T1518

Microsoft SDL core training

The combined SDL core training gives an insight into secure software design, development and testing through the Microsoft Security Development Lifecycle (SDL). It provides a level 100 overview of the fundamental building blocks of the SDL, followed by design techniques for detecting and fixing flaws in the early stages of the development process.

Audience

Project managers, software developers, architects and testers

Prior knowledge

Basic software development

Language

The course is taught in English (Contact us if you prefer Swedish).

Courseware

Material in English

Dealing with the development phase, the course gives an overview of the typical security-relevant programming bugs in both managed and native code. Attack methods are presented for the discussed vulnerabilities along with the associated mitigation techniques, all explained through a number of hands-on exercises providing live hacking fun for the participants. An introduction to different security testing methods is followed by a demonstration of the effectiveness of various testing tools. Participants learn how these tools work through a number of practical exercises, applying the tools to the vulnerable code discussed earlier.

Principles and techniques: CIA (Confidentiality, Integrity, Availability), the STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), attack surface reduction, defense in depth, principle of least privilege, secure defaults, threat modeling, attack trees, misuse cases, the STRIDE-per-element approach, diagram validation; risk assessment, white- and black-box testing, penetration testing, code review and structured code review, automated testing; privacy compliance, types of privacy-sensitive data, Privacy Enhancing Technologies (PET) and best practices.

Security vulnerability highlights: Buffer Overflow (BOF), integer problems in C, Java and .NET, the Calendar/ZoneInfo deserialization bug (CVE-2008-5353) in Java, Java Denial-of-Service (DoS) (the “2.2250738585072012e-308 bug”), problems with inner classes in Java, string termination attacks, implementation of ICloneable, using the [Serializable] attribute, attacking PostBack and ViewState, password management, weak cryptography, and many more...

Exercises and demonstrated tools: exploiting stack overflow – executing shellcode; applying mitigation techniques; circumventing them with a return-to-libc attack; exploring SQL Injection; committing Cross-Site Scripting (XSS); security scanner tools; exploit collections; Google hacking; blind SQL injection tools; XSS testers; proxy servers and sniffers; fuzzers; source code analyzers.

The training is delivered in collaboration with

Course ID: T1518
Length: 2 days
Price excl. VAT: 20 450 kr

Leave your contact details if you would like an in-house training.