What's Included? We created this Green Belt path for developers coding in JavaScript /Node.js. It includes our standard 13 Green Belt Secure Development lesson with the addition of 20 PHP lessons. Each of our lessons are short and conclude with a brief ten question assessment. The learning module length is purposeful – they are perfect for filling gaps in a developer’s day while code is deploying.
Secure Development Core Lesson Modules
Intro to Secure Development
The definition of secure development and it’s pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
The need for secure coding, what are secure coding standards and how does a developer use them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Secure Coding Best Practices: Part 1
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Secure Coding Best Practices: Part 2
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
In this module, we explain how a languages type system is categorized and what the main categories are. We discuss the difference between static and dynamic languages as well as weak and strongly typed languages.
Securing the Development Environment
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real and following simple tips to secure your development environment can significantly reduce your exposure.
Protecting your Code Repository
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials and separating secrets in the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
Producing a Clean, Maintainable, & Secure Code Culture
The sources of complexity in software that led to security vulnerabilities and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Potential security threats are impacting your release and deployment process and ways to improve the security of your release and deployment process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
Designing a Secure App or Product
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
Thinking Like A Penetration Tester
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
Secure Design Principles in Action: Part 1
The economy of mechanism, secure the weakest link, establish trust boundaries, defense in-depth, don’t reinvent the wheel, usable security and default deny. Secure design principles require action to achieve “secure by design.”
Secure Design Principles in Action: Part 2
In this module, we explore secure design principles such as minimizing the attack surface, fail securely, least privileged, separation of duties, do not trust services/ infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
JavaScript/Node.js
Green Belt Path
Intro to Node.js Security
The components and flow of a Node.js application, the building blocks of a secure Node.js application, and the available resources to assist in securing a Node.js application.
JavaScript: Threat Landscape
The various security threats that exist against JavaScript based applications, how these threats could be used to compromise both client-side and/or server-side JavaScript, and the reasons why you need to practice JavaScript secure coding principles.
JavaScript: Secure Coding Principles
JavaScript Secure Coding Principles for the client-side and server-side, the threat exposed by not following each of the principles, and how to apply each of the JavaScript Secure Coding Principles.
Node.js: Validating & Sanitizing Input
The three primary rules of input validation in a JavaScript context, how to implement input validation both syntactically and semantically, examples of code that utilize syntactical and semantic input validation, and how to do whitelisting in code.
Node.js: Encoding Output
Review Cross Site Scripting (XSS) and why XSS is such a big problem and explore methods to defend against XSS in JavaScript applications, using a combination of template engines, native functions, and libraries to encode all output in your Node.js application.
Review SQL injection and the dangerous impact it can have on a web application and explore the flaw in using concatenation with strings to perform SQL queries, the secure approach to perform queries using parameters, and the availability of tools and techniques to test for SQL injection in a Node.js application.
Node.js: OWASP Top 10, Part 1
Examine the characteristics of Injection, Broken Authentication, and Sensitive Data Exposure as they impact Node.js, and learn how to mitigate Server-Side JS, SQL/NoSQL, and Log Injection, lack of application timeout, sniffing session information, poor password storage, and a lack of encryption at rest and in transit.
Node.js: OWASP Top 10, Part 2
Examine the characteristics of XXE, Broken Access Control, Security Misconfiguration, and XSS as they impact Node.js, and learn how to mitigate XXE, Broken Access Control, Security Misconfiguration, and XSS.
Node.js: OWASP Top 10, Part 3
Examine the characteristics of Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring, and Server-Side Request Forgery as they impact Node.js, and learn how to mitigate Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring, and Server-Side Request Forgery.
JavaScript: Third-party JavaScript Management
User interface and analytic JavaScript tags, threats against third-party JavaScript code, the different deployment options for third-party JavaScript, and the available defenses to counter the threats against third-party JavaScript deployment.
Node.js: Secure Software Supply Chain | Part 1
List the classes of Node.js supply chain threats and describe each type of attack. The attacks include the overtaken repo, the primed repo, stealthy swap, and the global object wrap.
Node.js: Secure Software Supply Chain | Part 2
How to vet and curate Node.js packages for your application. The need for a private NPM proxy and which standard and additional security scanning tools you need to screen Node.js packages.
Secure coding with Angular
The Angular built-in security model and what it provides. Security best practices needed to build a secure Angular application - avoiding direct interaction with the DOM, not using bypass methods, using a strict CSP, never generating templates dynamically, never mixing templating languages, using the default Angular HttpClient, scanning Angular components, and using Protactor for the test.
Node.js Security Best Practices | Part 1
Describe the basic security triad for Node.js of validating, test, and automate. We explore various JavaScript secure coding constructs for a Node.js application, including validate all input, normalize strings, lose Objects. assign(), use the last resort catch-wrap, limit the size of requests, and use async for background jobs.
Node.js Security Best Practices | Part 2
Various secure JavaScript coding constructs and Node.js service options for a secure Node.js application. How to handle child processes securely, always use an ORM to interact with the database, use argon2, handle errors, test validation code, and keep your development dependencies apart.
Node.js Security Best Practices | Part 3
Various secure JavaScript coding constructs and Node.js service options for a secure Node.js application. Hiding information, using basic tools that help detect and fix vulnerabilities, always use CSP with Helmet, TLS, run Node.js as a non-root user, and store secrets in a vault.
Node.js: Static Code Analysis
Understand how SAST tools fit into a proper development tool-chain, discern the use cases and advantages of modern SAST tools for Node.js, and select the best tools
Node.js: Threat landscape
Recognize the most common attack vectors on Node.js applications, understand the security concerns associated with the Node Package Manager, and recall the security weaknesses associated with the Node event dispatcher performance under stress.
Secure Coding with React | Part 1
The value invalidating and sanitizing values properly with React, why you should not use dangerous functions in React, and how to build cross-site scripting (XSS) resistant components using validation code and DOMPurify.
Secure Coding with React | Part 2
How to prevent CSV injection, serialize JSON, use Content Security Policy, prevent server-side Redux attacks, utilize lazy loading as a security function, and use the React ESLint plugins to find flaws.
