We created this Green Belt path for developers coding in C#/.NET. It includes our standard 13 Green Belt Secure Development lessons with the addition of 32 C#/.NET lessons. Each of our lessons is short and concludes with a brief ten-question assessment. The learning module length is purposeful: the modules are perfect for filling gaps in a developer's day while code is deploying.
Secure Development Core Lesson Modules
Intro to Secure Development
The definition of secure development and its pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
The need for secure coding, what secure coding standards are and how a developer uses them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Secure Coding Best Practices: Part 1
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Secure Coding Best Practices: Part 2
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
In this module, we explain how a language's type system is categorized and what the main categories are. We discuss the difference between static and dynamic languages as well as weakly and strongly typed languages.
Securing the Development Environment
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real and following simple tips to secure your development environment can significantly reduce your exposure.
Protecting your Code Repository
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials, and separating secrets from the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
Producing a Clean, Maintainable, & Secure Code Culture
The sources of complexity in software that lead to security vulnerabilities and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Potential security threats that impact your release and deployment process, and ways to improve the security of that process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
Designing a Secure App or Product
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
Thinking Like A Penetration Tester
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
Secure Design Principles in Action: Part 1
The economy of mechanism, secure the weakest link, establish trust boundaries, defense in depth, don't reinvent the wheel, usable security, and default deny. Secure design principles require action to achieve "secure by design."
Secure Design Principles in Action: Part 2
In this module, we explore secure design principles such as minimizing the attack surface, fail securely, least privilege, separation of duties, do not trust services/infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Syntactic & Semantic Input Validation
Input validation focuses on preventing improperly formed data from entering the system. Input validation is one of the defenses against the injection class of attacks. Syntactic and semantic input validation explores the basic types of input validation and how to perform them in the Java context. Review the three primary rules of input validation and code examples for performing syntactic and semantic input validation. A review of whitelisting with a code example is also covered.
Input Validation with Range Checks, Regex, & Enums
Input validation is a multi-faceted toolbox, and this module adds intermediate-level input validation techniques for .NET, including range checks to evaluate minimum and maximum values for numbers and dates, the use of regular expressions as an input validation technique, validation of e-mail addresses, and using enums to validate all types of data.
Web Input Validation: MVC
Model-based validation is the first line of defense against malicious web input. Learn how to implement web input validation performed in a Model-View-Controller or MVC context for ASP.NET Core MVC and API. Explore the difference between client and server-side input validation and realize the depth of different web technologies that exist within .NET.
Web Input Validation: MVC client-side
Input validation is available on both the server side and the client side. Learn how to implement client-side web input validation for MVC using input and validation tag helpers and HTML helpers.
Web Input Validation: Webforms and Webpages
While Web Forms and Pages are not the latest and greatest, they still require the same level of input validation as any new code. Developers work with new applications but must also support the maintenance of existing applications. Input validation is essential in new and existing apps. Learn input validation strategies for ASP.NET Web Forms and Web Pages and how to validate input for ASP.NET Web Pages 2 and 3 and ASP.NET Web Forms.
Parameterization with SQL
SQL is foundational within web applications, and improperly validating input to SQL can result in a data breach. SQL injection can have a devastating impact on a web application. Recognize the flaw in using string concatenation to build SQL queries, and learn the secure approach of executing SQL queries as parameterized queries.
Securely Working with SQL
Secure SQL is more than just parameterized queries. SQL Injection can sneak in through stored procedures, Hibernate 5 ORM, Hibernate 5 Criteria, and Java Stream API. Excessive privilege on the database server can provide an attacker unbridled access if they exploit an underlying vulnerability. Error information from your application can assist an attacker in fine-tuning an attack. Learn how to mitigate all these issues.
Insecure use of XML can result in an XML External Entity (XXE) attack, which may lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning from the parser’s machine. Explore how to create and parse XML using safe methods and learn to construct XXE-free XML.
Avoiding Insecure Serialization & Deserialization
Java has many ways of serializing and deserializing data. Deserializing untrusted data with an insecure deserializer can lead to remote code execution and complete system compromise. Serializing without the proper attributes can expose sensitive data. Learn the risk of exposing sensitive data via serialization, explore unsafe and safe methods for serialization with Java, investigate unsafe and safe methods for deserialization using both Java's native binary format and JSON, and prevent serialization/deserialization vulnerabilities by validating the data types being deserialized.
Encoding and escaping are defensive techniques meant to stop an injection or cross-site scripting attack. Review the concept of Cross-Site Scripting (XSS) and consider why XSS is such a big problem. Explore the different methods to defend against XSS in Java, including the OWASP Java Encoder and the various methods of secure JSP output encoding. Learn how to spot XSS and fix the associated problem in your code.
Authentication: Basic and Windows
Basic and Windows authentication are widespread in corporate internal environments and may exist in legacy code. Developers must know how to implement and fix them properly. Explore the steps to perform Basic authentication and Windows Integrated authentication securely.
Form authentication is the modern approach to authentication in web applications. Examine how server-side stateful sessions with client-side ids and stateless bearer tokens work for authentication. Learn which authentication type is best for specific scenarios, explore examples of how to implement form-based authentication in Java using Spring Security, and see which password encoders are safe to use.
Token authentication is primarily used for API and third-party external provider integration. Learn how to unpack an original token request and response, and how a token gets used from the endpoint to the server side. Explore code examples of token-based authentication in action.
JSON Web Tokens are an alternative for authentication. Understand how JSON Web Token (JWT) based authentication works and weigh the pros and cons to determine whether JWT is right for your application. Explore examples of how to implement JWT securely.
Authentication: External authentication
External authentication protocols provide single sign-on (SSO) capabilities, allowing users to have a single username and password that gives access to multiple web applications. Learn the different types of external authentication, including OAuth, OpenID Connect, and WS-Fed. Explore library-based solutions to implement external authentication and code examples of how to use OAuth, OpenID Connect, and WS-Fed.
Authentication: .NET Core Identity
.NET Core Identity provides many robust security features for authentication directly in the framework. Explore general guidance for authentication in a .NET Core Identity context. Consider how to implement different authentication-related security features such as enforcing strong passwords, email confirmation, and account lockout.
CSRF results in an action permitted to a logged-in user being performed without the user's knowledge or consent (e.g. transfer of funds, change of account password, purchase and shipment of merchandise). An open redirect results in a user being forwarded to an attacker's site even though the link they clicked on appeared to go to a legitimate site; the attacker spoofs the official website and tricks the user into believing that they are still interacting with the official site. Walk through an example of CSRF and Open Redirect and explore Java-specific solutions to address CSRF and Open Redirect.
Authorization: Simple, Role-Based, & View-Based
Authorization enforces access control within your application, both for users and administrators. Java has multiple solutions for access control. Explore code examples of implementing the various authorization types.
Authorization: Claims & Policy
Authorization enforces access control within your application, both for users and administrators. Understand how claims and policy authorization work and explore the steps to implement claims and policy authorization.
.NET has older styles of performing authorization. While you would not want to use these as a starting point, developers may have to fix bugs in legacy applications that use IIS URL Authz, ASP.NET Authz, Web Forms role-based, or WCF authorization. A developer who finds an implementation with permission challenges or bugs will be prepared to fix the issues.
Sessions and cookies track the results of the previous authentication and improve user experience. Explore session and cookie basics and warnings. Review the Session state implementation in ASP.NET (Core) and the importance of data protection for the session cache. Learn how to implement sessions and cookies for models and Razor pages and consider all the available cookie options and their most secure settings.
Logging is useful for understanding the activities of the system, which aids in diagnosing problems, both security and non-security. Logging frameworks make it easy to write logs to different places by simply changing a configuration. Explore the popular logging frameworks for Java, including SLF4J, Logback, and Log4j2. Understand the differences between unstructured and structured logging and how to implement each of the popular logging frameworks.
Error Handling and Exceptions
Improper error handling can cause information leakage, which can assist or enable an attacker. Investigate how to generate exceptions securely through various .NET methods. Learn how to recognize information leakage via error-messaging mechanisms that attackers can exploit, and how to mitigate it by sanitizing and homogenizing such messages to reveal as little as possible to a potential attacker.
HTTPS is the protocol that, together with TLS, protects the confidentiality of data in transit. Experience the creation of a Certificate Signing Request with Tomcat and the installation of a certificate, and investigate how to use Let's Encrypt and certbot for free certificates.
Content Security Policy is an effective "defense in depth" technique that helps prevent content injection attacks. It is a declarative policy that tells the user agent which sources it may load content from. Explore Content Security Policy headers, source lists, and policy directives, and how to implement CSP based on example policies.
Security headers enhance the security capabilities of your web applications, servers, and users' browsers. Understand the various security headers available to your web applications, including CORS, and how to implement security headers in Spring.
A common concern is persisting confidential data on untrusted storage for later retrieval. Data Protection APIs provide simple, easy-to-use, correct encryption/decryption methods to ensure confidentiality & data integrity. An application is only as secure as the keys that it protects; if keys are not stored properly, the security of the entire application is at risk. Learn how to implement the Data Protection API and perform proper key management.
Passwords are still the most common method that we use to authenticate our users. Each application must adequately protect the passwords that it stores, and it does so by hashing them. Storage of secrets must occur securely. Learn how to implement password hashing and how to utilize different security mechanisms.
File-upload-related attacks can cause resource exhaustion and Denial-of-Service (DoS), and an upload can also carry malicious content that the application then processes. Explore the potential risks of file upload and mitigations to minimize them. Learn how to implement file upload with MVC securely.
Multi-threaded scenarios require thread-safe programming (constructs/patterns) to avoid bugs. Without thread safety, such flaws can become security vulnerabilities. Explore the different classes of timing issues and how to implement threads safely.
Application Secrets Storage
Applications need secrets and must ditch the environment variable approach to security. Unpack the secret of secure secrets storage. Explore HashiCorp Vault and Amazon Secrets Manager to securely store application secrets. Implement examples of key-value storage, data encryption, and transparent protection of application properties programmatically and via the command-line.
Different ways of writing the most vulnerable code possible, including creating SQL queries with string concatenation, skipping input validation/sanitization, skipping output encoding, disabling CSRF protection, and using third-party software with known vulnerabilities. Looking at how to do something badly can be a fun way to see what we should and should not do.