Secure Coding: Using Components with Known Vulnerabilities

https://www.pluralsight.com/courses/secure-coding-using-components-known-vulnerabilities

by Peter Mosmans

Course Overview
  1. Course Overview
Using Components with Known Vulnerabilities
  1. Course and Module Introduction
  2. Demo: Finding Exploitable Components
    • nvd.nist.gov lists software vulnerabilities
  3. What Is Using Components with Known Vulnerabilities?
  4. OWASP Top 10 2017 and Using Components with Known Vulnerabilities
    • Vulnerable and Outdated Components is part of the OWASP Top 10
  5. Software Life Cycle
  6. Module Summary
Managing Unsupported or Out-of-date Commercial Software
  1. Module Introduction
  2. Common Platform Enumeration (CPE)
    • Open standard to uniformly describe information technology systems, software, and packages
      • It solves product naming issues
      • Used to map products against vulnerabilities more reliably
  3. Finding Published Vulnerabilities
    • In 1999, the Common Vulnerabilities and Exposures standard was developed.
    • Finding Published Vulnerabilities
      • CVE entries
        • National Vulnerability Database (NVD)
      • Vulnerabilities without CVE entry
        • Vendor-specific webpages
        • Changelogs
        • Source code
        • Search engines
        • Commercial subscriptions
    • To request a CVE:
      • https://cveform.mitre.org/
  4. Virtual Patching
    • Virtual Patching is
      • Blocking an attack vector
      • Preventing exploitation
    • Why Virtual Patching
      • No access to source code
      • No access to environment
      • Lack of resources
      • Minimize time to fix
      • Costs
    • Where to Apply Virtual Patches
      • Not in the component itself
      • Any software in front of the vulnerable component
        • Web application firewall
        • Web server plugin
        • Application layer filter
        • Web server or proxy configuration
    • Issues with Virtual Patching
      • Difficult
      • Often only specific exploit is blocked
      • Error prone
      • Can block legitimate traffic
      • Difficult to maintain
  5. Demo: Finding Vulnerabilities and Creating a Virtual Patch
  6. Trust When Installing or Updating Components
    • Use a package manager when possible
    • Prefer signed packages
  7. Demo: Secure Installation of Node.js
  8. Module Summary
Managing Bespoke Software That Uses Third Party Libraries
  1. Module Introduction
  2. Versioning
    • Different Types Of Versioning
      • Calendar based versioning
      • Sequence based versioning
      • Semantic versioning (MAJOR.MINOR.PATCH)
        • For more info: https://semver.org/
  3. Software Composition Analysis
  4. Automatically Mapping Software Versions against Vulnerabilities
    • Tooling for finding vulnerabilities
      • OWASP Dependency Check
        • Plugs into CI/CD environment
      • Specific frameworks
        • npm audit
        • SafeNuGet (.NET)
        • Retire.js (JavaScript)
      • Commercial offerings
        • Snyk
        • Dependabot
  5. Demo: Automatically Mapping Software Versions against Vulnerabilities
    • Demo of using OWASP Dependency-Check
  6. Module Summary
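The version comparison that underlies "Automatically Mapping Software Versions against Vulnerabilities" and the semantic versioning bullet above, as an added example in Python that is not part of the course or of any tool it names: it parses MAJOR.MINOR.PATCH (with pre-release ordering as defined at semver.org) and checks a dependency manifest against an advisory list. The component names and advisory identifiers are constructed placeholders, not real CVEs.

```python
import re

# Added example, not the course's own code: semver parsing plus a minimal
# version-to-advisory matcher of the kind Software Composition Analysis tools automate.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def _pre_key(pre):
    # semver.org precedence: numeric identifiers compare numerically and rank
    # below alphanumeric ones; a longer identifier list ranks above its prefix.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))


def parse_semver(text):
    """Return a sortable key for MAJOR.MINOR.PATCH[-pre][+build]; build metadata is ignored."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    # A release ranks above any of its pre-releases (1.2.0-rc.1 < 1.2.0).
    return (int(major), int(minor), int(patch), 0 if pre else 1, _pre_key(pre) if pre else ())


# Constructed advisory feed for illustration; names and ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "acme-parser", "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "EXAMPLE-0002", "component": "acme-parser", "introduced": "2.0.0", "fixed": "2.0.2"},
    {"id": "EXAMPLE-0003", "component": "widget-http", "introduced": "0.0.0", "fixed": "4.1.0"},
]


def is_affected(version, advisory):
    """True when introduced <= version < fixed (the fixed version itself is safe)."""
    v = parse_semver(version)
    return parse_semver(advisory["introduced"]) <= v < parse_semver(advisory["fixed"])


def scan(manifest, advisories=ADVISORIES):
    """manifest maps component name -> installed version; returns {component: [advisory ids]}."""
    findings = {}
    for name, version in manifest.items():
        hits = [a["id"] for a in advisories
                if a["component"] == name and is_affected(version, a)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Constructed manifest: one vulnerable, one already at the fixed version, one unknown to the feed.
    print(scan({"acme-parser": "1.2.9", "widget-http": "4.1.0", "other-lib": "0.1.0"}))
```

Note that a pre-release such as 4.1.0-beta.1 still sorts below the fixed release 4.1.0 and is therefore reported, which is the behaviour a scanner should have.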
Patch Management Process
  1. Module Introduction
  2. Hardening
    • Component Hardening
      • Apply principle of least privilege
      • Remove unused dependencies
      • Remove documentation
      • Remove samples
      • Disable default accounts
      • Follow security announcements
  3. Patch Management Process
  4. Module and Course Summary
