~ Outlines are based on CertNexus CSC (Cyber Secure Coder)
Secure coding is a set of practices that applies security considerations to how software will be coded and encrypted to best defend against cyber attack or vulnerabilities. [NTT Security AppSec Solutions]
- What is secure coding? - developer.tech.gov.sg
{Awesome Works in Progress}
- Identifying the Need for Security in Your Software Projects
- Handling Vulnerabilities
- Designing for Security
- Developing Secure Code
- Implementing Common Protections
- Testing Software Security
- Maintaining Security in Deployed Software
- References
- Security Throughout the Development Process
- What are the Microsoft SDL practices? - microsoft.com
- Microsoft Security Development Lifecycle (SDL) - microsoft.com
- Understand the information security lifecycle - protectivesecurity.govt.nz
- Business Requirements
- All stakeholders should be involved
- Engaging Stakeholders for Project Success - pmi.org
- Standards and Compliance Requirements
- Government Regulations e.g.
- HIPAA - Health Insurance Portability and Accountability Act
- FISMA - Federal Information Security Management Act
- SOX - Sarbanes-Oxley Act
- GLBA - Gramm-Leach-Bliley Act
- New York State Information Security Breach and Notification Act
- FFIEC - Federal Financial Institutions Examination Council
- GDPR - General Data Protection Regulation (EU)
- CCPA - California Consumer Privacy Act
- NCSS and NIAF (UAE)
- Industry Standards e.g.
- COBIT - Control Objectives for Information and Related Technology
- ITIL - Information Technology Infrastructure Library
- ISO/IEC 27000 - Information Security Management System Standards
- GASSP/GAISP - Generally Accepted System Security Principles and Generally Accepted Information Security Principles
- SABSA - Sherwood Applied Business Security Architecture
- NIST - National Institute of Standards and Technology
- PCI DSS - Payment Card Industry Data Security Standard
- Cases
- Microsoft compliance offerings - Learn how Microsoft products and services help your organization meet regulatory compliance standards.
- User Impact
- Colonial Hack Shows U.S. Must Diversify Its Oil Reserves - bloomberg.com
- HAFNIUM targeting Exchange Servers with 0-day exploits
- An unprecedented step: the FBI remotely hacks hundreds of computers - alarabiya.net
- Stuxnet | A Weapon We Can’t Control - nytimes.com
- Zero-day
- World's Biggest Data Breaches & Hacks - informationisbeautiful.net
- User Expectations
- Users expect applications to operate in a secure manner and without any error.
- Sample Terms of Use Template - termsfeed.com
- Platform Requirements
- Consequences of Not Meeting Security Requirements
- Guidelines for Identifying Security Requirements and Expectations
- Identify sources of security requirements
- Elicit and prioritize security requirements
- Meet Standards and Compliance Requirements
- Identifying Security Requirements and Expectations
- Three Ps of Software Security
- The 3 Ps of Comprehensive Cybersecurity - cisco.com
- The 3 P’s of Cybersecurity - cmitsolutions.com
- Software Security Terminology
- The Dummies Guide to Cyber Security Terminology - metacompliance.com
- Identifying Factors That Undermine Security
- Builders and Breakers
- Hacking
- Hacking - malwarebytes.com
- Ethical hacker ⭐ - techtarget.com
- Different Types of Hackers: The 6 Hats Explained - sectigostore.com
- Phases of an Attack
- The seven phases of a cyber attack - dnv.com
- Common Attack Patterns
- The 5 Most Common Attack Patterns of 2014 - tripwire.com
- List of Attacks (OWASP) 🌟 - owasp.org
- Flood Attacks, also known as Denial of Service (DoS) attacks. In a flood attack, attackers send a very high volume of traffic to a system so that it can no longer examine and admit legitimate network traffic.
- Reconnaissance
- Gain Access Privileges
- Brute force attacks
- How Secure is My Password - howsecureismypassword.net
- Popular tools for brute-force attacks 📰 - infosecinstitute.com
- Authentication abuse
- Authentication bypass
- Brute force attacks
- Memory Manipulation
- Reverse Engineering
- Functionality misuse
- What Is Phishing? - comptia.org
- Sustained Client Engagement
- Action Spoofing
- Case Study: Protecting Against a Password Attack
- Case Studies in Poor Password Management - infosecinstitute.com (Dimitar Kostadinov)
- Guidelines for Identifying Software Security Vulnerabilities
- Identifying Vulnerabilities in an Application
- Cracking a Password Hash
- MD5 Hash Generator - md5hashgenerator
- Password Hash Cracker - crackstation.net
- Password Cracking with Hashcat - cryptokait.com
- How to crack passwords with Hashcat
- Fixing a Password Hash Vulnerability
- Vulnerability Intelligence
- Enabling Defenders With Vulnerability Intelligence - fireeye.com
- Exploits
- Guidelines for Researching Vulnerabilities and Exploits
- CAPEC - Common Attack Pattern Enumerations and Classifications - mitre.org | MITRE
- Identifying Sources for Vulnerability Intelligence
- Software Defects
- Difference between Defect, Error, Bug, Failure and Fault! - 360logica.com
- Causes of Software Defects
- Flaw in the design; Bugs; 3rd party code; Change in the context; ...
- Guidelines for Preventing Security Defects
- Preventing Security Defects
- Problems in Third-Party Code
- Problems in Standard Libraries
- Dependencies
- Encryption Validation
- Security of Host Systems and Service Providers
- Guidelines for Using Third-Party Code and Services
- Host Platform Configuration
- Hypervisor Vulnerabilities
- What is a hypervisor? - vmware.com
- The vulnerabilities of hypervisors - techadvisory.org
- Guidelines for Managing Vulnerabilities in External Hosts and Services
- Identifying Vulnerabilities in a Software Project
- Examining the Project Files
- Error Messaging
- Error Handling
- Improper Error Handling - owasp.org
- Fail-Safe | A system or plan that comes into operation in the event of something going wrong or that is in place to prevent such an occurrence.
- Failure Recovery
- Guidelines for Secure Error Handling
- Identifying Software Defects and Misconfiguration
- The Human Element in Software Security
- Vulnerabilities Attributed to the Human Element
- Social Engineering Attacks
- 5 Social Engineering Attacks to Watch Out For - David Bisson
- User Input
- Input Validation
- Input Validation Cheat Sheet - owasp.org
- Syntactic validation should enforce correct syntax of structured fields (e.g. SSN, date, currency symbol).
- Semantic validation should enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).
- Tools
- RegEx Tester - regextester.com
- Blacklist vs Whitelist
- Input Validation Cheat Sheet - owasp.org
- Security Policy Enforcement
- Guidelines for Managing People Risks
- Managing People Risks
- Development Process Approaches
- Building Security In
- The CIA Triad
- Requirements Phase
- Design Phase
- Development Phase
- Testing Phase
- Security Testing Tools
- Deployment Phase
- Maintenance Phase
- Development Process Security
- Guidelines for Software Development Processes
- Managing Software Development Process Risks
- Security in the Design Phase
- ~50% of software security issues are due to design flaws
- The design phase refers to functions typically performed by a software architect (strategic design of the entire system)
- Integrate security into every phase of your development process
- Security by Obscurity vs. Security by Design
- Open-source and the “security through obscurity” fallacy - efrontlearning.com
- National Institute of Standards and Technology (NIST) specifically recommends against using closed source as a way to secure the software (i.e. “security through obscurity”)
- Hiding source code is a bad way to assume you’ll achieve security, because even a powerful and highly proprietary company can’t guarantee that source code won’t leak out.
- OWASP Security Design Principles ⭐
- Secure Design Principles - OWASP
- Minimize attack surface area
- Establish secure defaults
- Least privilege
- Defense in depth (aka layered defense)
- Fail securely
- Don't trust services
- Separation of duties (aka separation of privilege)
- Avoid Security by Obscurity
- Economy of Mechanism (Keep It Simple, Stupid "KISS")
- Fix security issues correctly
- Secure Design Principles - OWASP
- Software Design Patterns
- In software engineering, a software design pattern is a general, reusable solution to a commonly occurring problem within a given context in software design.
- Security Patterns
- Modular Design
- Separation of Concerns (SoC) - deviq.com
- Benefits of Modular Design
- Small manageable tasks; Reduce errors; Reuse; Maintainability
- With a modular design, the parts do not always add up to the whole. Even though each module is essentially secure, the system as a whole may not be secure due to the complexity of interactions between modules.
- The Balance Between Defense in Depth and Simplicity
- KISS (“Keep It Simple Security”)
- The last layer of defense for your deployment should be the ability to respond quickly.
- Guidelines for Avoiding Common Design Mistakes - synopsys.com
- Avoiding Common Security Design Flaws
- Earn or give, but never assume, trust. - ieee.org
- Use an authentication mechanism that cannot be bypassed or tampered with.
- Authorize after you authenticate.
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
- Define an approach that ensures that all data are explicitly validated.
- Use cryptography correctly.
- Identify sensitive data and how they should be handled.
- Always consider the users.
- Understand how integrating external components changes your attack surface.
- Be flexible when considering future changes to objects and actors.
- Avoiding Common Security Design Flaws
- The Risk Equation
- Risk = Threats x Vulnerabilities x Consequences
- Threat Modeling
- Microsoft Threat Modeling
- Microsoft Threat Modeling - microsoft.com
- SeaSponge
- Application Threat Modeling - owasp.org
- 12 Available Methods (Threat Modeling) - cmu.edu
- Threat Modeling ⭐ - synopsys.com
- Benefits of Threat Modeling
- Microsoft Threat Modeling
- Threat Modeling Process
- Define General Security Objectives and Scope (Step-1)
- Tooling and Documentation
- Microsoft Threat Modeling Tool
- OWASP Threat Dragon
- SecuriCAD by Foreseeti
- ThreatModeler
- Assets
- Decompose the Software (Step-2)
- Trust Levels
- Entry and Exit Points
- External Dependencies
- Data Flow Diagrams
- Diagramming Symbols
- Diagramming the Catalog Application
- Identify and Rank Threats (Step-3)
- STRIDE
- STRIDE chart - microsoft.com
- PASTA
- Misuse Cases
- Misuse cases (aka abuse cases or attack scenarios) are a form of use case that describes actions the system should prevent.
- Security Zones
- Strategies for Ranking Threats
- DREAD
- Qualitative Risk Analysis with the DREAD Model - infosecinstitute.com
- Risk Response Strategies
- Severity
- Risks Outside Your Control
- Guidelines for Identifying and Ranking Threats
- Counter Each Threat (Step-4)
- Countermeasures
- Identifying Threats and Countermeasures
- Define General Security Objectives and Scope (Step-1)
- Development Documentation and Deliverables
- Application and Data Integrity
- Python Dependency Security - pyup.io | Keep your Python dependencies secure, up-to-date & compliant
- GitHub-native Dependabot - You can use Dependabot to keep the packages you use updated to the latest versions.
- Common General Programming Errors
- Inappropriate use of dangerous functions, APIs, and system calls
- Use of deprecated libraries
- Buffer overruns
- Race conditions
- Integer range issues
- Out of bounds array indexing
- Unhandled exceptions
- Memory leaks
- Dangling and null pointer references
- Unused code
- Uninitialized variables
- Injection vulnerabilities
- Insecure Deserialization
- Guidelines for Secure Coding
- Researching Your Secure Coding Checklist
- Buffer Overrun Defects
- Buffer Overflows
- Guidelines to Prevent Buffer Overflow Defects
- Buffer Overreads
- Guidelines to Prevent Buffer Overread Defects
- Integer Overflows
- Guidelines to Prevent Integer Overflow Defects
- Uncontrolled Format Strings
- Insecure Output Encoding
- XXE Attacks
- Guidelines to Prevent Uncontrolled Format String Defects
- Race Condition
- Impact of Race Conditions on Threading/Multiprocessing
- Guidelines to Prevent Race Condition Defects
- Performing a Memory-Based Attack
- OWASP Top Ten Platform Vulnerabilities
- OWASP Top 10 - OWASP GitHub
- OWASP Top 10 - Detectify - detectify.com
- Authentication
- Authorization
- Broken Authentication
- Guidelines to Prevent Web Vulnerability Defects
- Guidelines to Prevent Mobile App Vulnerability Defects
- Guidelines to Prevent Internet of Things Vulnerability Defects
- Desktop Application Vulnerabilities
- DLL Injection
- Shellcode Injection
- Debugger Security
- Differences Among Desktop Platforms
- Managed vs. Unmanaged
- Desktop Application Attack Vectors
- Development Tool and Project Configuration
- Guidelines to Prevent Desktop Application Vulnerabilities
- Finding Common Web Vulnerabilities
- Topic C: Prevent Privacy Vulnerabilities
- Privacy Vulnerability Defects
- Privacy by Design
- Data Anonymization
- Guidelines to Prevent Privacy Vulnerability Defects
- Handling Privacy Defects
- Web Sessions
- Secure Session Management
- Methods for Passing Session IDs
- Access Control
- Guidelines for Secure Session Management
- User Provisioning
- Password Recovery
- Account Lockouts
- Guidelines for Secure Password Management
- Handling Authentication and Authorization Defects
- Encryption
- Uses for Encryption
- Cryptographic Lifecycle
- Symmetric Encryption
- Asymmetric Encryption
- Hashing
- Digital Signatures
- Digital Signature Non-repudiation
- Digital Certificates
- PKI
- PKI Components
- The PKI Process
- Key Management
- Key Management Factors
- Certificate Revocation
- Guidelines for Protecting Data in Transit and at Rest
- Protecting Data in Transit and at Rest
- Error Handling
- Uses for Error Handling
- Error Messaging
- Logging
- Guidelines for Implementing Error Handling and Logging
- Reviewing Error Handling
- Improving Error Handling
- Sensitive Data
- Output Restrictions
- Function Level Access Control
- Missing Function Level Access Control - detectify.com
- What is Missing Function Level Access Control? 📺 - Detectify
- Case Study: Cross-Site Scripting Defect
- Guidelines for Protecting Sensitive Data and Functions
- Protecting Sensitive Data and Functions
- Staging a Persisted XSS Attack on an Administrator Function
- Case Study: SQL Injection Defect
- Query Parameterization
- Database Connection Credential Protection
- Guidelines for Protecting Database Access
- Protecting Database Access
- The Role of Testing
- Test early and test often.
- View software design and implementation from an attacker's perspective.
- Think of threat modeling as a form of testing (Testing the design).
- Mindsets: penetrate and patch; penetrate and improve; building security in
- Phases of Software Testing
- Development Testing
- Separation of duties (SoD; also known as Segregation of Duties) is the concept of having more than one person required to complete a task.
- Dynamic analysis is the testing and evaluation of an application during runtime. Static analysis is the testing and evaluation of an application by examining the code without executing the application.
- Unit Testing
- Input Validation; Output Encoding; Session Management (A&A); Encryption; Error Handling; Logging
- Integration Testing
- White box testing (Source Code); Gray box testing; Black box testing
- Documentation and Deliverables for Testing
- Input: Business requirements; SRS; Threat Models; Data flow Diagram
- Output: Vulnerability Reports; Quality Assurance Reports
- Manual Inspection and Code Review
- Security Analysis | A detailed process to ensure that software operates at a level of security consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects.
- Having someone look at your code from a different perspective will surface problems or raise questions that you haven't considered.
- Code Review Strategies
- Formal
- Fagan Inspection | A formal analysis process that includes a series of structured activities involving multiple participants and phases—such as planning, inspection, rework, and verification. The objective is to reveal defects in programming code.
- Informal
- Over the wall (aka Pass Around)
- Over the shoulder
- Pair Programming
- Formal
- Guidelines for Security Testing
- Performing Manual Inspection and Review
- Web Server e.g., dotnet new web; dotnet watch
- IP Address e.g., MVC - Block IP Address Using Action Filter
- Query String (Whitelist, Length, Data type)
- Authentication e.g., Authorize, AllowAnonymous
- Directory browsing
- Performing Manual Inspection and Review
- Static Code Analysis
- Static Code Analysis | The process of using a computer program to find problems in code, without actually executing the code.
- Strategies for Using Static Analysis
- Dynamic Code Analysis
- Guidelines for Code Analysis
- Performing Code Analysis
- Automated Testing
- Unit Testing
- Guidelines for Using Automated Testing Tools
- Using a Test Suite to Automate Unit Testing
- Emerging Security Problems
- Situational Awareness
- Bug Bounty Program
- Security Monitoring
- Intrusion Detection and Prevention
- What is an intrusion prevention system? - vmware.com
- Best Intrusion Detection and Prevention Systems for 2021 (Guide to IDPS) - esecurityplanet.com
- Monitor Placement
- Logging
- Guidelines for Monitoring and Logging a Deployed Application
- Monitoring and Logging a Deployed Application
- Maintenance
- Patches and Updates
- What is Regression Testing? - smartbear.com
- Uninstallation and Deprovisioning
- Guidelines for Maintaining Security of Deployed Software
- Maintaining Security After Deployment
- Corrective Maintenance
- Adaptive Maintenance
- Perfective Maintenance
- Preventive Maintenance
- How to Analyze Code for Vulnerabilities - OWASP DevSlop
- Secure Password Generator - passwordsgenerator.net
- Improving ASP.NET Core Security By Putting Your Cookies On A Diet - nestenius.se
- The Top 8 Cybersecurity Predictions for 2021-2022 - gartner.com
- 57 Cybersecurity Terms You Should Know in 2021 - securityscorecard.com
- The Story of Cryptography: History - ghostvolt.com
- All About CWE: Common Weakness Enumeration - parasoft.com
- 13 tools for checking the security risk of open-source dependencies - techbeacon.com
- Companies Lose $400 Billion to Hackers Each Year - inc.com | A new report also finds that companies will spend $170 billion on cybersecurity measures in 2020.
- LHN - latesthackingnews.com
- Microsoft
- Microsoft compliance offerings - microsoft.com
- ISO/IEC 27001 - iso.org
- NIST - nist.gov | The National Institute of Standards and Technology
- OWASP - owasp.org | The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
- OWASP
- OWASP Top 10 - owasp.org
- OWASP SAMM - owaspsamm.org
- Web Security Testing Guide (WSTG)
- OWASP Proactive Controls ⭐ - The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.
- OWASP Secure Coding Practices-Quick Reference Guide
- OWASP Developer Guide ⭐
- OWASP Cheat Sheet Series
- MITRE
- CAPEC - mitre.org | Common Attack Pattern Enumeration and Classification
- CWE - mitre.org | Common Weakness Enumeration
- CVE - mitre.org | Common Vulnerabilities and Exposures
- CVE-CWE-CAPEC Relationships - mitre.org
- ATT&CK - mitre.org | MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
- PCI Security Standards - pcisecuritystandards.org
- Exploit Database - exploit-db.com | Exploits for Penetration Testers, Researchers, and Ethical Hackers
- SANS - sans.org | SANS Institute is the most trusted resource for cybersecurity training, certifications and research.
- CVE Details - cvedetails.com | The ultimate security vulnerability datasource
- CNA - CVE Numbering Authority - gitlab.com
- Information Security Database (English/Arabic) - uw.edu (University of Washington)
- The Signals Intelligence Agency (SIA), fka the National Electronic Security Authority (NESA)
- Workplace (Meta) - workplace.com
- National Cyber Awareness System (Current Activity) - cisa.gov
- Threat Map - fireeye.com
- OpenSSL Heartbeat (Heartbleed) 📺 - Fierce Outlaws
- Cracking Stuxnet, a 21st-century cyber weapon - Ralph Langner
- How the US East Coast Lost Half It's Oil to 1 Hacker - RealLifeLore
- Networking (The New Boston) - thenewboston.com