Code responsibly with generative AI in C# (desktop applications)

Code responsibly with generative AI in C# (desktop applications)CRWGAICCYCydrillCY-CRWGAIC1.0<ul> <li>Understanding the essentials of responsible AI</li><li>Getting familiar with essential cyber security concepts</li><li>Input validation approaches and principles</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in C#</li><li>Correctly implementing various security features</li><li>Managing vulnerabilities in third party components</li><li>Understanding how cryptography supports security</li><li>Learning how to use cryptographic APIs correctly in C#</li><li>All this put into the context of GitHub Copilot</li></ul><h4></h4> <h4></h4><p>General C# development</p><p>C# developers using Copilot or other GenAI tools</p><h4>Day 1</h4><h4>Coding responsibly with GenAI</h4><ul> <li>What is responsible AI?</li><li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Consequences of insecure software</li><li>Security and responsible AI in software development</li><li>GenAI tools in coding: Copilot, Codeium and others</li><li>Input validation <ul> <li>Input validation principles</li><li>Denylists and allowlists</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li></ul></li><li>Injection <ul> <li>Code injection</li><li>OS command injection</li><li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices</li><li>Lab – Experimenting with command injection in Copilot</li><li>Case study – Command injection in Ruckus</li></ul></li><li>Integer handling problems <ul> <li>Representing signed numbers</li><li>Integer visualization</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion</li><li>Case study – The Stockholm Stock Exchange</li><li>Lab – Signed / unsigned confusion</li><li>Lab – Experimenting with signed / unsigned confusion in Copilot</li><li>Integer truncation</li><li>Best practices</li><li>Upcasting</li><li>Precondition testing</li><li>Postcondition testing</li><li>Integer handling in C#</li><li>Lab – Checked arithmetics</li><li>Lab – Experimenting with integer overflow in Copilot</li></ul></li><li>Files and streams <ul> <li>Path traversal</li><li>Lab – Path traversal</li><li>Additional challenges in Windows</li><li>Case study – File spoofing in WinRAR</li><li>Path traversal best practices</li><li>Lab – Path canonicalization</li><li>Lab – Experimenting with path traversal in Copilot</li></ul></li></ul><h4>Day 2</h4><h4>Input validation</h4><ul> <li>Unsafe reflection <ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li><li>Lab – Experimenting with unsafe reflection in Copilot</li></ul></li><li>Unsafe native code <ul> <li>Native code dependence</li><li>Lab – Unsafe native code</li><li>Best practices for dealing with native code</li></ul></li><li>Security features <ul> <li>Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication (MFA)</li><li>Case study – The InfinityGauntlet attack</li><li>Time-based One Time Passwords (TOTP)</li></ul></li><li>Password management <ul> <li>Inbound password management</li><li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Lab – Using adaptive hash functions in C#</li><li>Lab – Using adaptive hash functions in Copilot</li><li>Case study – Veeam missing authentication and cleartext password storage</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password database migration</li><li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li></ul></li><li>Protecting sensitive information in memory <ul> <li>Challenges in protecting memory</li><li>Case study – Microsoft secret key theft via dump files</li><li>Storing sensitive data in memory</li><li>Case study – KeePass password leakage via strings</li></ul></li><li>Information exposure <ul> <li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li></ul></li><li>Platform security <ul> <li>.NET platform security</li><li>Protecting .NET code and applications</li><li>Code signing</li></ul></li><li>Denial of service <ul> <li>Flooding</li><li>Resource exhaustion</li><li>Algorithmic complexity issues</li><li>Regular expression denial of service (ReDoS)</li><li>Lab – ReDoS</li><li>Lab – Experimenting with ReDoS in Copilot</li><li>Dealing with ReDoS</li></ul></li><li>Using vulnerable components <ul> <li>Case study – The Polyfill.io supply chain attack</li><li>Vulnerability management</li><li>Lab – Finding vulnerabilities in third-party components</li></ul></li><li>Security of AI generated code <ul> <li>Practical attacks against code generation tools</li><li>Dependency hallucination via generative AI</li><li>Case study – A history of GitHub Copilot weaknesses (up to mid 2024)</li></ul></li></ul> <h4>Day 3</h4> <h4>Cryptography for developers</h4> <ul> <li>Cryptography basics</li><li>Crypto APIs in C#</li><li>Elementary algorithms</li><li>Hashing <ul> <li>Hashing basics</li><li>Hashing in C#</li><li>Lab – Hashing in C# (exploring with Copilot)</li></ul></li><li>Random number generation <ul> <li>Pseudo random number generators (PRNGs)</li><li>Cryptographically secure PRNGs</li><li>Weak and strong PRNGs</li><li>Using random numbers in C#</li><li>Lab – Using random numbers in C# (exploring with Copilot)</li><li>Case study – Equifax credit account freeze</li></ul></li><li>Confidentiality protection <ul> <li>Symmetric encryption <ul> <li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Symmetric encryption in C#</li><li>Symmetric encryption in C# with streams</li><li>Lab – Symmetric encryption in C# (exploring with Copilot)</li><li>Case study – Padding oracle used in RCE against Citrix ShareFile</li></ul></li><li>Asymmetric encryption <ul> <li>The RSA algorithm</li><li>RSA in C#</li><li>Combining symmetric and asymmetric algorithms</li></ul></li><li>Key exchange and agreement <ul> <li>Key exchange</li><li>Diffie-Hellman key agreement algorithm</li><li>Key exchange pitfalls and best practices</li></ul></li></ul></li><li>Integrity protection <ul> <li>Message Authentication Code (MAC)</li><li>Calculating HMAC in C#</li><li>Lab – Calculating MAC in C#</li><li>Digital signature <ul> <li>Digital signature with RSA</li><li>Elliptic Curve Cryptography</li><li>ECC basics</li><li>Digital signature with ECC</li><li>Digital signature in C#</li><li>Lab – Digital signature with ECDSA in C#</li></ul></li></ul></li><li>Common software security weaknesses <ul> <li>Code quality <ul> <li>Code quality and security</li></ul></li><li>Data handling <ul> <li>Initialization and cleanup</li><li>Class initialization cycles</li><li>Lab – Initialization cycles (exploring with Copilot)</li></ul></li><li>Object oriented programming pitfalls <ul> <li>Inheritance and overriding</li><li>Mutability</li><li>Lab – Mutable object (exploring with Copilot)</li></ul></li><li>Serialization <ul> <li>Serialization and deserialization challenges</li><li>Integrity – deserializing untrusted streams</li><li>Integrity – deserialization best practices</li><li>Look ahead deserialization</li><li>Property Oriented Programming (POP)</li><li>Creating a POP payload</li><li>Lab – Creating a POP payload</li><li>Lab – Using the POP payload</li><li>Case study – Deserialization RCE in Veeam</li></ul></li></ul></li><li>Wrap up <ul> <li>Secure coding principles</li><li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schroeder</li><li>And now what?</li><li>Software security sources and further reading</li><li>.NET and C# resources</li><li>Responsible AI principles in software development</li><li>Generative AI – Resources and additional guidance</li></ul></li></ul></li></ul>- Understanding the essentials of responsible AI - Getting familiar with essential cyber security concepts - Input validation approaches and principles - Identify vulnerabilities and their consequences - Learn the security best practices in C# - Correctly implementing various security features - Managing vulnerabilities in third party components - Understanding how cryptography supports security - Learning how to use cryptographic APIs correctly in C# - All this put into the context of GitHub CopilotGeneral C# developmentC# developers using Copilot or other GenAI toolsDay 1 Coding responsibly with GenAI - What is responsible AI? - What is security? - Threat and risk - Cyber security threat types – the CIA triad - Consequences of insecure software - Security and responsible AI in software development - GenAI tools in coding: Copilot, Codeium and others - Input validation - Input validation principles - Denylists and allowlists - What to validate – the attack surface - Where to validate – defense in depth - When to validate – validation vs transformations - Injection - Code injection - OS command injection - Lab – Command injection - OS command injection best practices - Avoiding command injection with the right APIs - Lab – Command injection best practices - Lab – Experimenting with command injection in Copilot - Case study – Command injection in Ruckus - Integer handling problems - Representing signed numbers - Integer visualization - Integer overflow - Lab – Integer overflow - Signed / unsigned confusion - Case study – The Stockholm Stock Exchange - Lab – Signed / unsigned confusion - Lab – Experimenting with signed / unsigned confusion in Copilot - Integer truncation - Best practices - Upcasting - Precondition testing - Postcondition testing - Integer handling in C# - Lab – Checked arithmetics - Lab – Experimenting with integer overflow in Copilot - Files and streams - Path traversal - Lab – Path traversal - Additional challenges in Windows - Case study – File spoofing in WinRAR - Path traversal best practices - Lab – Path canonicalization - Lab – Experimenting with path traversal in Copilot Day 2 Input validation - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection - Lab – Experimenting with unsafe reflection in Copilot - Unsafe native code - Native code dependence - Lab – Unsafe native code - Best practices for dealing with native code - Security features - Authentication - Authentication basics - Multi-factor authentication (MFA) - Case study – The InfinityGauntlet attack - Time-based One Time Passwords (TOTP) - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Lab – Using adaptive hash functions in C# - Lab – Using adaptive hash functions in Copilot - Case study – Veeam missing authentication and cleartext password storage - Password policy - NIST authenticator requirements for memorized secrets - Password database migration - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - Case study – Microsoft secret key theft via dump files - Storing sensitive data in memory - Case study – KeePass password leakage via strings - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - Platform security - .NET platform security - Protecting .NET code and applications - Code signing - Denial of service - Flooding - Resource exhaustion - Algorithmic complexity issues - Regular expression denial of service (ReDoS) - Lab – ReDoS - Lab – Experimenting with ReDoS in Copilot - Dealing with ReDoS - Using vulnerable components - Case study – The Polyfill.io supply chain attack - Vulnerability management - Lab – Finding vulnerabilities in third-party components - Security of AI generated code - Practical attacks against code generation tools - Dependency hallucination via generative AI - Case study – A history of GitHub Copilot weaknesses (up to mid 2024) Day 3 Cryptography for developers - Cryptography basics - Crypto APIs in C# - Elementary algorithms - Hashing - Hashing basics - Hashing in C# - Lab – Hashing in C# (exploring with Copilot) - Random number generation - Pseudo random number generators (PRNGs) - Cryptographically secure PRNGs - Weak and strong PRNGs - Using random numbers in C# - Lab – Using random numbers in C# (exploring with Copilot) - Case study – Equifax credit account freeze - Confidentiality protection - Symmetric encryption - Block ciphers - Modes of operation - Modes of operation and IV – best practices - Symmetric encryption in C# - Symmetric encryption in C# with streams - Lab – Symmetric encryption in C# (exploring with Copilot) - Case study – Padding oracle used in RCE against Citrix ShareFile - Asymmetric encryption - The RSA algorithm - RSA in C# - Combining symmetric and asymmetric algorithms - Key exchange and agreement - Key exchange - Diffie-Hellman key agreement algorithm - Key exchange pitfalls and best practices - Integrity protection - Message Authentication Code (MAC) - Calculating HMAC in C# - Lab – Calculating MAC in C# - Digital signature - Digital signature with RSA - Elliptic Curve Cryptography - ECC basics - Digital signature with ECC - Digital signature in C# - Lab – Digital signature with ECDSA in C# - Common software security weaknesses - Code quality - Code quality and security - Data handling - Initialization and cleanup - Class initialization cycles - Lab – Initialization cycles (exploring with Copilot) - Object oriented programming pitfalls - Inheritance and overriding - Mutability - Lab – Mutable object (exploring with Copilot) - Serialization - Serialization and deserialization challenges - Integrity – deserializing untrusted streams - Integrity – deserialization best practices - Look ahead deserialization - Property Oriented Programming (POP) - Creating a POP payload - Lab – Creating a POP payload - Lab – Using the POP payload - Case study – Deserialization RCE in Veeam - Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schroeder - And now what? - Software security sources and further reading - .NET and C# resources - Responsible AI principles in software development - Generative AI – Resources and additional guidance3 days2250.002250.002250.002250.002250.00