CL-STS
New Security testing
Description
After learning about vulnerabilities and attack methods, participants are introduced to the general approach and methodology of security testing, as well as to techniques for detecting specific vulnerabilities. Security testing starts with collecting information about the system under assessment (ToC, the target of the assessment), followed by thorough threat modeling to identify and rank all threats, so that the test plan is derived from a risk analysis rather than from guesswork.
Security assessments can take place at different stages of the SDLC, so the course covers design review, code review, system discovery and information gathering, implementation testing, and testing and hardening the environment for secure deployment. Several security testing techniques are presented in detail, such as taint analysis and heuristics-based code testing, static code analysis, dynamic web vulnerability testing, and fuzzing. Various tools that automate the security assessment of software products are presented and run in exercises against the vulnerable code discussed earlier. Real-life case studies help participants understand the vulnerabilities in context.
This course prepares testers and QA staff to properly plan and accurately execute security tests, select and use the most appropriate tools and techniques, and find hidden security flaws, giving them the basic practical skills they will be able to apply on the next working day.
Outline
- From IT security to secure programming: the nature of security, what is risk?, IT security vs. secure coding, from vulnerabilities to botnets and cybercrime, the nature of security flaws, from infected computers to targeted attacks.
- Web application security: injection: basic principles, SQL injection (typical SQL injection attack methods, blind and time-based SQL injection, SQL injection protection methods, impact of data storage frameworks on SQL injection, SQL injection detection), other injection flaws (command injection). Broken authentication: session management threats, session management best practices, session management in Java, setting cookie attributes. Sensitive data exposure: transport layer security, HTTPS validation. XML External Entity (XXE): introduction to XML entities, XML External Entity (XXE) attack (resource inclusion, URL invocation, parameter entities, prevention). Broken access control: typical access control weaknesses, Insecure Direct Object Reference (IDOR), protection against IDOR, testing for insecure direct object references. Security misconfiguration: configuring the environment, insecure file uploads, filtering file uploads - validation and configuration. Cross-Site Scripting (XSS): persistent, reflected (echoed), DOM-based, XSS prevention, vulnerability detection, filter bypassing. Insecure deserialization: basics of serialization and deserialization, security challenges, deserialization in Java, denial of service with Java deserialization, from deserialization to code execution, property-oriented programming (POP) payloads targeting InvokerTransformer (Java), real Java deserialization vulnerabilities, deserialization issues with JSON. Use of components with known vulnerabilities. Insufficient logging and monitoring: detection and response.
- Client-side security: JavaScript security, same-origin policy, simple requests, preflight requests. Clickjacking: protection against clickjacking with frame-busting, anti-frame-busting (dismissing the protection scripts), protection against anti-frame-busting. AJAX security: XSS in AJAX, script injection attacks in AJAX, XSS protection in AJAX, CSRF protection in AJAX.
- Security testing: functional testing vs. security testing, security vulnerabilities, prioritization - risk analysis, security assessments at different SDLC phases, security testing methodology: steps of test design (risk analysis), scoping and information gathering (stakeholders, tools, security objectives of testing), threat modeling (attacker profiles, threat modeling, threat modeling based on abuse cases, SDL threat modeling, STRIDE threat categories, mapping STRIDE to DFD elements, data flow diagrams, risk analysis - classification of threats, DREAD risk assessment model), testing steps (deriving test cases, conducting tests, processing test results, threat mitigation concepts, MS SDL standard mitigation techniques), review phase.
- Security testing techniques and tools: general testing approaches and design review (assessment of security requirements and identification of security-critical hotspots).
- Source code review: code review for software security, bug analysis, heuristics-based code testing.
- Input validation: concepts, integer problems (negative integer representation, integer overflow, IntOverflow exercise, value of Math.abs(Integer.MIN_VALUE)), integer problems - best practices (arithmetic overflow avoidance for addition, arithmetic overflow avoidance for multiplication, arithmetic overflow detection in Java 8, testing for integer problems).
- Incorrect use of security functions: typical problems related to the use of security functions, password management (password management and storage, special-purpose hash algorithms for storing passwords, Argon2 and PBKDF2 implementations in Java, bcrypt and scrypt implementations in Java, typical errors in password management), static code analysis.
- Implementation testing: manual vs. automated security testing, penetration testing, stress testing, proxy servers and sniffers (testing with proxies and sniffers, packet analyzers and proxies), web vulnerability scanners (vulnerability scanner usage, SQL injection tools).
- Deployment environment: assessing the environment, configuration management, hardening (network-level protection, server protection - principle of least privilege, hardening the deployment - server administration and access control), patch and vulnerability management (patch management, vulnerability repositories, vulnerability attributes, Common Vulnerability Scoring System - CVSS, vulnerability management software).
- Principles of security and secure coding: Matt Bishop's principles of robust programming and Saltzer and Schroeder's security principles.
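The integer problems listed under "Input validation" above, as an added example that is not part of the course material: the Math.abs(Integer.MIN_VALUE) trap, silent wrap-around in addition and multiplication, the pre-Java-8 way of avoiding overflow by checking operands first, and detection with the Java 8 exact-arithmetic methods. The class and method names are my own.

```java
// Added example (not course material): integer pitfalls from the outline in one runnable class.
public class IntOverflowDemo {

    // Naive addition: in two's complement the result silently wraps around,
    // so a size or length check computed this way can be bypassed.
    static int addNaive(int x, int y) {
        return x + y;
    }

    // Overflow avoidance for addition without Java 8 helpers: compare the operands
    // against the bounds before adding. Neither subtraction below can itself
    // overflow, because the sign of y is known at that point.
    static boolean addWouldOverflow(int x, int y) {
        if (y > 0) return x > Integer.MAX_VALUE - y;
        if (y < 0) return x < Integer.MIN_VALUE - y;
        return false;
    }

    // Overflow avoidance for multiplication: compute in a wider type and check
    // whether the product still fits into an int.
    static boolean mulWouldOverflow(int x, int y) {
        long product = (long) x * (long) y;
        return product > Integer.MAX_VALUE || product < Integer.MIN_VALUE;
    }

    // Overflow detection with the Java 8 exact-arithmetic methods: instead of
    // wrapping, they throw ArithmeticException, which the caller must handle.
    static int addChecked(int x, int y) {
        return Math.addExact(x, y);
    }

    static int mulChecked(int x, int y) {
        return Math.multiplyExact(x, y);
    }

    // The abs() trap: -Integer.MIN_VALUE (2^31) is not representable as an int,
    // so Math.abs returns Integer.MIN_VALUE unchanged, which is still negative.
    // Widening to long before taking the magnitude avoids this.
    static long safeMagnitude(int v) {
        return Math.abs((long) v);
    }

    public static void main(String[] args) {
        int min = Integer.MIN_VALUE;
        System.out.println("Math.abs(Integer.MIN_VALUE) = " + Math.abs(min));
        System.out.println("still negative? " + (Math.abs(min) < 0));
        System.out.println("magnitude via long = " + safeMagnitude(min));

        System.out.println("MAX_VALUE + 1 (wraps) = " + addNaive(Integer.MAX_VALUE, 1));
        System.out.println("65536 * 65536 (wraps) = " + (65536 * 65536));

        System.out.println("addition would overflow: " + addWouldOverflow(Integer.MAX_VALUE, 1));
        System.out.println("multiplication would overflow: " + mulWouldOverflow(65536, 65536));

        try {
            addChecked(Integer.MAX_VALUE, 1);
        } catch (ArithmeticException e) {
            System.out.println("Math.addExact rejected the sum: " + e.getMessage());
        }
        try {
            mulChecked(65536, 65536);
        } catch (ArithmeticException e) {
            System.out.println("Math.multiplyExact rejected the product: " + e.getMessage());
        }
    }
}
```

When testing for integer problems, the inputs worth trying are exactly the ones above: Integer.MIN_VALUE, Integer.MAX_VALUE, and operand pairs whose product is a power of two at or above 2^31, since those are the values at which a missing check turns into a wrong size, a negative index, or a bypassed bound.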
Prerequisites
At least two years' experience in general quality assurance and testing. As the curriculum is in English, a basic knowledge of English at document reading level is required. The lectures will be held in Hungarian.