Back to course catalog

Secure coding master course for banking and finance

  • CL-IFINT
  • 5 days
  • Java, C#/.NET/ASP.NET, Web

Description

“Money makes the world go round....” – remember? And yes: it is your responsibility to secure all that. As a fintech company you have to take up the challenge, and beat the bad guys with bomb-proof, secure applications!

If there is a domain where security is critical, it is definitely fintech. Vulnerability is not an option if you want to stay a trusted and reliable vendor with systems and applications that certainly comply with PCI-DSS requirements. You need devoted secure coders with high-level professional attitude and developers eager to fight all coding problems: yes, you need a skilled team of software engineers.

Want to know why? Just for the record: even though IT security best practices are widely available, 90% of security incidents stem from common vulnerabilities as a result of ignorance and malpractice. So, you better keep loaded in all possible ways with up to date knowledge about secure coding – unless you wanna cry!

We offer a training program exclusively targeting engineers developing applications for the banking and finance sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the banking industry – engaging participants in live hacking fun to reveal all consequences of insecure coding.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Understand security considerations in the SDLC
  • Understand special threats in the banking and finance sector
  • Understand regulations and standards
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn about XML security
  • Learn client-side vulnerabilities and secure coding practices
  • Have a practical understanding of cryptography
  • Understand the requirements of secure communication
  • Understand essential security protocols
  • Understand some recent attacks against cryptosystems
  • Understand security concepts of Web services
  • Learn about JSON security
  • Learn about typical coding mistakes and how to avoid them
  • Get information about some recent vulnerabilities in the Java framework
  • Learn about denial of service attacks and protections
  • Get practical knowledge in using security testing techniques and tools
  • Learn how to set up and operate the deployment environment securely
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Special threats in the banking and finance sector
  • Regulations and standards
  • Web application security (OWASP Top Ten 2017)
  • Client-side security
  • Security architecture
  • Requirements of secure communication
  • Practical cryptography
  • Crypto libraries and APIs
  • Security protocols
  • Input validation
  • Security of Web services
  • Improper use of security features
  • Object-relational mapping (ORM) security
  • Improper error and exception handling
  • Time and state problems
  • Code quality problems
  • Denial of service
  • Security testing techniques and tools
  • Deployment environment
  • Principles of security and secure coding
  • Knowledge sources

Course information

Preparedness

Advanced desktop and Web application development

Exercises

Hands-on

Delivery methods

Onsite / Virtual classroom

Course reviews

Table of contents

  • Day 1
  • Day 2
  • Day 3
  • Day 4
  • Day 5
  • IT security and secure coding
    • Nature of security
    • What is risk?
    • IT security vs. secure coding
    • From vulnerabilities to botnets and cybercrime
      • Nature of security flaws
      • From an infected computer to targeted attacks
    • Classification of security flaws
      • Landwehr’s taxonomy
      • The Seven Pernicious Kingdoms
      • OWASP Top Ten 2017
      • CWE/SANS top 25 most dangerous software errors
      • SEI CERT secure coding standards
    • Security in the software development lifecycle
      • Building Security In Maturity Model (BSIMM)
      • Software Assurance Maturity Model (SAMM)
      • Microsoft Security Development Lifecycle (SDL)
  • Special threats in the banking and finance sector
    • Banking and finance threats – trends
    • Banking and finance threats – some numbers
    • Attacker profiles
    • Most significant targets
    • Attacker tools and vectors
  • Regulations and standards
    • The fintech cybersecurity regulatory / compliance landscape
    • Important organizations and regulations from an IT standpoint
    • Data protection
    • Breach disclosure obligations
    • FDIC Cyber Risk Management Standards for fintech (proposed)
      • FDIC CRMS at a glance
      • FDIC CRMS – planned scope
      • FDIC CRMS – governance and risk management
      • FDIC CRMS – dependency management
      • FDIC CRMS – response
    • PCI DSS compliance
      • PCI DSS at a glance
      • The main assets protected by PCI-DSS
      • Requirements
      • Requirement 6 – Develop and maintain secure systems and applications
        • 6.1 – Identifying vulnerabilities, risk management
        • 6.2 – Patching
        • 6.3 – Secure software development
        • 6.4 – Policies and procedures
        • 6.5 – Train developers in secure coding best practices
        • 6.6 – Security assessment and attack detection
        • 6.7 – Documentation and enforcement
  • Web application security (OWASP Top Ten 2017)
    • A1 - Injection
      • Injection principles
      • SQL injection
        • Exercise – SQL injection
        • Typical SQL Injection attack methods
        • Blind and time-based SQL injection
        • SQL injection protection methods
      • Other injection flaws
        • Command injection
        • Case study – ImageMagick
    • A2 - Broken authentication
      • Session handling threats
      • Session handling best practices
      • Setting cookie attributes – best practices
      • Case study – Authentication issues in Danish online banking
        • Danske Bank website debug mode information leak
        • A potential session hijack
      • Cross site request forgery (CSRF)
        • Login CSRF
        • CSRF prevention
  • Web application security (OWASP Top Ten 2017)
    • A3 - Sensitive data exposure
      • Sensitive data exposure
      • Case study – Distributed guessing attack against payment cards
        • Information leakage weaknesses in online payment systems
        • Practical guessing attack
        • Real-world exploitation and countermeasures
      • Transport layer security
        • Enforcing HTTPS
    • A4 - XML external entity (XXE)
      • XML Entity introduction
      • XML external entity attack (XXE) – resource inclusion
      • XML external entity attack – URL invocation
      • XML external entity attack – parameter entities
      • Exercise – XXE attack
      • Case study – XXE in TGI Friday's ordering system
        • Identifying the vulnerability: JSON input processed as XML
    • A5 - Broken access control
      • Typical access control weaknesses
      • Insecure direct object reference (IDOR)
      • Exercise – Insecure direct object reference
      • Protection against IDOR
      • Case study – Facebook Notes
    • A6 - Security misconfiguration
      • Security misconfiguration
      • Configuring the environment
      • Insecure file uploads
      • Exercise – Uploading executable files
      • Filtering file uploads – validation and configuration
    • A7 - Cross-Site Scripting (XSS)
      • Persistent XSS
      • Reflected XSS
      • DOM-based XSS
      • Exercise – Cross Site Scripting
      • Exploitation: CSS injection
      • Exploitation: injecting the tag
      • XSS prevention
    • A8 - Insecure deserialization
      • Serialization and deserialization basics
      • Security challenges of deserialization
      • Issues with deserialization – JSON
    • A9 - Using components with known vulnerabilities
    • A10 - Insufficient logging and monitoring
      • Detection and response
      • Logging and log analysis
      • Intrusion detection systems and Web application firewalls
  • Client-side security
    • JavaScript security
    • Same Origin Policy
    • Simple requests
    • Preflight requests
    • Exercise – Client-side authentication
    • Client-side authentication and password management
    • Protecting JavaScript code
    • Clickjacking
      • Clickjacking
      • Exercise – IFrame, Where is My Car?
      • Protection against Clickjacking
      • Anti frame-busting – dismissing protection scripts
      • Protection against busting frame busting
    • AJAX security
      • XSS in AJAX
      • Script injection attack in AJAX
      • Exercise – XSS in AJAX
      • XSS protection in AJAX
      • Exercise CSRF in AJAX – JavaScript hijacking
      • CSRF protection in AJAX
    • HTML5 security
      • New XSS possibilities in HTML5
      • HTML5 clickjacking attack – text field injection
      • HTML5 clickjacking – content extraction
      • Form tampering
      • Exercise – Form tampering
      • Cross-origin requests
      • HTML proxy with cross-origin request
      • Exercise – Client side include
  • Security architecture
    • (platform and technology dependent topics)
    • Application level access control
      • (permissions, sandboxing)
    • User level access control
      • Authentication
      • Authorization
  • Requirements of secure communication
    • Security levels
    • Secure acknowledgment
      • Malicious message absorption
        • Feasibility of secure acknowledgment
        • The solution: Clearing Centers
      • Inadvertent message loss
    • Integrity
      • Error detection - Inadvertent message distortion (noise)
        • Modeling message distortion
        • Error detection and correction codes
      • Authenticity - Malicious message manipulation
        • Modeling message manipulation
        • Practical integrity protection (detection)
      • Non-repudiation
        • Non-repudiation
      • Summary
        • Detecting integrity violation
    • Confidentiality
      • Model of encrypted communication
      • Encryption methods in practice
      • Strength of encryption algorithms
    • Remote identification
      • Requirements of remote identification
    • Anonymity and traffic analysis
      • Model of anonymous communication
      • Traffic analysis
      • Theoretically strong protection against traffic analysis
      • Practical protection against traffic analysis
    • Summary
      • Relationship between the requirements
  • Practical cryptography
    • Rule #1 of implementing cryptography
    • Cryptosystems
      • Elements of a cryptosystem
    • Symmetric-key cryptography
      • Providing confidentiality with symmetric cryptography
      • Symmetric encryption algorithms
      • Modes of operation
    • Other cryptographic algorithms
      • Hash or message digest
      • Hash algorithms
      • SHAttered
      • Message Authentication Code (MAC)
      • Providing integrity and authenticity with a symmetric key
      • Random number generation
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
        • Case study – Equifax account freeze PIN code generation
        • Case study – Tesco Bank fraud
    • Asymmetric (public-key) cryptography
      • Providing confidentiality with public-key encryption
      • Rule of thumb – possession of private key
      • The RSA algorithm
        • Introduction to RSA algorithm
        • Encrypting with RSA
        • Combining symmetric and asymmetric algorithms
        • Digital signing with RSA
    • Public Key Infrastructure (PKI)
      • Man-in-the-Middle (MitM) attack
      • Digital certificates against MitM attack
      • Certificate Authorities in Public Key Infrastructure
      • X.509 digital certificate
  • Crypto libraries and APIs
  • Security protocols
    • The TLS protocol
      • SSL and TLS
      • Usage options
      • Security services of TLS
      • SSL/TLS handshake
    • Protocol-level vulnerabilities
      • BEAST
    • Padding oracle attacks
      • Adaptive chosen-ciphertext attacks
      • Padding oracle attack
      • CBC decryption
      • Padding oracle example
      • POODLE
  • Input validation
    • Input validation concepts
    • Integer problems
      • Representation of negative integers
      • Integer overflow
      • Integer problem – best practices
        • Integer problem – best practices
      • Case study – Integer overflow in the Stockholm Stock Exchange
        • Integer wraparound problem when purchasing stocks
    • Path traversal vulnerability
      • Path traversal – weak protections
      • Path traversal – best practices
      • Case study – Insufficient URL validation in LastPass
    • Unvalidated redirects and forwards
    • Log forging
      • Some other typical problems with log files
    • (some additional platform and technology dependent topics)
  • Security of Web services
    • Securing web services – two general approaches
    • SOAP - Simple Object Access Protocol
    • Security of RESTful web services
      • Authenticating users in RESTful web services
      • Authentication with JSON Web Tokens (JWT)
      • Authorization with REST
      • Vulnerabilities in connection with REST
    • XML security
      • Introduction
      • XML parsing
      • XML injection
        • (Ab)using CDATA to store XSS payload in XML
        • Exercise – XML injection
        • Protection through sanitization and XML validation
        • XML bomb
        • Exercise – XML bomb
    • JSON security
      • Embedding JSON server-side
      • JSON injection
      • JSON hijacking
      • Case study – XSS via spoofed JSON element
  • Improper use of security features
    • Typical problems related to the use of security features
    • Password management
      • Exercise – Weakness of hashed passwords
      • Password management and storage
      • Special purpose hash algorithms for password storage
      • Case study – the Ashley Madison data breach
        • The loginkey token
        • Revealing the passwords with brute forcing
      • Typical mistakes in password management
        • Sensitive info in memory - minimize the attack surface
    • Case study – Equifax password management issues
  • Object-relational mapping (ORM) security
  • Improper error and exception handling
    • Typical problems with error and exception handling
  • Time and state problems
  • Code quality problems
  • Denial of service
    • DoS introduction
    • Asymmetric DoS
    • Case study – ReDos in Stack Exchange
    • Hashtable collision attack
      • Using hashtables to store data
      • Hashtable collision
  • Security testing techniques and tools
    • General testing approaches
    • Source code review
      • Code review for software security
      • Taint analysis
      • Heuristic-based
      • Static code analysis
        • Static code analysis
    • Testing the implementation
      • Manual vs. automated security testing
      • Penetration testing
      • Stress tests
      • Fuzzing
        • Automated security testing - fuzzing
        • Challenges of fuzzing
      • Proxy servers and sniffers
        • Testing with proxies and sniffers
        • Packet analyzers and proxies
        • Exercise – Testing with proxy
        • Proxying HTTPS traffic
        • Case study – The Lenovo Superfish incident
      • Web vulnerability scanners
        • Exercise – Using a vulnerability scanner
        • SQL injection tools
        • Exercise – Using SQL injection tools
  • Deployment environment
    • Assessing the environment
      • Assessing the environment
      • Searching for online devices with SHODAN
      • Exercise – using SHODAN
      • Finding weaknesses with search engines
      • Exercise – Finding weaknesses with search engines
      • Testing random number generators
    • Configuration management
      • Configuration management
    • Hardening
      • Hardening
      • Network-level hardening
      • Server hardening – principle of least privilege
      • Hardening the deployment – server administration
      • Hardening the deployment – access control
    • Patch and vulnerability management
      • Patch management
      • Vulnerability repositories
      • Vulnerability attributes
      • Software identification through CPE and SWID
      • Common Vulnerability Scoring System – CVSS
      • Vulnerability management software
      • Exercise – checking for vulnerable packages
  • Principles of security and secure coding
    • Matt Bishop’s principles of robust programming
    • The security principles of Saltzer and Schroeder
    • SEI Cert top 10 secure coding practices
  • Knowledge sources
    • Secure coding sources – a starter kit
    • Vulnerability databases

Get more information

Send inquiry
Loading...
Sending...