SECURE APPLICATION CODING
Application source code, independent of language and platform, is a major source of vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time a vulnerability crops up due to programming errors and 36% of the time due to configuration issues. According to IBM labs, there is a possibility of at least one security issue in every 1,500 lines of code. To avoid these sorts of security issues one needs to follow sound secure coding and design principles. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying it to production. The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, who brings his experience in application security and research into the curriculum.
Secure Coding for Applications is a hands-on class. The class features real-life cases, hands-on exercises, code scanning tools and defense plans. Participants are methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class then focuses on the proper ways of writing secure code and analyzing the code base. This class addresses popular languages and platforms like VB/C# (.NET), Java (J2EE), PHP, ASP etc.
Target Audience:
Developers, QA team, Code reviewers, Security professionals and Managers.
Class Outline:
• Client side coding: Ajax and JavaScript analysis, Flash based application reviews and Browser security.
• Exposure to various tools and cases.
Hands-on:
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise: working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies.
Application Security Fundamentals and Principles
• The evolution of applications
• Threats to an application
• Application security trends
• The spectrum of application security attacks
Application Components and Protocols
• Understanding multi-layered application architecture
• Programming languages used in applications – J2EE, .NET, PHP, etc.
• Inside HTTP
• HTML forms and browser interaction
• Introduction to tools useful for testing applications
Front-end servers
• Web Server configuration
• Application security fundamentals: Application evolution, Layered threats, Threat models, Attack vectors and Hacker’s perspective.
• Application infrastructure overview: Protocols (HTTP/SSL), Tools for analysis, Server layers and Browsers.
• Application Architecture: Overview of .NET and J2EE application frameworks, Application layers and components, Resources and interactions, Other languages.
• Advanced Web Technologies: Ajax, Rich Internet Applications (RIA) and Web Services.
• Application attack vectors in detail: SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path traversal, Session hijacking, LDAP/XPATH/Command injection, Buffer overflow, Input validation bypassing, Database hacks, Ajax exploits, Web Services attack vectors, Decompiling assemblies and many more.
• Principles of Secure Coding: Fundamentals, Controls and Strategies.
• Key security aspects: Authentication, Authorization, Session management, Crypto usage and Error handling.
• Defense plans: Secure objects, functions and wrappings
• Code review methodologies: Spidering the code, enumerating blocks, identifying modules.
• Scanning for vulnerabilities: Function and Method signature mapping, entry point identification, data access layer calls, tracing variables and functions.
• Applying validations: Input validation, Output validation, Data access filtering, and Authentication validation.
• XML and Web Services: SOAP, XML-RPC and REST-based attacks and secure coding.
• Web server vulnerabilities
• Fingerprinting web servers and application servers
• Security controls pertaining to web servers and their deployment
Application Attack Vectors
• Mapping assets to attacks
• Sifting through HTML source
• Forcing application layer errors
• Information leakage through error messages
• Source code disclosure
• Input tampering and input validation attacks
• SQL injection and attacks on the database
• Injecting malicious code and remote command execution
• Accessing the underlying file system
• Brute forcing HTTP authentication
• Brute forcing HTML form authentication
• Session Hijacking
• Cross Site Scripting (XSS) attacks
• Cross Site Request Forgery (XSRF) attacks
AJAX and Web Services Components and Protocols
• Web 2.0 application components
• Programming languages used in web 2.0 applications
• Inside the Web Services stack
• Understanding XML, WSDL, SOAP and UDDI protocols
Threat Modeling
• Threat analysis
• Architecture review
• Technologies and Source Code
• Threat matrix
• Security controls for code
• Design analysis and review
Source Code Analysis
• Entry points detection
• Tracing and Digging
• Function and Component dissecting
• Threat and Impact analysis
Vulnerability Detection and Countermeasures
• Authentication
• Authorization
• SQL and XSS
• Session Management
• Client side
• Web 2.0 component vulnerabilities (RSS, Mashups, Widgets etc.)
• Etc.
Securing Code
• Input validations
• Error handling
• Session hardening
• Logs and Tracing
• Traps for hackers
• Assembly hardening
• Guarding application code
Libraries and Approaches
• Security libraries
• Integration for .NET and J2EE
• SDLC approach
• Security in the process
• Standards and best practices
Advanced attacks and defense
• XPATH injection
• XML and Schema poisoning
• Blind SQL injection
• XSS proxy attacks
• Browser hijacking
• Intranet scanning
• JavaScript exploitation
SHREERAJ SHAH
Blueinfy
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’Reilly and HNS. He has been quoted as an expert by BBC, Dark Reading and Bank Technology.
Shreeraj was instrumental in product development, researching new methodologies and training designs. He has performed several security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews and managing projects.
Blog: http://shreeraj.blogspot.com
Email: shreeraj@blueinfy.com