September 5, 2022 to September 8, 2022
10:00 / 14:00
GN4-3 WP9 - Task 2: Software Governance & Support
Gerard Frankowski, Mikołaj Dobski, Paweł Berus, Dawid Kuliński
4 days, 4 hours a day, virtual training
The Secure Code Training (SCT) offers intensive hands-on training on secure software development.
In this 12th edition of the SCT we concentrate on the proper handling of data sent to the applications you develop: application security with data validation and fuzz testing as the two key topics. While data validation has been a recurring theme throughout our Secure Code Trainings, this year the data validation content is structured around the OWASP Application Security Verification Standard (ASVS).
The workshop combines best practices, frameworks such as OWASP ASVS, models that let development teams fit security into a continuous integration/continuous delivery (CI/CD) workflow and the Secure Development Life Cycle paradigm, tools such as Static Application Security Testing (SAST), and hands-on exercises in the fuzz testing workshops, where you will learn to apply fuzzing to find data validation errors that review and static analysis miss. In the traditional HackMe workshop you will exploit a deliberately vulnerable application yourself, applying the standards we teach.
The workshop has been designed for developers in the GÉANT project who need to produce secure software, and for security specialists who want to look at application security from a development perspective. To take part successfully in the hands-on exercises, participants should have coding skills as a minimum and preferably understand the principles of the most common software development
- A short reminder – what is OWASP ASVS?
- Future development plans of the standard
- Why cover V5 and V6 this year?
- ASVS as a source of security requirements for arbitrary systems and applications.
Fuzz testing (part 1) – Introduction and basic concepts
Introduction to fuzzing (aka fuzz testing) – where fuzzing fits in the SDLC
- General concept
- What to fuzz?
- Black-box vs. coverage-guided fuzzing
- Fuzzing success stories
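The difference between black-box and coverage-guided fuzzing is easiest to see on a target where the bug needs two independent changes to the input. The following is an added example written for this page, not material from the SCT course or from any fuzzing tool it presents: the record parser, its deliberately planted bug (a type-0x02 branch that trusts the declared length), the seed input and the mutation operators are all constructed for illustration. Coverage is collected with `sys.settrace` on the parser's own line numbers, which is the same feedback idea that coverage-guided fuzzers such as AFL or libFuzzer get from compile-time instrumentation.

```python
"""Minimal mutation fuzzer: black-box vs. coverage-guided (added example)."""
import random
import sys


# Constructed target: a toy length-prefixed record parser.
# Layout: magic 0x47 ('G') | type | length | payload (length bytes).
# The type-0x02 branch contains a deliberate, constructed bug: it trusts the
# declared length and indexes past a short payload, raising IndexError.
def parse_record(data: bytes) -> dict:
    if len(data) < 3 or data[0] != 0x47:
        raise ValueError("bad magic or truncated header")
    rtype, length = data[1], data[2]
    payload = data[3:3 + length]
    if rtype == 0x01:
        return {"type": "text", "payload": payload.decode("ascii", "replace")}
    if rtype == 0x02:
        checksum = payload[length - 1] ^ 0xFF  # BUG: no check that length <= len(payload)
        return {"type": "bin", "checksum": checksum}
    raise ValueError("unknown record type")


SEED = b"G\x01\x03abc"  # one valid text record, the whole seed corpus (constructed)
INTERESTING = [0x00, 0x01, 0x02, 0x7F, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply exactly one random byte-level mutation (a simplified havoc stage)."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                       # overwrite a byte with a random value
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:                     # overwrite a byte with an "interesting" value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                             # insert a random byte
        buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    elif op == 3 and buf:                     # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run_with_coverage(target, data: bytes):
    """Run target(data); return (crashed, set of target line numbers executed).
    ValueError is the parser's own rejection; anything else counts as a crash."""
    lines, code = set(), target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except ValueError:
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return crashed, frozenset(lines)


def fuzz(target, seeds, iterations, coverage_guided, seed=1):
    """Mutate corpus entries; in coverage-guided mode keep every input that
    reaches a target line no earlier input reached. Stops at the first crash."""
    rng = random.Random(seed)
    corpus, seen = list(seeds), set()
    for s in corpus:
        seen |= run_with_coverage(target, s)[1]
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        crashed, cov = run_with_coverage(target, child)
        if crashed:
            return {"crash": child, "iterations": i, "corpus_size": len(corpus)}
        if coverage_guided and not cov <= seen:
            seen |= cov
            corpus.append(child)
    return {"crash": None, "iterations": iterations, "corpus_size": len(corpus)}


if __name__ == "__main__":
    for guided in (False, True):
        result = fuzz(parse_record, [SEED], 5000, coverage_guided=guided)
        print("coverage-guided" if guided else "black-box", result)
```

Reaching the bug needs the type byte changed to 0x02 and, separately, the declared length made larger than the payload. A single mutation of the seed can never do both, so the black-box run keeps mutating the one seed and reports no crash after 5000 iterations. The coverage-guided run notices that an input with type 0x02 executes new parser lines, keeps it in the corpus, and a later mutation of that input (deleting a payload byte or rewriting the length byte) triggers the IndexError. Stacking several mutations per iteration would let the black-box run chain the two changes eventually, but the feedback loop is what makes progress cumulative rather than lucky.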
Fuzz testing (part 2) – Overview of selected tools and short workshop introduction
Presentation of the dedicated fuzzing tools, platforms and frameworks, e.g.:
- Grizzly (Mozilla's browser fuzzing framework)
Value your time, save your budget, sleep better!
This series of talks introduces, describes and provides you with real-life stories of how mission-critical code was developed with the focus not only on features, but on delivering them secure out of the box. We will show you why and how to build security into your software from the very beginning of its design, through development and finally into maintenance.
Validation, Sanitization and Encoding
An extended introduction to the HackMe contest, presenting in detail the knowledge that is not only crucial for secure coders but will also be necessary to capture the HackMe flags!
OWASP ASVS V5 – Validation, Sanitization and Encoding:
- V5.1 Input Validation
- V5.2 Sanitization and Sandboxing
- V5.3 Output Encoding and Injection Prevention
- V5.4 Memory, String and Unmanaged Code
- V5.5 Deserialization Prevention
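The chapters above separate three things that are often conflated: validating input (V5.1), and then encoding or parameterising it for the context in which it is used (V5.3). The following is an added example for this page, not code from the training or from OWASP: the display-name allow-list policy, the table layout and the sample names are constructed for illustration. It shows why allow-list validation and output handling are both needed: a legitimately allowed apostrophe passes validation and still breaks (or, without the allow-list, alters) a query built by string formatting, while the HTML-encoded and parameterised paths handle it as data.

```python
"""ASVS V5 in miniature: allow-list validation, then context-specific output
encoding and parameterised queries (added example)."""
import html
import re
import sqlite3
import unicodedata

# Allow-list for a "display name" field (constructed policy for this example):
# letters, digits, space, dot, underscore, apostrophe, hyphen; 1-32 characters.
# The apostrophe is deliberately allowed (O'Brien is a valid name), which is
# exactly why validation alone does not make the value safe for HTML or SQL.
NAME_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,32}")


class ValidationError(ValueError):
    pass


def validate_display_name(raw) -> str:
    """V5.1: reject anything outside the allow-list. Canonicalise (Unicode NFC,
    surrounding whitespace) first, so the check and every later use see the
    same value."""
    if not isinstance(raw, str):
        raise ValidationError("string expected")
    value = unicodedata.normalize("NFC", raw).strip()
    if not NAME_RE.fullmatch(value):
        raise ValidationError("display name has disallowed characters or length")
    return value


def html_text(value: str) -> str:
    """V5.3: encode at output time for the HTML context. quote=True also
    escapes ' and ", so the result is safe inside attribute values too."""
    return html.escape(value, quote=True)


def render_greeting(raw) -> str:
    """Validate on input, encode on output: both, not one or the other."""
    return "<p>Hello, {}</p>".format(html_text(validate_display_name(raw)))


def new_db() -> sqlite3.Connection:
    """In-memory SQLite database with one constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    return conn


def lookup_unsafe(conn, name: str):
    """Anti-pattern: SQL text assembled from data. A validated apostrophe is
    enough to break the statement; without the allow-list it could change it."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchone()


def store_and_lookup(conn, name: str) -> str:
    """V5.3 injection prevention: bound parameters keep the value as data."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]


if __name__ == "__main__":
    conn = new_db()
    name = validate_display_name("Ann-Marie O'Brien")
    print(render_greeting(name))          # <p>Hello, Ann-Marie O&#x27;Brien</p>
    print(store_and_lookup(conn, name))   # Ann-Marie O'Brien
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        print("string-built query failed:", exc)
    for bad in ("<script>alert(1)</script>", "x' OR '1'='1", "", "a" * 33):
        try:
            validate_display_name(bad)
        except ValidationError as exc:
            print("rejected:", repr(bad), "->", exc)
```

Note that the encoding step lives next to the output, not next to the input: the same validated name goes into HTML via `html_text` and into SQL via a bound parameter, and each sink applies its own rule. Storing a pre-escaped value would couple the database to one output context and break the other.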
Writing Hacker Proof Code – Data Protection
OWASP ASVS V8 – Data Protection
- V8.1 General Data Protection
- V8.2 Client-Side Data Protection
- V8.3 Sensitive Private Data
Information on several tools for static source code review (SAST, Static Application Security Testing) that are available free of charge and run on different operating systems. Examples of the tools covered include cppcheck (C/C++), Bandit (Python) and VCG (VisualCodeGrepper, multi-language). Additionally, catalogues of SAST tools will be presented.
Preparations and instructions
Introduction to the HackMe contest – presentation of the test application, verifying access, explanation of the tasks to be done during the contest.
A good way of verifying the knowledge about security issues gained during the training is to try to exploit those issues in practice. The HackMe application lets participants exploit common web application security problems, capture a flag for each successfully exploited vulnerability and add points to their account.
Walkthrough of the HackMe tasks and presentation of the intended solutions. Summary of the results and announcement of the best SCT22 hacker, who will receive a winner's certificate and a prize.
The full training agenda is available on the SCT22 wiki.
How to take part in SCT
- Get approval from your organisation/WP leader for the time spent on these trainings (4-5 hours each day)
- To register click below. Please note that spaces are limited!
- A link to the training platforms will be provided before the start
- BYOL (Bring Your Own Laptop) workshops. Fluent English is also expected! Participants should have practical knowledge of the programming languages covered by the particular part.
- Read our Quick Tips to get as much as possible out of online training
Participants should have practical knowledge of their primary programming language(s).
Who should attend?
This training is primarily targeted to software developers and security specialists from NRENs participating in the GÉANT Project.
Not a Project participant? Leave your interest and inquiry with firstname.lastname@example.org
About SCT training
Secure Code Training is organised and hosted by the GÉANT project Software Governance and Support team. The workshops focus specifically on methodologies for writing secure software and are freely available to the GÉANT project NREN community. The Secure Code Training covers the areas that affect the development and analysis of an application's source code. SCT presentations and recordings are available to GÉANT project members and affiliated NRENs and can be accessed on the relevant SCT wiki.