What is Exploring Security?
This is a course for software development and product professionals at all levels, including engineers, testers, leaders, managers, and business and product analysts.
Exploring Security is an evolving approach to becoming more aware of the application and infrastructure security issues that affect your organisation, products, and customers. Every organisation is different, and as a result, each has different needs when it comes to security.
The modules are as follows:
Introducing The Security Triangle – Confidentiality, Integrity and Availability
The opening session will begin by developing an understanding of the first principles of application security and how they impact the decisions we make on mitigating security risks in our context.
What are threats? How do they impact your organisation? What are the impacts on you, your stakeholders, customers and users?
We will explore the potential threats to modern IT infrastructure and products, from unauthorised access and data exposure to complete denial of service.
We will examine, develop and explore a range of personas as models for testing the security of an application. Every kind of user has different needs, and uses software in different ways. How the users will interact with the software will also determine their needs and expectations from a security perspective.
Security Heuristics and Oracles
Security heuristics are some of the most complex and hardest to apply. What is and isn’t a security vulnerability will vary in every context, from static web pages to complex platforms for retail or banking. We will explore heuristics for our target applications, and how they might be used to identify potential issues.
The sources of information we use to plan and make decisions about our testing will also vary considerably. It’s important to understand how oracles can be applied to support our testing strategies, challenge our biases and help us solve security problems in our own contexts.
Strategies for Security
Once we have built our application security models, we also need to consider the potential strategies and approaches you might want to take. Much of this will depend on the context of your business, your risk profile, and the applications under test.
You’ll need to consider the scope, resources, training, tooling and communication about your security testing strategies. All are key to being successful in developing an awareness and understanding of security risks across the business, and how those risks are perceived by your stakeholders.
Testing Skills for Security
Using vulnerable applications, we will discover how to identify potential issues in applications which relate to the threats, risks and vulnerabilities we have discovered. This will include practising useful techniques and introducing skills such as reconnaissance, information discovery, brute force and fuzzing.
We will also introduce some useful tools to support these techniques, such as spiders, packet sniffers, proxies, scanners and other exciting utilities. These exercises and tools will help us to develop models of our applications, and their potential security risks.
We will also introduce specific techniques to exploit the most common of security vulnerabilities, such as SQL Injection, Cross Site Scripting, Broken Authentication, and Sensitive Data Exposure.
Hacking the Human
The users of software and systems are often considered the weakest link in any system. We will model the behaviours of humans using software, and understand their motivations and needs. When planning to attack a target, potential victim or business, an attacker will often need to use social engineering to learn as much as they can. We will explore the first principles of social engineering, using the skills learned to evaluate targets, so we can begin to understand how to defend them.
Communicating for Security
Finding flaws and fixing them is only half the battle. You will need to communicate the value of the work you are doing. Security problems and their inherent risks will have a different value for your stakeholders, according to their needs, interests and desired outcomes.
Teams and organisations need to have a common, holistic understanding of what security means for them. How we communicate to others about these problems is as important as finding and fixing them.
We will explore and model how these issues can impact the message you communicate to your stakeholders, both internally and externally. We will consider issues around disclosure, security awareness, ethical behaviour and public exposure.