EC-Council - Certified Secure Programmer (ECSP)

Duration: Only 5 days

Method: Classroom / Online / Hybrid

Next date: 24/6/2024 (Monday)

Overview

Learn how to code and develop secure applications that offer greater stability and pose minimal security risks to the consumer. Get your EC-Council Certified Secure Programmer certification in just five days. Depending on whether you're used to working with .NET or Java, you'll be able to tailor your course based on the environment you work in. Choose either the .NET or Java labs and exam - and get the accreditation you want.

As an ECSP you'll improve the overall quality of your products and applications by identifying security flaws and implementing security countermeasures throughout the software development life cycle. This course is based on the OWASP (Open Web Application Security Project) Top Ten Threats, a guide to the most common categories of application security problems.

What you'll learn

This course builds on your development skills in C#, C++, Java, PHP, ASP, .NET and SQL. You'll learn about key secure programming topics, including:

  • Framework Security
  • .NET Authentication and Authorisation
  • .NET & Java Cryptography
  • Secure File Handling

If you're designing and building Windows/Web based applications with .NET/Java, the ECSP certification is for you. You'll learn the latest techniques and strategies in secure programming through classroom discussions and a series of practical labs.

9x Accredited Training Centre of the Year

Firebrand Training has again won the EC-Council Accredited Training Centre of the Year Award, from a Training Partner network that has more than 700 training centres across 107 countries. This extends a record-breaking run of successive awards to nine years.

Jay Bavisi, President of EC-Council said: “The annual EC-Council Awards highlights the commitment and achievements of our global partners and trainers that have contributed to the information security community.”

Seven reasons why you should choose your course with Firebrand Training

  1. Two training options. Choose between residential classroom training or online courses
  2. You'll be certified fast. With us you'll be trained in record time
  3. Our course is all-inclusive. A one-off fee covers all course materials, exams**, accommodation* and meals*. No hidden extra costs.
  4. Pass the first time or train again for free. This is our guarantee. We're confident you'll pass the course on your first attempt. But if not, come back within a year and pay only for accommodation, exams and incidental costs
  5. You'll learn more. A day with a traditional training provider generally runs from 9 am to 5 pm, with a long break for lunch. With Firebrand Training you'll get at least 12 hours/day of quality learning time with your instructor
  6. You'll learn faster. Chances are you have a different learning style from those around you. We combine visual, auditory and tactile styles to deliver the material in a way that ensures you learn faster and more easily
  7. You'll be studying with the best. We've been on Training Industry's "Top 20 IT Training Companies of the Year" list every year since 2010. As well as many more awards, we've trained and certified over 100,000 professionals
  • * For residential training only. Doesn't apply to online courses
  • ** Some exceptions apply. Please see the Exam Track or speak with our experts

Benefits

This course will significantly benefit programmers and developers concerned about the security of their code.

Technical certification is a sound investment in your career - and your organisation. Although certification does not guarantee success, research has shown that it can have a significant impact on:

  • Morale and confidence
  • Efficiency and productivity on the job: 85% of managers view certified employees as more productive (Gartner Study)
  • Career advancement: 70.8% of IT managers view certification as a criterion for promotion (Gartner Study)
  • Financial rewards

Curriculum

The curriculum will focus on your chosen ECSP certification language of either .NET or Java.

Introduction to Application Security

  • Become Familiar with Application Security
  • Understand the Need for Application Security
  • Key Elements of Framework Architecture Security
  • Framework Security Features
  • Top 10 Security Attacks For OWASP
  • Secure Development Lifecycle (SDL)
  • Threat Modeling Process
  • Security Testing
  • Learn Various Secure Coding Principles
  • Guidelines for Developing Secure Codes
  • Confidentiality
  • Integrity
  • Availability
  • Minimal attack surface areas
  • Secure defaults
  • Principle of least privilege
  • Principle of defense in depth
  • Fail securely
  • External systems are insecure
  • Separation of duties
  • No security by obscurity
  • Simplicity
  • Fix security issues correctly

Framework Security

  • Become Familiar with Framework Architecture
  • Learn Framework Runtime Security Model
  • Understanding you’re only as secure as your Framework
  • Role-Based Security
  • Code Access Security (CAS)
  • Evidence-Based Security
  • Permissions and Permissions Classes
  • Become Familiar with Stack Walking Process
  • Isolated Storage
  • Learn About Class Libraries Security
  • .NET Assembly Security
  • Understand Common Threats To .NET Assemblies and Classes

Input Validation and Output Encoding

  • Understand Need of Input Validation
  • Various Input Validation Approaches
  • Learn Various Validation Controls
  • Understand Common Input Validation Attacks
  • Learn Defensive Techniques for XSS Attacks
  • Validation Control’s Vulnerabilities
  • Learn Mitigation Techniques for Validation Control’s Vulnerabilities
  • Learn Defensive Techniques for SQL Injection Attacks
  • Learn Output Encoding To Prevent Input Validation Attacks
  • Sandboxing to Prevent Input Validation Attacks
  • Various Sandboxing Software
  • Best Practices for Input Validation

.NET Authentication and Authorization

  • Authorization and Authentication Processes
  • Understand Common Threats on Authorization and Authentication
  • Authentication and Authorization Security Architecture
  • Understanding the Security Relationship between IIS and ASP.NET
  • Authentication and Its Modes in Detail
  • Authorization and Its Types in Detail
  • Become Familiar with Impersonation and Delegation Concepts
  • Mitigate Authentication and Authorization Vulnerabilities
  • Best Practices for Authentication and Authorization
  • Become Familiar with Secure Communication Concepts

Secure Session and State Management

  • Session Management Concepts
  • Security Principles for Session Management Tokens
  • Common Threats on Session Management
  • The Session Management Techniques
  • Various Session Attacks
  • Defensive Techniques against Session Attacks
  • Become Familiar with Cookie-Based Session Management
  • Cookie Security
  • Viewstate in .NET or HTTP Session Class in Java - Based Session Management
  • Common Threats on Viewstate in .NET or HTTP Session Class in Java
  • Viewstate in .NET or HTTP Session Class in Java Security
  • Guidelines for Secure Session Management

.NET & Java Cryptography

  • Become Familiar with Cryptography in .NET and Java
  • Understand Different Types of Cryptographic Attacks In .NET and Java
  • Become Familiar with Symmetric Encryption
  • Learn How to Secure Symmetric Encryption
  • Become Familiar with Asymmetric Encryption
  • Learn How to Secure Asymmetric Encryption
  • Become Familiar with the Hashing Concept
  • Reversing Hashing - e.g. Cracking Passwords
  • Quick Overview on Password Cracking and how it affects programmers
  • Learn How to Implement Security in Hashing
  • Digital Signatures – If it is valid does that mean it’s not malicious?
  • Digital Certificates – The process start to finish
  • XML Signatures

Error Handling, Auditing, and Logging

  • Errors and Exception Handling
  • The Principles of Secure Error Handling
  • Different Levels of Exception Handling
  • Mitigate Vulnerabilities in Class Level Exception Handling
  • Manage Unhandled Errors
  • Guidelines and Checklists for Proper Exception Handling
  • Become Familiar with Logging and Auditing Process
  • Common Threats to Logging and Auditing
  • Become Familiar with Log Throttling Process
  • Learn How to Implement Windows Log Security against Various Attacks
  • Best Practices and Checklists for Auditing and Logging Security
  • Various Logging Tools

Secure File Handling

  • File Handling Concepts
  • Understand File Handling Security Concerns
  • Path Traversal Attacks on File Handling
  • Learn Defensive Techniques against Path Traversal Attack
  • Canonicalization Attack on File Handling
  • Learn Defensive Techniques against Canonicalization Attack
  • Static Files and their Security
  • The Security of File I/O Using Absolute Path and Map path
  • Security While Uploading Files
  • Become Familiar with the File Extension Handling Concept
  • File ACLs
  • Checklist for Securely Accessing Files

Configuration Management and Secure Code Review

  • Configuration Management
  • Common Threats on Configuration Management
  • Machine Configuration Files or Web XML or Properties Class in JAVA
  • Mitigate the Vulnerabilities in Machine Config Files or Web XML or Properties Class in JAVA
  • Application Configuration Files or Web XML or Properties Class in JAVA
  • Mitigate the Vulnerabilities in App Config Files or Web XML or Properties Class in JAVA
  • Code Access Security Configuration Files or Web XML or Properties Class in JAVA
  • Policy Configuration Files
  • Best Practices for Configuration Management
  • Become Familiar with Secure Code Review
  • Security Code Review Approaches
  • Various Static Code Analysis Tools

JavaScript – Just don’t do it, but if you have to…

  • XSS
  • Reflected
  • Stored
  • DOM
  • XSRF
  • Click Jacking
  • Script Injection

Buffer Overflow

  • Write and implement a buffer overflow on various vulnerabilities

Reversing Java and .NET

  • Both Java and .NET compile to byte code which can be reversed
  • Learn techniques to secure your hard-earned code.

OWASP Hands-On Labs:

Unvalidated Redirects and Forwards Lab

  • Testing the attack
  • Fixing the problem on the client side
  • Fixing the problem on the server side

Insufficient Transport Layer Protection Lab

  • Insecure pages
  • Secure login cookies
  • Secure other cookies

A8 Failure to Restrict URL Access Lab

  • Mounting the attack
  • Another hole

Insecure Cryptographic Storage Lab

  • Mounting the attack
  • Preparing to encrypt the file
  • Encrypting the file
  • Decrypting the file
  • Replaying the attack
  • Zeus

Security Misconfiguration Lab

  • Problem 1
  • Problem 2
  • Problem 3
  • Problem 4
  • Mounting an attack
  • Hardening the site

Cross Site Request Forgery Lab

  • Preparing
  • Mounting the attack
  • Hardening the site with a CAPTCHA
  • Re-running the attack
  • Protecting CSRF with synchronizer token pattern
  • Re-running the attack

Insecure Direct Object Reference Lab

  • Mounting the attack
  • Hardening the site
  • Hardening in .Net

Broken Authentication and Session Management Lab

  • Mounting the attack
  • Hardening the site with IP checking
  • Hardening the site with authentication

Cross-Site Scripting Lab

  • Testing for a vulnerability
  • Mounting the attack
  • Hardening the site – encoding output
  • Hardening the site – Using the Anti-XSS library

Injection Flaws Lab

  • Mounting the attack
  • Advanced attack vectors
  • Hardening the site with parameters
  • Bonus! Hardening the site with a whitelist
  • Protecting your update with a whitelist
  • Protecting your update with parameters

Information Leakage and Improper Error Handling Lab

  • Mounting the attack
  • Turning specific errors on
  • Create custom error pages
  • Capturing the error

Cryptography Lab

  • Exploring existing controls

Provider Model Lab

  • Exploring existing controls
  • Add the link
  • Add the page

Click jacking Lab

  • Testing the vulnerability
  • Protecting with X-Frame-Options
  • Protecting with frame-breaking JavaScript

Phishing Lab

  • Creating an uncomplicated site
  • Routes and default values
  • Sending an email

Static Code Analysis Lab

  • Testing the attack

Exam Track

Depending on the environment you're used to working in, you'll choose and sit one of the following exams:

  • EC-Council ECSP Java Exam: 312-94
  • EC-Council ECSP .NET Exam: 312-93

What's Included

Depending on the environment you're used to working in, you'll choose one of the following sets of courseware:

EC-Council ECSP Java

EC-Council ECSP .NET

Prerequisites

The ECSP certification is intended for programmers who are responsible for designing and building secure Windows/Web based applications with .NET/Java Framework. It is designed for developers who have C#, C++, Java, PHP, ASP, .NET and SQL development skills.

To attend successfully, you must have fundamental programming knowledge.

Are you ready for your Firebrand course?

We interview all potential delegates about their background, education, certifications and personal attitude. If you get through this process, you have a really good chance of passing your certification.

Firebrand Training offers an ambitious training environment that requires you to truly dedicate yourself to the course. The prerequisites above are only a guide; many delegates with less experience but a different background or skill set have successfully completed their training with Firebrand Training.

If you are unsure whether you meet the recommended prerequisites, please call us on (0)8 44 68 27 85 and speak to one of our training advisors, who can help you.

Customer references

This is the Firebrand Training review section. Since 2001 we have trained exactly 134,561 students and professionals and asked them all to review our Accelerated Learning. Currently, 96.41% have said that Firebrand exceeded their expectations.

Read reviews from completed accelerated courses below, or visit Firebrand Stories for written and video interviews with our alumni.


"Good facilities, very knowledgeable instructor."
Anonymous (27/4/2015 (Monday) to 1/5/2015 (Friday))

"Every professional .Net programmer should have a security qualification. ECSP will give you that."
S.R. (27/4/2015 (Monday) to 1/5/2015 (Friday))

"The trainer is a great instructor. He taught us very well!"
J. M. (24/10/2016 (Monday) to 28/10/2016 (Friday))

Course dates

| Starts | Ends | Availability | Location |
|---|---|---|---|
| 19/2/2024 (Monday) | 23/2/2024 (Friday) | Finished - Leave feedback | - |
| 24/6/2024 (Monday) | 28/6/2024 (Friday) | Waiting list | Nationwide |
| 5/8/2024 (Monday) | 9/8/2024 (Friday) | Limited number of places | Nationwide |
| 16/9/2024 (Monday) | 20/9/2024 (Friday) | Places available | Nationwide |
| 28/10/2024 (Monday) | 1/11/2024 (Friday) | Places available | Nationwide |
| 9/12/2024 (Monday) | 13/12/2024 (Friday) | Places available | Nationwide |