Hello and welcome to the Cybrary IT Secure Coding course. My name is Sunny Wear, and we will be going on this journey together, learning about secure coding techniques as well as how the attacks are done
and the appropriate mitigations and countermeasures that we can put into our application code. So our agenda for this course is: first, there'll be this introduction, which is what you're watching now.
Then we're going to have some additional videos that go through the lab setup,
some demonstrations of some tools that we're going to use, and then a very short description of the vulnerable web applications we'll be using.
We will be covering the OWASP Top 10 for 2013, and we're going to be spending a lot of time in those categories.
Likewise, we're going to cover the SANS Top 25 items,
particularly the areas that are not covered in OWASP.
We'll briefly look at some active defense techniques, and then we'll finish up the course with some threat modeling.
Now first, just to let you know a little bit of background about myself: I come from a programming and architectural background over the past 20 years.
I have also authored several security books; one of the books you could actually use as a textbook to complement the material that we're going to be going through in this class.
The title of the book is Secure Coding Field Manual, and it is available on Amazon.
If you would like to contact me, you can reach me at my Twitter account. That's Sunny Wear.
So why should we learn secure coding in the first place? Well, obviously, we know that we need to protect our applications,
which of course contain our intellectual property.
And there are many, many reasons why we can get into protecting those applications,
anything from business reputation to basically making sure that our company stays in business, that we have our jobs.
And then, of course, there are government mandates, in particular regulations that are now requiring organizations to provide secure code training to their developers.
So what exactly are the risks that we're trying to address as we cover this material?
Mainly, in a nutshell, we're trying to address exploitable code. Now, exploitable code could be the result of various things. Two of the main areas would be defects or malware. Obviously, defects are unintended.
These are programming bugs
that programmers make and that inadvertently create exposure points inside of their code. And then, of course, malware would be that intentional vulnerability, something injected into the code to make it exploitable. So what exactly are we going to cover?
We will cover the OWASP Top 10 for 2013. We will also cover the CWE/SANS Top 25 for 2011.
Now, as we go through each section,
there will be case studies that we'll talk about.
Also, there are going to be lots of demos of the exploits and mitigations; we'll try to show you some code for the mitigations as we go through those.
And then each module will have a hands-on lab where you actually need to perform the exploit against a vulnerable web application.
Now, we might be using Burp Suite quite a bit. There are also some browser-embedded plug-ins that we'll be using, or that you can use if you feel more comfortable.
Also, we're going to cover some of the CERT secure coding standards. Now there are tons of these, and so I've only picked out a handful to sprinkle in with our material, basically to provide some additional clarification, and then we'll go into some threat modeling.
So the OWASP Top 10 for 2013: we're going to go through this list extensively, and then the SANS CWE Top 25.
Basically, we are going to cover all of the categories that are not previously covered in the OWASP section,
so I'm listing them out here for your viewing. But realize we'll go into each one of these in depth.
Now, there are three main categories that I've broken the material up for the SANS Top 25 into.
The categories include insecure interaction between components, risky resource management, and porous defenses.
If we were to take a look at a definition for each one of those, we can see that insecure interaction between components
is exactly that: you've got some sort of weakness that can occur
during the exchange of information or data, or in the interaction of components or modules or programs together. Risky resource management
has to do with the handling of your system resources, and some sort of weakness there.
Now, porous defenses: this is where we have programmers that actually do put some sort of defensive technique in place, but unfortunately it's not done correctly or it's misunderstood.
If you were to try to compare the two lists together, you would realize just how huge the CWE/SANS listing is. They have over some 700 vulnerabilities,
or software errors, identified, and OWASP is
just a very small subset of those errors. And then CERT, of course, this is what I have sprinkled into the content,
covers all of these major languages,
and is thick with a lot of details.
Please go out to their website and have a look if you see a language here.
So from this point, I would like to direct you to go ahead and start watching the videos that help you through your lab setup.
Then I have a video with a brief explanation of what Burp Suite is.
And then I have a short video on how you can start up Mutillidae inside of the VM that's available for the course.