Cloud Application Security in Python for AWS

Cloud Application Security in Python for AWSCASEC-PAWSCYCydrillCY-CASEC-PAWS1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Understand cloud security specialties</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of Python</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>Learn to deal with cloud infrastructure security</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in Python</li><li>Input validation approaches and principles</li><li>Understanding how cryptography can support application security</li><li>Learning how to use cryptographic APIs correctly in Python</li></ul>General Python and Web developmentPython developers working on Web applications and AWS<ul> <li>Cyber security basics</li><li>The OWASP Top Ten</li><li>Cloud infrastructure security</li><li>API security</li><li>XML security</li><li>JSON security</li><li>Denial of service</li><li>Cryptography for developers</li><li>Wrap up</li></ul>Day 1 Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software</li><li>Cloud security basics <ul> <li>Cloud infrastructure basics</li><li>Cloud architectures and security</li><li>The Cloud Cube Model</li><li>Attack surface in the cloud</li></ul></li><li>Cloud data security <ul> <li>Data confidentiality and integrity in the cloud</li><li>Data privacy in the cloud</li><li>Compliance considerations</li></ul></li><li>Cloud deployment security <ul> <li>Hardening cloud deployments</li><li>Security of jump boxes</li><li>Serverless computing and security</li></ul></li><li>Cloud security standards and best practices <ul> <li>SOC compliance</li><li>CSA controls</li><li>Other standards</li></ul></li></ul>The OWASP Top Ten <ul> <li>OWASP Top 10 – 2017</li><li>A1 - Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection <ul> <li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>NoSQL injection <ul> <li>NoSQL injection specialties</li><li>NoSQL injection in MongoDB</li><li>NoSQL injection in DynamoDB</li></ul></li><li>SQL injection best practices <ul> <li>Input validation</li><li>Parameterized queries</li><li>Lab – SQL injection best practices</li><li>Additional considerations</li><li>Case study – Hacking Fortnite accounts</li><li>SQL injection protection and ORM</li></ul></li><li>Parameter manipulation <ul> <li>CRLF injection <ul> <li>Log forging</li><li>Lab – Log forging</li><li>Log forging – best practices</li><li>HTTP response splitting</li></ul></li></ul></li><li>Code injection <ul> <li>Code injection via input()</li><li>OS command injection <ul> <li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices</li><li>Case study – Shellshock</li><li>Lab - Shellshock</li><li>Case study – Command injection via ping</li></ul></li></ul></li><li>Script injection <ul> <li>Server-side template injection (SSTI)</li><li>Lab – Template injection</li></ul></li></ul></li></ul>Day 2 The OWASP Top Ten <ul> <li>A2 - Broken Authentication <ul> <li>Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication</li><li>Multi-factor authentication best practices</li><li>Authentication weaknesses - spoofing</li><li>Spoofing on the Web</li><li>Case study – PayPal 2FA bypass</li><li>User interface best practices</li><li>Lab – On-line password brute forcing</li></ul></li><li>Single sign-on (SSO) <ul> <li>Single sign-on concept</li><li>OAuth2 <ul> <li>OAuth2 basics</li><li>OAuth2 in practice</li><li>Best practices</li><li>Configuration best practices</li><li>Case study – Stealing SSO tokens from Epic Games accounts</li></ul></li><li>SAML <ul> <li>SAML basics</li><li>SAML profiles</li><li>SAML security</li></ul></li></ul></li><li>Password management <ul> <li>Inbound password management <ul> <li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password hardening</li><li>Using passphrases</li><li>Case study – The Ashley Madison data breach</li><li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li><li>Password database migration</li><li>(Mis)handling None passwords</li></ul></li><li>Outbound password management <ul> <li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li><li>Protecting sensitive information in memory</li><li>Challenges in protecting memory</li></ul></li></ul></li><li>Session management <ul> <li>Session management essentials</li><li>Why do we protect session IDs – Session hijacking</li><li>Session fixation</li><li>Session invalidation</li><li>Session ID best practices</li><li>Session handling in Flask</li><li>Cross-site Request Forgery (CSRF) <ul> <li>Lab – Cross-site Request Forgery</li><li>CSRF best practices</li><li>CSRF defense in depth</li><li>Lab – CSRF protection with tokens</li></ul></li><li>Cookie security <ul> <li>Cookie security best practices</li><li>Cookie attributes</li></ul></li></ul></li><li>A3 - Sensitive Data Exposure <ul> <li>Information exposure</li><li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>System information leakage <ul> <li>Leaking system information</li></ul></li><li>Information exposure best practices</li></ul></li><li>A4 - XML External Entities (XXE) <ul> <li>DTD and the entities</li><li>Entity expansion</li><li>Lab – Billion laughs attack</li><li>External Entity Attack (XXE) <ul> <li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Preventing XXE</li><li>Lab – Using non-vulnerable parsers</li></ul></li></ul></li></ul></li></ul>Day 3 The OWASP Top Ten <ul> <li>A5 - Broken Access Control <ul> <li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy <ul> <li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Case study – Authorization bypass on Facebook</li><li>Authorization bypass through user-controlled keys</li><li>Lab – Horizontal authorization</li></ul></li><li>File upload <ul> <li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li></ul></li></ul></li><li>A7 - Cross-site Scripting (XSS) <ul> <li>Cross-site scripting basics</li><li>Cross-site scripting types <ul> <li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li></ul></li><li>XSS protection best practices <ul> <li>Protection principles - escaping</li><li>XSS protection APIs in Python</li><li>XSS protection in Jinja2</li><li>Lab – XSS fix / stored</li><li>Lab – XSS fix / reflected</li><li>Additional protection layers</li><li>Client-side protection principles</li></ul></li></ul></li><li>A8 - Insecure Deserialization <ul> <li>Serialization and deserialization challenges</li><li>Integrity – deserializing untrusted streams</li><li>Deserialization with pickle</li><li>Lab – Deserializing with Pickle</li><li>PyYAML deserialization challenges</li><li>Integrity – deserialization best practices</li></ul></li><li>A9 - Using Components with Known Vulnerabilities <ul> <li>Using vulnerable components</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Malicious packages in Python</li><li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li><li>Vulnerability management <ul> <li>Patch management</li><li>Vulnerability management</li><li>Bug bounty programs</li><li>Vulnerability databases</li><li>Vulnerability rating – CVSS</li><li>DevOps, the build process and CI / CD</li><li>Dependency checking in Python</li><li>Lab – Detecting vulnerable components</li></ul></li></ul></li><li>A10 - Insufficient Logging & Monitoring <ul> <li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Case study – Plaintext passwords at Facebook</li><li>Logging best practices</li><li>Monitoring best practices</li></ul></li><li>Web application security beyond the Top Ten <ul> <li>Client-side security</li><li>Same Origin Policy <ul> <li>Lab – Same-origin policy demo</li></ul></li><li>Tabnabbing</li><li>Frame sandboxing <ul> <li>Cross-Frame Scripting (XFS) attack</li><li>Lab - Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking</li></ul></li></ul></li></ul>Day 4 Cloud infrastructure security <ul> <li>Container security <ul> <li>Container security concerns</li><li>Containerization, virtualization, and security</li><li>Attack surface of container technologies</li><li>Container security tools</li></ul></li><li>Docker security <ul> <li>Docker and security</li><li>Docker security features</li><li>Common Docker security mistakes</li><li>Docker security best practices</li><li>Hardening Docker</li><li>Lab – Static analysis of Docker image</li></ul></li><li>Kubernetes security <ul> <li>The Kubernetes architecture and security</li><li>Common Kubernetes security mistakes</li><li>Securing Kubernetes hosts</li><li>Best practices for Kubernetes access control</li><li>Building secure Kubernetes images</li><li>Secure deployment of Kubernetes containers</li><li>Protecting Kubernetes deployments at runtime</li><li>Lab – Scanning a Kubernetes image for vulnerabilities</li></ul></li><li>AWS security <ul> <li>Security considerations <ul> <li>AWS and security</li><li>AWS security features</li><li>The AWS shared responsibility model</li><li>AWS cloud compliance</li><li>AWS hardening</li><li>Security tools for AWS</li></ul></li><li>Identity and access management (IAM) <ul> <li>Identity and access management in AWS</li><li>Access tokens</li><li>Groups, roles and credentials</li></ul></li><li>Data security <ul> <li>Data security in AWS</li><li>Policies</li><li>Storing cryptographic keys</li><li>Protecting data at rest</li><li>Protecting data in transit</li></ul></li><li>Detection and monitoring <ul> <li>Utilizing AWS monitoring for security</li><li>Protecting logs</li><li>The AWS Security Hub</li></ul></li></ul></li></ul>API security <ul> <li>Input validation <ul> <li>Input validation principles <ul> <li>Blacklists and whitelists</li><li>Data validation techniques</li><li>Lab – Input validation</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Unicode challenges</li><li>Lab – Encoding challenges</li><li>Validation with regex</li></ul></li><li>Integer handling problems <ul> <li>Representing signed numbers</li><li>Integer visualization</li><li>Integers in Python</li><li>Integer overflow</li><li>Integer overflows in ctypes and numpy</li></ul></li><li>Value manipulation <ul> <li>Setting manipulation</li><li>Manipulating critical state data</li><li>Resource manipulation</li></ul></li><li>Open redirects and forwards <ul> <li>Case study – Unvalidated redirect at Epic Games</li><li>Open redirects and forwards – best practices</li></ul></li><li>Files and streams <ul> <li>Path traversal</li><li>Path traversal-related examples</li><li>Additional challenges in Windows</li><li>Virtual resources</li><li>Path traversal best practices</li></ul></li><li>Format string issues</li></ul></li></ul>XML security <ul> <li>XML validation</li><li>XML injection <ul> <li>XPath injection</li><li>Blind XPath injection</li></ul></li></ul>JSON security <ul> <li>JSON validation</li><li>JSON injection</li><li>Dangers of JSONP</li><li>JSON/JavaScript hijacking</li><li>Best practices</li><li>Case study – ReactJS vulnerability in HackerOne</li></ul>Day 5 Denial of service <ul> <li>Denial of Service</li><li>Flooding</li><li>Resource exhaustion</li><li>Sustained client engagement</li><li>Infinite loop</li><li>Economic Denial of Sustainability (EDoS)</li><li>Algorithm complexity issues <ul> <li>Regular expression denial of service (ReDoS) <ul> <li>Lab – ReDoS in Python</li><li>Dealing with ReDoS</li></ul></li></ul></li></ul>Cryptography for developers <ul> <li>Cryptography basics</li><li>Cryptography in Python</li><li>Elementary algorithms <ul> <li>Random number generation <ul> <li>Pseudo random number generators (PRNGs)</li><li>Cryptographically strong PRNGs</li><li>Using virtual random streams</li><li>Weak and strong PRNGs</li><li>Using random numbers in Python</li><li>Lab – Using random numbers in Python</li><li>Case study – Equifax credit account freeze</li></ul></li><li>Hashing <ul> <li>Hashing basics</li><li>Common hashing mistakes</li><li>Hashing in Python</li><li>Lab – Hashing in Python</li></ul></li></ul></li><li>Confidentiality protection <ul> <li>Symmetric encryption <ul> <li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Symmetric encryption in Python</li><li>Lab – Symmetric encryption in in Python</li></ul></li><li>Asymmetric encryption</li><li>Combining symmetric and asymmetric algorithms</li></ul></li><li>Integrity protection <ul> <li>Message Authentication Code (MAC) <ul> <li>MAC in Python</li><li>Lab – Calculating MAC in Python</li></ul></li><li>Digital signature <ul> <li>Digital signature in Python</li><li>Lab – Digital signature with ECDSA in Python</li></ul></li></ul></li><li>Public Key Infrastructure (PKI) <ul> <li>Some further key management challenges</li><li>Certificates <ul> <li>Chain of trust</li><li>Certificate management – best practices</li></ul></li></ul></li><li>Transport security <ul> <li>Transport security weaknesses</li><li>The TLS protocol <ul> <li>TLS basics</li><li>TLS features (changes in v1.3)</li><li>The handshake in a nutshell (v1.3)</li><li>TLS best practices</li><li>TLS authentication best practices</li><li>Lab – Using a secure socket in Python</li><li>HTTP Strict Transport Security (HSTS)</li><li>Lab – Setting HSTS in Python</li></ul></li></ul></li></ul>Wrap up <ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schröder</li></ul></li><li>And now what? <ul> <li>Software security sources and further reading</li><li>Python resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts - Understand cloud security specialties - Understanding Web application security issues - Detailed analysis of the OWASP Top Ten elements - Putting Web application security in the context of Python - Going beyond the low hanging fruits - Managing vulnerabilities in third party components - Learn to deal with cloud infrastructure security - Identify vulnerabilities and their consequences - Learn the security best practices in Python - Input validation approaches and principles - Understanding how cryptography can support application security - Learning how to use cryptographic APIs correctly in PythonGeneral Python and Web developmentPython developers working on Web applications and AWS- Cyber security basics - The OWASP Top Ten - Cloud infrastructure security - API security - XML security - JSON security - Denial of service - Cryptography for developers - Wrap upDay 1 Cyber security basics - What is security? - Threat and risk - Cyber security threat types - Consequences of insecure software - Cloud security basics - Cloud infrastructure basics - Cloud architectures and security - The Cloud Cube Model - Attack surface in the cloud - Cloud data security - Data confidentiality and integrity in the cloud - Data privacy in the cloud - Compliance considerations - Cloud deployment security - Hardening cloud deployments - Security of jump boxes - Serverless computing and security - Cloud security standards and best practices - SOC compliance - CSA controls - Other standards The OWASP Top Ten - OWASP Top 10 – 2017 - A1 - Injection - Injection principles - Injection attacks - SQL injection - SQL injection basics - Lab – SQL injection - Attack techniques - Content-based blind SQL injection - Time-based blind SQL injection - NoSQL injection - NoSQL injection specialties - NoSQL injection in MongoDB - NoSQL injection in DynamoDB - SQL injection best practices - Input validation - Parameterized queries - Lab – SQL injection best practices - Additional considerations - Case study – Hacking Fortnite accounts - SQL injection protection and ORM - Parameter manipulation - CRLF injection - Log forging - Lab – Log forging - Log forging – best practices - HTTP response splitting - Code injection - Code injection via input() - OS command injection - Lab – Command injection - OS command injection best practices - Avoiding command injection with the right APIs - Lab – Command injection best practices - Case study – Shellshock - Lab - Shellshock - Case study – Command injection via ping - Script injection - Server-side template injection (SSTI) - Lab – Template injection Day 2 The OWASP Top Ten - A2 - Broken Authentication - Authentication - Authentication basics - Multi-factor authentication - Multi-factor authentication best practices - Authentication weaknesses - spoofing - Spoofing on the Web - Case study – PayPal 2FA bypass - User interface best practices - Lab – On-line password brute forcing - Single sign-on (SSO) - Single sign-on concept - OAuth2 - OAuth2 basics - OAuth2 in practice - Best practices - Configuration best practices - Case study – Stealing SSO tokens from Epic Games accounts - SAML - SAML basics - SAML profiles - SAML security - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Password policy - NIST authenticator requirements for memorized secrets - Password hardening - Using passphrases - Case study – The Ashley Madison data breach - The dictionary attack - The ultimate crack - Exploitation and the lessons learned - Password database migration - (Mis)handling None passwords - Outbound password management - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - Session management - Session management essentials - Why do we protect session IDs – Session hijacking - Session fixation - Session invalidation - Session ID best practices - Session handling in Flask - Cross-site Request Forgery (CSRF) - Lab – Cross-site Request Forgery - CSRF best practices - CSRF defense in depth - Lab – CSRF protection with tokens - Cookie security - Cookie security best practices - Cookie attributes - A3 - Sensitive Data Exposure - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - System information leakage - Leaking system information - Information exposure best practices - A4 - XML External Entities (XXE) - DTD and the entities - Entity expansion - Lab – Billion laughs attack - External Entity Attack (XXE) - File inclusion with external entities - Server-Side Request Forgery with external entities - Lab – External entity attack - Case study – XXE vulnerability in SAP Store - Preventing XXE - Lab – Using non-vulnerable parsers Day 3 The OWASP Top Ten - A5 - Broken Access Control - Access control basics - Failure to restrict URL access - Confused deputy - Insecure direct object reference (IDOR) - Lab – Insecure Direct Object Reference - Case study – Authorization bypass on Facebook - Authorization bypass through user-controlled keys - Lab – Horizontal authorization - File upload - Unrestricted file upload - Good practices - Lab – Unrestricted file upload - A7 - Cross-site Scripting (XSS) - Cross-site scripting basics - Cross-site scripting types - Persistent cross-site scripting - Reflected cross-site scripting - Client-side (DOM-based) cross-site scripting - Lab – Stored XSS - Lab – Reflected XSS - Case study – XSS in Fortnite accounts - XSS protection best practices - Protection principles - escaping - XSS protection APIs in Python - XSS protection in Jinja2 - Lab – XSS fix / stored - Lab – XSS fix / reflected - Additional protection layers - Client-side protection principles - A8 - Insecure Deserialization - Serialization and deserialization challenges - Integrity – deserializing untrusted streams - Deserialization with pickle - Lab – Deserializing with Pickle - PyYAML deserialization challenges - Integrity – deserialization best practices - A9 - Using Components with Known Vulnerabilities - Using vulnerable components - Assessing the environment - Hardening - Untrusted functionality import - Malicious packages in Python - Importing JavaScript - Lab – Importing JavaScript - Case study – The British Airways data breach - Vulnerability management - Patch management - Vulnerability management - Bug bounty programs - Vulnerability databases - Vulnerability rating – CVSS - DevOps, the build process and CI / CD - Dependency checking in Python - Lab – Detecting vulnerable components - A10 - Insufficient Logging & Monitoring - Logging and monitoring principles - Insufficient logging - Case study – Plaintext passwords at Facebook - Logging best practices - Monitoring best practices - Web application security beyond the Top Ten - Client-side security - Same Origin Policy - Lab – Same-origin policy demo - Tabnabbing - Frame sandboxing - Cross-Frame Scripting (XFS) attack - Lab - Clickjacking - Clickjacking beyond hijacking a click - Clickjacking protection best practices - Lab – Using CSP to prevent clickjacking Day 4 Cloud infrastructure security - Container security - Container security concerns - Containerization, virtualization, and security - Attack surface of container technologies - Container security tools - Docker security - Docker and security - Docker security features - Common Docker security mistakes - Docker security best practices - Hardening Docker - Lab – Static analysis of Docker image - Kubernetes security - The Kubernetes architecture and security - Common Kubernetes security mistakes - Securing Kubernetes hosts - Best practices for Kubernetes access control - Building secure Kubernetes images - Secure deployment of Kubernetes containers - Protecting Kubernetes deployments at runtime - Lab – Scanning a Kubernetes image for vulnerabilities - AWS security - Security considerations - AWS and security - AWS security features - The AWS shared responsibility model - AWS cloud compliance - AWS hardening - Security tools for AWS - Identity and access management (IAM) - Identity and access management in AWS - Access tokens - Groups, roles and credentials - Data security - Data security in AWS - Policies - Storing cryptographic keys - Protecting data at rest - Protecting data in transit - Detection and monitoring - Utilizing AWS monitoring for security - Protecting logs - The AWS Security Hub API security - Input validation - Input validation principles - Blacklists and whitelists - Data validation techniques - Lab – Input validation - What to validate – the attack surface - Where to validate – defense in depth - When to validate – validation vs transformations - Output sanitization - Encoding challenges - Unicode challenges - Lab – Encoding challenges - Validation with regex - Integer handling problems - Representing signed numbers - Integer visualization - Integers in Python - Integer overflow - Integer overflows in ctypes and numpy - Value manipulation - Setting manipulation - Manipulating critical state data - Resource manipulation - Open redirects and forwards - Case study – Unvalidated redirect at Epic Games - Open redirects and forwards – best practices - Files and streams - Path traversal - Path traversal-related examples - Additional challenges in Windows - Virtual resources - Path traversal best practices - Format string issues XML security - XML validation - XML injection - XPath injection - Blind XPath injection JSON security - JSON validation - JSON injection - Dangers of JSONP - JSON/JavaScript hijacking - Best practices - Case study – ReactJS vulnerability in HackerOne Day 5 Denial of service - Denial of Service - Flooding - Resource exhaustion - Sustained client engagement - Infinite loop - Economic Denial of Sustainability (EDoS) - Algorithm complexity issues - Regular expression denial of service (ReDoS) - Lab – ReDoS in Python - Dealing with ReDoS Cryptography for developers - Cryptography basics - Cryptography in Python - Elementary algorithms - Random number generation - Pseudo random number generators (PRNGs) - Cryptographically strong PRNGs - Using virtual random streams - Weak and strong PRNGs - Using random numbers in Python - Lab – Using random numbers in Python - Case study – Equifax credit account freeze - Hashing - Hashing basics - Common hashing mistakes - Hashing in Python - Lab – Hashing in Python - Confidentiality protection - Symmetric encryption - Block ciphers - Modes of operation - Modes of operation and IV – best practices - Symmetric encryption in Python - Lab – Symmetric encryption in in Python - Asymmetric encryption - Combining symmetric and asymmetric algorithms - Integrity protection - Message Authentication Code (MAC) - MAC in Python - Lab – Calculating MAC in Python - Digital signature - Digital signature in Python - Lab – Digital signature with ECDSA in Python - Public Key Infrastructure (PKI) - Some further key management challenges - Certificates - Chain of trust - Certificate management – best practices - Transport security - Transport security weaknesses - The TLS protocol - TLS basics - TLS features (changes in v1.3) - The handshake in a nutshell (v1.3) - TLS best practices - TLS authentication best practices - Lab – Using a secure socket in Python - HTTP Strict Transport Security (HSTS) - Lab – Setting HSTS in Python Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schröder - And now what? - Software security sources and further reading - Python resources5 Tage3750.003750.003750.003750.003750.003750.003750.003750.003750.003750.003750.00