Code responsibly with generative AI in PythonCRWGAIPCYCydrillCY-CRWGAIP1.0<ul>
<li>Understanding the essentials of responsible AI</li><li>Getting familiar with essential cyber security concepts</li><li>Understanding how cryptography supports security</li><li>Learning how to use cryptographic APIs correctly in Python</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of Python</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>All this put into the context of GitHub Copilot</li></ul><p>General Python and Web development</p><p>Python developers using Copilot or other GenAI tools</p><h4>Day 1</h4><h4>Coding responsibly with GenAI</h4><ul>
<li>What is responsible AI?</li><li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Consequences of insecure software</li><li>Security and responsible AI in software development</li><li>GenAI tools in coding: Copilot, Codeium and others</li><li>The OWASP Top Ten from Copilot’s perspective
<ul>
<li>The OWASP Top Ten 2021
<ul>
<li>A01 – Broken Access Control
<ul>
<li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy</li><li>Insecure direct object reference (IDOR)</li><li>Path traversal</li><li>Lab – Insecure Direct Object Reference</li><li>Path traversal best practices</li><li>Lab – Experimenting with path traversal in Copilot</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Remote takeover of Nexx garage doors and alarms</li><li>Lab – Horizontal authorization (exploring with Copilot)</li><li>File upload
<ul>
<li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload (exploring with Copilot)</li></ul></li></ul></li><li>A02 – Cryptographic Failures
<ul>
<li>Cryptography for developers</li><li>Cryptography basics</li><li>Cryptography in Python</li><li>Elementary algorithms</li><li>Hashing
<ul>
<li>Hashing basics</li><li>Hashing in Python</li><li>Lab – Hashing in Python (exploring with Copilot)</li></ul></li><li>Random number generation
<ul>
<li>Pseudo random number generators (PRNGs)</li><li>Cryptographically secure PRNGs</li><li>Weak PRNGs</li><li>Using random numbers</li><li>Lab – Using random numbers in Python (exploring with Copilot)</li><li>Lab – Secure PRNG use in Copilot</li></ul></li><li>Confidentiality protection
<ul>
<li>Symmetric encryption
<ul>
<li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Symmetric encryption in Python</li><li>Lab – Symmetric encryption in Python (exploring with Copilot)</li></ul></li><li>Asymmetric encryption</li><li>Combining symmetric and asymmetric algorithms</li></ul></li></ul></li></ul></li></ul></li></ul><h4>Day 2</h4><h4>The OWASP Top Ten from Copilot’s perspective</h4><ul>
<li>A03 – Injection
<ul>
<li>Injection principles</li><li>Injection attacks
<ul>
<li>SQL injection
<ul>
<li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques
<ul>
<li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>SQL injection best practices</li><li>Input validation</li><li>Parameterized queries</li><li>Lab – Using prepared statements</li><li>Lab – Experimenting with SQL injection in Copilot</li><li>Database defense in depth</li><li>Case study – SQL injection against US airport security</li></ul></li><li>Code injection
<ul>
<li>Code injection via input()</li><li>OS command injection</li><li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices</li><li>Lab – Experimenting with command injection in Copilot</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li><li>Case study – Command injection in Ivanti security appliances</li></ul></li><li>HTML injection – Cross-site scripting (XSS)
<ul>
<li>Cross-site scripting basics</li><li>Cross-site scripting types
<ul>
<li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li></ul></li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS to RCE in Teltonika routers</li><li>XSS protection best practices</li><li>Protection principles – escaping</li><li>XSS protection APIs in Python</li><li>XSS protection in Jinja2</li><li>Lab – XSS fix / stored (exploring with Copilot)</li><li>Lab – XSS fix / reflected (exploring with Copilot)</li><li>Case study – XSS vulnerabilities in DrayTek Vigor routers</li></ul></li></ul></li><li>A04 – Insecure Design
<ul>
<li>The STRIDE model of threats</li><li>Secure design principles of Saltzer and Schroeder
<ul>
<li>Economy of mechanism</li><li>Fail-safe defaults</li><li>Complete mediation</li><li>Open design</li><li>Separation of privilege</li><li>Least privilege</li><li>Least common mechanism</li><li>Psychological acceptability</li></ul></li><li>Client-side security
<ul>
<li>Same Origin Policy</li><li>Simple request</li><li>Preflight request</li><li>Cross-Origin Resource Sharing (CORS)</li><li>Lab – Same-origin policy demo</li><li>Frame sandboxing</li><li>Cross-Frame Scripting (XFS) attacks</li><li>Lab – Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking (exploring with Copilot)</li></ul></li></ul></li></ul>
<h4>Day 3</h4>
<h4>The OWASP Top Ten from Copilot’s perspective</h4>
<ul>
<li>A05 – Security Misconfiguration
<ul>
<li>Configuration principles</li><li>Server misconfiguration</li><li>Python configuration best practices</li><li>Configuring Flask</li><li>Cookie security
<ul>
<li>Cookie attributes</li></ul></li><li>XML entities
<ul>
<li>DTD and the entities</li><li>Entity expansion</li><li>External Entity Attack (XXE)</li><li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Preventing XXE</li><li>Lab – Prohibiting DTD</li><li>Case study – XXE vulnerability in Ivanti products</li><li>Lab – Experimenting with XXE in Copilot</li></ul></li></ul></li><li>A06 – Vulnerable and Outdated Components
<ul>
<li>Using vulnerable components</li><li>Untrusted functionality import</li><li>Malicious packages in Python</li><li>Case study – The Polyfill.io supply chain attack</li><li>Vulnerability management</li><li>Lab – Finding vulnerabilities in third-party components</li><li>Security of AI generated code</li><li>Practical attacks against code generation tools</li><li>Dependency hallucination via generative AI</li><li>Case study – A history of GitHub Copilot weaknesses (up to mid 2024)</li></ul></li><li>A07 – Identification and Authentication Failures
<ul>
<li>Authentication
<ul>
<li>Authentication basics</li><li>Multi-factor authentication (MFA)</li><li>Case study – The InfinityGauntlet attack</li><li>Time-based One Time Passwords (TOTP)</li></ul></li><li>Password management
<ul>
<li>Inbound password management</li><li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Lab – Using adaptive hash functions in Python</li><li>Lab – Using adaptive hash functions in Copilot</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password database migration</li></ul></li></ul></li><li>A08 – Software and Data Integrity Failures
<ul>
<li>Integrity protection
<ul>
<li>Message Authentication Code (MAC)</li><li>Calculating HMAC in Python</li><li>Lab – Calculating MAC in Python</li></ul></li><li>Digital signature
<ul>
<li>Digital signature in Python</li></ul></li><li>Subresource integrity
<ul>
<li>Importing JavaScript</li><li>Lab – Importing JavaScript (exploring with Copilot)</li><li>Case study – The British Airways data breach</li></ul></li></ul></li><li>A10 – Server-side Request Forgery (SSRF)
<ul>
<li>Server-side Request Forgery (SSRF)</li><li>Case study – SSRF in Ivanti Connect Secure</li></ul></li><li>Wrap up
<ul>
<li>Secure coding principles</li><li>Principles of robust programming by Matt Bishop</li><li>And now what?</li><li>Software security sources and further reading</li><li>Python resources</li><li>Responsible AI principles in software development</li><li>Generative AI – Resources and additional guidance</li></ul></li></ul></li></ul><ul>
<li>Coding responsibly with GenAI</li><li>The OWASP Top Ten from Copilot's perspective</li><li>Wrap up</li></ul>- Understanding the essentials of responsible AI
- Getting familiar with essential cyber security concepts
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in Python
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of Python
- Going beyond the low hanging fruits
- Managing vulnerabilities in third party components
- All this put into the context of GitHub CopilotGeneral Python and Web developmentPython developers using Copilot or other GenAI toolsDay 1
Coding responsibly with GenAI
- What is responsible AI?
- What is security?
- Threat and risk
- Cyber security threat types – the CIA triad
- Consequences of insecure software
- Security and responsible AI in software development
- GenAI tools in coding: Copilot, Codeium and others
- The OWASP Top Ten from Copilot’s perspective
- The OWASP Top Ten 2021
- A01 – Broken Access Control
- Access control basics
- Failure to restrict URL access
- Confused deputy
- Insecure direct object reference (IDOR)
- Path traversal
- Lab – Insecure Direct Object Reference
- Path traversal best practices
- Lab – Experimenting with path traversal in Copilot
- Authorization bypass through user-controlled keys
- Case study – Remote takeover of Nexx garage doors and alarms
- Lab – Horizontal authorization (exploring with Copilot)
- File upload
- Unrestricted file upload
- Good practices
- Lab – Unrestricted file upload (exploring with Copilot)
- A02 – Cryptographic Failures
- Cryptography for developers
- Cryptography basics
- Cryptography in Python
- Elementary algorithms
- Hashing
- Hashing basics
- Hashing in Python
- Lab – Hashing in Python (exploring with Copilot)
- Random number generation
- Pseudo random number generators (PRNGs)
- Cryptographically secure PRNGs
- Weak PRNGs
- Using random numbers
- Lab – Using random numbers in Python (exploring with Copilot)
- Lab – Secure PRNG use in Copilot
- Confidentiality protection
- Symmetric encryption
- Block ciphers
- Modes of operation
- Modes of operation and IV – best practices
- Symmetric encryption in Python
- Lab – Symmetric encryption in Python (exploring with Copilot)
- Asymmetric encryption
- Combining symmetric and asymmetric algorithms
Day 2
The OWASP Top Ten from Copilot’s perspective
- A03 – Injection
- Injection principles
- Injection attacks
- SQL injection
- SQL injection basics
- Lab – SQL injection
- Attack techniques
- Content-based blind SQL injection
- Time-based blind SQL injection
- SQL injection best practices
- Input validation
- Parameterized queries
- Lab – Using prepared statements
- Lab – Experimenting with SQL injection in Copilot
- Database defense in depth
- Case study – SQL injection against US airport security
- Code injection
- Code injection via input()
- OS command injection
- Lab – Command injection
- OS command injection best practices
- Avoiding command injection with the right APIs
- Lab – Command injection best practices
- Lab – Experimenting with command injection in Copilot
- Case study – Shellshock
- Lab – Shellshock
- Case study – Command injection in Ivanti security appliances
- HTML injection – Cross-site scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- Persistent cross-site scripting
- Reflected cross-site scripting
- Client-side (DOM-based) cross-site scripting
- Lab – Stored XSS
- Lab – Reflected XSS
- Case study – XSS to RCE in Teltonika routers
- XSS protection best practices
- Protection principles – escaping
- XSS protection APIs in Python
- XSS protection in Jinja2
- Lab – XSS fix / stored (exploring with Copilot)
- Lab – XSS fix / reflected (exploring with Copilot)
- Case study – XSS vulnerabilities in DrayTek Vigor routers
- A04 – Insecure Design
- The STRIDE model of threats
- Secure design principles of Saltzer and Schroeder
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
- Client-side security
- Same Origin Policy
- Simple request
- Preflight request
- Cross-Origin Resource Sharing (CORS)
- Lab – Same-origin policy demo
- Frame sandboxing
- Cross-Frame Scripting (XFS) attacks
- Lab – Clickjacking
- Clickjacking beyond hijacking a click
- Clickjacking protection best practices
- Lab – Using CSP to prevent clickjacking (exploring with Copilot)
Day 3
The OWASP Top Ten from Copilot’s perspective
- A05 – Security Misconfiguration
- Configuration principles
- Server misconfiguration
- Python configuration best practices
- Configuring Flask
- Cookie security
- Cookie attributes
- XML entities
- DTD and the entities
- Entity expansion
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-Side Request Forgery with external entities
- Lab – External entity attack
- Preventing XXE
- Lab – Prohibiting DTD
- Case study – XXE vulnerability in Ivanti products
- Lab – Experimenting with XXE in Copilot
- A06 – Vulnerable and Outdated Components
- Using vulnerable components
- Untrusted functionality import
- Malicious packages in Python
- Case study – The Polyfill.io supply chain attack
- Vulnerability management
- Lab – Finding vulnerabilities in third-party components
- Security of AI generated code
- Practical attacks against code generation tools
- Dependency hallucination via generative AI
- Case study – A history of GitHub Copilot weaknesses (up to mid 2024)
- A07 – Identification and Authentication Failures
- Authentication
- Authentication basics
- Multi-factor authentication (MFA)
- Case study – The InfinityGauntlet attack
- Time-based One Time Passwords (TOTP)
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Lab – Is just hashing passwords enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Lab – Using adaptive hash functions in Python
- Lab – Using adaptive hash functions in Copilot
- Password policy
- NIST authenticator requirements for memorized secrets
- Password database migration
- A08 – Software and Data Integrity Failures
- Integrity protection
- Message Authentication Code (MAC)
- Calculating HMAC in Python
- Lab – Calculating MAC in Python
- Digital signature
- Digital signature in Python
- Subresource integrity
- Importing JavaScript
- Lab – Importing JavaScript (exploring with Copilot)
- Case study – The British Airways data breach
- A10 – Server-side Request Forgery (SSRF)
- Server-side Request Forgery (SSRF)
- Case study – SSRF in Ivanti Connect Secure
- Wrap up
- Secure coding principles
- Principles of robust programming by Matt Bishop
- And now what?
- Software security sources and further reading
- Python resources
- Responsible AI principles in software development
- Generative AI – Resources and additional guidance- Coding responsibly with GenAI
- The OWASP Top Ten from Copilot's perspective
- Wrap up3 days2250.002250.002250.002250.002250.00