Web Application Security for PCI DSS – Part 1 (WASEC-PD1) – Outline

Detailed Course Outline

DAY 1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types – the CIA triad
  • Cyber security threat types – the STRIDE model
  • Consequences of insecure software
  • Constraints and the market
  • The dark side
  • Categorization of bugs
    • The Seven Pernicious Kingdoms
    • Common Weakness Enumeration (CWE)
    • CWE Top 25 Most Dangerous Software Weaknesses
  • Cyber security in the finance sector
    • Threats and trends in fintech
  • PCI DSS
    • Overview
    • Requirements and secure coding (Requirements 1-5)
    • Req. 6 – Develop and maintain secure systems and applications
    • Requirement 6.5 – Address common coding vulnerabilities
    • Requirements and secure coding (Requirements 7-12)

The OWASP Top Ten 2021

  • A04 – Insecure Design
    • The STRIDE model of threats
    • Secure design principles of Saltzer and Schroeder
    • Client-side security
      • Frame sandboxing
        • Cross-Frame Scripting (XFS) attacks
        • Lab – Clickjacking
        • Clickjacking beyond hijacking a click
        • Clickjacking protection best practices
        • Lab – Using CSP to prevent clickjacking
  • A05 – Security Misconfiguration
    • Configuration principles
    • Server misconfiguration
    • Cookie security
      • Cookie security best practices
      • Cookie attributes
    • XML entities
      • DTD and the entities
      • Attribute blowup
      • Entity expansion
      • External Entity Attack (XXE)
        • File inclusion with external entities
        • Server-Side Request Forgery with external entities
        • Lab – External entity attack
        • Case study – XXE vulnerability in SAP Store
        • Lab – Prohibiting DTD expansion
  • A06 – Vulnerable and Outdated Components
    • Using vulnerable components
    • Case study – The Equifax data breach
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Vulnerability management
      • Patch management
      • Vulnerability databases
      • Vulnerability rating – CVSS
      • Bug bounty programs
      • DevOps, the build process and CI / CD
  • A09 – Security Logging and Monitoring Failures
    • Logging and monitoring principles
    • Insufficient logging
    • Case study – Plaintext passwords at Facebook
    • Logging best practices
    • Monitoring best practices
    • Firewalls and Web Application Firewalls (WAF)
    • Intrusion detection and prevention
    • Case study – The Marriott Starwood data breach