Web Application Security for PCI DSS

Web Application Security for PCI DSSWASEC-PCIDSSCYCydrillCY-WASEC-PCIDSS1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Learning about security specialties of the finance sector</li><li>Having essential understanding of PCI DSS requirements</li><li>Managing vulnerabilities in third party components</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of any programming language</li><li>Going beyond the low hanging fruits</li><li>Understanding how cryptography supports security</li><li>Getting familiar with security testing techniques and tools</li></ul>None for plenary, general Web development for secure codingManagers and developers working on Web applications in finance<ul> <li>Cyber security basics</li><li>The OWASP Top Ten 2021</li><li>Security testing</li><li>Wrap up</li></ul>DAY 1 Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types – the CIA triad</li><li>Cyber security threat types – the STRIDE model</li><li>Consequences of insecure software</li><li>Constraints and the market</li><li>The dark side</li><li>Categorization of bugs <ul> <li>The Seven Pernicious Kingdoms</li><li>Common Weakness Enumeration (CWE)</li><li>CWE Top 25 Most Dangerous Software Weaknesses</li></ul></li><li>Cyber security in the finance sector <ul> <li>Threats and trends in fintech</li></ul></li><li>PCI DSS <ul> <li>Overview</li><li>Requirements and secure coding (Requirements 1-5)</li><li>Req. 6 – Develop and maintain secure systems and applications</li><li>Requirement 6.5 – Address common coding vulnerabilities</li><li>Requirements and secure coding (Requirements 7-12)</li></ul></li></ul>The OWASP Top Ten 2021 <ul> <li>A04 – Insecure Design <ul> <li>The STRIDE model of threats</li><li>Secure design principles of Saltzer and Schroeder</li><li>Client-side security <ul> <li>Frame sandboxing <ul> <li>Cross-Frame Scripting (XFS) attacks</li><li>Lab – Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking</li></ul></li></ul></li></ul></li><li>A05 – Security Misconfiguration <ul> <li>Configuration principles</li><li>Server misconfiguration</li><li>Cookie security <ul> <li>Cookie security best practices</li><li>Cookie attributes</li></ul></li><li>XML entities <ul> <li>DTD and the entities</li><li>Attribute blowup</li><li>Entity expansion</li><li>External Entity Attack (XXE) <ul> <li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Lab – Prohibiting DTD expansion</li></ul></li></ul></li></ul></li><li>A06 – Vulnerable and Outdated Components <ul> <li>Using vulnerable components</li><li>Case study – The Equifax data breach</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Vulnerability management <ul> <li>Patch management</li><li>Vulnerability databases</li><li>Vulnerability rating – CVSS</li><li>Bug bounty programs</li><li>DevOps, the build process and CI / CD</li></ul></li></ul></li><li>A09 – Security Logging and Monitoring Failures <ul> <li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Case study – Plaintext passwords at Facebook</li><li>Logging best practices</li><li>Monitoring best practices</li><li>Firewalls and Web Application Firewalls (WAF)</li><li>Intrusion detection and prevention</li><li>Case study – The Marriott Starwood data breach</li></ul></li></ul>DAY 2 The OWASP Top Ten 2021 <ul> <li>A01 – Broken Access Control <ul> <li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy <ul> <li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Authorization bypass on Facebook</li><li>Lab – Horizontal authorization</li></ul></li><li>File upload <ul> <li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li></ul></li><li>Cross-site Request Forgery (CSRF) <ul> <li>Lab – Cross-site Request Forgery</li><li>CSRF best practices</li><li>CSRF defense in depth</li><li>Lab – CSRF protection with tokens</li></ul></li></ul></li><li>A02 – Cryptographic Failures <ul> <li>Information exposure <ul> <li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>System information leakage <ul> <li>Leaking system information</li></ul></li><li>Information exposure best practices</li></ul></li><li>Cryptography for developers <ul> <li>Cryptography basics</li><li>Elementary algorithms <ul> <li>Random number generation <ul> <li>Pseudo random number generators (PRNGs)</li><li>Cryptographically strong PRNGs</li><li>Using virtual random streams</li><li>Lab – Using random numbers</li><li>Case study – Equifax credit account freeze</li></ul></li></ul></li><li>Confidentiality protection <ul> <li>Symmetric encryption <ul> <li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Lab – Symmetric encryption</li></ul></li><li>Asymmetric encryption</li><li>Combining symmetric and asymmetric algorithms</li></ul></li></ul></li></ul></li></ul>The OWASP Top Ten 2021 <ul> <li>A03 – Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection <ul> <li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>SQL injection best practices <ul> <li>Input validation</li><li>Parameterized queries</li><li>Lab – Using prepared statements</li><li>Case study – Hacking Fortnite accounts</li></ul></li><li>Code injection <ul> <li>OS command injection <ul> <li>OS command injection best practices</li><li>Case study – Shellshock</li><li>Lab – Shellshock</li></ul></li></ul></li></ul></li></ul>DAY 3 The OWASP Top Ten 2021 <ul> <li>A03 – Injection <ul> <li>HTML injection – Cross-site scripting (XSS) <ul> <li>Cross-site scripting basics</li><li>Cross-site scripting types <ul> <li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li></ul></li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li><li>XSS protection best practices <ul> <li>Protection principles – escaping</li><li>Lab – XSS fix / stored</li><li>Lab – XSS fix / reflected</li><li>Additional protection layers – defense in depth</li></ul></li></ul></li></ul></li></ul>The OWASP Top Ten 2021 <ul> <li>A07 – Identification and Authentication Failures <ul> <li>Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication</li><li>Time-based One Time Passwords (TOTP)</li><li>Authentication weaknesses</li><li>Spoofing on the Web</li><li>Case study – PayPal 2FA bypass</li><li>User interface best practices</li><li>Case study – Information disclosure in Simple Banking for Android</li><li>Lab – On-line password brute forcing</li></ul></li><li>Password management <ul> <li>Inbound password management <ul> <li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy <ul> <li>NIST authenticator requirements for memorized secrets</li><li>Password hardening</li><li>Using passphrases</li></ul></li><li>Case study – The Ashley Madison data breach <ul> <li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li></ul></li><li>Password database migration <ul> <li>(Mis)handling null passwords</li></ul></li></ul></li><li>Outbound password management <ul> <li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li><li>Protecting sensitive information in memory <ul> <li>Challenges in protecting memory</li></ul></li></ul></li></ul></li></ul></li><li>A08 – Software and Data Integrity Failures <ul> <li>Subresource integrity <ul> <li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li></ul></li><li>Insecure deserialization <ul> <li>Serialization and deserialization challenges</li><li>Integrity – deserializing untrusted streams</li><li>Integrity – deserialization best practices</li><li>Property Oriented Programming (POP) <ul> <li>Creating payload</li><li>Lab – Creating a POP payload</li><li>Lab – Using the POP payload</li><li>Summary – POP best practices</li></ul></li></ul></li></ul></li></ul>Security testing <ul> <li>Security testing techniques and tools <ul> <li>Code analysis <ul> <li>Static Application Security Testing (SAST)</li></ul></li><li>Dynamic analysis <ul> <li>Security testing at runtime</li><li>Penetration testing</li><li>Stress testing</li><li>Dynamic analysis tools <ul> <li>Dynamic Application Security Testing (DAST)</li><li>Web vulnerability scanners</li><li>SQL injection tools</li></ul></li><li>Fuzzing</li></ul></li></ul></li></ul>Wrap up <ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li></ul></li><li>And now what? <ul> <li>Software security sources and further reading</li></ul></li></ul>- Getting familiar with essential cyber security concepts - Learning about security specialties of the finance sector - Having essential understanding of PCI DSS requirements - Managing vulnerabilities in third party components - Understanding Web application security issues - Detailed analysis of the OWASP Top Ten elements - Putting Web application security in the context of any programming language - Going beyond the low hanging fruits - Understanding how cryptography supports security - Getting familiar with security testing techniques and toolsNone for plenary, general Web development for secure codingManagers and developers working on Web applications in finance- Cyber security basics - The OWASP Top Ten 2021 - Security testing - Wrap upDAY 1 Cyber security basics - What is security? - Threat and risk - Cyber security threat types – the CIA triad - Cyber security threat types – the STRIDE model - Consequences of insecure software - Constraints and the market - The dark side - Categorization of bugs - The Seven Pernicious Kingdoms - Common Weakness Enumeration (CWE) - CWE Top 25 Most Dangerous Software Weaknesses - Cyber security in the finance sector - Threats and trends in fintech - PCI DSS - Overview - Requirements and secure coding (Requirements 1-5) - Req. 6 – Develop and maintain secure systems and applications - Requirement 6.5 – Address common coding vulnerabilities - Requirements and secure coding (Requirements 7-12) The OWASP Top Ten 2021 - A04 – Insecure Design - The STRIDE model of threats - Secure design principles of Saltzer and Schroeder - Client-side security - Frame sandboxing - Cross-Frame Scripting (XFS) attacks - Lab – Clickjacking - Clickjacking beyond hijacking a click - Clickjacking protection best practices - Lab – Using CSP to prevent clickjacking - A05 – Security Misconfiguration - Configuration principles - Server misconfiguration - Cookie security - Cookie security best practices - Cookie attributes - XML entities - DTD and the entities - Attribute blowup - Entity expansion - External Entity Attack (XXE) - File inclusion with external entities - Server-Side Request Forgery with external entities - Lab – External entity attack - Case study – XXE vulnerability in SAP Store - Lab – Prohibiting DTD expansion - A06 – Vulnerable and Outdated Components - Using vulnerable components - Case study – The Equifax data breach - Assessing the environment - Hardening - Untrusted functionality import - Vulnerability management - Patch management - Vulnerability databases - Vulnerability rating – CVSS - Bug bounty programs - DevOps, the build process and CI / CD - A09 – Security Logging and Monitoring Failures - Logging and monitoring principles - Insufficient logging - Case study – Plaintext passwords at Facebook - Logging best practices - Monitoring best practices - Firewalls and Web Application Firewalls (WAF) - Intrusion detection and prevention - Case study – The Marriott Starwood data breach DAY 2 The OWASP Top Ten 2021 - A01 – Broken Access Control - Access control basics - Failure to restrict URL access - Confused deputy - Insecure direct object reference (IDOR) - Lab – Insecure Direct Object Reference - Authorization bypass through user-controlled keys - Case study – Authorization bypass on Facebook - Lab – Horizontal authorization - File upload - Unrestricted file upload - Good practices - Lab – Unrestricted file upload - Cross-site Request Forgery (CSRF) - Lab – Cross-site Request Forgery - CSRF best practices - CSRF defense in depth - Lab – CSRF protection with tokens - A02 – Cryptographic Failures - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - System information leakage - Leaking system information - Information exposure best practices - Cryptography for developers - Cryptography basics - Elementary algorithms - Random number generation - Pseudo random number generators (PRNGs) - Cryptographically strong PRNGs - Using virtual random streams - Lab – Using random numbers - Case study – Equifax credit account freeze - Confidentiality protection - Symmetric encryption - Block ciphers - Modes of operation - Modes of operation and IV – best practices - Lab – Symmetric encryption - Asymmetric encryption - Combining symmetric and asymmetric algorithms The OWASP Top Ten 2021 - A03 – Injection - Injection principles - Injection attacks - SQL injection - SQL injection basics - Lab – SQL injection - Attack techniques - Content-based blind SQL injection - Time-based blind SQL injection - SQL injection best practices - Input validation - Parameterized queries - Lab – Using prepared statements - Case study – Hacking Fortnite accounts - Code injection - OS command injection - OS command injection best practices - Case study – Shellshock - Lab – Shellshock DAY 3 The OWASP Top Ten 2021 - A03 – Injection - HTML injection – Cross-site scripting (XSS) - Cross-site scripting basics - Cross-site scripting types - Persistent cross-site scripting - Reflected cross-site scripting - Client-side (DOM-based) cross-site scripting - Lab – Stored XSS - Lab – Reflected XSS - Case study – XSS in Fortnite accounts - XSS protection best practices - Protection principles – escaping - Lab – XSS fix / stored - Lab – XSS fix / reflected - Additional protection layers – defense in depth The OWASP Top Ten 2021 - A07 – Identification and Authentication Failures - Authentication - Authentication basics - Multi-factor authentication - Time-based One Time Passwords (TOTP) - Authentication weaknesses - Spoofing on the Web - Case study – PayPal 2FA bypass - User interface best practices - Case study – Information disclosure in Simple Banking for Android - Lab – On-line password brute forcing - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Password policy - NIST authenticator requirements for memorized secrets - Password hardening - Using passphrases - Case study – The Ashley Madison data breach - The dictionary attack - The ultimate crack - Exploitation and the lessons learned - Password database migration - (Mis)handling null passwords - Outbound password management - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - A08 – Software and Data Integrity Failures - Subresource integrity - Importing JavaScript - Lab – Importing JavaScript - Case study – The British Airways data breach - Insecure deserialization - Serialization and deserialization challenges - Integrity – deserializing untrusted streams - Integrity – deserialization best practices - Property Oriented Programming (POP) - Creating payload - Lab – Creating a POP payload - Lab – Using the POP payload - Summary – POP best practices Security testing - Security testing techniques and tools - Code analysis - Static Application Security Testing (SAST) - Dynamic analysis - Security testing at runtime - Penetration testing - Stress testing - Dynamic analysis tools - Dynamic Application Security Testing (DAST) - Web vulnerability scanners - SQL injection tools - Fuzzing Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - And now what? - Software security sources and further reading3 Tage2250.002250.002250.002250.002250.002250.002250.002250.002250.00