don’t fall prey to attackers. - sans software, it ... · pdf filesec504 hacker...
TRANSCRIPT
C U R R I C U L U M
www.sans.org/security-training/curriculums/developer
Don’t fall prey to attackers. Over 80% of today’s vulnerabilities are found in the application layer. Learn how to avoid the security issues rather than fixing the problems post design, development or deployment. Train and certify your teams and contractors in the core competencies for secure application development.
Programming
Tips and Resources
Inside!
S A N S A P P L I C A T I O N S E C U R I T Y T R A I N I N G
SANS AppSec Curriculum 2010 www.sans-ssi.org 1
Recommended Curriculum
DEV522 Defending Web
Applications Security Essentials Pg 2
DEV522 Defending Web
Applications Security Essentials Pg 2
DEV534 Secure Code Review for
Java Web Apps (One-Day) Pg 3
Job / Role in Organization
Developer
Architect
QA/Tester
Senior Developer/ Technical
Team Lead
Security
ManagerFor more information on these courses, visit
www.sans.org/security-training/curriculums/developer
&
& &
DEV530 Essential Secure
Coding in Java/JEE (Two-Days)
DEV533 Secure Coding
in .NET (Two-Days)
OR OR
DEV542 Web App Penetration Testing
and Ethical Hacking GWAPT Pg 7
DEV538 Web Application
Pentesting Hands-On Immersion Pg 5
OR
DEV522 Defending Web
Applications Security Essentials Pg 2
DEV522 Defending Web
Applications Security Essentials Pg 2
DEV522 Defending Web
Applications Security Essentials Pg 2
DEV304 Software Security
Awareness
&
&
&
DEV542 Web App Penetration Testing
and Ethical Hacking GWAPT Pg 7
SEC504 Hacker Techniques, Exploits,
and Incident Handling GCIH
&
DEV541 Secure Coding in
Java/JEE (Four-Days) GSSP-JAVA Pg 6
DEV544 Secure Coding in .NET (Four-Days)
GSSP-NET Pg 9OR OR
DEV541 Secure Coding in
Java/JEE (Four-Days) GSSP-JAVA Pg 6
DEV544 Secure Coding in .NET (Four-Days)
GSSP-NET Pg 9
DEV543 Secure Coding
in C & C++ (Two-Days) Pg 8
DEV543 Secure Coding
in C & C++ (Two-Days) Pg 8
DEV543 Secure Coding
in C & C++ (Two-Days) Pg 8
OR OR
Design & TestDEV522
Defending Web Applications Security
Essentials Pg 2
DEV542Web App Penetration
Testing and Ethical Hacking Pg 7
Code ReviewDEV534
Secure Code Review for Java Web Apps (One-Day) Pg 3
DEV530Essential Secure
Coding in Java/JEE (Two-Days)
DEV544Secure Coding
in .NET (Four-Days) Pg 9
DEV543Secure Coding
in C & C++ (Two-Days) Pg 8
DEV541Secure Coding
in Java/JEE (Four-Days) Pg 6
DEV545Secure Coding
in PHP (Four-Days) Pg 10
Secure Coding
C U R R I C U L U M
C U R R I C U L U M b y J o b R o L e
SANS Application Security curriculum features courses for developers as well as security professionals who want to master the practical steps necessary for defending applications, systems, and networks against the most dangerous threats. The courses are intensive, immersion training full of immediately useful techniques. They were developed through a consensus process involving hundreds of developers, architects, administrators, security managers, and information security professionals. They address secure coding principles, security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of application security, secure coding, and IT security. NOTe: These courses cover the CWe/SANS Top 25 as well as the OWASP Top 10 as appropriate for each language.
SANS Software Security Institute Web site The learning doesn’t end when class is over. SANS Software Security Institute Web site features the App Sec Street Fighter blog, free research, news, and resources to keep you up to date with the most recent attack vectors and application vulnerabilities as well as full course descriptions of the developer curriculum, information on GIAC certification, and upcoming events. Visit www.sans-ssi.org – new content is added regularly, so please visit often. And don’t forget to share this information with your fellow developers and security professionals.
Frank Kim
Dear Colleague,
News of data breaches, corporate hacks, and cyber crime top the
headlines. It is widely accepted that many of these threats are the
result of insecure software. Security should not be an afterthought
for software that we rely on every day to power our Web sites,
businesses, and other critical infrastructure. It is our trust in these
applications that enables organizations and customers to operate
and interact.
Software development is an involved process with many stakeholders throughout the
SDLC. everyone involved in creating software, from developers, architects, testers, and
managers to security professionals, should have some knowledge about current security
threats and the need for software assurance and security. Application security is no
longer a nice to have, it is emerging as the minimum standard of due care for the delivery
of applications that are essential to business, personal data, and our national security.
To help you build secure software and applications that are resistant to attack, SANS has
created an application security curriculum with classes in secure coding, Web application
security, secure code review, security testing, and software security awareness. These
courses are written and taught by world-class instructors who are also everyday
practitioners working on building secure applications; people who are defending their
applications against the same threats you face!
SANS also has a number of free resources that cover these very threats. There are many
great ways to stay informed and get involved. I hope to see you online or at an event!
Sincerely,
Frank Kim,
Application Security Curriculum Lead
C O N T E N T SDEV522 DefendingWebApplicationsSecurityEssentials . . . . . . . . . . . . . . . . . . . . . . . 2DEV534 SecureCodeReviewforJavaWebApps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3DEV536 SecureCodingforPCICompliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4DEV538 WebApplicationPenTestingHands-OnImmersion . . . . . . . . . . . . . . . . . . . . 5DEV541 SecureCodinginJava/JEE:DevelopingDefensibleApplications . . . . . . . . 6DEV542 WebAppPenetrationTestingandEthicalHacking . . . . . . . . . . . . . . . . . . . . . 7DEV543 SecureCodinginC&C++:DevelopingDefensibleApplications . . . . . . . . 8DEV544 SecureCodingin .NET:DevelopingDefensibleApplications . . . . . . . . . . . . 9DEV545 SecureCodinginPHP:DevelopingDefensibleApplications . . . . . . . . . . . 10SANSTrainingOptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Top25ProgrammingErrorsandSANSCorporateLicense . . . . . . . . . . . . . . . . . . . . . . . 12SecureDevelopmentTechniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15ApplicationSecurityResources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Instructors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Six-Day Course
36 CPE Credits
Laptop Required
What You Will Learn• Security in SDLC
• Authentication schemes for Web apps
• Authentication attacks and defense
• Access control and user management
• Cryptography in Web apps
• SSL best practices
• Session management in Web apps
• Cross-site request forgery
• Various injection attacks
• SQL injection and blind SQL injection attack and defense
• Cross-site scripting and defense
• HTTP response splitting defense
• Honeypot
• Intrusion detection within applications
• Incident handling of Web applications
• Safe single sign-on with third party
• SOAP
• XML schema attacks
• WSDL enumeration
• XPath injection
• SAML
• XML encryption
• JSON object and security
• AJAX attack scenarios
Who Should Attend• Application developers
• Application security analysts or managers
• Application architects
• Penetration testers who are interested in learning about defense strategies
• Security professionals who are interested in learning about application security
• Auditors who need to understand defensive mechanisms in applications
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • vLive!2
Defending Web applications is critical!
In battle an attacker is exposed and at massive disadvantage when fighting against a well entrenched defender. This course will teach you how to build defense-in-depth, allowing you to detect and expose an attacker early. Learn about the ‘tripwires and obstacles’ that savvy defenders use to detect, channel, and thwart attacks! The course material distills the experience of two top defenders of embattled Web sites, and builds on the industry consensus research of the CWe/SANS Top 25 programming errors (CWe 25) and the oWASP Top 10.
Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.
The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and Web services.
To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation.
The course will cover the topics outlined by oWASP’s Top 10 risks document, as well as additional issues the authors found of importance in their day-to-day Web application development practice. An example of the topics that will be covered include:
• Infrastructure security
• Server configuration
• Authentication mechanisms
• Application language configuration
• A pplication coding errors like SQL injection and cross site scripting
• Cross site request forging
• Authentication bypass
• Web services and related flaws
• Web 2.0 and it’s use of Web services
• XPATH and XQUERY languages and injection
• Business logic flaws
The course will make heavy use of hands-on exercises. It will conclude with a large defensive exercise, reinforcing the lessons learned throughout the week.
DEV522 Defending Web Applications Security Essentials
This course focuses on Web application vulnerabilities and shows you how to conduct code reviews for security by examining open source Web applications built with Java.
All software development projects produce at least one artifact – CoDe! Conducting security focused code reviews can be one of the most effective methods of finding severe application vulnerabilities and is becoming an integral part of many secure software development processes.
you will learn how to manually spot security issues and how to use an automated static analysis tool to speed up the code review process. you will also learn some practical approaches to integrating security code review into your Software Development Life Cycle (SDLC). This hands-on class culminates in a Code Review Challenge where you test what you’ve learned to find security issues in a real-world application.
Prerequisites
• A thorough knowledge of Java/Jee and Web technology
• you should be comfortable reading code
• SeC541 Secure Coding in Java/Jee is recommended, but not required, preparation for this course
Additional information: www.sans.org/security-training/ secure-code-review-java-web-apps-1192-mid
One-Day Course
6 CPE Credits
Laptop Required
What You Will Learn• Find security issues such as
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection
- HTTP Response Splitting
- Parameter Manipulation
- Authentication & Authorization
- Session Management
- error handling
• Conduct manual code review
• Use static analysis tools
• FindBugs
• Integrate code review into the SDLC
Who Should Attend• Anyone conducting code reviews
on Web applications built with Java
• enterprise Web application developers
• Professional software developers
• Java ee programmers
• Security professionals
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnSite 3
DEV534Secure Code Review for Java Web Apps
Two-Day Course
12 CPE Credits
Laptop Required
Prerequisites
Students should have at least several months of coding experience, preferably Web application coding experience. It is best if the student is familiar with one of the following languages: Perl, PHP, C, C++, Java, or Ruby.
Looking for a great software development resource?
SANS Software Security Institute Web site (www.sans-ssi.org) is a community-focused site offering AppSec professionals a one-stop resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS AppSec training, GIAC certification, and upcoming events. New content is added regularly, so please visit often. And don’t forget to share this information with your fellow application security, developer, and IT security professionals.
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnDemand • OnSite4
The audit procedure documents for PCI 1.2 tell the
auditor that they should look for evidence that Web
application programmers in a PCI environment have
had “training for secure coding techniques.” The
problem that many businesses are facing, however,
is, “What is that and where can I get it?” This course
packs a thorough explanation and examination of
the oWASP top ten issues, which are the foundation
of the PCI requirement, into a two-day course.
Throughout the course we will look at examples
of the types of flaws that secure coding protects
against, examine how the flaw might be exploited
and then focus on how to correct that code.
Coupled with the lectures, there are more than ten
hands-on exercises where the students will have the
opportunity to test out their new skills identifying
flaws in code, fixing code, and writing secure code.
All of the exercises are available in Perl, PHP, C/C++,
Ruby and Java. This will allow the student to try their
hand at any of the major Web application coding
languages that they work with in addition to some
of the supporting languages that might be at work
behind the scenes. Students are not required to
be familiar with all of these languages but should
be proficient in at least one of them. Lectures are
presented using a more or less code-neutral format.
For more information on this course, visit author
Dave Hoelzer’s Blog:
http://www.sans.org/info/29399
DEV536 Secure Coding for PCI Compliance
Web Application Pen Testing Hands-On Immersion
In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks.
The hackers’ goal was to inject links to malicious content
in order to infect the users of the Web application. These
automated attacks do not show any sign of stopping and
will likely visit your Web applications in the near future.
Don’t want to be a part of the statistics? Performing
runtime testing is essential to making your Web site
secure. Developer 538 is a two-day course focusing on up-
to-date, hands-on testing of Web application security.
This fast-paced course is ideal for students who have
a basic understanding of Web application security
vulnerabilities and testing methodologies and are
looking to refresh and upgrade their skill set in pen
testing Web applications. It is also well suited to
infrastructure pen testers who are expanding testing
scope to Web applications. If you are going to be testing
Web applications in the next few months, this course
will help you brush up on your Web application security
testing knowledge. Whatever your level is, it will give
you confidence to know that you have the hands-
on experience to perform testing against common
vulnerabilities.
This action-packed, two-day course has a strong, hands-on
focus -- exercises are designed to give you experience with
real-world vulnerabilities. Throughout the two days, you
will be using various testing concepts to test vulnerable
Web applications. The target applications are as realistic
as possible. The labs are structured so both novices and
intermediate students can enjoy the learning experience.
Two-Day Course
12 CPE Credits
Laptop Required
What You Will Learn• Web Fingerprinting
• Input Manipulation
• Blind SQL Injection
• Non-obvious Session Issues
• Brute Forcing Credentials
• Cross-Site Scripting
• Code Review
Who Should Attend• Infrastructure penetration testers
who are trying to expand into pen testing Web applications
• Developers who are interested in testing their applications against common vulnerabilities
• QA testers who are responsible for testing security vulnerabilities in applications
• Information security professionals with some background in hacker exploits
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnSite 5
DEV538
Secure Coding in Java/JEE: Developing
Defensible AppsFour-Day Course
24 CPE Credits
Laptop Required
What You Will Learn• Web Application Attacks & Defense - Cross Site Scripting (XSS) - Cross Site Request Forgery (CSRF) - SQL Injection - HTTP Response Splitting - Parameter Manipulation• Java Security Manager• Race conditions• Logging & error Handling• Authentication - Basic & Forms Based Authentication - Client certificate Authentication - Spring Security• Session Management - Attacks, Defense, and Best Practices• Access Control• encryption - JSSe & JCA
Who Should Attend• Developers who want to build more
secure applications• Java ee programmers• Software engineers• Software architects• This class is focused specifically on
software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective including:
- Application security auditors - Technical project managers - Senior software QA specialists - Penetration testers who want a deeper
understanding of target applications or who want to provide more detailed vulnerability remediation options
Get GSSP-JAVA Certified
www.giac.org
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnDemand • OnSite6
Learn how to code securely in Java to prevent application layer attacks – most courses simply talk about the threats – we’ll teach you to avoid them.
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive course
covering a huge set of skills and knowledge; it’s not
a high-level theory course. It’s about real program-
ming. In this course you will examine actual code,
work with real tools, build applications, and gain
confidence in the resources you need for the journey
to improving security of Java applications.
Rather than learning how to use a set of tools, you’ll
learn concepts of secure programming by looking
at a specific piece of code, identifying a security
flaw, and implementing a fix for the flaw.
For more information visit: www.sans.org/security-training/secure-coding-in-java-jee-developing-defensible-applications-912-mid
Prerequisites Students should have at least one year’s experience working
with the Jee framework and should have thorough knowledge of Java language and Web technology.
A two-day Java essentials course is available. Visit www.sans.org/security-training/
essential-secure-coding-in-java-jee-1332-mid for more details.
DEV541 Web App Penetration Testing and Ethical Hacking
Assess Your Web Apps in Depth
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do.
Day One: We will study the attacker’s view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test.
Day Two: Covers the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure.
Day Three: Continues our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery.
Day Four: Continues discovery, focusing on client-side portions of the application, such as Flash objects and Java applets.
Day Five: We will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application.
Day Six: Is a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.
Throughout the class, you will discover the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.
Six-Day Course
36 CPE Credits
Laptop Required
What You Will Learn• The four-step process for Web
application penetration testing through detailed, hands-on exercises
• How to inject SQL into back end databases by understanding how attackers exfiltrate sensitive data
• How to utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment
• To explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen.
• The tools and methods of the attacker, so that you can be a powerful defender.
Who Should Attend• General Security Practitioners
• Web Site Designers
• Web Architects
• Developers
Get GWAPT Certified
www.giac.org
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnDemand • OnSite 7
DEV542
Two-Day Course
12 CPE Credits
Laptop Required
What You Will Learn• Off by one errors
• Problems with NTBSs
• Causes of buffer overflows
• Causes of heap overflows
• Common memory management errors
• Integer promotion standards
• Side effects of integer promotions
• Common integer errors
• Common semaphore issues
• File I/O errors
• Review process for identifying coding errors
Who Should AttendThis class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
• Software developers and architects
• Senior software QA specialists
• System and security administrators
• Penetration testers
Prerequisites • experience with programming in C &
C++ coding.
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events8
The emphasis of the class is a hands-on examination of the practical aspects of securing C & C++ applications during development.
The C and C++ programming languages are the bedrock for most operating systems, major network services, embedded systems, and system utilities. even though C and, to a lesser extent, C++ are well understood languages, the flexibility of the language and inconsistencies in the standard C libraries have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than there are known vulnerabilities!
During this two-day course, it covers all of the most common programming flaws that affect C and C++ code. The course will specifically cover the issues identified by the GSSP (GIAC Secure Software Programmer) blueprint for C/C++ with some additional items from the CeRT Secure Coding Standard. each issue is described clearly with examples. Throughout the course students are asked to identify flaws in modern versions of common open-source software to provide hands-on experience identifying these issues in existing code. exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.
Looking for a great software development resource? SANS Software Security Institute Web site (www.sans-ssi.org) is a community-focused site offering AppSec professionals a one-stop resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS AppSec training, GIAC certification, and upcoming events. New content is added regularly, so please visit often. And don’t forget to share this information with your fellow application security, developer, and IT security professionals.
DEV543 Secure Coding in .NET: Developing Defensible Apps
ASP.NET and the .NET framework have provided Web developers with tools that allow them an unprecedented degree of flexibility and productivity.
on the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NeT, 2.0 Microsoft has done a fantastic job of integrating security into the ASP.NeT framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.
During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NeT framework and learn where, as a developer, you can leverage defensive technologies in the framework, where you need to build security in by hand. We’ll also examine strategies for building applications that will be secure both today and in the future.
Rather than focusing on traditional Web attacks from the attacker’s perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NeT environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NeT applications during development.
Have you ever wondered if ASP.NeT Request Validation is effective? Have you been concerned that XML Web services might be introducing unexamined security issues into your application? Should you feel un-easy relying solely only on the security controls built into the ASP.NeT framework? Secure Coding in ASP.NeT will answer these questions and far more.
Four-Day Course
24 CPE Credits
Laptop Required
What You Will Learn• Web Application Attacks - Cross Site Scripting - Cross Site Request Forgery (CSRF) - SQL Injection - HTTP Response Splitting - Parameter Manipulation• Web Application Proxies • Using Fiddler• Code Access Security • Assemblies • Global Assembly Cache • execution Model • Authentication - IIS / ASP.NeT pluggable
authentication architecture - Basic & Digest Authentication - .NeT Form Based Authentication
Framework - Windows Authentication - Authorization, OS security, and
Impersonation - SSL Client Certificates - Authentication Policies• NeT encryption Services - encryption Principals - Securing communications - Protecting data at rest• Strong and Weak Named Assemblies • The Common Language Runtime • Security Zones • evidence • Code Groups • Permissions • Hacking .NeT Security
Who Should AttendThis class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective: • Software developers and architects• Senior software QA specialists• System and security administrators• Penetration testers
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live events • OnDemand • OnSite 9
DEV544
Get GSSP-.NET Certified
www.giac.org
Prerequisites experience with programming in ASP.NeT using either Visual Basic or C#. All class work will be performed in C#.While this class briefly reviews basic Web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.
Secure Coding in C & C++: Developing
Defensible Apps
SANS Training Options
SANS AppSec Curriculum 2010 www.sans-ssi.org
TrainingOptions(Visit page 11 for more details)Live Training events • OnDemand • OnSite10
DEV545Four-Day Course
24 CPE Credits
Laptop Required
What You Will Learn• How to review code, find errors, and
fix them yourself
• Different options to authenticate users, from simple methods built into your server and browser to more complex custom authentication schemes
• How to use sessions securely and how to provide access control to resources
• Options for logging your users’ actions. We even included a section on how to connect to Web services and how to offer your own, again, with the emphasis on how to do so securely.
• Techniques to avoid SQL injection
• How to deal with uploaded files
• Procedures to securely handle credit cards
• How to send e-mail and PGP sign or encrypt it
• How to execute shell commands securely
Who Should Attend• PHP programmers
• PHP code auditors
• Security professionals who work with PHP code
11
Coding in PHP without this knowledge results in insecure code and exposes your applications and data to unnecessary risks.
PHP as a programming language has a very easy learning curve. you can get started in minutes writing complex Web sites. Sadly, this ease of use and code-as-you-go approach frequently leads to insecure code. PHP provides a lot of freedom to do things wrong.
Coding securely in PHP requires some extra thought and knowledge, which we will provide in this class. Coding in PHP without this knowledge can lead to problems, as insecure coding means exposing your data and your customers.
DeV545 covers all aspects of what is needed to code securely in PHP. We will not spend a lot of time explain-ing how to code in PHP. Instead we will dive right into the more advanced concepts, starting with additional PHP modules, like Suhosin, and how they can be used to harden your PHP application. We will not just tell you that input validation is important; instead, we will show you real code on how to do it right.
The course uses a Linux virtual machine for exercises with PHP 5, Apache, and MySQL, but our focus will be on PHP. Users of Apache/PHP on Windows or users of other databases, like oracle and Postgresql, will find that 90% of the course applies to them as well.
Prerequisites A good understanding of PHP and SQL is required to attend this class. A good understanding of Web-based applications is also required. Students should also have worked with PHP
for at least a few months.
Secure Coding in PHP: Developing Defensible
ApplicationsContact SANS today to learn how we can build a custom training package using all of these formats for your organization. Having a variety of training formats allows SANS to develop
the most technical and enriching training experience at the best price. We can tailor a program that allows you to take advantage of each delivery method and ensure your team
receives not just the training, but the understanding they need to stay secure.
Number of People Training Options
Individuals Live Training events, onDemand, or vLive!
Groups of 15 or More onSite,onDemand, or vLive!
Large Groups of 50 or More enterprise Solutions: onDemand or vLive!
Live Training Events The Most Trusted Name for Information Security Training
SANSoffersclassesthroughouttheyearinmanymajorUScitiesaswellasEurope,Australia,Canada,Asia,India,andDubai .Thesetrainingeventsfeatureanywherefromonetooverfiftyclassesatthesamelocation .SANSeventsoffermuchmorethanjusttraining–thisistheplacetonetworkwithotherapplicationsecurityprofessionals,gaininformationonnewvendorproducts,participateinonsite/onlinechallengesandcontests,andlistentoworld-classguestspeakers .www .sans .org/security-training/bylocation/index_na .php
SANS OnSite Your Location - Your Schedule
WiththeSANSOnSiteprogramyoucanbringacombinationofhigh-qualitycontentandworld-recognizedinstructorstoyourlocationandrealizesignificantsavingsinemployeetravelcosts .www .sans .org/onsite
SANS vLive! Live Virtual Instruction
SANSvLive!usescutting-edgewebcasttechnologytoprovidealiveclassroomexperiencewithSANStopinstructors,butdeliversitoverthewebtostudentsparticipatingfromtheirhomesandoffices .vLive!coursesareinteractiveandallowstudentstoshareideas,resourcesandexperienceswiththeirinstructorsbefore,during,andaftertrainingsessions .Eachsessionisalsorecordedprovidingflexibilityifastudentneedstomissasessionorsimplywishestoreviewthematerialatalaterdate .www .sans .org/vlive
SANS OnDemand Online Training and Assessment
SANSOnDemandallowsstudentstoaccessSANS’high-qualitytraining‘anytime,anywhere’usingSANS’advancedonlinedeliverysystem .Studentsreceivetrainingfromthesametop-notchSANSinstructorswhoteachatourlivetrainingevents,andthesystembringsthetrueSANSexperiencerighttoyouremployees’desktops,whichisconvenientandsavesyoutravelcosts .Plusourintegratedcourseware,onlineassessments,hands-onexercises,andonlinementorallowstudentstoreallygraspthematerialbeingtaught!www .sans .org/ondemand
• Highest-quality SANS training• Unlimited reach • Rapid deployment (<1 week)• Host of extras only available to licensees • Measureable results• Unlimited SANS training online• Full course curriculum
• .mp3 audio files for offline study and mobile devices
• Future proof – any new courses already included by track
• Management control tools• SANS Reporting tools• Updates• Dramatically-reduced costs
SANS Corporate LicenseWhat is a Corporate License and what does it include?
How many of these questions can you answer with confidence?
• Where are the gaps in our programmers’ secure coding knowledge and skills?• Which of our programmers and contractors have the strongest secure coding skills?• Do any of the current job candidates or potential contractors have solid secure
programming skills?• Do we have at least one security-savvy programmer on every critical development project?
If you want a better way to answer any of these questions, consider training and save with a Corporate License.
(Feb. 16, 2010) In Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a new list of the 25 most dangerous programming errors that enable security bugs, cyber espionage, and cyber crime. These 25 programming errors, and their “on the cusp cousins” have been the cause of nearly every major type of cyber attack, including recent penetrations of Google, power systems, military systems, and millions of other attacks on small businesses and home users. A global effort to eliminate these programming errors is the first step against organized cyber criminals, and the persistent threat from competing nation states.
In addition to the most common programming errors, acquisition experts agreed on a standard for contract language between software buyers and developers. The use of this contract language helps ensure buyers are not held liable for software containing faulty code. Coding errors are a common gateway for attackers to penetrate networks.
Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Top 25 Programming Errors and SANS Corporate License
13
The Top 25 Programming Errors will have four major impacts:
• Software buyers will be able to buy much safer software. • Employers will be able to ensure they have programmers who can write more secure code.• Programmers will have tools that consistently measure the security of the software they
are writing. • Colleges will be able to teach secure coding more confidently.
How Will the Top 25 Programming Errors Be Used?
Secure Develop ment Techniques
Java/JEE Tips1) Perform data validation with a security API such as OWASP ESAPI
See the following paper for some examples that use eSAPI for data validation: www.sans.org/reading_room/application_security/protecting_web_apps.pdf
2) Use PreparedStatements with properly bound variables
bAD:String query = “SELECT id FROM users WHERE userid = ‘” + userid + “’”;PreparedStatement stmt = con.prepareStatement(query);ResultSet rs = stmt.executeQuery();
GooD:String query = “SELECT id FROM users WHERE userid = ?”;PreparedStatement stmt = con.prepareStatement(query);stmt.setString(1, userid)ResultSet rs = stmt.executeQuery();
3) Don’t perform security-critical operations based on data from HttpServletRequest parameters
bAD:String role = request.getParameter(“role”);if (role != null && role.equals(“admin”) { // do admin stuff}
4) Use a framework like Spring Security or ESAPI for authentication and authorization
See the following sites for additional information: http://static.springsource.org/spring-security http://www.owasp.org/index.php/eSAPI
5) Don’t use instance variables in Servlets
bAD:public class BadServlet extends HttpServlet { private String primaryKey; // don’t do this! ...}
Excerpt from the WhatWorks Top 35 Secure Development Techniques – See the full list at www.sans.org/whatworks/poster-spring-2010.pdf
S e c u r e D e v e l o p m e n t Te c h n i q u e sExcerpt from the WhatWorks Top 35 Secure Development Techniques – See the full list at www.sans.org/whatworks/poster-spring-2010.pdf
1514
PHP Tips1) Use prepared SQL statements.
bAD: mysql_db_query(“select id from users where username=’$Username’”)
beTTeR:$Stmt=$DB->prepare(“select id from users where username=?”);$Stmt=$DB->bind_param(“s”,$Username);$Stmt->execute();
2) Enable and configure Suhosin
See http://www.hardened-php.net/suhosin for details about Suhosin.
3) Extract data from super globals inside validation functions only
bAD: $UserID=$_POST[‘userid’];if ( ! is_int($userID) ) { $UserID=0;}
4) Replace “print” statements with a wrapper function escaping HTML tags like
bAD: print $value;
beTTeR:safe_out($value);
function safe_out($value) { $value=htmlentities($value,ENT_QUOTES,’UTF-8’); print $value;}
C and C++ Tips1) Validate input from all untrusted data sources.
2) Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code.
3) Create a software architecture and design your software to implement and enforce security policies.
4) Keep the design as simple and small as possible.
5) Base access decisions on permission rather than exclusion.
beTTeR: $UserID=get_userid(‘userid’); function get_userid($name) { $value=$_POST[$name]; if ( is_int($value) ) { return $value; } return FALSE; }
.NET Tips1) For data validation, follow the Constrain,
Reject/Replace, Assign (to local variable) paradigm.
2) Use a validation abstraction layer to make validating data easier and more consistent.
3) Validate data from any and all untrusted sources – including cookies, URL parameters, Form Fields, HTTP Headers, as well as inputs from external systems.Code example combined for first three items above:string sanitizedLastName = null;ValidationUtility.TryValidateAndSanitizeLastName(txtLastName.Text, out sanitizedLastName) { // Success, use sanitizedLastName. Never use txtLastName.Text // again. Simplifies code review.} else { // Failed, NEVER display txtLastName.Text back to user or use // again in code}
// Centralize Validationpublic class ValidationUtility { public static bool TryValidateAndSanitizeLastName (string unsanitizedLastName, out string sanitizedLastName) { // Fail Securely bool isValid = false; // Step 1: Constrain. Use whitelists, not blacklists. if (Regex.IsMatch(unsanitizedLastName, “^[a-z’]+$”, RegexOptions.IgnoreCase)) { // Step 2: Replace, substitue any potential bad characters with // something safe for storage. E.g., the tick ‘ char with the // pipe | char unsanitizedLastName = unsanitizedLastName.Replace(‘\’’, ‘|’); isValid = true; // 3. Assign sanitizedLastName = unsanitizedLastName; } else { // Communicate intent to humans reading the code. isValid = false;x sanitizedLastName = null; } return isValid; }}
4) Use Microsoft’s AntiXSS library to counter XSS attacks. Encode all untrusted output.Available AntiXSS methods: HtmlEncode(), HtmlAttributeEncode(), JavascriptEncode(), VisualBasicScriptEncode(), UrlEncode(), XmlEncode(), XmlAttributeEncode().
<div>Welcome, <%= AntiXss.HtmlEncode(Request.Form[“FullName”]); %></div>
“Personally, I favor coding in unstructured languages like Perl and PHP for all the wrong reasons.”
-Johannes Ullrich, PhD
1. Assessments to gauge developers’ and contractors’ abilities to code securely in a specific language: Java and .NET Contact [email protected] for more information.
2. Top 25 Programming Errors Learn about the 25 most dangerous programming errors that enable security bugs, cyber espionage, and cyber crime. See page 12 for more information.
www.sans.org/top25-programming-errors
3. Procurement language Draft language to help you ensure that contracts for application development, management and maintenance require the contractors to consider and build security into the process. This concept has proven critical to countless organizations by helping them to avoid security issues late in the development cycle and by eliminating or significantly mitigating potential threats resulting from insecure code.
www.sans.org/appseccontract
4. Get GIAC Certified GIAC certifications that allow individuals to prove that they are trained and qualified to work on the development and maintenance of your critical applications. GIAC is ANSI accredited. Certifications are available in the following key application security disciplines:
• GWAPT GIAC Web Application Penetration Tester This certification measures an individual’s understanding of Web application exploits and
penetration testing methodology.
• GSSP-JAVA GIAC Secure Software Programmer in Java
• GSSP-.NET GIAC Secure Software Programmer in .NET
• GSSP-C GIAC Secure Software Programmer in C & C++
The GIAC Secure Software Programmer was designed for individuals who are responsible for coding secure software applications, identifying shortfalls in the security knowledge of other programmers, ensuring other programmers have adequate secure coding skills, and advanced secure programming skills. GIAC Certified Secure Software Programmers (GSSP) have the knowledge, skills, and abilities to write secure code and recognize security shortcomings in existing code.
5. Stay In Touch with the AppSec Community Find free resources and materials related to application security. SANS Software Security
Institute Web site features the App Sec Street Fighter blog, free research, news, and resources to keep you up to date with the most recent attack vectors and application vulnerabilities as well as full course descriptions of the developer curriculum, information on GIAC certification, and upcoming events. New content is added regularly, so please visit often. And don’t forget to share this information with your fellow developers and security
professionals. www.sans-ssi.org
6. Application Security Street Fighter Blog https://blogs.sans.org/appsecstreetfighter
7. AppSec - Discuss Alumni listserv to facilitate discussion between alumni of appsec courses. Allows alumni to share knowledge and keep from reinventing the wheel.
Application Security Resources Instructors
Frank Kim - SANS Certified Instructor and Curriculum Lead for SANS’ Application Security Curriculum Frank Kim is a co-founder and principal with Think Security Consulting (www.thinksec.com), a San Francisco Bay area based ap-plication security consulting firm. Frank is an author and instructor for SANS SEC541: Secure Coding in Java/JEE. He has over ten years of experience developing applications using Java/Java EE and has designed and developed Web applications for large health care, technology, insurance, and consulting companies. Frank currently focuses on integrating security into the software develop-ment life cycle by doing penetration testing, security assessments, architecture reviews, code reviews, and training. Frank holds the CISSP, GPEN, GCIH, GCFA, GCIA, and GSSPJava certifications and is a Sun Certified Java Developer and Programmer.
Johannes Ullrich, PhD - SANS Certified Instructor As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips.
Jason Lam - SANS Certified Instructor Jason is a senior security analyst at a major financial institution in Canada. His recent SANS Institute courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion. Jason started his career as a programmer before moving on to ISP network administration, where he handled network security incidents, which sparked his interest in information security. Jason specializes in Web application security, penetration testing, and intrusion detec-tion. He currently holds a BA in computer science from York University in Toronto, Ontario, as well as the CISSP, GCIA, GCFW, GCUX, GCWN, and GCIH certifications.
Kevin Johnson - SANS Certified Instructor Kevin Johnson is a senior security analyst with InGuardians, LLC. Kevin came to security from a development and system admin-istration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin founded and leads the development on the Basic Analysis and Security Engine (BASE) project, the most popular Web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Pen Testing and Ethical Hacking. He has presented to many organizations, including Infragard, ISACA, ISSA, and the University of Florida.
Tanya Baccam - SANS Senior Instructor Tanya is a SANS senior instructor as well as a SANS courseware author. She provides many security consulting services for clients, such as system audits, vulnerability and risk assessments, database audits, and Web application audits. Tanya has previously worked as the director of assurance services for a security services consulting firm and the manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Throughout her career she’s consulted with many clients about their security architecture, including areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. She has played an integral role in developing multiple business applications and currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, CCNA, and Oracle DBA certifications.
Megan Restuccia - SANS Certified Instructor Megan is currently a certified instructor with the SANS Institute as well as a vice president at Morgan Stanley. She has over 14 years’ experience in information technology with an extensive background in networking in Unix/Linux and Windows environ-ments for both small and large implementations. Megan currently holds professional certifications, including RHCE, CCWD, CISSP, GSEC, and GIAC GREM, and a certificate in GGSC. She also holds a BS in computer science and an MBA from Columbia University. Megan’s most recent focuses were on DLP, security regulations, secure applications design and training, secure infrastructure design, and desktop encryption.
David Rice - SANS Senior Instructor David Rice is an internationally recognized cyber security expert, consulting director for policy reform at the U.S. Cyber Conse-quences Unit, and author of the critically acclaimed book Geekonomics: The Real Cost of Insecure Software. Mr. Rice is a key figure shaping the discussion of cyber security, and his work impacts both U.S. and European cyber security policy. As director of The Monterey Group, a private consulting firm, Mr. Rice advises a variety of clients on a range of issues, including cyber strategy de-velopment and execution, corporate cyber risk management, cyber security metrics, identity management, and secure software development practices.
Jason Montgomery Jason Montgomery is a principal of Active Technologies Group, Inc. (ATGi), an international technology consulting firm based in Columbus, Ohio. Jason leads ATGi’s Software & Application Security practice which evolved out of ATGi’s 15 years of real-world application development experience. Jason has over 14 years of development experience building applications for Fortune 500 companies, Internet Start-ups, as well as State and Federal Government organizations. As a contractor for the Department of Defense, he hardened servers, provided security guidance to developers, revealed and helped mitigate vulnerabilities in federal systems, and built custom applications. 1716
8120
Wo
od
mo
nt
Ave
nu
e
Suit
e 20
5
bet
hes
da,
MD
208
14
This is a must-attend event for anyone involved in application
security. Top instructors will teach you how to write secure code and ensure your applica-
tions are safe from hackers.
Details about the event will be available soon, but you can stay informed by visiting
www.sans-ssi.org