Seminar / Kurs : CASEC-JAWS - Cloud application security in Java for AWS - Classroom Training

CASEC-JAWS - Cloud application security in Java for AWS - Classroom Training - English - Seminar / Kurs von Fast Lane Institute for Knowledge Transfer

Inhalte

Day 1

Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types – the CIA triad
- Cyber security threat types – the STRIDE model
- Consequences of insecure software
Cloud security basics
- Cloud infrastructure basics
- The Cloud Cube Model and Zero Trust Architecture
The OWASP Top Ten 2021
- The OWASP Top 10 2021
- A01 - Broken Access Control
  - Access control basics
  - Failure to restrict URL access
  - Confused deputy
  - File upload
  - Open redirects and forwards
  - Cross-site Request Forgery (CSRF)
- A02 - Cryptographic Failures
  - Information exposure
  - Cryptography for developers
Day 2
- A02 - Cryptographic Failures (continued)
  - Cryptography for developers
  - Transport security
- A03 - Injection
  - Injection principles
  - Injection attacks
  - SQL injection
  - NoSQL injection
  - Parameter manipulation
  - Code injection
  - HTML injection - Cross-site scripting (XSS)
Day 3
- A04 - Insecure Design
  - The STRIDE model of threats
  - Secure design principles of Saltzer and Schroeder
  - Client-side security
- A05 - Security Misconfiguration
  - Configuration principles
  - Server misconfiguration
  - AWS configuration best practices
  - Cookie security
  - XML entities
- A06 - Vulnerable and Outdated Components
  - Using vulnerable components
  - Assessing the environment
  - Hardening
  - Untrusted functionality import
  - Vulnerability management
- A07 - Identification and Authentication Failures
  - Authentication
  - Session management
  - Identity and access management (IAM)
Day 4
- A07 - Identification and Authentication Failures (continued)
  - Password management
- A08 - Software and Data Integrity Failures
  - Integrity protection
  - Subresource integrity
  - Insecure deserialization
- A09 - Security Logging and Monitoring Failures
  - Logging and monitoring principles
  - Log forging
  - Log forging – best practices
  - Case study – Log interpolation in log4j
  - Case study – The Log4Shell vulnerability (CVE-2021-44228)
  - Case study – Log4Shell follow-ups (CVE-2021-45046, CVE-2021-45105)
  - Lab – Log4Shell
  - Logging best practices
  - Detection and monitoring
- A10 - Server-side Request Forgery (SSRF)
  - Server-side Request Forgery (SSRF)
  - Case study – SSRF and the Capital One breach
Cloud securityAWS security
- Security considerations
- Data security in the cloud
Day 5Cloud security
- Container security
  - Container security concerns
  - Containerization, virtualization and security
  - The attack surface
  - Docker security
  - Kubernetes security

The OWASP Top Ten 2021

Web application security beyond the Top Ten

Code quality
Denial of service

Input validation

Input validation principles
Denylists and allowlists
What to validate – the attack surface
Where to validate – defense in depth
When to validate – validation vs transformations
Validation with regex
Integer handling problems
- Representing signed numbers
- Integer visualization
- Integer overflow
- Lab – Integer overflow
- Signed / unsigned confusion in Java
- Case study – The Stockholm Stock Exchange
- Integer truncation
- Best practices
Files and streams
- Path traversal
- Lab – Path traversal
- Path traversal-related examples
- Additional challenges in Windows
- Virtual resources
- Path traversal best practices
- Lab – Path canonicalization
Unsafe reflection
- Reflection without validation
- Lab – Unsafe reflection
Unsafe native code
- Native code dependence
- Lab – Unsafe native code
- Best practices for dealing with native code

Wrap up

Secure coding principles
And now what?

Day 1

Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types – the CIA triad
- Cyber security threat types – the STRIDE model
- Consequences of insecure software
Cloud security ba ...

Mehr Informationen >>

Lernziele