Semgrep Academy

Course introduction

Your Trainer

Why should you take this course?

What's in this course?

Secure SDLC & Application Security Program

Threat Modeling

Third Party Components (SCA)

Security Testing

Code Review and Static Analysis

Secure SDLC - Quiz!

#1 Input Validation

Input Validation - More Advice From OWASP

Input Validation: Code Review

#2 Output Encoding

Output Encoding: Code Review

#3 Parameterized queries are required; dynamic queries are forbidden.

Parameterized queries: Code Review

#4 Use the Authorization and Authentication provided by your framework, do not write your own.

Authentication and Password Management – OWASP Advice

#5 Use the identity and session management features available in your framework, network, or cloud provider.

#6 Use all applicable security headers

#7 Do not cache sensitive page data

Caching Sensitive Data: Code Review

#8 Secure Cookies

Thoughts on securing your cookies

#9 Take every possible precaution when performing file uploads

File upload advice from OWASP

Scanning your uploaded files

#10 All errors should be caught, handled, logged, and, if appropriate, alerted upon.

OWASP guidance on logging, alerting and monitoring

Error Handling and Logging Cheat Sheet!

#11 Sensitive or decision-making information should never be stored in URL parameters.

#12 Your application should be served over HTTPS only.

HTTPS Everywhere: Code Review

#13 All data must be encrypted in transit and at rest

#14 Allow users to cut and paste into the password field, to allow for use of password managers.

#15 All connection strings, hashes, passwords and other secrets must be kept in a secret store.

Reasons Secrets Need Management

Secret Management Best Practices

What are 'secrets'?

#16 Hash and salt all passwords.

#17 Keep your stuff up to date!

A special note on APIs

API Security Best Practices - Checklist

We did it!

17 Commandments - PDF Checklist!

Common Vulnerabilities

What is 'OWASP'? What is the 'Top Ten'?

A1: Injection

A2: Broken Authentication

A3: Sensitive Data Exposure

A4: XML External Entities (XXE)

A5: Broken Access Control

A6: Security Misconfiguration

A7: Cross Site Scripting (XSS)

A8: Insecure Deserialization

A9: Using Components with Known Vulnerabilities

A:10 Insufficient Logging and Monitoring

More! Important stuff that is not in the OWASP Top Ten

Buffer Overflows

Insecure Cryptographic Storage

Insecure Communications

Improper Error Handling

Cross Site Request Forgery (CSRF)

Quiz: Common Pitfalls

Key Take Aways

Awesome Books

Semgrep Resources

Course Survey

Thank you for attending Semgrep Academy