secure-sw-dev-fundamentals: Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
Part I: Requirements, Design, and Reuse
Motivation: Why Is It Important to Secure Software?
Motivation: Why Take This course?
What Does “Security” Mean?
What Is Privacy and Why It Is Important
Development Processes / Defense-in-Breadth
What Are Security Design Principles?
Widely-Recommended Secure Design Principles
Complete Mediation (Non-Bypassability)
The Rest of the Saltzer & Schroeder Design Principles
Reusing External Software
Basics of Reusing Software
Selecting (Evaluating) Open Source Software
Downloading and Installing Reusable Software
Input Validation Basics Introduction
How Do You Validate Input?
Input Validation: Numbers and Text
Input Validation: A Few Simple Data Types
Sidequest: Text, Unicode, and Locales
Introduction to Regular Expressions
Using Regular Expressions for Text Input Validation
Countering ReDoS Attacks on Regular Expressions
Input Validation: Beyond Numbers and Text
Input Data Structures (XML, HTML, CSV, JSON, & File Uploads)
Minimizing Attack Surface, Identification, Authentication, and Authorization
Search Paths and Environment Variables (including setuid/setgid Programs)
Special Inputs: Secure Defaults and Secure Startup
Consider Availability on All Inputs
Consider Availability on All Inputs Introduction
Processing Data Securely: General Issues
Prefer Trusted Data. Treat Untrusted Data as Dangerous
Avoid Default & Hardcoded Credentials
Avoid Incorrect Conversion or Cast
Processing Data Securely: Undefined Behavior / Memory Safety
Countering Out-of-Bounds Reads and Writes (Buffer Overflow)
Double-free, Use-after-free, and Missing Release
Processing Data Securely: Calculate Correctly
Avoid Integer Overflow, Wraparound, and Underflow
Introduction to Securely Calling Programs
Introduction to Securely Calling Programs - The Basics
Calling Other Programs: Injection and Filenames
SQL Injection Vulnerability
SQL Injection: Parameterized Statements
SQL Injection: DBMS (Server) side vs. Application (client) side
SQL Injection: Alternatives to Parameterized Statements
OS Command (Shell) injection
Filenames (Including Path Traversal and Link Following)
Calling Other Programs: Other Issues
Call APIs for Programs and Check What Is Returned
Countering Denial-of-Service (DoS) Attacks
Introduction to Sending Output
Countering Cross-Site Scripting (XSS)
Content Security Policy (CSP)
Other HTTP Hardening Headers
Open Redirects and Forwards
HTML target and JavaScript window.open()
Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF)
Same-Origin Policy and Cross-Origin Resource Sharing (CORS)
Format Strings and Templates
Minimize Feedback / Information Exposure
Avoid caching sensitive information
Part III: Verification and More Specialized Topics
Software Composition Analysis (SCA)/Dependency Analysis
Dynamic Analysis Overview
Other Verification Topics
Combining Verification Approaches
Threat Modeling/Attack Modeling
Introduction to Threat Modeling
Introduction to Cryptography
Symmetric/Shared Key Encryption Algorithms
Cryptographic Hashes (Digital Fingerprints)
Public-Key (Asymmetric) Cryptography
Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
Transport Layer Security (TLS)
Other Topics in Cryptography
Vulnerability Disclosures
Receiving Vulnerability Reports
Respond To and Fix the Vulnerability in a Timely Way
Sending Vulnerability Reports to Others
Harden the Development Environment (Including Build and CI/CD Pipeline) & Distribution Environment
Distributing, Fielding/Deploying, Operations, and Disposal
Artificial Intelligence (AI), Machine Learning (ML), and Security
Part IV: Supporting Materials Not Part of the Course
OWASP Top 10 and CWE Top 25
OWASP Top 10 (2017 edition)
CWE Top 25 (2019 edition)