overflow
      • Arithmetic overflow – guess the output!
      • Exercise IntOverflow
      • What is the value of Math.Abs(int.MinValue)?
    • Integer problem mitigation
      • Integer problem mitigation
      • Avoiding arithmetic overflow – addition
      • Avoiding arithmetic overflow – multiplication
      • Detecting overflow with the checked keyword in C#
      • Exercise – Using the checked keyword in C#
      • Exceptions triggered by overflows in C#
    • Case study –Integer overflow in .NET
      • A real-world integer overflow vulnerability
      • Exploiting the integer overflow vulnerability
    • Path traversal vulnerability
      • Path traversal mitigation

Day 2

• Secure implementation principles
  • Injection
    • Typical SQL Injection attack methods
    • Blind and time-based SQL injection
    • SQL Injection protection methods
    • Command injection
  • Broken authentication - password management
    • Exercise – Weakness of hashed passwords
    • Password management and storage
    • Special purpose hash algorithms for password storage
  • Cross-Site Scripting (XSS)
    • Cross-Site Scripting (XSS)
    • CSS injection
    • Exploitation: injection through other HTML tags
    • XSS prevention
  • Missing function level access control
    • Filtering file uploads
  • Practical cryptography
    • Providing confidentiality with symmetric cryptography
    • Symmetric encryption algorithms
    • Block ciphers – modes of operation
    • Hash or message digest
    • Hash algorithms
    • Message Authentication Code (MAC)
    • Providing integrity and authenticity with a symmetric key
    • Providing confidentiality with public-key encryption
    • Rule of thumb – possession of private key
    • Typical mistakes in password management
    • Exercise – Hard coded passwords
    • Conclusion
• Secure verification principles
  • Functional testing vs. security testing
  • Security vulnerabilities
  • Prioritization
  • Security testing in the SDLC
  • Steps of test planning (risk analysis)
  • Scoping and information gathering
    • Stakeholders
    • Assets
    • The attack surface
    • Security objectives for testing
  • Threat modeling
    • Threat modeling
    • Attacker profiles
    • Threat modeling based on attack trees
    • Threat modeling based on misuse/abuse cases
    • Misuse/abuse cases – a simple Web shop example
    • STRIDE per element approach to threat modeling – MS SDL
    • Identifying security objectives
    • Diagramming – examples of DFD elements
    • Data flow diagram – example
    • Threat enumeration – MS SDL’s STRIDE and DFD elements
    • Risk analysis – classification of threats
    • The DREAD threat/risk ranking model
  • Security testing techniques and tools
    • General testing approaches
    • Techniques for various steps of the SDLC
  • Code review
    • Code review for software security
    • Taint analysis
    • Heuristics
  • Static code analysis
    • Static code analysis
    • Static code analysis
    • Exercise – Using static code analysis tools
  • Testing the implementation
    • Manual run-time verification
    • Manual vs. automated security testing
    • Penetration testing
    • Stress tests
  • Fuzzing
    • Automated security testing - fuzzing
    • Challenges of fuzzing
  • Web vulnerability scanners
    • Exercise – Using a vulnerability scanner
  • Checking and hardening the environment
    • Common Vulnerability Scoring System – CVSS
    • Vulnerability scanners
    • Public databases
  • Case study – Forms Authentication Bypass
    • NULL byte termination vulnerability
    • The Forms Authentication Bypass vulnerability in the code
    • Exploiting the Forms Authentication Bypass
• Knowledge sources
  • Secure coding sources – a starter kit
  • Vulnerability databases
  • .NET secure coding guidelines at MSDN
  • .NET secure coding cheat sheets
  • Recommended books – .NET and ASP.NET