Cloud Application Security in Python for AWS

Day 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software
• Cloud security basics
  • Cloud infrastructure basics
  • Cloud architectures and security
  • The Cloud Cube Model
  • Attack surface in the cloud
• Cloud data security
  • Data confidentiality and integrity in the cloud
  • Data privacy in the cloud
  • Compliance considerations
• Cloud deployment security
  • Hardening cloud deployments
  • Security of jump boxes
  • Serverless computing and security
• Cloud security standards and best practices
  • SOC compliance
  • CSA controls
  • Other standards

The OWASP Top Ten

• OWASP Top 10 – 2017
• A1 – Injection
  • Injection principles
  • Injection attacks
  • SQL injection
    • SQL injection basics
    • Lab – SQL injection
    • Attack techniques
    • Content-based blind SQL injection
    • Time-based blind SQL injection
  • NoSQL injection
    • NoSQL injection specialties
    • NoSQL injection in MongoDB
    • NoSQL injection in DynamoDB
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Lab – SQL injection best practices
    • Additional considerations
    • Case study – Hacking Fortnite accounts
    • SQL injection protection and ORM
  • Parameter manipulation
    • CRLF injection
      • Log forging
      • Lab – Log forging
      • Log forging – best practices
      • HTTP response splitting
  • Code injection
    • Code injection via input()
    • OS command injection
      • Lab – Command injection
      • OS command injection best practices
      • Avoiding command injection with the right APIs
      • Lab – Command injection best practices
      • Case study – Shellshock
      • Lab – Shellshock
      • Case study – Command injection via ping
  • Script injection
    • Server-side template injection (SSTI)
    • Lab – Template injection

Day 2 The OWASP Top Ten

• A2 – Broken Authentication
  • Authentication
    • Authentication basics
    • Multi-factor authentication
    • Multi-factor authentication best practices
    • Authentication weaknesses – spoofing
    • Spoofing on the Web
    • Case study – PayPal 2FA bypass
    • User interface best practices
    • Lab – On-line password brute forcing
  • Single sign-on (SSO)
    • Single sign-on concept
    • OAuth2
      • OAuth2 basics
      • OAuth2 in practice
      • Best practices
      • Configuration best practices
      • Case study – Stealing SSO tokens from Epic Games accounts
    • SAML
      • SAML basics
      • SAML profiles
      • SAML security
  • Password management
    • Inbound password management
      • Storing account passwords
      • Password in transit
      • Lab – Is just hashing passwords enough?
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • Password policy
      • NIST authenticator requirements for memorized secrets
      • Password hardening
      • Using passphrases
      • Case study – The Ashley Madison data breach
      • The dictionary attack
      • The ultimate crack
      • Exploitation and the lessons learned
      • Password database migration
      • (Mis)handling None passwords
    • Outbound password management
      • Hard coded passwords
      • Best practices
      • Lab – Hardcoded password
      • Protecting sensitive information in memory
      • Challenges in protecting memory
  • Session management
    • Session management essentials
    • Why do we protect session IDs – Session hijacking
    • Session fixation
    • Session invalidation
    • Session ID best practices
    • Session handling in Flask
    • Cross-site Request Forgery (CSRF)
      • Lab – Cross-site Request Forgery
      • CSRF best practices
      • CSRF defense in depth
      • Lab – CSRF protection with tokens
    • Cookie security
      • Cookie security best practices
      • Cookie attributes
  • A3 – Sensitive Data Exposure
    • Information exposure
    • Exposure through extracted data and aggregation
    • Case study – Strava data exposure
    • System information leakage
      • Leaking system information
    • Information exposure best practices
  • A4 – XML External Entities (XXE)
    • DTD and the entities
    • Entity expansion
    • Lab – Billion laughs attack
    • External Entity Attack (XXE)
      • File inclusion with external entities
      • Server-Side Request Forgery with external entities
      • Lab – External entity attack
      • Case study – XXE vulnerability in SAP Store
      • Preventing XXE
      • Lab – Using non-vulnerable parsers

Day 3

The OWASP Top Ten

• A5 – Broken Access Control
  • Access control basics
  • Failure to restrict URL access
  • Confused deputy
    • Insecure direct object reference (IDOR)
    • Lab – Insecure Direct Object Reference
    • Case study – Authorization bypass on Facebook
    • Authorization bypass through user-controlled keys
    • Lab – Horizontal authorization
  • File upload
    • Unrestricted file upload
    • Good practices
    • Lab – Unrestricted file upload
• A7 – Cross-site Scripting (XSS)
  • Cross-site scripting basics
  • Cross-site scripting types
    • Persistent cross-site scripting
    • Reflected cross-site scripting
    • Client-side (DOM-based) cross-site scripting
    • Lab – Stored XSS
    • Lab – Reflected XSS
    • Case study – XSS in Fortnite accounts
  • XSS protection best practices
    • Protection principles – escaping
    • XSS protection APIs in Python
    • XSS protection in Jinja2
    • Lab – XSS fix / stored
    • Lab – XSS fix / reflected
    • Additional protection layers
    • Client-side protection principles
• A8 – Insecure Deserialization
  • Serialization and deserialization challenges
  • Integrity – deserializing untrusted streams
  • Deserialization with pickle
  • Lab – Deserializing with Pickle
  • PyYAML deserialization challenges
  • Integrity – deserialization best practices
• A9 – Using Components with Known Vulnerabilities
  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Malicious packages in Python
  • Importing JavaScript
  • Lab – Importing JavaScript
  • Case study – The British Airways data breach
  • Vulnerability management
    • Patch management
    • Vulnerability management
    • Bug bounty programs
    • Vulnerability databases
    • Vulnerability rating – CVSS
    • DevOps, the build process and CI / CD
    • Dependency checking in Python
    • Lab – Detecting vulnerable components
• A10 – Insufficient Logging & Monitoring
  • Logging and monitoring principles
  • Insufficient logging
  • Case study – Plaintext passwords at Facebook
  • Logging best practices
  • Monitoring best practices
• Web application security beyond the Top Ten
  • Client-side security
  • Same Origin Policy
    • Lab – Same-origin policy demo
  • Tabnabbing
  • Frame sandboxing
    • Cross-Frame Scripting (XFS) attack
    • Lab – Clickjacking
    • Clickjacking beyond hijacking a click
    • Clickjacking protection best practices
    • Lab – Using CSP to prevent clickjacking

Day 4

Cloud infrastructure security

• Container security
  • Container security concerns
  • Containerization, virtualization, and security
  • Attack surface of container technologies
  • Container security tools
• Docker security
  • Docker and security
  • Docker security features
  • Common Docker security mistakes
  • Docker security best practices
  • Hardening Docker
  • Lab – Static analysis of Docker image
• Kubernetes security
  • The Kubernetes architecture and security
  • Common Kubernetes security mistakes
  • Securing Kubernetes hosts
  • Best practices for Kubernetes access control
  • Building secure Kubernetes images
  • Secure deployment of Kubernetes containers
  • Protecting Kubernetes deployments at runtime
  • Lab – Scanning a Kubernetes image for vulnerabilities
• AWS security
  • Security considerations
    • AWS and security
    • AWS security features
    • The AWS shared responsibility model
    • AWS cloud compliance
    • AWS hardening
    • Security tools for AWS
  • Identity and access management (IAM)
    • Identity and access management in AWS
    • Access tokens
    • Groups, roles and credentials
  • Data security
    • Data security in AWS
    • Policies
    • Storing cryptographic keys
    • Protecting data at rest
    • Protecting data in transit
  • Detection and monitoring
    • Utilizing AWS monitoring for security
    • Protecting logs
    • The AWS Security Hub

API security

• Input validation
  • Input validation principles
    • Blacklists and whitelists
    • Data validation techniques
    • Lab – Input validation
    • What to validate – the attack surface
    • Where to validate – defense in depth
    • When to validate – validation vs transformations
    • Output sanitization
    • Encoding challenges
    • Unicode challenges
    • Lab – Encoding challenges
    • Validation with regex
  • Integer handling problems
    • Representing signed numbers
    • Integer visualization
    • Integers in Python
    • Integer overflow
    • Integer overflows in ctypes and numpy
  • Value manipulation
    • Setting manipulation
    • Manipulating critical state data
    • Resource manipulation
  • Open redirects and forwards
    • Case study – Unvalidated redirect at Epic Games
    • Open redirects and forwards – best practices
  • Files and streams
    • Path traversal
    • Path traversal-related examples
    • Additional challenges in Windows
    • Virtual resources
    • Path traversal best practices
  • Format string issues

XML security

• XML validation
• XML injection
  • XPath injection
  • Blind XPath injection

JSON security

• JSON validation
• JSON injection
• Dangers of JSONP
• JSON/JavaScript hijacking
• Best practices
• Case study – ReactJS vulnerability in HackerOne

Day 5

Denial of service

• Denial of Service
• Flooding
• Resource exhaustion
• Sustained client engagement
• Infinite loop
• Economic Denial of Sustainability (EDoS)
• Algorithm complexity issues
  • Regular expression denial of service (ReDoS)
    • Lab – ReDoS in Python
    • Dealing with ReDoS

Cryptography for developers

• Cryptography basics
• Cryptography in Python
• Elementary algorithms
  • Random number generation
    • Pseudo random number generators (PRNGs)
    • Cryptographically strong PRNGs
    • Using virtual random streams
    • Weak and strong PRNGs
    • Using random numbers in Python
    • Lab – Using random numbers in Python
    • Case study – Equifax credit account freeze
  • Hashing
    • Hashing basics
    • Common hashing mistakes
    • Hashing in Python
    • Lab – Hashing in Python
• Confidentiality protection
  • Symmetric encryption
    • Block ciphers
    • Modes of operation
    • Modes of operation and IV – best practices
    • Symmetric encryption in Python
    • Lab – Symmetric encryption in in Python
  • Asymmetric encryption
  • Combining symmetric and asymmetric algorithms
• Integrity protection
  • Message Authentication Code (MAC)
    • MAC in Python
    • Lab – Calculating MAC in Python
  • Digital signature
    • Digital signature in Python
    • Lab – Digital signature with ECDSA in Python
• Public Key Infrastructure (PKI)
  • Some further key management challenges
  • Certificates
    • Chain of trust
    • Certificate management – best practices
• Transport security
  • Transport security weaknesses
  • The TLS protocol
    • TLS basics
    • TLS features (changes in v1.3)
    • The handshake in a nutshell (v1.3)
    • TLS best practices
    • TLS authentication best practices
    • Lab – Using a secure socket in Python
    • HTTP Strict Transport Security (HSTS)
    • Lab – Setting HSTS in Python

Wrap up

• Secure coding principles
  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
• And now what?
  • Software security sources and further reading
  • Python resources