Secure Code Reviews, Software Composition Analysis, Basic DevSecOps
SVA and SCA, Basic DevSecOps: Syllabus
Module 1: Threat Modelling and Development of Security Requirements (OWASP)
What is threat modelling?
Applying a threat model to a building
STRIDE model
Elements of a model
Data Flow Diagrams
SDL Threat Modelling Tool
Creating a threat model with the SDL Threat Modelling Tool
Design view
Analysis view
Analysing threats to propose controls
Framing security requirements
Module 2: Reading Code in PHP / .NET / Java Applications
Reading the demo bank application code (PHP)
Reading the Altroz Java application code
Reading the WebGoat.NET application code
Session management
Session
Cookie
Module 3: Coding Errors 1: Remediation
SQL Injection
OS Command Injection
Cross Site Scripting
Use of hard-coded keys/credentials (TruffleHog)
CSRF
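The SQL injection item above is the remediation pattern the module turns on: the vulnerable form concatenates request data into the query text, the remediated form passes it as a bound parameter. The following is an added illustration written for this syllabus, not code from the course's demo bank application. It uses Python's built-in sqlite3 so it runs offline; the user table, the hash strings and the attacker payload are constructed sample data.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a bank application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash_alice", 500), ("bob", "hash_bob", 120)],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """The pattern a reviewer flags: untrusted input concatenated into the SQL text.

    The quote characters in `username` become part of the statement, so an
    attacker rewrites the WHERE clause instead of supplying a value.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password_hash):
    """Remediation: a parameterised query.

    The statement text is fixed; the driver binds the values separately,
    so quote characters in the input are data, never syntax.
    """
    sql = (
        "SELECT username FROM users WHERE username = ? AND password_hash = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# Constructed attacker input: closes the opened quote, makes the WHERE clause
# always true, and comments out the password check that follows.
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # every user
    print("fixed:     ", login_fixed(db, PAYLOAD, "anything"))       # no user
    print("fixed, real credentials:", login_fixed(db, "alice", "hash_alice"))
```

During review the finding is the string concatenation itself, not the specific payload; any query built from request data without binding gets the same remediation, and the same applies to the PHP `mysqli_query($db, "... " . $_GET['id'])` form the demo bank code uses.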
Module 4: Coding Errors 2
Access control: database
XML Injection
Buffer Overflow
Passwords in clear text
Module 5: Automated Code Review Tools
Scanning an application with an automated tool
Analysing Results
False Positive Analysis
Module 6: Reading Someone Else's Code
Manual code review
Source to sink
Keyword-based review
Dataflow-based review
Control-flow-based review
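The difference between keyword-based and dataflow-based review is easiest to see on one piece of code. The script below is an added example for this syllabus, not a tool from the course: it runs both styles of review over a constructed PHP fragment in the style of a demo bank page. Keyword review reports every call to a dangerous sink; dataflow review only reports a sink when an untrusted source (`$_GET`, `$_POST`, `$_COOKIE`, `$_REQUEST`) reaches it through assignments without passing through a recognised sanitiser. The source, sink and sanitiser lists, and the regexes, are simplifications chosen for the example (straight-line code, one statement per line), not a PHP parser.

```python
import re

# Constructed PHP fragment for the example; not code from any real application.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
$name = $_POST['name'];
$host = 'db.internal';
$q1 = "SELECT * FROM accounts WHERE id = " . $id;
$q2 = "SELECT * FROM accounts WHERE id = " . $safe_id;
mysqli_query($db, $q1);
mysqli_query($db, $q2);
echo "Hello " . htmlspecialchars($name);
echo "Hello " . $name;
system("ping -c 1 " . $host);
"""

# Untrusted sources, with the array key kept so the report names the parameter.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)(?:\[[^\]]*\])?")
# Calls treated as neutralising their argument (assumed list for the example).
SANITIZER_RE = re.compile(
    r"\b(?:intval|htmlspecialchars|mysqli_real_escape_string)\s*\([^()]*\)"
)
# `$var = <expr>;` on one line; `(?!=)` keeps `==` from matching.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+);\s*$")
# Dangerous sinks followed by their argument text up to the terminating `;`.
SINK_RE = re.compile(
    r"\b(mysqli_query|mysql_query|system|exec|shell_exec|passthru|eval|echo)\b\s*(.*);\s*$"
)
VAR_RE = re.compile(r"\$(\w+)")


def _taint_deps(expr, tainted):
    """Sources and tainted variables an expression depends on, ignoring sanitised parts."""
    expr = SANITIZER_RE.sub("<sanitized>", expr)
    deps = [m.group(0) for m in SOURCE_RE.finditer(expr)]
    for var in VAR_RE.findall(expr):
        if "$" + var in tainted and "$" + var not in deps:
            deps.append("$" + var)
    return deps


def _provenance(dep, tainted):
    """A variable carries the chain that tainted it; a superglobal is its own origin."""
    return tainted.get(dep, dep)


def keyword_review(src):
    """Keyword-based review: every sink call is a finding, whatever its arguments."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = SINK_RE.search(line)
        if m:
            findings.append((no, m.group(1)))
    return findings


def dataflow_review(src):
    """Dataflow-based review: a finding needs a source-to-sink path through assignments."""
    tainted = {}      # "$var" -> chain of how it became tainted
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        sink = SINK_RE.search(line)
        if sink:
            for dep in _taint_deps(sink.group(2), tainted):
                path = f"{_provenance(dep, tainted)} -> {sink.group(1)}()"
                findings.append((no, sink.group(1), path))
        assign = ASSIGN_RE.match(line)
        if assign:
            var, rhs = "$" + assign.group(1), assign.group(2)
            deps = _taint_deps(rhs, tainted)
            if deps:
                tainted[var] = f"{_provenance(deps[0], tainted)} -> {var}"
            else:
                tainted.pop(var, None)   # reassigned from clean data: taint is cleared
    return findings


if __name__ == "__main__":
    print("keyword review:", keyword_review(SAMPLE_PHP))
    for no, sink, path in dataflow_review(SAMPLE_PHP):
        print(f"line {no}: {sink} reachable from untrusted input: {path}")
```

On the fragment, keyword review raises five findings (two `mysqli_query`, two `echo`, one `system`); dataflow review keeps two, the query built from `$_GET['id']` and the unescaped `echo` of `$_POST['name']`, and drops the three whose arguments are either sanitised or never touched by request data. Those three are exactly the false positives a reviewer triages in the automated-tool module, and the recorded path is what goes into the finding so a developer can see which line to fix.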
Module 7: Software Composition Analysis
A06:2021 Vulnerable and Outdated Components (OWASP Top 10)
Third-party components and open-source libraries
Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)
OWASP Dependency-Check or an equivalent tool
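What a dependency checker actually does is match each declared component and version against advisory records that carry affected version ranges, in the way NVD configuration data expresses them (a start version and an end version, each inclusive or exclusive). The example below is added for this syllabus and is not OWASP Dependency-Check's code or data: the dependency list mimics Maven coordinates, and the advisory records are constructed placeholders with made-up identifiers, not real CVE entries. Version comparison is done numerically so that 1.9 sorts before 1.10, which a plain string comparison gets wrong.

```python
import re

# Constructed manifest in Maven-style group:artifact:version form.
DEPENDENCIES = [
    ("org.example", "json-util", "2.3.1"),
    ("org.example", "http-client", "4.5.13"),
    ("org.example", "xml-parser", "1.9"),
    ("org.example", "logging-core", "3.1.0"),
]

# Constructed advisory records shaped like simplified NVD configuration data.
# The identifiers are placeholders for the example, not real CVE IDs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "org.example:json-util", "cvss": 9.8,
     "ranges": [{"start_incl": "2.0", "end_excl": "2.4.0"}]},
    {"id": "EXAMPLE-0002", "product": "org.example:http-client", "cvss": 7.5,
     "ranges": [{"start_incl": "4.0", "end_incl": "4.5.12"}]},
    {"id": "EXAMPLE-0003", "product": "org.example:xml-parser", "cvss": 8.1,
     "ranges": [{"end_excl": "1.10.0"}]},
]


def parse_version(version):
    """Dotted numeric version to a comparable tuple; padding makes 2.3 equal to 2.3.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * max(0, 4 - len(parts)))


def in_range(version, rng):
    """True when `version` falls inside an advisory range (missing bounds are open)."""
    v = parse_version(version)
    if "start_incl" in rng and v < parse_version(rng["start_incl"]):
        return False
    if "start_excl" in rng and v <= parse_version(rng["start_excl"]):
        return False
    if "end_incl" in rng and v > parse_version(rng["end_incl"]):
        return False
    if "end_excl" in rng and v >= parse_version(rng["end_excl"]):
        return False
    return True


def scan(dependencies, advisories):
    """Match every declared component against every advisory for the same product."""
    findings = []
    for group, artifact, version in dependencies:
        product = f"{group}:{artifact}"
        for adv in advisories:
            if adv["product"] != product:
                continue
            for rng in adv["ranges"]:
                if in_range(version, rng):
                    findings.append({
                        "dependency": f"{product}@{version}",
                        "id": adv["id"],
                        "cvss": adv["cvss"],
                        # The exclusive upper bound, when present, is the first fixed version.
                        "fix": rng.get("end_excl", "see advisory"),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in scan(DEPENDENCIES, ADVISORIES):
        print(f"{f['dependency']}: {f['id']} (CVSS {f['cvss']}), upgrade to {f['fix']}")
```

Two findings come out: json-util 2.3.1 sits inside the first range, and xml-parser 1.9 is below the 1.10.0 fix version; http-client 4.5.13 is one patch past the inclusive upper bound and is correctly not reported. Real tools add two things this toy leaves out: identifying the product from the artifact (CPE matching, which is where most false positives in dependency-check reports come from) and walking transitive dependencies rather than only the declared ones.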
Module 8: DevSecOps
DevOps and Software Development Life Cycle
Jenkins / Azure DevOps installation
Plugin management
Build setup
Integration with Git
Integration with Maven
Integration with Fortify
PowerShell for custom policy definition