
Secure coding for banking and finance

CL-VFINT
3 days
Java, C#/.NET/ASP.NET, Web

Course information

Preparedness

General desktop and Web application development

Exercises

Hands-on

Delivery methods

Classroom

Course Reviews

Very broad overview, excellent! I liked repeating basic principles and the very good explanations of hard-to-understand things. The trainer had very good and clear speaking skills, even for a non-native English-speaking audience.

September 2016, Prague, Czech Republic


Description

“Money makes the world go round....” – remember? And yes: it is your responsibility to secure all that. As a fintech company you have to take up the challenge, and beat the bad guys with bomb-proof, secure applications!

If there is a domain where security is critical, it is definitely fintech. Vulnerability is not an option if you want to stay a trusted and reliable vendor with systems and applications that demonstrably comply with PCI DSS requirements. You need devoted secure coders with a highly professional attitude and developers eager to fight all coding problems: yes, you need a skilled team of software engineers.

Want to know why? Just for the record: even though IT security best practices are widely available, 90% of security incidents stem from common vulnerabilities that are the result of ignorance and malpractice. So you had better stay loaded, in every possible way, with up-to-date knowledge about secure coding – unless you wanna cry!

We offer a training program exclusively targeting engineers developing applications for the banking and finance sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the banking industry – engaging participants in live hacking fun to reveal all consequences of insecure coding.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Understand special threats in the banking and finance sector
  • Understand regulations and standards
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn about XML security
  • Learn client-side vulnerabilities and secure coding practices
  • Learn about JSON security
  • Learn about denial of service attacks and protections
  • Have a practical understanding of cryptography
  • Understand essential security protocols
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Special threats in the banking and finance sector
  • Regulations and standards
  • Web application security (OWASP Top Ten 2017)
  • Client-side security
  • XML security
  • JSON security
  • Denial of service
  • Practical cryptography
  • Security protocols
  • Principles of security and secure coding
  • Knowledge sources

Table of Contents

  • Day 1
    • IT security and secure coding
      • Nature of security
      • What is risk?
      • IT security vs. secure coding
      • From vulnerabilities to botnets and cybercrime
        • Nature of security flaws
        • Reasons for difficulty
        • From an infected computer to targeted attacks
      • Classification of security flaws
        • Landwehr’s taxonomy
        • The Seven Pernicious Kingdoms
        • OWASP Top Ten 2017
        • CWE/SANS top 25 most dangerous software errors
        • SEI CERT secure coding standards
    • Special threats in the banking and finance sector
      • Banking and finance threats – trends
      • Banking and finance threats – some numbers
      • Attacker profiles
      • Most significant targets
      • Attacker tools and vectors
    • Regulations and standards
      • The fintech cybersecurity regulatory / compliance landscape
      • Important organizations and regulations from an IT standpoint
      • Data protection
      • Breach disclosure obligations
      • PCI DSS compliance
        • PCI DSS at a glance
        • The main assets protected by PCI DSS
        • Requirements
    • Web application security (OWASP Top Ten 2017)
      • A1 - Injection
        • Injection principles
        • SQL injection
          • Exercise – SQL injection
          • Typical SQL Injection attack methods
          • Blind and time-based SQL injection
          • SQL injection protection methods
          • Effect of data storage frameworks on SQL injection
        • Other injection flaws
          • Command injection
          • Case study – ImageMagick
      • A2 - Broken authentication
        • Session handling threats
        • Session handling best practices
        • Setting cookie attributes – best practices
        • Case study – Authentication issues in Danish online banking
          • Danske Bank website debug mode information leak
          • A potential session hijack
        • Cross site request forgery (CSRF)
          • CSRF prevention
      • A3 - Sensitive data exposure
        • Sensitive data exposure
        • Case study – Distributed guessing attack against payment cards
          • Information leakage weaknesses in online payment systems
          • Practical guessing attack
          • Real-world exploitation and countermeasures
        • Transport layer security
          • Enforcing HTTPS
  • Day 2
    • Web application security (OWASP Top Ten 2017)
      • A4 - XML external entity (XXE)
        • XML Entity introduction
        • XML external entity attack (XXE) – resource inclusion
        • XML external entity attack – URL invocation
        • XML external entity attack – parameter entities
        • Exercise – XXE attack
        • Case study – XXE in TGI Friday's ordering system
          • Identifying the vulnerability: JSON input processed as XML
      • A5 - Broken access control
        • Typical access control weaknesses
        • Insecure direct object reference (IDOR)
        • Exercise – Insecure direct object reference
        • Protection against IDOR
        • Case study – Facebook Notes
      • A6 - Security misconfiguration
        • Configuring the environment
        • Insecure file uploads
        • Exercise – Uploading executable files
        • Filtering file uploads – validation and configuration
      • A7 - Cross-Site Scripting (XSS)
        • Persistent XSS
        • Reflected XSS
        • DOM-based XSS
        • Exercise – Cross Site Scripting
        • XSS prevention
      • A8 - Insecure deserialization
        • Deserialization basics
        • Security challenges of deserialization
        • Issues with deserialization – JSON
      • A9 - Using components with known vulnerabilities
        • Vulnerability attributes
        • Common Vulnerability Scoring System – CVSS
      • A10 - Insufficient logging and monitoring
        • Detection and response
        • Logging and log analysis
    • Client-side security
      • JavaScript security
      • Same Origin Policy
      • Simple requests
      • Preflight requests
      • Exercise – Client-side authentication
      • Client-side authentication and password management
      • Protecting JavaScript code
      • Clickjacking
        • Clickjacking
        • Exercise – IFrame, Where is My Car?
        • Protection against Clickjacking
        • Anti frame-busting – dismissing protection scripts
        • Protection against busting frame busting
      • AJAX security
        • XSS in AJAX
        • Script injection attack in AJAX
        • Exercise – XSS in AJAX
        • XSS protection in AJAX
        • Exercise CSRF in AJAX – JavaScript hijacking
        • CSRF protection in AJAX
      • HTML5 security
        • New XSS possibilities in HTML5
        • HTML5 clickjacking attack – text field injection
        • HTML5 clickjacking – content extraction
        • Form tampering
        • Exercise – Form tampering
        • Cross-origin requests
        • HTML proxy with cross-origin request
        • Exercise – Client side include
    • XML security
      • Introduction
      • XML parsing
      • XML injection
        • (Ab)using CDATA to store XSS payload in XML
        • Exercise – XML injection
        • Protection through sanitization and XML validation
        • XML bomb
        • Exercise – XML bomb
    • JSON security
      • Embedding JSON server-side
      • JSON injection
      • JSON hijacking
      • Case study – XSS via spoofed JSON element
    • Denial of service
      • DoS introduction
      • Asymmetric DoS
      • Case study – ReDoS in Stack Exchange
      • Hashtable collision attack
        • Using hashtables to store data
        • Hashtable collision
  • Day 3
    • Practical cryptography
      • Rule #1 of implementing cryptography
      • Cryptosystems
        • Elements of a cryptosystem
      • Symmetric-key cryptography
        • Providing confidentiality with symmetric cryptography
        • Symmetric encryption algorithms
        • Modes of operation
      • Other cryptographic algorithms
        • Hash or message digest
        • Hash algorithms
        • SHAttered
        • Message Authentication Code (MAC)
        • Providing integrity and authenticity with a symmetric key
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
      • Asymmetric (public-key) cryptography
        • Providing confidentiality with public-key encryption
        • Rule of thumb – possession of private key
        • The RSA algorithm
          • Introduction to RSA algorithm
          • Encrypting with RSA
          • Combining symmetric and asymmetric algorithms
          • Digital signing with RSA
      • Public Key Infrastructure (PKI)
        • Man-in-the-Middle (MitM) attack
        • Digital certificates against MitM attack
        • Certificate Authorities in Public Key Infrastructure
        • X.509 digital certificate
    • Security protocols
      • Secure network protocols
      • Specific vs. general solutions
      • SSL/TLS protocols
        • Security services
        • SSL/TLS handshake
      • Improper use of security features
        • Typical problems related to the use of security features
        • Insecure randomness
          • Case study – Equifax account freeze PIN code generation
          • Case study – Tesco Bank fraud
        • Password management
          • Exercise – Weakness of hashed passwords
          • Password management and storage
          • Special purpose hash algorithms for password storage
          • Case study – the Ashley Madison data breach
          • Typical mistakes in password management
        • Case study – Equifax password management issues
      • Input validation
        • Input validation concepts
        • Integer problems
          • Representation of negative integers
          • Integer overflow
          • Integer problem – best practices
          • Case study – Integer overflow in the Stockholm Stock Exchange
        • Path traversal vulnerability
          • Path traversal – best practices
        • Unvalidated redirects and forwards
        • Log forging
          • Some other typical problems with log files
    • Principles of security and secure coding
      • Matt Bishop’s principles of robust programming
      • The security principles of Saltzer and Schroeder
      • SEI CERT Top 10 secure coding practices
    • Knowledge sources
      • Secure coding sources – a starter kit
      • Vulnerability databases
