Detaillierter Kursinhalt
DAY 1
Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types – the CIA triad
- Cyber security threat types – the STRIDE model
- Consequences of insecure software
- Constraints and the market
- The dark side
- Categorization of bugs
- The Seven Pernicious Kingdoms
- Common Weakness Enumeration (CWE)
- CWE Top 25 Most Dangerous Software Weaknesses
- Cyber security in the finance sector
- Threats and trends in fintech
- PCI DSS
- Overview
- Requirements and secure coding (Requirements 1-5)
- Req. 6 – Develop and maintain secure systems and applications
- Requirement 6.5 – Address common coding vulnerabilities
- Requirements and secure coding (Requirements 7-12)
The OWASP Top Ten 2021
- A04 – Insecure Design
- The STRIDE model of threats
- Secure design principles of Saltzer and Schroeder
- Client-side security
- Frame sandboxing
- Cross-Frame Scripting (XFS) attacks
- Lab – Clickjacking
- Clickjacking beyond hijacking a click
- Clickjacking protection best practices
- Lab – Using CSP to prevent clickjacking
- Frame sandboxing
- A05 – Security Misconfiguration
- Configuration principles
- Server misconfiguration
- Cookie security
- Cookie security best practices
- Cookie attributes
- XML entities
- DTD and the entities
- Attribute blowup
- Entity expansion
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-Side Request Forgery with external entities
- Lab – External entity attack
- Case study – XXE vulnerability in SAP Store
- Lab – Prohibiting DTD expansion
- A06 – Vulnerable and Outdated Components
- Using vulnerable components
- Case study – The Equifax data breach
- Assessing the environment
- Hardening
- Untrusted functionality import
- Vulnerability management
- Patch management
- Vulnerability databases
- Vulnerability rating – CVSS
- Bug bounty programs
- DevOps, the build process and CI / CD
- A09 – Security Logging and Monitoring Failures
- Logging and monitoring principles
- Insufficient logging
- Case study – Plaintext passwords at Facebook
- Logging best practices
- Monitoring best practices
- Firewalls and Web Application Firewalls (WAF)
- Intrusion detection and prevention
- Case study – The Marriott Starwood data breach