Migrating to the cloud brings immense benefits for companies and individuals in terms of efficiency and cost. With respect to security, the effects are quite diverse, but it is a common perception that using cloud services impacts security in a positive manner. Opinions, however, frequently diverge even on who is responsible for ensuring the security of cloud resources. Covering IaaS, PaaS and SaaS.
Description
Module 1: IT security and secure coding
Lessons:
- Nature of security
- What is risk?
- IT security vs. secure coding
- From vulnerabilities to botnets and cybercrime
- Nature of security flaws
- From an infected computer to targeted attacks
- The Seven Pernicious Kingdoms
- OWASP Top Ten 2017
Module 2: Cloud security basics
Lessons:
- Introduction to cloud security
- What makes cloud applications different?
- Cloud delivery models and security
- Public and private clouds
- Security challenges in the cloud
Module 3: Threats and risks in the clouds
Lessons:
- Requirements and threats of cloud computing
- The Jericho Cloud Cube model
- The Jericho Cloud Cube model – Requirements specification
- Cloud deployment models vs risks
- Threat modeling
- Attacker profiles
- Main attacker profiles in the cloud
- Threat modeling
- Threat modeling based on attack trees
- Threat modeling based on misuse/abuse cases
- Misuse/abuse cases – a simple example
- SDL threat modeling
- The STRIDE threat categories
- Diagramming – elements of a DFD
- Data flow diagram – example
- Threat enumeration – mapping STRIDE to DFD elements
- Risk analysis – classification of threats
- Standard mitigation techniques of MS SDL
- Cloud-specific threats
- Cloud abuse by the attackers
- Insider threats – malicious other tenants
- Problems stemming from virtualization
- Elevation of privilege
- Leakage of sensitive information
- Hard coded secrets
- Exercise – Hard coded passwords
- Intellectual property exposure
- Insecure delegation
Module 4: Cloud security solutions
Lessons:
- Container security
- Virtualization techniques
- Containers vs. VMs
- Evolution of process isolation
- POSIX capabilities
- Linux Containers – LXC
- Docker
- Linking Docker containers
- Docker and POSIX capabilities
- Docker API
- Docker container related threats
- Docker best practices
- XML security
- Introduction
- XML parsing
- XML injection
- (Ab)using CDATA to store XSS payload in XML
- Exercise – XML injection
- Protection through sanitization and XML validation
- XML bomb
- Exercise – XML bomb
Module 5: Practical cryptography
Lessons:
- Rule #1 of implementing cryptography
- Cryptosystems
- Elements of a cryptosystem
- Symmetric-key cryptography
- Providing confidentiality with symmetric cryptography
- Symmetric encryption algorithms
- Modes of operation
- Other cryptographic algorithms
- Hash or message digest
- Hash algorithms
- SHAttered
- Message Authentication Code (MAC)
- Providing integrity and authenticity with a symmetric key
- Random number generation
- Random numbers and cryptography
- Cryptographically-strong PRNGs
- Hardware-based TRNGs
- Testing random number generators
- Asymmetric (public-key) cryptography
- Providing confidentiality with public-key encryption
- Rule of thumb – possession of private key
- Combining symmetric and asymmetric algorithms
- Public Key Infrastructure (PKI)
- Man-in-the-Middle (MitM) attack
- Digital certificates against MitM attack
- Certificate Authorities in Public Key Infrastructure
- X.509 digital certificate
Module 6: Web application security
Lessons:
- Injection
- Injection principles
- SQL injection
- Exercise – SQL injection
- Typical SQL Injection attack methods
- Blind and time-based SQL injection
- SQL injection protection methods
- Detecting SQL Injection
- Detecting SQL Injection – Typical tests
- Detecting SQL Injection – Bypass defenses
- Other injection flaws
- Command injection
- Detecting command injection
- Case study – ImageMagick
- Broken authentication
- Session handling threats
- Session handling best practices
- Setting cookie attributes – best practices
- XML external entity (XXE)
- XML Entity introduction
- XML external entity attack (XXE) – resource inclusion
- XML external entity attack – URL invocation
- XML external entity attack – parameter entities
- Exercise – XXE attack
- Case study – XXE in Google Toolbar
- Cross-Site Scripting (XSS)
- Persistent XSS
- Reflected XSS
- DOM-based XSS
- Exercise – Cross Site Scripting
- XSS prevention
- Detecting XSS vulnerabilities
- Bypassing XSS filters
Module 7: Denial of service
Lessons:
- DoS introduction
- Economic Denial of Sustainability (EDoS)
- Asymmetric DoS
- Regular expression DoS (ReDoS)
- Exercise – ReDoS
- ReDoS mitigation
- Case study – ReDoS in Stack Exchange
- Hashtable collision attack
- Using hashtables to store data
- Hashtable collision
- Hashtable collision in Java
Module 8: Input validation
Lessons:
- Input validation concepts
- Integer problems
- Representation of negative integers
- Integer overflow
- Exercise – IntOverflow
- What is the value of Math.abs(Integer.MIN_VALUE)?
- Integer problem – best practices
- Avoiding arithmetic overflow – addition
- Avoiding arithmetic overflow – multiplication
- Detecting arithmetic overflow in Java 8
- Exercise – Using addExact() in Java
- Testing for integer problems
- Path traversal vulnerability
- Path traversal – weak protections
- Path traversal – best practices
- Unvalidated redirects and forwards
- Log forging
- Some other typical problems with log files
Module 9: Data security in the cloud
Lessons:
- Data at rest and in motion
- Data security lifecycle in the cloud
- Controls for data at rest
- Controls for data in motion
- NoSQL security
- NoSQL introduction
- NoSQL attack vectors
- NoSQL authentication issues
- MongoDB security
- MongoDB introduction
- MongoDB security architecture and features
- Authentication and access control
- Document validation in MongoDB
- Securing MongoDB communication via TLS
- Secure configuration and hardening
- Typical MongoDB security issues
- NoSQL injection in MongoDB
- Exercise – MongoDB NoSQL injection
- Preventing NoSQL injection – Mongoose
- Case studies: some past MongoDB weaknesses and vulnerabilities
Module 10: Security audit in the cloud
Lessons:
- Functional testing vs. security testing
- Security vulnerabilities
- Prioritization – risk analysis
- Security testing techniques and tools
- General testing approaches
Module 11: Dynamic security testing
Lessons:
- Manual vs. automated security testing
- Web vulnerability scanners
- Exercise – Using a vulnerability scanner
- SQL injection tools
- Exercise – Using SQL injection tools
Module 12: Securing the cloud environment
Lessons:
- Assessing the environment
- Patch and vulnerability management
- Patch management
- Insecure APIs in the cloud
- Vulnerability repositories
- Vulnerability attributes
- Common Vulnerability Scoring System – CVSS
- Vulnerability management software
- Exercise – checking for vulnerable packages
- Case study – Shellshock
- Shellshock – basics of using functions in bash
- Shellshock – vulnerability in bash
- Exercise – Shellshock
- Shellshock fix and counterattacks
- Exercise – Command override with environment variables
Module 13: Knowledge sources
Lessons:
- Secure coding sources – a starter kit
- Vulnerability databases
- Recommended books – cloud security
Audience Profile
Developers, architects and testers of cloud applications
Prerequisites
Cloud computing, software development