WA3358
Security Fundamentals for Software Engineers Training
This Security fundamentals course covers basic security concepts and more advanced topics, such as threat modeling and risk management. By the end of this course, students understand the principles of information security, apply security concepts to real-world situations, implement security controls to protect information assets, evaluate the security of information systems, and manage information security risks.
Course Details
Duration
3 days
Prerequisites
- Basic to advanced programming skills in a common development language such as but not limited to C, Java, JavaScript, or Python
- Understanding of the software development lifecycle
Target Audience
- New software developers
- Experienced software developers needing security concepts
- Software development managers
- Database and data analysts tasked with development support
Skills Gained
- Understand fundamental security principles
- Apply the Zero Trust model to enhance security
- Mitigate the OWASP Top 10 web application vulnerabilities
- Apply encryption and decryption techniques to protect data
- Implement secure authentication and authorization mechanisms
- Manage identities and privileged accounts effectively
- Securely manage and protect sensitive information
- Implement security best practices specific to the MERN stack
- Adopt a proactive security mindset throughout the development lifecycle
Course Outline
- Security Concepts
- Introduction
- CIA Triad
- Confidentiality
- Integrity
- Availability
- Identification
- Authentication, Authorization, and Accounting (AAA)
- Principle of Least Privilege
- Separation of Duties
- Non-repudiation
- Defense in Depth
- Defense in Depth as a Developer
- Software Security Terminology
- Software Security Terminology
- Common Threats
- Common Attacks
- Zero Trust
- Zero Trust Core Principles
- Never Trust, Always Verify
- Assume Breach
- Apply Least-privilege
- The Zero Trust Maturity Model
- Identities
- Devices
- Network
- Applications and Workloads
- Data
- Zero Trust and Developers
- OWASP Top Ten
- The OWASP Top Ten
- OWASP Top 10
- OWASP Testing Framework
- 2021 OWASP Top 10 Details
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity (XXE)
- Broken Access Control
- Security Misconfigurations
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Insuficient Logging & Monitoring
- Encryption and Decryption
- Encryption and Decryption
- Three Key Ideas
- Terminology
- Cryptographic Terminology
- Symmetric Encryption
- Some Common Symmetric Algorithms
- Asymmetric Encryption
- Common Asymmetric Algorithms
- Hashing
- Secure Hashing Algorithm
- Public Key Infrastructure
- Digital Certificates
- Certificate Authorities
- X.509 Certificates
- Parts of a certificate
- Secure Sockets Layer/Transport Security Layer
- SSL (TLS) Certificate
- HTTPS
- HTTPS Provides
- How does HTTPS work?
- HTTPS and Certificates
- Digital Signatures
- Code-signing Certificates
- Authentication and Authorization
- What is Authentication?
- Authentication Factors
- Authentication vs. Authorization
- Introduction to Single Sign-On (SSO)
- SSO Workflow
- Single Logout (SLO)
- Advantages of SSO
- Implementing SSO for MERN Stack
- Choose an SSO provider
- Authentication and Authorization in MERN
- Integrate SSO into your application
- Test and secure your SSO implementation:
- OAuth 2
- OAuth Roles
- OAuth Protocol Flow
- OpenID Connect
- OpenID Connect
- IAM and PAM
- Identity and Access Management (IAM)
- Privileged Account Management (PAM)
- PAM User Audience
- PAM Access Control
- PAM and IAM Compared
- IAM Tools and Libraries
- PAM Tools and Libraries
- Secrets Management
- Secrets Management Guidelines
- Separate Secrets from Source Code
- Use a Secure Configuration Approach
- Employ Encryption for Secrets
- Utilize Secrets Management Tools
- Follow Security Best Practices
- JSON Web Tokens
- JSON Web Tokens (JWT)
- JWT Guidelines
- JSON Web Tokens Best Practices
- Signing JWTs
- Signing Tokens
- JWT Dos
- JWT Don’ts
- Risk Management, Governance, and Compliance
- Secure Architecture and Design General Principles
- Secure Architecture and Design for MERN Principles
- Supply Chain Security
- NIST Cybersecurity Framework
- Identify
- Protect
- Detect
- Respond
- Recover
- Open-source Vulnerability Management
- Data Classification and Protection
- Classification Controls
- Define and Document
- Travelers Data Classifications
- Restricted information
- Regulated Personal Information
- Confidential information
- Internal information
- Public information
- Threat Modeling
- Basic Steps
- STRIDE Overview
- DREAD Risk Assessment
- Data flow
- MongoDB Security Best Practices
- Use strong authentication mechanisms:
- Limit remote access
- Implement role-based access control
- Encrypt your data
- Keep MongoDB up to date
- Implement proper input validation
- Enable auditing and monitoring
- Encrypting Data in MongoDB
- What are HTTP Security Headers?
- helmet.js
- Why Use helmet.js?
- Installing helmet.js
- Implementing helmet.js
- Content Security Policy (CSP)
- X-XSS-Protection and X-Frame-Options
- React Security Best Practices
- The React Virtual DOM is not enough
- Regularly update third-party packages and dependencies
- Encrypt sensitive data
- Implement authentication and authorization
- Validate and sanitize user input
- Protect against cross-site scripting (XSS) attacks
- Securely handle session management
- Implement secure communication
- Follow React security best practices
- Keep your code modular and readable
- Perform security testing
- Node Security Best Practices
- Node in the application flow
- Regularly update packages and dependencies
- Encrypt sensitive data
- Implement secure authentication
- Use security linters and scanners
- Secure transmission of data
- Control access and permissions
- Validate and sanitize user input
- Implement logging and monitoring
- Perform security testing
- Follow security best practices for the entire MERN stack
- Security is a PROCESS
