Secure Code Reviews, Software Composition Analysis, Basic DevSecOps

SVA and SCA, Basic DevSecOps - Syllabus

Module 1: Threat Modelling and Development of Security Requirements - OWASP

    What is threat modelling
    Application of a threat model to a building
        STRIDE model
        Elements of models
        Data flow diagrams
    SDL Threat Modelling Tool
        Creating a threat model with the SDL Threat Modelling Tool
        Design view
        Analysis view
    Analysing threats to propose controls
    Framing security requirements

Module 2: Reading Code - PHP/.NET/Java Applications

    Reading the demo bank application code (PHP)
    Reading the Altroz Java application code
    Reading the WebGoat .NET application code
    Session management

Module 3: Coding Errors 1 - Remediation

    SQL injection
    OS command injection
    Cross-site scripting
    Use of hard-coded keys/credentials - TruffleHog

Module 4: Coding Errors 2

    Access control: database
    XML injection
    Buffer overflow
    Passwords in clear text

Module 5: Automated Code Review Tools

    Scanning an application with an automated tool
    Analysing results
    False-positive analysis

Module 6: Reading Someone Else's Code

    Manual code review
    Source to sink
    Keyword-based review
    Dataflow-based review
    Control-flow-based review

Module 7: Software Composition Analysis

    A06:2021 - Vulnerable and Outdated Components
    Third-party components and open-source libraries
    Common Vulnerabilities and Exposures (CVE)
    National Vulnerability Database (NVD)
    OWASP Dependency-Check or an equivalent tool

Module 8: DevSecOps

    DevOps and the software development life cycle
    Jenkins/Azure DevOps installation
    Plugin management
    Build setup
    Integration with Git
    Integration with Maven
    Integration with Fortify
    PowerShell for custom policy definition
