Feb 17, 2018


CURRICULUM

www.sans.org/security-training/curriculums/developer

Don’t fall prey to attackers. Over 80% of today’s vulnerabilities are found in the application layer. Learn how to avoid the security issues rather than fixing the problems post design, development or deployment. Train and certify your teams and contractors in the core competencies for secure application development.

Programming Tips and Resources Inside!


SANS APPLICATION SECURITY TRAINING

SANS AppSec Curriculum 2010 www.sans-ssi.org (page 1)

Recommended Curriculum by Job Role

Job / Role in Organization: Developer, Architect, QA/Tester, Senior Developer/Technical Team Lead, Security Manager

[Diagram: recommended course paths per job role; only the courses shown in the diagram are reproduced here, grouped by the diagram’s legend.]

Design & Test
• DEV522 Defending Web Applications Security Essentials (Pg 2)
• DEV542 Web App Penetration Testing and Ethical Hacking, GWAPT (Pg 7)

Code Review
• DEV534 Secure Code Review for Java Web Apps (One-Day) (Pg 3)

Secure Coding
• DEV530 Essential Secure Coding in Java/JEE (Two-Days)
• DEV541 Secure Coding in Java/JEE (Four-Days), GSSP-JAVA (Pg 6)
• DEV543 Secure Coding in C & C++ (Two-Days) (Pg 8)
• DEV544 Secure Coding in .NET (Four-Days), GSSP-NET (Pg 9)
• DEV545 Secure Coding in PHP (Four-Days) (Pg 10)

Also shown in the diagram
• DEV304 Software Security Awareness
• DEV533 Secure Coding in .NET (Two-Days)
• DEV538 Web Application Pentesting Hands-On Immersion (Pg 5)
• SEC504 Hacker Techniques, Exploits, and Incident Handling, GCIH

For more information on these courses, visit www.sans.org/security-training/curriculums/developer

The SANS Application Security curriculum features courses for developers as well as security professionals who want to master the practical steps necessary for defending applications, systems, and networks against the most dangerous threats. The courses are intensive, immersion training full of immediately useful techniques. They were developed through a consensus process involving hundreds of developers, architects, administrators, security managers, and information security professionals. They address secure coding principles, security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of application security, secure coding, and IT security. NOTE: These courses cover the CWE/SANS Top 25 as well as the OWASP Top 10 as appropriate for each language.

SANS Software Security Institute Web site

The learning doesn’t end when class is over. The SANS Software Security Institute Web site features the App Sec Street Fighter blog, free research, news, and resources to keep you up to date with the most recent attack vectors and application vulnerabilities, as well as full course descriptions of the developer curriculum, information on GIAC certification, and upcoming events. Visit www.sans-ssi.org – new content is added regularly, so please visit often. And don’t forget to share this information with your fellow developers and security professionals.

Frank Kim

Dear Colleague,

News of data breaches, corporate hacks, and cyber crime top the headlines. It is widely accepted that many of these threats are the result of insecure software. Security should not be an afterthought for software that we rely on every day to power our Web sites, businesses, and other critical infrastructure. It is our trust in these applications that enables organizations and customers to operate and interact.

Software development is an involved process with many stakeholders throughout the SDLC. Everyone involved in creating software, from developers, architects, testers, and managers to security professionals, should have some knowledge about current security threats and the need for software assurance and security. Application security is no longer a nice-to-have; it is emerging as the minimum standard of due care for the delivery of applications that are essential to business, personal data, and our national security.

To help you build secure software and applications that are resistant to attack, SANS has created an application security curriculum with classes in secure coding, Web application security, secure code review, security testing, and software security awareness. These courses are written and taught by world-class instructors who are also everyday practitioners working on building secure applications; people who are defending their applications against the same threats you face!

SANS also has a number of free resources that cover these very threats. There are many great ways to stay informed and get involved. I hope to see you online or at an event!

Sincerely,

Frank Kim,
Application Security Curriculum Lead

CONTENTS

DEV522 Defending Web Applications Security Essentials . . . 2
DEV534 Secure Code Review for Java Web Apps . . . 3
DEV536 Secure Coding for PCI Compliance . . . 4
DEV538 Web Application Pen Testing Hands-On Immersion . . . 5
DEV541 Secure Coding in Java/JEE: Developing Defensible Applications . . . 6
DEV542 Web App Penetration Testing and Ethical Hacking . . . 7
DEV543 Secure Coding in C & C++: Developing Defensible Applications . . . 8
DEV544 Secure Coding in .NET: Developing Defensible Applications . . . 9
DEV545 Secure Coding in PHP: Developing Defensible Applications . . . 10
SANS Training Options . . . 11
Top 25 Programming Errors and SANS Corporate License . . . 12
Secure Development Techniques . . . 13-15
Application Security Resources . . . 16
Instructors . . . 17


DEV522 Defending Web Applications Security Essentials

Six-Day Course • 36 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • vLive! (page 2)

Defending Web applications is critical!

In battle an attacker is exposed and at a massive disadvantage when fighting against a well-entrenched defender. This course will teach you how to build defense-in-depth, allowing you to detect and expose an attacker early. Learn about the ‘tripwires and obstacles’ that savvy defenders use to detect, channel, and thwart attacks! The course material distills the experience of two top defenders of embattled Web sites, and builds on the industry consensus research of the CWE/SANS Top 25 programming errors (CWE 25) and the OWASP Top 10.

Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class.

The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and Web services.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming-language agnostic. Focus will be maintained on security strategies rather than coding-level implementation.

The course will cover the topics outlined by OWASP’s Top 10 risks document, as well as additional issues the authors found of importance in their day-to-day Web application development practice. Examples of the topics that will be covered include:

• Infrastructure security
• Server configuration
• Authentication mechanisms
• Application language configuration
• Application coding errors like SQL injection and cross-site scripting
• Cross-site request forgery
• Authentication bypass
• Web services and related flaws
• Web 2.0 and its use of Web services
• XPATH and XQUERY languages and injection
• Business logic flaws

The course will make heavy use of hands-on exercises. It will conclude with a large defensive exercise, reinforcing the lessons learned throughout the week.

What You Will Learn
• Security in the SDLC
• Authentication schemes for Web apps
• Authentication attacks and defense
• Access control and user management
• Cryptography in Web apps
• SSL best practices
• Session management in Web apps
• Cross-site request forgery
• Various injection attacks
• SQL injection and blind SQL injection attack and defense
• Cross-site scripting and defense
• HTTP response splitting defense
• Honeypot
• Intrusion detection within applications
• Incident handling of Web applications
• Safe single sign-on with third party
• SOAP
• XML schema attacks
• WSDL enumeration
• XPath injection
• SAML
• XML encryption
• JSON object and security
• AJAX attack scenarios

Who Should Attend
• Application developers
• Application security analysts or managers
• Application architects
• Penetration testers who are interested in learning about defense strategies
• Security professionals who are interested in learning about application security
• Auditors who need to understand defensive mechanisms in applications

DEV534 Secure Code Review for Java Web Apps

One-Day Course • 6 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnSite (page 3)

This course focuses on Web application vulnerabilities and shows you how to conduct code reviews for security by examining open source Web applications built with Java.

All software development projects produce at least one artifact – CODE! Conducting security-focused code reviews can be one of the most effective methods of finding severe application vulnerabilities and is becoming an integral part of many secure software development processes.

You will learn how to manually spot security issues and how to use an automated static analysis tool to speed up the code review process. You will also learn some practical approaches to integrating security code review into your Software Development Life Cycle (SDLC). This hands-on class culminates in a Code Review Challenge where you test what you’ve learned to find security issues in a real-world application.

Prerequisites
• A thorough knowledge of Java/JEE and Web technology
• You should be comfortable reading code
• SEC541 Secure Coding in Java/JEE is recommended, but not required, preparation for this course

Additional information: www.sans.org/security-training/secure-code-review-java-web-apps-1192-mid

What You Will Learn
• Find security issues such as
  - Cross Site Scripting (XSS)
  - Cross Site Request Forgery (CSRF)
  - SQL Injection
  - HTTP Response Splitting
  - Parameter Manipulation
  - Authentication & Authorization
  - Session Management
  - Error handling
• Conduct manual code review
• Use static analysis tools
  - FindBugs
• Integrate code review into the SDLC

Who Should Attend
• Anyone conducting code reviews on Web applications built with Java
• Enterprise Web application developers
• Professional software developers
• Java EE programmers
• Security professionals


DEV536 Secure Coding for PCI Compliance

Two-Day Course • 12 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnDemand • OnSite (page 4)

The audit procedure documents for PCI 1.2 tell the auditor that they should look for evidence that Web application programmers in a PCI environment have had “training for secure coding techniques.” The problem that many businesses are facing, however, is, “What is that and where can I get it?” This course packs a thorough explanation and examination of the OWASP Top Ten issues, which are the foundation of the PCI requirement, into a two-day course. Throughout the course we will look at examples of the types of flaws that secure coding protects against, examine how the flaw might be exploited and then focus on how to correct that code.

Coupled with the lectures, there are more than ten hands-on exercises where the students will have the opportunity to test out their new skills identifying flaws in code, fixing code, and writing secure code. All of the exercises are available in Perl, PHP, C/C++, Ruby and Java. This will allow the student to try their hand at any of the major Web application coding languages that they work with in addition to some of the supporting languages that might be at work behind the scenes. Students are not required to be familiar with all of these languages but should be proficient in at least one of them. Lectures are presented using a more or less code-neutral format.

For more information on this course, visit author Dave Hoelzer’s blog: http://www.sans.org/info/29399

Prerequisites
Students should have at least several months of coding experience, preferably Web application coding experience. It is best if the student is familiar with one of the following languages: Perl, PHP, C, C++, Java, or Ruby.

Looking for a great software development resource?

The SANS Software Security Institute Web site (www.sans-ssi.org) is a community-focused site offering AppSec professionals a one-stop resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS AppSec training, GIAC certification, and upcoming events. New content is added regularly, so please visit often. And don’t forget to share this information with your fellow application security, developer, and IT security professionals.

DEV538 Web Application Pen Testing Hands-On Immersion

Two-Day Course • 12 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnSite (page 5)

In the first half of 2008, five million Web sites were compromised by automated SQL injection attacks. The hackers’ goal was to inject links to malicious content in order to infect the users of the Web application. These automated attacks do not show any sign of stopping and will likely visit your Web applications in the near future. Don’t want to be a part of the statistics? Performing runtime testing is essential to making your Web site secure. Developer 538 is a two-day course focusing on up-to-date, hands-on testing of Web application security.

This fast-paced course is ideal for students who have a basic understanding of Web application security vulnerabilities and testing methodologies and are looking to refresh and upgrade their skill set in pen testing Web applications. It is also well suited to infrastructure pen testers who are expanding testing scope to Web applications. If you are going to be testing Web applications in the next few months, this course will help you brush up on your Web application security testing knowledge. Whatever your level is, it will give you confidence to know that you have the hands-on experience to perform testing against common vulnerabilities.

This action-packed, two-day course has a strong, hands-on focus: exercises are designed to give you experience with real-world vulnerabilities. Throughout the two days, you will be using various testing concepts to test vulnerable Web applications. The target applications are as realistic as possible. The labs are structured so both novices and intermediate students can enjoy the learning experience.

What You Will Learn
• Web Fingerprinting
• Input Manipulation
• Blind SQL Injection
• Non-obvious Session Issues
• Brute Forcing Credentials
• Cross-Site Scripting
• Code Review

Who Should Attend
• Infrastructure penetration testers who are trying to expand into pen testing Web applications
• Developers who are interested in testing their applications against common vulnerabilities
• QA testers who are responsible for testing security vulnerabilities in applications
• Information security professionals with some background in hacker exploits


DEV541 Secure Coding in Java/JEE: Developing Defensible Apps

Four-Day Course • 24 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnDemand • OnSite (page 6)
Get GSSP-JAVA Certified: www.giac.org

Learn how to code securely in Java to prevent application layer attacks – most courses simply talk about the threats – we’ll teach you to avoid them.

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive course covering a huge set of skills and knowledge; it’s not a high-level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of Java applications.

Rather than learning how to use a set of tools, you’ll learn concepts of secure programming by looking at a specific piece of code, identifying a security flaw, and implementing a fix for the flaw.

For more information visit: www.sans.org/security-training/secure-coding-in-java-jee-developing-defensible-applications-912-mid

Prerequisites
Students should have at least one year’s experience working with the JEE framework and should have thorough knowledge of the Java language and Web technology. A two-day Java essentials course is available. Visit www.sans.org/security-training/essential-secure-coding-in-java-jee-1332-mid for more details.

What You Will Learn
• Web Application Attacks & Defense
  - Cross Site Scripting (XSS)
  - Cross Site Request Forgery (CSRF)
  - SQL Injection
  - HTTP Response Splitting
  - Parameter Manipulation
• Java Security Manager
• Race conditions
• Logging & Error Handling
• Authentication
  - Basic & Forms Based Authentication
  - Client certificate Authentication
  - Spring Security
• Session Management - Attacks, Defense, and Best Practices
• Access Control
• Encryption - JSSE & JCA

Who Should Attend
• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective, including:
  - Application security auditors
  - Technical project managers
  - Senior software QA specialists
  - Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

DEV542 Web App Penetration Testing and Ethical Hacking

Assess Your Web Apps in Depth

Six-Day Course • 36 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnDemand • OnSite (page 7)
Get GWAPT Certified: www.giac.org

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do.

Day One: We will study the attacker’s view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test.

Day Two: Covers the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure.

Day Three: Continues our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery.

Day Four: Continues discovery, focusing on client-side portions of the application, such as Flash objects and Java applets.

Day Five: We will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application.

Day Six: Is a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will discover the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

What You Will Learn
• The four-step process for Web application penetration testing through detailed, hands-on exercises
• How to inject SQL into back-end databases by understanding how attackers exfiltrate sensitive data
• How to utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment
• To explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen
• The tools and methods of the attacker, so that you can be a powerful defender

Who Should Attend
• General Security Practitioners
• Web Site Designers
• Web Architects
• Developers


DEV543 Secure Coding in C & C++: Developing Defensible Apps

Two-Day Course • 12 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events (page 8)

The emphasis of the class is a hands-on examination of the practical aspects of securing C & C++ applications during development.

The C and C++ programming languages are the bedrock for most operating systems, major network services, embedded systems, and system utilities. Even though C and, to a lesser extent, C++ are well-understood languages, the flexibility of the language and inconsistencies in the standard C libraries have led to an enormous number of discovered vulnerabilities over the years. The unfortunate truth is that there are probably more undiscovered vulnerabilities than there are known vulnerabilities!

This two-day course covers all of the most common programming flaws that affect C and C++ code. The course will specifically cover the issues identified by the GSSP (GIAC Secure Software Programmer) blueprint for C/C++ with some additional items from the CERT Secure Coding Standard. Each issue is described clearly with examples. Throughout the course students are asked to identify flaws in modern versions of common open-source software to provide hands-on experience identifying these issues in existing code. Exercises also require students to provide secure solutions to coding problems in order to demonstrate mastery of the subject.

What You Will Learn
• Off-by-one errors
• Problems with NTBSs
• Causes of buffer overflows
• Causes of heap overflows
• Common memory management errors
• Integer promotion standards
• Side effects of integer promotions
• Common integer errors
• Common semaphore issues
• File I/O errors
• Review process for identifying coding errors

Who Should Attend
This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
• Software developers and architects
• Senior software QA specialists
• System and security administrators
• Penetration testers

Prerequisites
• Experience with programming in C & C++.

DEV544 Secure Coding in .NET: Developing Defensible Apps

ASP.NET and the .NET framework have provided Web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework and where you need to build security in by hand. We’ll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional Web attacks from the attacker’s perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML Web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.

Four-Day Course • 24 CPE Credits • Laptop Required
Training Options (visit page 11 for more details): Live events • OnDemand • OnSite (page 9)
Get GSSP-.NET Certified: www.giac.org

What You Will Learn
• Web Application Attacks
  - Cross Site Scripting
  - Cross Site Request Forgery (CSRF)
  - SQL Injection
  - HTTP Response Splitting
  - Parameter Manipulation
• Web Application Proxies
• Using Fiddler
• Code Access Security
• Assemblies
• Global Assembly Cache
• Execution Model
• Authentication
  - IIS / ASP.NET pluggable authentication architecture
  - Basic & Digest Authentication
  - .NET Form Based Authentication Framework
  - Windows Authentication
  - Authorization, OS security, and Impersonation
  - SSL Client Certificates
  - Authentication Policies
• .NET Encryption Services
  - Encryption Principals
  - Securing communications
  - Protecting data at rest
• Strong and Weak Named Assemblies
• The Common Language Runtime
• Security Zones
• Evidence
• Code Groups
• Permissions
• Hacking .NET Security

Who Should Attend
This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
• Software developers and architects
• Senior software QA specialists
• System and security administrators
• Penetration testers

Prerequisites
Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#. While this class briefly reviews basic Web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.


SANS Training Options

SANS AppSec Curriculum 2010 www.sans-ssi.org

TrainingOptions(Visit page 11 for more details)Live Training events • OnDemand • OnSite10

DEV545Four-Day Course

24 CPE Credits

Laptop Required

What You Will Learn• How to review code, find errors, and

fix them yourself

• Different options to authenticate users, from simple methods built into your server and browser to more complex custom authentication schemes

• How to use sessions securely and how to provide access control to resources

• Options for logging your users’ actions. We even included a section on how to connect to Web services and how to offer your own, again, with the emphasis on how to do so securely.

• Techniques to avoid SQL injection

• How to deal with uploaded files

• Procedures to securely handle credit cards

• How to send e-mail and PGP sign or encrypt it

• How to execute shell commands securely

Who Should Attend• PHP programmers

• PHP code auditors

• Security professionals who work with PHP code

11

Coding in PHP without this knowledge results in insecure code and exposes your applications and data to unnecessary risks.

PHP as a programming language has a very easy learning curve. you can get started in minutes writing complex Web sites. Sadly, this ease of use and code-as-you-go approach frequently leads to insecure code. PHP provides a lot of freedom to do things wrong.

Coding securely in PHP requires some extra thought and knowledge, which we will provide in this class. Coding in PHP without this knowledge can lead to problems, as insecure coding means exposing your data and your customers.

DEV545 covers all aspects of what is needed to code securely in PHP. We will not spend a lot of time explaining how to code in PHP. Instead we will dive right into the more advanced concepts, starting with additional PHP modules, like Suhosin, and how they can be used to harden your PHP application. We will not just tell you that input validation is important; instead, we will show you real code on how to do it right.

The course uses a Linux virtual machine for exercises with PHP 5, Apache, and MySQL, but our focus will be on PHP. Users of Apache/PHP on Windows or users of other databases, like Oracle and PostgreSQL, will find that 90% of the course applies to them as well.

Prerequisites: A good understanding of PHP and SQL is required to attend this class. A good understanding of Web-based applications is also required. Students should also have worked with PHP for at least a few months.

Secure Coding in PHP: Developing Defensible Applications

Contact SANS today to learn how we can build a custom training package using all of these formats for your organization. Having a variety of training formats allows SANS to develop the most technical and enriching training experience at the best price. We can tailor a program that allows you to take advantage of each delivery method and ensure your team receives not just the training, but the understanding they need to stay secure.

Number of People             Training Options
Individuals                  Live Training Events, OnDemand, or vLive!
Groups of 15 or More         OnSite, OnDemand, or vLive!
Large Groups of 50 or More   Enterprise Solutions: OnDemand or vLive!

Live Training Events The Most Trusted Name for Information Security Training

SANS offers classes throughout the year in many major US cities as well as Europe, Australia, Canada, Asia, India, and Dubai. These training events feature anywhere from one to over fifty classes at the same location. SANS events offer much more than just training – this is the place to network with other application security professionals, gain information on new vendor products, participate in onsite/online challenges and contests, and listen to world-class guest speakers. www.sans.org/security-training/bylocation/index_na.php

SANS OnSite Your Location - Your Schedule

With the SANS OnSite program you can bring a combination of high-quality content and world-recognized instructors to your location and realize significant savings in employee travel costs. www.sans.org/onsite

SANS vLive! Live Virtual Instruction

SANS vLive! uses cutting-edge webcast technology to provide a live classroom experience with SANS top instructors, but delivers it over the web to students participating from their homes and offices. vLive! courses are interactive and allow students to share ideas, resources and experiences with their instructors before, during, and after training sessions. Each session is also recorded, providing flexibility if a student needs to miss a session or simply wishes to review the material at a later date. www.sans.org/vlive

SANS OnDemand Online Training and Assessment

SANS OnDemand allows students to access SANS’ high-quality training ‘anytime, anywhere’ using SANS’ advanced online delivery system. Students receive training from the same top-notch SANS instructors who teach at our live training events, and the system brings the true SANS experience right to your employees’ desktops, which is convenient and saves you travel costs. Plus our integrated courseware, online assessments, hands-on exercises, and online mentor allow students to really grasp the material being taught! www.sans.org/ondemand

Page 8

SANS Corporate License

What is a Corporate License and what does it include?

• Highest-quality SANS training

• Unlimited reach

• Rapid deployment (<1 week)

• Host of extras only available to licensees

• Measurable results

• Unlimited SANS training online

• Full course curriculum

• .mp3 audio files for offline study and mobile devices

• Future proof – any new courses already included by track

• Management control tools

• SANS Reporting tools

• Updates

• Dramatically-reduced costs

How many of these questions can you answer with confidence?

• Where are the gaps in our programmers’ secure coding knowledge and skills?

• Which of our programmers and contractors have the strongest secure coding skills?

• Do any of the current job candidates or potential contractors have solid secure programming skills?

• Do we have at least one security-savvy programmer on every critical development project?

If you want a better way to answer any of these questions, consider training and save with a Corporate License.

Top 25 Programming Errors and SANS Corporate License

Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them

(Feb. 16, 2010) In Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a new list of the 25 most dangerous programming errors that enable security bugs, cyber espionage, and cyber crime. These 25 programming errors, and their “on the cusp cousins” have been the cause of nearly every major type of cyber attack, including recent penetrations of Google, power systems, military systems, and millions of other attacks on small businesses and home users. A global effort to eliminate these programming errors is the first step against organized cyber criminals, and the persistent threat from competing nation states.

In addition to the most common programming errors, acquisition experts agreed on a standard for contract language between software buyers and developers. The use of this contract language helps ensure buyers are not held liable for software containing faulty code. Coding errors are a common gateway for attackers to penetrate networks.

How Will the Top 25 Programming Errors Be Used?

The Top 25 Programming Errors will have four major impacts:

• Software buyers will be able to buy much safer software.

• Employers will be able to ensure they have programmers who can write more secure code.

• Programmers will have tools that consistently measure the security of the software they are writing.

• Colleges will be able to teach secure coding more confidently.

Secure Development Techniques

Java/JEE Tips

1) Perform data validation with a security API such as OWASP ESAPI

See the following paper for some examples that use ESAPI for data validation: www.sans.org/reading_room/application_security/protecting_web_apps.pdf

2) Use PreparedStatements with properly bound variables

BAD:
// the untrusted userid is spliced into the SQL text itself
String query = "SELECT id FROM users WHERE userid = '" + userid + "'";
PreparedStatement stmt = con.prepareStatement(query);
ResultSet rs = stmt.executeQuery();

GOOD:
// the userid is bound as a parameter value and is never parsed as SQL
String query = "SELECT id FROM users WHERE userid = ?";
PreparedStatement stmt = con.prepareStatement(query);
stmt.setString(1, userid);
ResultSet rs = stmt.executeQuery();

3) Don’t perform security-critical operations based on data from HttpServletRequest parameters

BAD:
// "role" is a client-controlled request parameter
String role = request.getParameter("role");
if (role != null && role.equals("admin")) {
    // do admin stuff
}

4) Use a framework like Spring Security or ESAPI for authentication and authorization

See the following sites for additional information: http://static.springsource.org/spring-security http://www.owasp.org/index.php/ESAPI

5) Don’t use instance variables in Servlets

BAD:
public class BadServlet extends HttpServlet {
    // don't do this! a single servlet instance serves many requests at once,
    // so every concurrent request shares this one field
    private String primaryKey;
    ...
}
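Why tip 5 matters is easiest to see by running two requests through one handler object at the same time. The following is an added example written for this page, not code from the SANS poster; it is in Python so that it runs stand-alone, and it uses a barrier to force the two requests to interleave between writing and reading the field, which is what happens nondeterministically under real load. The handler classes, the request dictionaries and the key values are constructed for the demonstration.

```python
import threading


class SharedStateHandler:
    """BAD: per-request data stored on the single handler instance that
    every concurrent request shares (the servlet instance-variable pattern)."""

    def __init__(self):
        self.primary_key = None  # one field, shared by all in-flight requests

    def handle(self, request, barrier):
        self.primary_key = request["key"]
        barrier.wait()            # stand-in for any work between the write and the read
        return self.primary_key   # may now hold another request's key


class LocalStateHandler:
    """GOOD: per-request data lives in a local variable of the handler method."""

    def handle(self, request, barrier):
        primary_key = request["key"]
        barrier.wait()
        return primary_key


def run_concurrently(handler, requests):
    """Serve all requests at once on one handler; return [(key_sent, key_used)]."""
    barrier = threading.Barrier(len(requests))
    results = [None] * len(requests)

    def worker(i):
        results[i] = (requests[i]["key"], handler.handle(requests[i], barrier))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(len(requests))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def count_mixups(results):
    """Number of requests that ended up acting on a key they did not send."""
    return sum(1 for sent, used in results if sent != used)


# Constructed sample: two requests arriving at the same moment.
REQUESTS = [{"key": "order-1001"}, {"key": "order-2002"}]

if __name__ == "__main__":
    print("shared field:", run_concurrently(SharedStateHandler(), REQUESTS))
    print("local variable:", run_concurrently(LocalStateHandler(), REQUESTS))
```

With the barrier, both requests write the shared field before either reads it, so exactly one of them acts on the other request's key; the local-variable version never does.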

Excerpt from the WhatWorks Top 35 Secure Development Techniques – See the full list at www.sans.org/whatworks/poster-spring-2010.pdf

Page 9


PHP Tips

1) Use prepared SQL statements.

BAD:
// $Username is interpolated straight into the query text
mysql_db_query("select id from users where username='$Username'");

BETTER:
// mysqli prepared statement: the value is bound, never interpolated
$Stmt = $DB->prepare("select id from users where username=?");
$Stmt->bind_param("s", $Username);
$Stmt->execute();

2) Enable and configure Suhosin

See http://www.hardened-php.net/suhosin for details about Suhosin.

3) Extract data from super globals inside validation functions only

BAD:
$UserID = $_POST['userid'];
if ( ! is_int($UserID) ) {
    $UserID = 0;
}

BETTER:
$UserID = get_userid('userid');

function get_userid($name) {
    // $_POST values are always strings, so is_int() would never be true;
    // check the characters against the allow-list instead
    if (isset($_POST[$name]) && ctype_digit($_POST[$name])) {
        return (int) $_POST[$name];
    }
    return FALSE;
}

4) Replace “print” statements with a wrapper function escaping HTML tags, like the following:

BAD:
print $value;

BETTER:
safe_out($value);

function safe_out($value) {
    // ENT_QUOTES also encodes single and double quotes, so the value is
    // safe inside quoted attributes as well as element content
    $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    print $value;
}

C and C++ Tips

1) Validate input from all untrusted data sources.

2) Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code.

3) Create a software architecture and design your software to implement and enforce security policies.

4) Keep the design as simple and small as possible.

5) Base access decisions on permission rather than exclusion.
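Java/JEE tips 2 and 3 and PHP tips 1 and 3 above come down to the same three habits: bind untrusted values as parameters instead of building SQL text from them, read request data only through a validation function with an allow-list, and take the role used for an access decision from server-side session state rather than from the request. The following is an added example written for this page, not code from the SANS poster; it is in Python rather than Java or PHP so that it runs stand-alone against the standard library's sqlite3 module, and it shows both the BAD and the GOOD lookup side by side on the same data. The users table, the account names, the parameter name and the session dictionary are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the "users" table of the Java and
# PHP snippets: three accounts, one of them an administrator.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, userid TEXT, role TEXT)")
    con.executemany("INSERT INTO users (userid, role) VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def lookup_bad(con, userid):
    """BAD (the concatenation pattern): the untrusted value becomes SQL text,
    so a value containing quotes and operators changes the query's meaning."""
    query = "SELECT id FROM users WHERE userid = '" + userid + "'"
    return sorted(row[0] for row in con.execute(query))


def lookup_good(con, userid):
    """GOOD (PreparedStatement / bind_param pattern): placeholder plus bound value.
    The driver sends the value as data; it is never parsed as SQL."""
    query = "SELECT id FROM users WHERE userid = ?"
    return sorted(row[0] for row in con.execute(query, (userid,)))


# PHP tip 3: request data is read only inside a validation function that
# returns either a value matching the allow-list or None.
USERID_PATTERN = re.compile(r"[a-z0-9_]{1,32}")  # allow-list: what a userid may look like


def get_userid(params, name="userid"):
    """Return the validated userid from the request parameters, or None."""
    value = params.get(name, "")
    if isinstance(value, str) and USERID_PATTERN.fullmatch(value):
        return value
    return None


# Java tip 3: the role for an access decision is written into the server-side
# session at login and read back from there, never from a request parameter.
def login(con, session, userid):
    """Look the account up with a bound query and record its role in the session."""
    row = con.execute("SELECT role FROM users WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        session.clear()
        return False
    session["userid"] = userid
    session["role"] = row[0]
    return True


def authorize_admin(session, params):
    """Admin check. params is accepted only to make the point explicit: a
    role=admin field sent by the client is never consulted; the session's role is."""
    return session.get("role") == "admin"


if __name__ == "__main__":
    con = make_db()
    print("bound lookup for alice:", lookup_good(con, "alice"))
    print("validated userid:", get_userid({"userid": "alice"}))
```

The test below drives it with one ordinary value and one value that contains a quote and an OR clause: the bound lookup returns nothing for it, because no userid is literally that string, while the concatenated lookup returns every row.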

.NET Tips

1) For data validation, follow the Constrain, Reject/Replace, Assign (to local variable) paradigm.

2) Use a validation abstraction layer to make validating data easier and more consistent.

3) Validate data from any and all untrusted sources – including cookies, URL parameters, Form Fields, HTTP Headers, as well as inputs from external systems.

Code example combined for first three items above:

string sanitizedLastName = null;
if (ValidationUtility.TryValidateAndSanitizeLastName(txtLastName.Text, out sanitizedLastName)) {
    // Success, use sanitizedLastName. Never use txtLastName.Text
    // again. Simplifies code review.
} else {
    // Failed, NEVER display txtLastName.Text back to user or use
    // again in code
}

using System.Text.RegularExpressions;

// Centralize Validation
public class ValidationUtility {
    public static bool TryValidateAndSanitizeLastName(string unsanitizedLastName, out string sanitizedLastName) {
        // Fail Securely
        bool isValid = false;
        // Step 1: Constrain. Use whitelists, not blacklists.
        // (the null check keeps Regex.IsMatch from throwing on a missing value)
        if (unsanitizedLastName != null &&
            Regex.IsMatch(unsanitizedLastName, "^[a-z']+$", RegexOptions.IgnoreCase)) {
            // Step 2: Replace, substitute any potential bad characters with
            // something safe for storage. E.g., the tick ' char with the
            // pipe | char
            unsanitizedLastName = unsanitizedLastName.Replace('\'', '|');
            isValid = true;
            // 3. Assign
            sanitizedLastName = unsanitizedLastName;
        } else {
            // Communicate intent to humans reading the code.
            isValid = false;
            sanitizedLastName = null;
        }
        return isValid;
    }
}

4) Use Microsoft’s AntiXSS library to counter XSS attacks. Encode all untrusted output.

Available AntiXSS methods: HtmlEncode(), HtmlAttributeEncode(), JavascriptEncode(), VisualBasicScriptEncode(), UrlEncode(), XmlEncode(), XmlAttributeEncode().

<div>Welcome, <%= AntiXss.HtmlEncode(Request.Form["FullName"]) %></div>

“Personally, I favor coding in unstructured languages like Perl and PHP for all the wrong reasons.”

-Johannes Ullrich, PhD

Page 10

Application Security Resources

1. Assessments: Assessments to gauge developers’ and contractors’ abilities to code securely in a specific language: Java and .NET. Contact [email protected] for more information.

2. Top 25 Programming Errors: Learn about the 25 most dangerous programming errors that enable security bugs, cyber espionage, and cyber crime. See page 12 for more information.

www.sans.org/top25-programming-errors

3. Procurement language: Draft language to help you ensure that contracts for application development, management and maintenance require the contractors to consider and build security into the process. This concept has proven critical to countless organizations by helping them to avoid security issues late in the development cycle and by eliminating or significantly mitigating potential threats resulting from insecure code.

www.sans.org/appseccontract

4. Get GIAC Certified: GIAC certifications allow individuals to prove that they are trained and qualified to work on the development and maintenance of your critical applications. GIAC is ANSI accredited. Certifications are available in the following key application security disciplines:

• GWAPT GIAC Web Application Penetration Tester – This certification measures an individual’s understanding of Web application exploits and penetration testing methodology.

• GSSP-JAVA GIAC Secure Software Programmer in Java

• GSSP-.NET GIAC Secure Software Programmer in .NET

• GSSP-C GIAC Secure Software Programmer in C & C++

The GIAC Secure Software Programmer was designed for individuals who are responsible for coding secure software applications, identifying shortfalls in the security knowledge of other programmers, and ensuring other programmers have adequate secure coding skills, and who need advanced secure programming skills. GIAC Certified Secure Software Programmers (GSSP) have the knowledge, skills, and abilities to write secure code and recognize security shortcomings in existing code.

5. Stay In Touch with the AppSec Community: Find free resources and materials related to application security. The SANS Software Security Institute Web site features the App Sec Street Fighter blog, free research, news, and resources to keep you up to date with the most recent attack vectors and application vulnerabilities, as well as full course descriptions of the developer curriculum, information on GIAC certification, and upcoming events. New content is added regularly, so please visit often. And don’t forget to share this information with your fellow developers and security professionals. www.sans-ssi.org

6. Application Security Street Fighter Blog: https://blogs.sans.org/appsecstreetfighter

7. AppSec - Discuss: Alumni listserv to facilitate discussion between alumni of appsec courses. Allows alumni to share knowledge and keep from reinventing the wheel.

Instructors

Frank Kim - SANS Certified Instructor and Curriculum Lead for SANS’ Application Security Curriculum Frank Kim is a co-founder and principal with Think Security Consulting (www.thinksec.com), a San Francisco Bay area based application security consulting firm. Frank is an author and instructor for SANS SEC541: Secure Coding in Java/JEE. He has over ten years of experience developing applications using Java/Java EE and has designed and developed Web applications for large health care, technology, insurance, and consulting companies. Frank currently focuses on integrating security into the software development life cycle by doing penetration testing, security assessments, architecture reviews, code reviews, and training. Frank holds the CISSP, GPEN, GCIH, GCFA, GCIA, and GSSP-Java certifications and is a Sun Certified Java Developer and Programmer.

Johannes Ullrich, PhD - SANS Certified Instructor As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips.

Jason Lam - SANS Certified Instructor Jason is a senior security analyst at a major financial institution in Canada. His recent SANS Institute courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion. Jason started his career as a programmer before moving on to ISP network administration, where he handled network security incidents, which sparked his interest in information security. Jason specializes in Web application security, penetration testing, and intrusion detection. He currently holds a BA in computer science from York University in Toronto, Ontario, as well as the CISSP, GCIA, GCFW, GCUX, GCWN, and GCIH certifications.

Kevin Johnson - SANS Certified Instructor Kevin Johnson is a senior security analyst with InGuardians, LLC. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin founded and leads the development on the Basic Analysis and Security Engine (BASE) project, the most popular Web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Pen Testing and Ethical Hacking. He has presented to many organizations, including Infragard, ISACA, ISSA, and the University of Florida.

Tanya Baccam - SANS Senior Instructor Tanya is a SANS senior instructor as well as a SANS courseware author. She provides many security consulting services for clients, such as system audits, vulnerability and risk assessments, database audits, and Web application audits. Tanya has previously worked as the director of assurance services for a security services consulting firm and the manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Throughout her career she’s consulted with many clients about their security architecture, including areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. She has played an integral role in developing multiple business applications and currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, CCNA, and Oracle DBA certifications.

Megan Restuccia - SANS Certified Instructor Megan is currently a certified instructor with the SANS Institute as well as a vice president at Morgan Stanley. She has over 14 years’ experience in information technology with an extensive background in networking in Unix/Linux and Windows environments for both small and large implementations. Megan currently holds professional certifications, including RHCE, CCWD, CISSP, GSEC, and GIAC GREM, and a certificate in GGSC. She also holds a BS in computer science and an MBA from Columbia University. Megan’s most recent focuses were on DLP, security regulations, secure applications design and training, secure infrastructure design, and desktop encryption.

David Rice - SANS Senior Instructor David Rice is an internationally recognized cyber security expert, consulting director for policy reform at the U.S. Cyber Consequences Unit, and author of the critically acclaimed book Geekonomics: The Real Cost of Insecure Software. Mr. Rice is a key figure shaping the discussion of cyber security, and his work impacts both U.S. and European cyber security policy. As director of The Monterey Group, a private consulting firm, Mr. Rice advises a variety of clients on a range of issues, including cyber strategy development and execution, corporate cyber risk management, cyber security metrics, identity management, and secure software development practices.

Jason Montgomery Jason Montgomery is a principal of Active Technologies Group, Inc. (ATGi), an international technology consulting firm based in Columbus, Ohio. Jason leads ATGi’s Software & Application Security practice, which evolved out of ATGi’s 15 years of real-world application development experience. Jason has over 14 years of development experience building applications for Fortune 500 companies, Internet Start-ups, as well as State and Federal Government organizations. As a contractor for the Department of Defense, he hardened servers, provided security guidance to developers, revealed and helped mitigate vulnerabilities in federal systems, and built custom applications.

Page 11

8120 Woodmont Avenue, Suite 205, Bethesda, MD 20814

This is a must-attend event for anyone involved in application security. Top instructors will teach you how to write secure code and ensure your applications are safe from hackers.

Details about the event will be available soon, but you can stay informed by visiting

www.sans-ssi.org