Oreilly - Introduction to Secure Software

Oreilly - Introduction to Secure Software

by Brian Sletten | Publisher: O'Reilly Media, Inc. | Release Date: March 2016 | ISBN: 9781491943595

https://www.oreilly.com/library/view/introduction-to-secure/9781491943595/

It's an unfortunate truism that many good developers are bad at software security. They cling to the belief that security is something you can just buy and bolt on, but that's not the case. It's not that developers want to be bad at security, they just don't know where to start and where they should go. This video offers a clear route. It begins with a high level overview of today's security threats and the organizational strategies used to counter those threats; it details the roles that SSG members, developers, testers and operations personnel must perform in a security focused SDLC; and finishes with a survey of the protocols, tactics, and tools used to optimize security at the physical, network, application, and perimeter levels.Understand the goals, costs, and limitations of software securityIdentify fifteen types of security attacks such as WebSocket, SQL injection, and TLS HeartbleedDiscover six core principles of software security including Defense in Depth and Fail SecurelyLearn about threat modeling using tools like STRIDE, CAPEC, and attack treesRecognize the capabilities and limitations of password policies, WAFS, and FirewallsReview authentication/authorization techniques like HTTP Digest, OAuth 2 and JWTLearn about the CORS, CSP, and HSTS security policies and protocolsExplore the W3C Web Cryptography Working Group's newest security protocolsBrian Sletten is a software engineer who focuses on security consulting, web architecture, resource-oriented computing, social networking, the Semantic Web, data science, 3D graphics, visualization, scalable systems, and other technologies. He has experience in retail, banking, online games, defense, finance, hospitality and healthcare.

Introduction
- Welcome to the Course 00:04:41
- Attacks in the News 00:13:19
- What We Tell Others 00:09:01
- Trusted vs Trustworthy 00:11:57
- Security Features 00:08:30
- Principle of Least Privilege 00:05:21
- Attacking Infrastructure 00:12:11
- Convincing Developers 00:07:56
- Beyond Perimeter Defense 00:07:10
Security Engineering
- Introduction to Security Engineering 00:10:37
- Economics of Security 00:11:41
- Motivation 00:09:24
- Security Protocols 00:24:31
Software Security
- Introduction to Software Security 00:10:46
- Risk Management 00:05:15
- Security Testing 00:09:32
- Architectural Risk Assessment 00:10:46
- Principle: Protecting the Weakest Link 00:05:55
- Principle: Defense in Depth 00:06:10
- Principle: Fail Securely 00:07:29
- Principle: Least Privilege 00:09:17
- Principle: Log Securely 00:07:07
- Principle: Trust Judiciously 00:09:42
- Tools 00:10:36
Threat Modeling
- Introduction to Threat Modeling 00:06:11
- STRIDE 00:04:52
- Attack Trees 00:09:30
- Accounts 00:13:08
- Web and Cloud 00:08:12
Security in the Organization
- Introduction to Security in the Organization 00:09:52
- Stakeholders 00:07:37
- Teams: Security Teams 00:07:42
- Teams: Developers 00:03:31
- Teams: Operations 00:03:49
- Software Lifecycles 00:07:00
Web Security
- Password Policies 00:19:25
- Feature: HTTP Basic 00:05:24
- Feature: HTTP Digest 00:05:07
- Feature: TLS 00:10:56
- Feature: OAuth 00:19:28
- Feature: HTTP Signatures 00:07:57
- Feature: JWT 00:06:06
- Feature: CORS 00:12:41
- Feature: CSP 00:06:41
- Feature: HSTS 00:05:19
- Feature: WAFs and Firewalls 00:04:09
Attacks
- Attack Overview 00:01:11
- Phishing 00:06:35
- XSS and HTML Injection 00:07:06
- CSRF 00:05:24
- SQL Injection 00:04:22
- TLS Attacks: BEAST, BREACH, CRIME 00:22:17
- TLS Attacks: Heartbleed 00:06:27
- TLS Attacks: POODLE 00:05:58
The Future
- The Future 00:09:32
- Next Steps 00:09:57