DES 722: CWE/SANS Top 25 - Threats & Mitigations
This course covers in detail the CWE/SANS Top 25 Most Dangerous Programming Errors, which comprise weaknesses in all types of software applications: Web, Operating System, Mobile, Embedded, Desktop, etc. It is structured in a "teach then do" format that combines instructor-led training with hands-on labs, in which students implement what they have learned with assistance from the instructor.
The two-day baseline class is designed for all software development stakeholders and focuses on gaining a solid understanding of each of the Top 25 Most Dangerous Software Errors.
There are two optional follow-up sessions - one for Developers and one for Testers:
- The Developer-focused day recaps the Top 25 and goes into more detailed code examples of each vulnerability.
- The Tester-focused day includes demonstrations and a hands-on lab in which students attack a vulnerable website using the Common Attack Patterns related to the Top 25. It also includes exercises on how to identify and exploit the vulnerabilities, along with remediation recommendations.
Specific topics covered include:
- Detailed description of each of the Top 25 software weaknesses, with demonstrations and code examples
- Discussion of detection methods for the Top 25, including an introduction to tools such as Burp Proxy Suite
- Leveraging threat modeling to better understand potential attack frequency and attacker methods
- Other weaknesses that did not make the Top 25 list but are important to know about
- Attack patterns for each weakness
Upon completion of the two-day course, students will be able to:
- Recognize the attributes and causes of each CWE/SANS dangerous programming error
- Understand the practices that help prevent the most common mistakes and lead to the prevention of CWE/SANS coding errors
- Recognize how these software security defects/weaknesses can be exploited
- Apply testing techniques to discover weaknesses
The Top 25 Most Dangerous Software Errors
This module is the heart of the course and provides comprehensive details on each of the Top 25 including:
- What the error is, the risk it carries, and how an attacker can exploit it
- Testing considerations and how to detect the error
- Mitigations, countermeasures and common defenses
The Top 25 are divided into these categories to facilitate discussion and demonstration:
- Injection Issues
- Authentication/Authorization Issues
- Untrusted Input
- Buffer Overflows
- Poor Programming
- Broken or Missing Cryptography
This module includes code samples of poorly written code, as well as real-world examples of exploit techniques. Additionally, the instructor will briefly discuss software errors that were considered for inclusion in the Top 25 but did not make the final list.
Optional Developer-focus Day
This module focuses on key software security development principles and presents six essential security-engineering practices that will help developers build more secure and robust applications.
Optional Tester-focus Day
This module starts with an overview of security test tools and browser-based proxies for testing web applications. The remainder of the day is spent in a hands-on lab that allows students to conduct attacks on a vulnerable web application. The instructor will take the theoretical discussion from the previous days and turn it into a practical testing experience. This module covers the following topics:
- Data Leakage/Information Exposure Issues
- Injection Attacks
- Modification of Assumed Immutable Data (MAID) Attacks
- Authentication Issues
- Poor Configuration
- Automated Assessments