Web Application Security for PCI DSS (WASEC-PCIDSS) – Outline

Detailed Course Outline

DAY 1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types – the CIA triad
  • Cyber security threat types – the STRIDE model
  • Consequences of insecure software
  • Constraints and the market
  • The dark side
  • Categorization of bugs
    • The Seven Pernicious Kingdoms
    • Common Weakness Enumeration (CWE)
    • CWE Top 25 Most Dangerous Software Weaknesses
  • Cyber security in the finance sector
    • Threats and trends in fintech
  • PCI DSS
    • Overview
    • Requirements and secure coding (Requirements 1-5)
    • Requirement 6 – Develop and maintain secure systems and applications
    • Requirement 6.5 – Address common coding vulnerabilities
    • Requirements and secure coding (Requirements 7-12)

The OWASP Top Ten 2021

  • A04 – Insecure Design
    • The STRIDE model of threats
    • Secure design principles of Saltzer and Schroeder
    • Client-side security
      • Frame sandboxing
        • Cross-Frame Scripting (XFS) attacks
        • Lab – Clickjacking
        • Clickjacking beyond hijacking a click
        • Clickjacking protection best practices
        • Lab – Using CSP to prevent clickjacking
  • A05 – Security Misconfiguration
    • Configuration principles
    • Server misconfiguration
    • Cookie security
      • Cookie security best practices
      • Cookie attributes
    • XML entities
      • DTD and the entities
      • Attribute blowup
      • Entity expansion
      • External Entity Attack (XXE)
        • File inclusion with external entities
        • Server-Side Request Forgery with external entities
        • Lab – External entity attack
        • Case study – XXE vulnerability in SAP Store
        • Lab – Prohibiting DTD expansion
  • A06 – Vulnerable and Outdated Components
    • Using vulnerable components
    • Case study – The Equifax data breach
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Vulnerability management
      • Patch management
      • Vulnerability databases
      • Vulnerability rating – CVSS
      • Bug bounty programs
      • DevOps, the build process and CI / CD
  • A09 – Security Logging and Monitoring Failures
    • Logging and monitoring principles
    • Insufficient logging
    • Case study – Plaintext passwords at Facebook
    • Logging best practices
    • Monitoring best practices
    • Firewalls and Web Application Firewalls (WAF)
    • Intrusion detection and prevention
    • Case study – The Marriott Starwood data breach

DAY 2

The OWASP Top Ten 2021

  • A01 – Broken Access Control
    • Access control basics
    • Failure to restrict URL access
    • Confused deputy
      • Insecure direct object reference (IDOR)
      • Lab – Insecure Direct Object Reference
      • Authorization bypass through user-controlled keys
      • Case study – Authorization bypass on Facebook
      • Lab – Horizontal authorization
    • File upload
      • Unrestricted file upload
      • Good practices
      • Lab – Unrestricted file upload
    • Cross-site Request Forgery (CSRF)
      • Lab – Cross-site Request Forgery
      • CSRF best practices
      • CSRF defense in depth
      • Lab – CSRF protection with tokens
  • A02 – Cryptographic Failures
    • Information exposure
      • Exposure through extracted data and aggregation
      • Case study – Strava data exposure
      • System information leakage
        • Leaking system information
      • Information exposure best practices
    • Cryptography for developers
      • Cryptography basics
      • Elementary algorithms
        • Random number generation
          • Pseudorandom number generators (PRNGs)
          • Cryptographically strong PRNGs
          • Using virtual random streams
          • Lab – Using random numbers
          • Case study – Equifax credit account freeze
      • Confidentiality protection
        • Symmetric encryption
          • Block ciphers
          • Modes of operation
          • Modes of operation and IV – best practices
          • Lab – Symmetric encryption
        • Asymmetric encryption
        • Combining symmetric and asymmetric algorithms

The OWASP Top Ten 2021

  • A03 – Injection
    • Injection principles
    • Injection attacks
    • SQL injection
      • SQL injection basics
      • Lab – SQL injection
      • Attack techniques
      • Content-based blind SQL injection
      • Time-based blind SQL injection
    • SQL injection best practices
      • Input validation
      • Parameterized queries
      • Lab – Using prepared statements
      • Case study – Hacking Fortnite accounts
    • Code injection
      • OS command injection
        • OS command injection best practices
        • Case study – Shellshock
        • Lab – Shellshock

DAY 3

The OWASP Top Ten 2021

  • A03 – Injection
    • HTML injection – Cross-site scripting (XSS)
      • Cross-site scripting basics
      • Cross-site scripting types
        • Persistent cross-site scripting
        • Reflected cross-site scripting
        • Client-side (DOM-based) cross-site scripting
      • Lab – Stored XSS
      • Lab – Reflected XSS
      • Case study – XSS in Fortnite accounts
      • XSS protection best practices
        • Protection principles – escaping
        • Lab – XSS fix / stored
        • Lab – XSS fix / reflected
        • Additional protection layers – defense in depth

The OWASP Top Ten 2021

  • A07 – Identification and Authentication Failures
    • Authentication
      • Authentication basics
      • Multi-factor authentication
      • Time-based One-Time Passwords (TOTP)
      • Authentication weaknesses
      • Spoofing on the Web
      • Case study – PayPal 2FA bypass
      • User interface best practices
      • Case study – Information disclosure in Simple Banking for Android
      • Lab – On-line password brute forcing
    • Password management
      • Inbound password management
        • Storing account passwords
        • Password in transit
        • Lab – Is just hashing passwords enough?
        • Dictionary attacks and brute forcing
        • Salting
        • Adaptive hash functions for password storage
        • Password policy
          • NIST authenticator requirements for memorized secrets
          • Password hardening
          • Using passphrases
        • Case study – The Ashley Madison data breach
          • The dictionary attack
          • The ultimate crack
          • Exploitation and the lessons learned
        • Password database migration
          • (Mis)handling null passwords
      • Outbound password management
        • Hard-coded passwords
        • Best practices
        • Lab – Hardcoded password
        • Protecting sensitive information in memory
          • Challenges in protecting memory
  • A08 – Software and Data Integrity Failures
    • Subresource integrity
      • Importing JavaScript
      • Lab – Importing JavaScript
      • Case study – The British Airways data breach
    • Insecure deserialization
      • Serialization and deserialization challenges
      • Integrity – deserializing untrusted streams
      • Integrity – deserialization best practices
      • Property Oriented Programming (POP)
        • Creating payload
        • Lab – Creating a POP payload
        • Lab – Using the POP payload
        • Summary – POP best practices

Security testing

  • Security testing techniques and tools
    • Code analysis
      • Static Application Security Testing (SAST)
    • Dynamic analysis
      • Security testing at runtime
      • Penetration testing
      • Stress testing
      • Dynamic analysis tools
        • Dynamic Application Security Testing (DAST)
        • Web vulnerability scanners
        • SQL injection tools
      • Fuzzing

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
  • And now what?
    • Software security sources and further reading