Secure Coding for all languages

1
Introduction to Secure Coding - The Basics
2
Secure SDLC & Application Security Program
- Secure SDLC & Application Security Program
- Threat Modeling
- Third Party Components (SCA)
- Security Testing
- Code Review and Static Analysis
- Secure SDLC - Quiz!
3
Secure Coding Basics
- #1 Input Validation
- Input Validation - More Advice From OWASP
- Input Validation: Code Review
- #2 Output Encoding
- Output Encoding: Code Review
- #3 Parameterized queries are required; dynamic queries are forbidden.
- Parameterized queries: Code Review
- #4 Use the Authorization and Authentication provided by your framework, do not write your own.
- Authentication and Password Management – OWASP Advice
- #5 Use the identity and session management features available in your framework, network, or cloud provider.
- #6 Use all applicable security headers
- #7 Do not cache sensitive page data
- Caching Sensitive Data: Code Review
- #8 Secure Cookies
- Thoughts on securing your cookies
- #9 Take every possible precaution when performing file uploads
- File upload advice from OWASP
- Scanning your uploaded files
- #10 All errors should be caught, handled, logged, and, if appropriate, alerted upon.
- OWASP guidance on login, alerting and monitoring
- Error Handling and Logging Cheat Sheet!
- #11 Sensitive or decision-making information should never be stored in URL parameters.
- #12 Your application should be served over HTTPS only.
- HTTPS Everywhere: Code Review
- #13 All data must be encrypted in transit and at rest
- #14 Allow users to cut and paste into the password field, to allow for use of password managers.
- #15 All connection strings, hashes, passwords and other secrets must be kept in a secret store.
- Reasons Secrets Need Management
- Secret Management Best Practices
- What are 'secrets'?
- #16 Hash and salt all passwords.
- #17 Keep your stuff up to date!
- A special note on APIs
- API Security Best Practices - Checklist
- We did it!
- 17 Commandments - PDF Checklist!
4
PCI DSS - for Devs!
- What is PCI and why do we need to be compliant?
- PCI Compliance - Jump Start!
- PCI DSS #1 - Firewalls
- PCI DSS #2 - Reset Default Passwords
- PCI DSS #3 - Protect stored cardholder data
- PCI DSS #4 - Encrypt transmission of cardholder data
- PCI DSS #5 - Use Antivirus Software
- PCI DSS #6 - Develop and Maintain Secure Systems and Applications
- PCI DSS #7 - Restrict access to cardholder data
- PCI DSS #8 - Assign a unique ID to each person
- PCI DSS #9 - Restrict physical access to cardholder data
- PCI DSS #10 - Track and monitor access to network and data
- PCI DSS #11 - Regular Security Testing
- PCI DSS #12 - Maintain a policy that addresses information security
- PCI DSS - for Devs - The PDF!
5
The OWASP Top Ten and other Common Pitfalls
- Common Vulnerabilities
  FREE PREVIEW
- What is 'OWASP'? What is the 'Top Ten'?
  FREE PREVIEW
- A1: Injection
- A2: Broken Authentication
- A3: Sensitive Data Exposure
- A4: XML External Entities (XXE)
- A5: Broken Access Control
- A6: Security Misconfiguration
- A7: Cross Site Scripting (XSS)
- A8: Insecure Deserialization
- A9: Using Components with Known Vulnerabilities
- A:10 Insufficient Logging and Monitoring
- More! Important stuff that is not in the OWASP Top Ten
- Buffer Overflows
- Insecure Cryptographic Storage
- Insecure Communications
- Improper Error Handling
- Cross Site Request Forgery (CSRF)
- Quiz: Common Pitfalls
6
Conclusion and Resources
- Key Take Aways
- Awesome Books
- Community Resources
- Thank You!
- Feedback to help us be better

Secure Coding Course

What's in this course?

Secure Coding Virtual Live Training

Course curriculum

Introduction to Secure Coding - The Basics

Secure SDLC & Application Security Program

Secure Coding Basics

PCI DSS - for Devs!

The OWASP Top Ten and other Common Pitfalls

Conclusion and Resources