Web Application Security for PCI DSS

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types – the CIA triad
• Cyber security threat types – the STRIDE model
• Consequences of insecure software
• Constraints and the market
• The dark side
• Categorization of bugs
  • The Seven Pernicious Kingdoms
  • Common Weakness Enumeration (CWE)
  • CWE Top 25 Most Dangerous Software Weaknesses
• Cyber security in the finance sector
  • Threats and trends in fintech
• PCI DSS
  • Overview
  • Requirements and secure coding (Requirements 1-5)
  • Req. 6 – Develop and maintain secure systems and applications
  • Requirement 6.5 – Address common coding vulnerabilities
  • Requirements and secure coding (Requirements 7-12)

The OWASP Top Ten 2021

• A04 – Insecure Design
  • The STRIDE model of threats
  • Secure design principles of Saltzer and Schroeder
  • Client-side security
    • Frame sandboxing
      • Cross-Frame Scripting (XFS) attacks
      • Lab – Clickjacking
      • Clickjacking beyond hijacking a click
      • Clickjacking protection best practices
      • Lab – Using CSP to prevent clickjacking
• A05 – Security Misconfiguration
  • Configuration principles
  • Server misconfiguration
  • Cookie security
    • Cookie security best practices
    • Cookie attributes
  • XML entities
    • DTD and the entities
    • Attribute blowup
    • Entity expansion
    • External Entity Attack (XXE)
      • File inclusion with external entities
      • Server-Side Request Forgery with external entities
      • Lab – External entity attack
      • Case study – XXE vulnerability in SAP Store
      • Lab – Prohibiting DTD expansion
• A06 – Vulnerable and Outdated Components
  • Using vulnerable components
  • Case study – The Equifax data breach
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Vulnerability management
    • Patch management
    • Vulnerability databases
    • Vulnerability rating – CVSS
    • Bug bounty programs
    • DevOps, the build process and CI / CD
• A09 – Security Logging and Monitoring Failures
  • Logging and monitoring principles
  • Insufficient logging
  • Case study – Plaintext passwords at Facebook
  • Logging best practices
  • Monitoring best practices
  • Firewalls and Web Application Firewalls (WAF)
  • Intrusion detection and prevention
  • Case study – The Marriott Starwood data breach

DAY 2

The OWASP Top Ten 2021

• A01 – Broken Access Control
  • Access control basics
  • Failure to restrict URL access
  • Confused deputy
    • Insecure direct object reference (IDOR)
    • Lab – Insecure Direct Object Reference
    • Authorization bypass through user-controlled keys
    • Case study – Authorization bypass on Facebook
    • Lab – Horizontal authorization
  • File upload
    • Unrestricted file upload
    • Good practices
    • Lab – Unrestricted file upload
  • Cross-site Request Forgery (CSRF)
    • Lab – Cross-site Request Forgery
    • CSRF best practices
    • CSRF defense in depth
    • Lab – CSRF protection with tokens
• A02 – Cryptographic Failures
  • Information exposure
    • Exposure through extracted data and aggregation
    • Case study – Strava data exposure
    • System information leakage
      • Leaking system information
    • Information exposure best practices
  • Cryptography for developers
    • Cryptography basics
    • Elementary algorithms
      • Random number generation
        • Pseudo random number generators (PRNGs)
        • Cryptographically strong PRNGs
        • Using virtual random streams
        • Lab – Using random numbers
        • Case study – Equifax credit account freeze
    • Confidentiality protection
      • Symmetric encryption
        • Block ciphers
        • Modes of operation
        • Modes of operation and IV – best practices
        • Lab – Symmetric encryption
      • Asymmetric encryption
      • Combining symmetric and asymmetric algorithms

The OWASP Top Ten 2021

• A03 – Injection
  • Injection principles
  • Injection attacks
  • SQL injection
    • SQL injection basics
    • Lab – SQL injection
    • Attack techniques
    • Content-based blind SQL injection
    • Time-based blind SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Lab – Using prepared statements
    • Case study – Hacking Fortnite accounts
  • Code injection
    • OS command injection
      • OS command injection best practices
      • Case study – Shellshock
      • Lab – Shellshock

DAY 3

The OWASP Top Ten 2021

• A03 – Injection
  • HTML injection – Cross-site scripting (XSS)
    • Cross-site scripting basics
    • Cross-site scripting types
      • Persistent cross-site scripting
      • Reflected cross-site scripting
      • Client-side (DOM-based) cross-site scripting
    • Lab – Stored XSS
    • Lab – Reflected XSS
    • Case study – XSS in Fortnite accounts
    • XSS protection best practices
      • Protection principles – escaping
      • Lab – XSS fix / stored
      • Lab – XSS fix / reflected
      • Additional protection layers – defense in depth

The OWASP Top Ten 2021

• A07 – Identification and Authentication Failures
  • Authentication
    • Authentication basics
    • Multi-factor authentication
    • Time-based One Time Passwords (TOTP)
    • Authentication weaknesses
    • Spoofing on the Web
    • Case study – PayPal 2FA bypass
    • User interface best practices
    • Case study – Information disclosure in Simple Banking for Android
    • Lab – On-line password brute forcing
  • Password management
    • Inbound password management
      • Storing account passwords
      • Password in transit
      • Lab – Is just hashing passwords enough?
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • Password policy
        • NIST authenticator requirements for memorized secrets
        • Password hardening
        • Using passphrases
      • Case study – The Ashley Madison data breach
        • The dictionary attack
        • The ultimate crack
        • Exploitation and the lessons learned
      • Password database migration
        • (Mis)handling null passwords
    • Outbound password management
      • Hard coded passwords
      • Best practices
      • Lab – Hardcoded password
      • Protecting sensitive information in memory
        • Challenges in protecting memory
• A08 – Software and Data Integrity Failures
  • Subresource integrity
    • Importing JavaScript
    • Lab – Importing JavaScript
    • Case study – The British Airways data breach
  • Insecure deserialization
    • Serialization and deserialization challenges
    • Integrity – deserializing untrusted streams
    • Integrity – deserialization best practices
    • Property Oriented Programming (POP)
      • Creating payload
      • Lab – Creating a POP payload
      • Lab – Using the POP payload
      • Summary – POP best practices

Security testing

• Security testing techniques and tools
  • Code analysis
    • Static Application Security Testing (SAST)
  • Dynamic analysis
    • Security testing at runtime
    • Penetration testing
    • Stress testing
    • Dynamic analysis tools
      • Dynamic Application Security Testing (DAST)
      • Web vulnerability scanners
      • SQL injection tools
    • Fuzzing

Wrap up

• Secure coding principles
  • Principles of robust programming by Matt Bishop
• And now what?
  • Software security sources and further reading