Software Development Security
Section 1: Introduction to Secure Software Development Lifecycle
Secure Software Development Lifecycle (Secure SDLC).
SDLC maturity models and frameworks (OWASP SAMM, BSIMM, Microsoft SDL).
SDLC practices for Agile:
Training.
Governance and metrics.
Policies.
Security Requirements Definitions.
Quality gates/Bug bars.
Security and Privacy risk assessments and reviews.
Design requirements.
Attack surface analysis and reviews.
Threat modeling.
Safe development tools.
Unsafe functions.
Secure coding guidelines.
Static analysis.
Dynamic analysis.
Fuzz testing.
Incident response planning.
Secure configuration guidelines.
Operational security practices.
Secure SDLC implementation guidelines.
Writing good use cases and abuse cases.
Setting the right priorities.
Section 2: JavaScript and Web security
JavaScript security model.
Same-origin policy.
Frame sandboxing.
Content security policy.
Cross-Origin Resource Sharing (CORS).
JavaScript signing.
Web Workers security.
Differences in the browser implementations of security features.
Common vulnerabilities:
Cross-Site Scripting.
Reflected XSS.
Stored XSS.
DOM XSS.
Universal XSS (Flash, etc.).
Vulnerable components (JavaScript libraries, Browser plugins).
Lack of CSRF tokens.
Lack of authentication for Ajax requests.
Java applet exploits.
Weak same-origin policy relaxation (document.domain, permissive CORS).
Weak SSL/TLS protection. SSL stripping. Man-in-the-middle attacks.
Insecure server headers.
Insecure cookie flags.
Insecure WebSockets.
Privacy issues (geolocation, video recording, microphone access).
Clickjacking.
Unsafe coding practice: innerHTML, document.write, eval.
Insecure session management. Session fixation. Weak session timeouts.
Unsafe URL redirects.
SQL injections.
XML and XPath injections.
Other injections (LDAP, OS command, etc.).
Business logic flaws.
Concurrency and race conditions issues.
Unsafe deserialization.
Unsafe signatures (hash length extension attacks).
DDoS attacks and defenses.
SOAP and REST services security.
Metadata leak.
Backup files.
Social engineering attacks and protection measures.
Password policies and account management.
Admin interfaces.
Improper error handling.
Hardcoded credentials.
Directory traversal.
Section 3: .NET and C# security
Managed code.
.NET runtime.
.NET security model.
App domains.
Windows security architecture.
Privileges.
Access rights.
ACL management. Null DACL.
Service security groups.
Integrity levels.
Delegation and impersonation.
Declarative and imperative application permissions.
Class security.
XSS protection.
CSRF tokens.
SQL injection protection.
SSL.
Authentication and authorization.
Cryptography functions.
Weak random number generators.
Secure password and key storage.
Auditing and logging.
Viewstate signing.
Unsafe reflection.
Number overflow handling.
Unsafe native libraries and memory corruption vulnerabilities.
Unsafe array access.
Safe resource permissions (file system, registry, mutexes, etc.).
Secure interprocess communication.
Code signing.
DLL hijacking.
Certificate pinning.
Thread safety mechanisms.
Obfuscation.
Security of active browser components.
Windows Firewall.
IPv6 support note.
Secure service communication with desktop.
CardSpace.
Section 4: Java specifics
Java Virtual Machine (JVM) and Java Runtime Environment (JRE).
Bytecode verifier and class loader.
Security Manager and Access Controller, managing permissions policy.
Java Native Interface (JNI).
Secure Sockets Layer (SSL).
Code signing.
Integer overflow. CVE-2013-1493.
Unsafe deserialization. CVE-2008-5353.
Unsafe reflection. CVE-2004-2331.
Unsafe inner classes.
CERT coding guidelines.
Oracle coding guidelines.
Section 5: Android specifics
Android security architecture.
SELinux.
Android permissions.
Unix security (process, user, filesystem).
Dalvik.
ART.
Dex file format.
SQL injection for content providers.
Activity hijacking.
Broadcast Theft.
Service hijacking.
Broadcast injection.
Insecure pending intents.
DoS via missing null checks.
Intent injection.
Log injection.
Weak random number generators.
OWASP TOP10 mobile risks for Android.
Unofficial markets.
Section 6: iOS specifics
iOS security architecture.
iOS Secure Coding Guide.
iOS sandbox.
iOS permissions.
iOS DRM.
UIWebView risks.
Mach-O file format.
Keyboard caching.
Insecure URL handlers.
SQL injections.
Keychain.
UDID leaks.
OWASP top 10 mobile risks for iOS.
Section 7: Software protection
Mobile application protection techniques for Android and iOS: root and jailbreak detection, protection against static and dynamic analysis.