Embed security into the software development life cycle. Discover how to use offline security testing to validate your code and uncover vulnerabilities.
Syllabus
Introduction
- The importance of offline testing
- What you should know
- Security in the SDLC
- Development methodologies
- Programming languages
- Security frameworks
- Intro to the OWASP Top Ten
- Other notable OWASP projects
- Top 25 Software Errors
- BSIMM
- Building your test lab
- Preparing your checklist
- Internal project plans
- Communication planning
- Change control policy
- Security incident response policy
- Logging and monitoring policy
- Third-party agreements
- OWASP ASVS
- Challenges of assessing source code
- OWASP Code Review Project
- Bytecode scanners
- Binary code scanners
- Code review models
- Application threat modeling
- Code review metrics
- Demo: Codacy
- Demo: SonarQube
- The OWASP Top Ten
- A1: Injection
- A2: Broken authentication
- A3: Sensitive data exposure
- A4: XML external entities (XXE)
- A5: Broken access control
- A6: Security misconfiguration
- A7: Cross-site scripting (XSS)
- A8: Insecure deserialization
- A9: Using components with known vulnerabilities
- A10: Insufficient logging and monitoring
- Next steps
Taught by
Jerod Brennen