MOAT ACADEMY

SECURE CODING BOOTCAMP

with

Why Secure Coding Bootcamp?

Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack; most cybercrimes and frauds are perpetrated through exploitation of vulnerabilities.

At the boot camp, you will gain both working knowledge and practical skills required to design and develop highly protected software with confidence; keeping attackers out. It will also prepare you for the Certnexus Cyber Secure Coder Examination (CSC-201)

During the bootcamp, participants will be able to:

Identify and eliminate vulnerabilities in software projects.

Use a Security by Design approach to design a secure architecture for their software

Leverage on many of the OWASP Top Ten best practices to protect users and data.

Go beyond OWASP Top Ten, and apply Risk based approach to elicit security requirements using methods such as Threat Modelling

Apply various testing methods to find and correct security defects in software.

Maintain deployed software to ensure ongoing security with an ability to conduct forensic investigation in order to detect any security breaches early enough

The fastest-growing cybersecurity skill in 2021 is Application Development Security. It has been predicted that the demand for this competence is determined to rise by 164% in five years. - Atlas VPN team

...Train developers at least annually in up-to-date , secure coding techniques, including how to avoid common coding vulnerabilities. - PCI DSS Requirement

Who is this Programme for?

Individuals

The fastest-growing cybersecurity skill in 2021 is application development security. It has been predicted that the demand will rise by 164% in five years. If you are a software professional interested in keying into this opportunity, this training is for you.

And, if you are a software professional who design and develop software in various programming languages and platforms and are willing to improve your ability to deliver software that are of high quality, particularly regarding security and privacy.

APPLY

Organizations

Do you employ or contract with software developers? Are they certified in secure coding practices? If not, they may be putting your company at risk. Reach out to us to empower your developers and reduce these risks.

Moreso, if you are interested in making your organization meet compliance (such as the PCI-DSS requirement for developers' training in secure coding), our training and certification is most ideal

What You 'll Learn - Course Information

Duration:

4 Days

Time:

Saturdays, 9:00 am – 5:00 pm

Delivery Mode:

Instructor-Led

Pre-requisites:

Database Knowledge or
Programming Skill (in any language)

Course Contents

DAY ONE

The Need for Secure Coding:
- Compliance (examine common regulations related to software/application security: GDPR, HIPAA, SOX, PCI/DSS, ISO 2700 etc)
Common Security Terminologies:
- The CIA Triad and other security goals
- Attack surface vs Attack vector
- Assets(Personal data, Financial data, Service availability, Reputation/brand value, Trust)
- Authentication vs Authorization
- Steps in Attacks
- How humans are the weakest link in a security chain - Social Engineering (Phishing, Spear Phishing), Your role as a developer in preventing social engineering – Case Study/Scenario Analysis
- Motivations for hacking - Hacker Types (black hat, white hat etc) Definitions: Epsionage, Hacktivism
Security of Data at rest: (Low Level Security)
- Low level program execution, Associated vulnerabilities, and mitigations (buffer, heap, stack overflow, overrun) – Exercise step-by-step in buffer overflow.
- Memory Structure: How computer handles data in the memory,What can go wrong? Buffer Overflow, Overrun, code injection (Practical,Defenses Against Low-Level Attacks,Memory Safety,Type Safety)
- Database Security: review of web technologies 2.0 (HTTP GET and POST), virtualization, SQL Injection – vulnerabilities and mitigations (while the attack surface is web application, the target is the data stored in the database)
SQL Injection Exercises:
- LAB step-by-step
- CAPTURE THE FLAG/CHALLENGE
Cryptography
- Encryption (Public keys, Private keys)
- Encryption for Integrity and Non-repudiation
- Hashes – Digital signature
- Exercise: Installation of SSL
Security of Data in Transit / Network Security
- Introduction to the OSI model,
- The HTTP Protocol and the vulnerability of TCP/IP
- Digital certificate and the PKI
- Application of encryption in TLS/SSL
- Application of encryption in Authentication with SSH.
- Secure coding practices with network security.
- Activity 1: use of Packet Sniffer to See how data is being represented as packets when moving via the network.
- Best Coding Practices to Ensure Security at the OSI

DAY TWO

Common Security Terminologies
- Exploits and attacks
Application Security and Attacks (Layer 7 Security):
- Leverage the OWASP top 10 in understanding and protecting against 10 of the most common and important web application security weaknesses
  - A1:2017 Injection - Protect against Injection flaws, such as SQL, NoSQL, OS, and LDAP injection.
  - A2:2017 Broken Authentication - Securely implement Application functions related to authentication and session management
  - A3:2017 Sensitive Data Exposure - protect sensitive data, such as financial, healthcare, and PII
  - A4:2017 XML External Entities (XXE) - Prevent XML processors from evaluating external entity references within your XML document
  - A5:2017 Broken Access Control - Prevent unauthorized access to functionality and/or data
  - A6:2017 Security Misconfiguration
  - A7:2017 Cross-Site Scripting (XSS)- Prevent XSS Flaws
  - A8:2017 Insecure Deserialization
  - A9:2017 Using Components with Known Vulnerabilities
  - A10:2017 Insufficient Logging & Monitoring - Detect security breach and attacks in a timely manner
- Other Application Security Flaws - Session Hijacking, Brute Force Attacks
- Case Study
- Lab Exercise

DAY THREE

Factors that undermine security
Designing for Security (Understand architecture and design industry best practices):
- Applying General Principles for Secure Design (security design principles, defense in depth, fail safe, owasp design pattern,Guidelines for avoiding common flaws - IEEE recommendations, software design patterns )
Security beyond OWASP Top 10: Design Software to counter specific threats:
- Risk-based approach - Threat Modelling, Risk equation
- Prioritizing Vulnerabilities
- Design Patterns
- Design methodologies (DREAD and PASTA)
Case Study/Scenarios
Class Activity (challenge)
Implementation: Analysis of common practices and their security implications
Building security in:
- Secure SDLC: Security Engineering (use cases and abuse cases in eliciting requirements), Threat modelling in Design and architectural design, breakers and builders.
- Exercise (Team) builders and breakers, Security Requirement Engineering
- Job roles and associated secure practices - separation of duties (The role of architect, tester, programmer, project manager, and even the organization [management] in ensuring secure coding/application)
- Via People, Process and technology – Review of sample process improvement models (CMMI, Lean etc) Case Studies and Scenarios.
- Via Organizational Policies (Internal organizational policies)
  - Password policy (Complexity, Frequency of change)
  - Authentication policy (Password, Multi-factor, Tokens, Biometrics)
  - Secure storage of assets (Source code, Documentation, Data)
  - Disposal of development assets
- Finding Vulnerabilities in your software
- gathering intelligence about vulnerabilities in your application
- Definition of Terms (software defects, errors, bugs, failures)
- Following best practices, design patterns – Exercise and challenge
Building Privacy in:
- Privacy by Design
- Data anonymization
- Case studies
- Activity:Handling Privacy errors

DAY FOUR

Security Testing
- Static and Dynamic Code Analysis
- Class Exercise: Demonstrate the difference between static code analysis and dynamic code analysis
- Class Exercise: Make use of penetration testing tools such as Metasploit, Nessus, Kismet, Zap,Nmap
Maintaining Security in Deployed Software:
- Monitoring and logging
Application security Forensics
- Basics of Application Forensic
- Searching for Forensic Evidence in a Compromised Web Server
- Designing your system with auditable logs
- Presenting evidence in court, legal implications
- Introduction to Tools that enhance application forensic
- Practical, Labs
Compliance beyond checkboxes: Examine common /popular regulations and how you can meet them:
- HIPAA, PCI DSS, ISO 27001, Country-specific privacy laws, GDPR
Secure Practices for Decommissioning and uninstallation
Roadmap for the CertNexus Exam

Abiola Ilupeju

Abiola holds an M.Sc in Information Security and Privacy with Distinction from Cardiff University, United Kingdom and B.Sc in Computer Science with Economics from Obafemi Awolowo University Ile-Ife. She is a Certified Ethical Hacker (CEH), and Certified Information System Auditor (CISA), certified in IT Service Management (ITIL), certified in Mobile forensics as a Cellebrite Certified Operator (CCO) and more importantly to you, she is a CertNexus Cyber Secure Coder.

Abiola is an ardent advocate of quality software; passionate about seeing that businesses reap the full benefits of their investments in IT. In 2012 with the top management's buy-in, she formed the quality assurance unit in Upperlink Limited and was the pioneer manager; and within two years of the establishment of the unit, the organization became the second company in west Africa to achieve CMMI Maturity Level 3.

In 2016, as an evidence to her good eye for software quality; she won the "Best Bug Award" at the Testathon (a hackaton for testers) organized by the Global App Testing.

Abiola has over a decade professional experience across varying fields of Information Technology; ranging from being an Application developer, Quality Assurance manager to Information System Auditor . She enjoys programming in Javascript, PHP and Python in which she developed various applications among which is a patented software product,Customer Management and Self-Service portal.

In 2015, she was mentored and trained by the global leader in Cyber Security -Symantec Corporation at their headquarters in California USA. She worked closely with the development team at Symantec, where she was further exposed to various best practices and newer technologies in software development. While at Silicon Valley, She also had the opportunity of interacting with other leading IT companies such as Linkedin, Mozilla, Youtube, Google, Autodesk etc . She is passionate about impacting knowledge into others

Dr. Nhamo Mtetwa

Dr Nhamo Mtetwa has experience of delivering end to end technology including full stack application development and analytics solutions across different sectors of industry over a period of 20 years; he lectured in the Department of Cyber Security and Networks in the School of Computing, Engineering and Built Environment at Glasgow Caledonian University, United Kingdom teaching Database Technologies, Big data Technologies and Secure Coding.

Dr. Nhamo holds a B.Sc in Computer Science and Statistics, an M.Sc in Parallel and Distributed Computing and a PhD in Artificial Intelligence. He has applied data mining and machine learning to problems as diverse as spike detection in recordings from neurons, predicting pest infestation to automatic detection of vulnerabilities in software codebases.
He is currently a Data Science Engineering Manager at a Financial Service Company in United Kingdom

Dr. Nhamo Mtetwa is an innovator, leader, trainer, mentor and a team player with strong analytics and technology skills. Participants will benefit immensely from him especially in the areas of Software security testing and the use of security by design approach in software development.

Dimas Surya

Dimas completed his MSc from Cardiff University, UK (with Indonesia Education scholarship) and has 10+ years experiences as IT Security Consultant.

Dimas currently focuses on Digital Forensic with hands on experienced in sets of Forensic Tools (FTK, EnCase, Cellebrite, Autopsy, X-Ways, etc). Dimas is trained ISO 17025 internal auditor, documentation and implementation, also industrial ISO 27001 and NIST Framework.

He is currently a Digital Forensic Investigator at Indonesia Deposit Insurance Corporation (Lembaga Penjamin Simpanan).
While at the bootcamp, participants will benefit from Dimas especially in the areas of Threat Modelling and Software Reverse Engineering.

Application for our next secure coding bootcamp starting April 10, 2021 is now Open Apply Now

Certification

About

CertNexus is a vendor-neutral certification body, providing emerging technology certifications and micro-credentials for Business, Data, Development, IT, and Security professionals. CertNexus’ mission is to assist in closing the emerging tech global skills gap while providing individuals with a path towards establishing rewarding careers in Cybersecurity, Data Science,Internet of Things, and Artificial Intelligence (AI)/Machine Learning.

CertNexus partners with highly knowledgeable and talented industry experts to ensure the integrity and quality of each exam, with all exams following a rigorous development process.

Laboratory

Hands-on activities to demonstrate concepts utilizing two universal languages Python and Java Script.
Developers who use alternate languages will be able apply the principles from the activities to any coding languages
You will have 180 Days Access to Virtual Lab.

Exam

Exam Code: CSC 210
Number of Items: 80 questions
Passing Score: 70%
Duration: 120 minutes
Exam Options: In person /virtual at Pearson VUE test centers
Item Formats: Multiple Choice/Multiple Response

Tuition

N200,000 (Two Hundred Thousand Naira) which includes Examination Voucher for the CertNexus Cyber Secure Coder