Securing Web Applications | 2021 OWASP Top Ten and Beyond (Language Neutral)

Upon completion of this course, students will be able to:

• Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
• Establish the first axiom in security analysis of ALL web applications for this course and beyond
• Establish the first axiom in addressing ALL security concerns for this course and beyond
• Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
• Identify defect/bug reporting mechanisms within their organizations
• Avoid common mistakes that are made in bug hunting and vulnerability testing
• Develop an appreciation for the need and value of a multilayered defense in depth
• Understand potential sources for untrusted data
• Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
• Understand the vulnerabilities of associated with authentication and authorization
• Detect, attack, and implement defenses for authentication and authorization functionality and services
• Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
• Detect, attack, and implement defenses against XSS and Injection attacks
• Understand the risks associated with XML processing, software uploads, and deserialization and how to best eliminate or mitigate those risks
• Learn the strengths, limitations, and use for tools such as code scanners, dynamic scanners, and web application firewalls (WAFs)
• Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure
• Identify resources to use for ongoing threat intelligence
• Plan next steps after completion of this training

This is an overview-level , lecture and demonstration style course, designed to provide technical application project stakeholders with a first-look or baseline understanding of how to develop well defended web applications.
 

Real-world programming experience is highly recommended for code reviews, but not required.
 

Bug Hunting Foundation Why Hunt Bugs?

• The Language of Cybersecurity
• The Changing Cybersecurity Landscape
• AppSec Dissection of SolarWinds
• The Human Perimeter
• Interpreting the 2021 Verizon Data Breach Investigation Report
• First Axiom in Web Application Security Analysis
• First Axiom in Addressing ALL Security Concerns
• Lab: Case Study in Failure

Safe and Appropriate Bug Hunting/Hacking

• Working Ethically
• Respecting Privacy
• Bug/Defect Notification
• Bug Bounty Programs
• Bug Hunting Mistakes to Avoid

Moving Forward From Hunting Bugs Removing Bugs

• Open Web Application Security Project (OWASP)
• OWASP Top Ten Overview
• Web Application Security Consortium (WASC)
• CERT Secure Coding Standards
• Microsoft Security Response Center
• Software-Specific Threat Intelligence

Foundation for Securing Web Applications Principles of Information Security

• Security is a Lifecycle Issue
• Minimize Attack Surface Area
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted
• AppSec Dissection of the Verkada Exploit

Bug Stomping 101 Unvalidated Data

• Buffer Overflows
• Integer Arithmetic Vulnerabilities
• Defining and Defending Trust Boundaries
• Rigorous., Positive Specifications
• Whitelisting vs Blacklisting
• Challenges: Free-Form Text, Email Addresses, and Uploaded Files

A01: Broken Access Control

• Elevation of Privileges
• Insufficient Flow Control
• Unprotected URL/Resource Access/Forceful Browsing
• Metadata Manipulation (JWTs)
• CORS Misconfiguration Issues
• Cross Site Request Forgeries (CSRF)
• CSRF Defenses
• Lab: Spotlight: Verizon

A02: Cryptographic Failures

• Identifing Protection Needs
• Evolving Privacy Considerations
• Options for Protecting Data
• Transport/Message Level Security
• Weak Cryptographic Processing
• Keys and Key Management
• NIST Recommendations

A03: Injection

• Injection Flaws
• SQL Injection Attacks Evolve
• Drill Down on Stored Procedures
• Other Forms of Server-Side Injection
• Minimizing Injection Flaws
• Client-side Injection: XSS
• Persistent, Reflective, and DOM-Based XSS
• Best Practices for Untrusted Data

A04: Insecure Design

• Secure Software Development Processes
• Shifting Left
• Cost of Continually Reinventing
• Leveraging Common AppSec Practices and Control
• Paralysis by Analysis
• Actionable Application Security
• Additional Tools for the Toolbox
• Lab: Actionable AppSec

A05: Security Misconfiguration

• System Hardening
• Risks with Internet-Connected Resources (Servers to Cloud)
• Minimalist Configurations
• Application Whitelisting
• Secure Baseline
• Segmentation with Containers and Cloud
• Demo / Lab: Configuration Guidance
• Resolution of External References
• Safe XML Processing

Bug Stomping 102 A06: Vulnerable and Outdated Components

• Vulnerable Components
• Software Inventory
• Managing Updates: Balancing Risk and Timeliness
• AppSec Dissection of Ongoing Microsoft Exchange Exploits
• Lab: Spotlight: Equifax

A07: Identification and Authentication Failures

• Quality and Protection of Authentication Data
• Proper hashing of passwords
• Handling Passwords on Server Side
• Session Management
• HttpOnly and Security Headers

A08: Software and Data Integrity Failures

• Serialization / Deserialization
• Issues with Consuming Vulnerable Software
• Using Trusted Repositories
• CI/CD Pipeline Issues
• Protecting Software Development Resources

A09: Security Logging and Monitoring Failures

• Detecting Threats and Active Attacks
• Best Practices for Determining What to Log
• Safe Logging in Support of Forensics
• Lab: Auditing and Logging Guidance

A10: Server-Side Request Forgery (SSRF)

• Understanding SSRF
• Remote Resource Access Scenarios
• Complexity of Cloud Services
• SSRF Defense in Depth
• Positive Allow Lists

Moving Forward Applications: What Next?

• Common Vulnerabilities and Exposure
• CWE/SANS Top 25 Most Dangerous SW Errors
• Strength Training: Project Teams/Developers
• Strength Training: IT Organizations
• Lab: Spotlight: Capital One

Additional Topics: Time Permitting SDL Overview

• Attack Phases: Offensive Actions and Defensive Controls
• Secure Software Development Processes
• Shifting Left
• Actionable Items Moving Forward

SDL in Action

• Risk Escalators
• Risk Escalator Mitigation
• SDL Phases
• Actions for each SDL Phase
• SDL Best Practices