Secure Coding Masterclass for Healthcare


About the course

5 Days
Special Notices
Delegates attending this masterclass will be granted access to the Secure Coding Academy digital lab environment for 6 months post course.

The past few years have seen a massive increase in attacks, data breaches and medical identity theft targeting the healthcare industry; there have also been various ransomware attacks paralyzing healthcare computer networks as well as the various medical devices connected to them. The rise of mobile devices used in the industry needs to be addressed as well: there is a huge growth of medical software applications for mobiles and tablets that connect the patient with the organization – carrying and storing personally identifiable information (PII).

Healthcare is one of the business domains where security is absolutely crucial. Vulnerability is not an option when working with life-saving devices.

This training program exclusively targets engineers developing applications or maintaining networks for the healthcare sector. Our dedicated trainers share their experience and expertise through hands-on labs, and give real-life case studies from the healthcare industry – engaging participants in live ethical hacking to reveal the consequences of insecure coding.

Topics Include:

IT security and secure coding
Special threats in the banking and finance sector
Regulations and standards
Web application security (OWASP Top Ten 2017)
Client-side security
Security architecture
Requirements of secure communication
Practical cryptography
Security protocols
Crypto libraries and APIs
Input validation
Security of Web services
Improper use of security features
Object-relational mapping (ORM) security
Improper error and exception handling
Time and state problems
Code quality problems
Denial of service
Security testing techniques
Principles of security and secure coding
Knowledge sources

Prerequisites
There are no specific prerequisites for this course. However, a general understanding of development practices and a broad understanding of current threats is desirable. There are group exercises and instructor-led ‘hands-on’ labs within each module of this course. Delegates can observe the instructor demonstrations or engage fully with each hands-on lab, subject to experience.

The intended audience for this course is primarily Project Managers, Business Analysts, Junior Developers and Designers, as well as anyone with an interest in building and maintaining a secure systems lifecycle.

Note: This course is not designed for the experienced software developer and does not cover hands-on coding.

Delegates will learn how to
Understand basic concepts of security, IT security and secure coding
Understand special threats in the banking and finance sector
Understand regulations and standards
Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
Learn about XML security
Learn how to set up and operate the deployment environment securely
Learn client-side vulnerabilities and secure coding practices
Have a practical understanding of cryptography
Understand the requirements of secure communication
Understand essential security protocols
Understand some recent attacks against cryptosystems
Understand security concepts of Web services
Learn about JSON security
Learn about typical coding mistakes and how to avoid them
Get information about some recent vulnerabilities in the Java framework
Learn about denial of service attacks and protections
Get practical knowledge in using security testing techniques and tools
Get sources and further readings on secure coding practices
Note: This course comes with a number of easy-to-understand exercises providing real-time ethical hacking fun. By completing these exercises with the support of the trainer, participants can analyse vulnerable code snippets and carry out attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner using a pre-set desktop virtual machine, which provides a uniform development environment.


Outline
Day 1
IT security and secure coding

Nature of security
What is risk?
IT security vs. secure coding
From vulnerabilities to botnets and cybercrime
Nature of security flaws
Reasons for difficulty
From an infected computer to targeted attacks
Classification of security flaws
Landwehr’s taxonomy
The Seven Pernicious Kingdoms
OWASP Top Ten 2017
CWE most dangerous software errors
SEI CERT secure coding standards
Special threats in the healthcare sector

Threats in healthcare trends and numbers
Attacker model
Most significant targets
Industry and regulatory response to threats
How is cybersecurity different for medical devices?
Attacker tools and vectors
Regulations and standards

HIPAA
What is HIPAA?
Amendments
Who needs to be regulated by HIPAA?
General safety requirements
Implementation requirements
Administrative safeguards
Physical safeguards
Technical safeguards
Fines
Web application security (OWASP Top Ten 2017)

A1 - Injection
Injection principles
SQL injection
Exercise – SQL injection
Typical SQL Injection attack methods
Blind and time-based SQL injection
SQL injection protection methods
Other injection flaws
Command injection
Case study – ImageMagick
A2 - Broken authentication
Session handling threats
Session handling best practices
Setting cookie attributes – best practices
A3 - Sensitive data exposure
Sensitive data exposure
Transport layer security
Enforcing HTTPS
A4 - XML external entity (XXE)
XML Entity introduction
XML bomb
Exercise – XML bomb
XML external entity attack (XXE) – resource inclusion
XML external entity attack – URL invocation
XML external entity attack – parameter entities
Exercise – XXE attack
Case study – XXE in Google Toolbar
Identifying the vulnerability: JSON input processed as XML
A5 - Broken access control
Typical access control weaknesses
Insecure direct object reference (IDOR)
Exercise – Insecure direct object reference
Protection against IDOR
Case study – Molina Healthcare (Exposed patient records)
Exercise – Authorization bypass
Day 2
A6 - Security misconfiguration
Configuration management
Hardening
Patch management
Configuring the environment
Insecure file uploads
Exercise – Uploading executable files
Filtering file uploads – validation and configuration
A7 - Cross-Site Scripting (XSS)
Persistent XSS
Reflected XSS
DOM-based XSS
Exercise – Cross-Site Scripting
Exploitation: CSS injection
Exploitation: injecting the <base> tag
Exercise – HTML injection with base tag
XSS prevention
A8 - Insecure deserialization
Deserialization basics
Security challenges of deserialization
From deserialization to code execution
Issues with deserialization – JSON
A9 - Using components with known vulnerabilities
Vulnerability attributes
Common Vulnerability Scoring System – CVSS
A10 - Insufficient logging and monitoring
Detection and response
Logging and log analysis
Intrusion detection systems and Web application firewalls
Client-side security

JavaScript security
Same Origin Policy
Cross Origin Resource Sharing (CORS)
Exercise – Client-side authentication
Client-side authentication and password management
Protecting JavaScript code
Exercise – JavaScript obfuscation
Clickjacking
Exercise – Do you Like me?
Protection against Clickjacking
Anti frame-busting – dismissing protection scripts
Protection against busting frame busting
AJAX security
XSS in AJAX
Script injection attack in AJAX
Exercise – XSS in AJAX
XSS protection in AJAX
Exercise – CSRF in AJAX – JavaScript hijacking
CSRF protection in AJAX
HTML5 security
New XSS possibilities in HTML5
HTML5 clickjacking attack – text field injection
HTML5 clickjacking – content extraction
Form tampering
Exercise – Form tampering
Cross-origin requests
HTML proxy with cross-origin request
Exercise – Client side include
Security architecture

(platform and technology dependent topics)
Application level access control
(permissions, sandboxing)
User level access control
Authentication
Authorization
Day 3
Requirements of secure communication

Security levels
Secure acknowledgment
Malicious message absorption
Feasibility of secure acknowledgment
The solution: Clearing Centers
Inadvertent message loss
Integrity
Error detection – Inadvertent message distortion (noise)
Modeling message distortion
Error detection and correction codes
Authenticity – Malicious message manipulation
Modeling message manipulation
Practical integrity protection (detection)
Non-repudiation
Summary
Detecting integrity violation
Confidentiality
Model of encrypted communication
Encryption methods in practice
Strength of encryption algorithms
Remote identification
Requirements of remote identification
Anonymity and traffic analysis
Model of anonymous communication
Traffic analysis
Theoretically strong protection against traffic analysis
Practical protection against traffic analysis
Summary
Relationship between the requirements
Practical cryptography

Cryptosystems
Elements of a cryptosystem
Symmetric-key cryptography
Providing confidentiality with symmetric cryptography
Symmetric encryption algorithms
Block ciphers – modes of operation
Other cryptographic algorithms
Hash or message digest
Hash algorithms
SHAttered
Message Authentication Code (MAC)
Providing integrity and authenticity with a symmetric key
Random numbers and cryptography
Cryptographically-strong PRNGs
Hardware-based TRNGs
Asymmetric (public-key) cryptography
Providing confidentiality with public-key encryption
Rule of thumb – possession of private key
The RSA algorithm
Introduction to RSA algorithm
Encrypting with RSA
Combining symmetric and asymmetric algorithms
Digital signing with RSA
Public Key Infrastructure (PKI)
Man-in-the-Middle (MitM) attack
Digital certificates against MitM attack
Certificate Authorities in Public Key Infrastructure
X.509 digital certificate
Security protocols

Secure network protocols
Specific vs. general solutions
SSL/TLS protocols
Security services
SSL/TLS handshake
Protocol-level vulnerabilities
BEAST
FREAK
FREAK – attack against SSL/TLS
Logjam attack
Padding oracle attacks
Adaptive chosen-ciphertext attacks
Padding oracle attack
CBC decryption
Padding oracle example
Lucky Thirteen
POODLE
Crypto libraries and APIs

(platform and technology dependent topics)
Day 4
Input validation

Input validation concepts
Integer problems
Representation of negative integers
Integer overflow
Integer problem – best practices
Path traversal vulnerability
Path traversal mitigation
Case study – Insufficient URL validation in LastPass
Unvalidated redirects and forwards
Case study – B. Braun SpaceCom
Space: an infusion pump management system
CVE-2017-6018: Open redirect issue in SpaceCom module
Log forging
Some other typical problems with log files
(some additional platform and technology dependent topics)
Security of Web services

SOAP security
SOAP - Simple Object Access Protocol
Transport layer security
Message level security
Security of RESTful web services
Authentication with REST
Authorization with REST
Vulnerabilities in connection with REST
XML security
Introduction
XML parsing
XML injection
(Ab)using CDATA to store XSS payload in XML
Exercise – XML injection
JSON security
Introduction
JSON parsing
Embedding JSON server-side

Start date: 09 Dec 2019, London