EC Council Certified Secure Programmer v1.0

EC-Council's Certified Secure Programmer and Certified Secure Application Developer are being offered to provide the essential and fundamental skills to programmers and application developers in secure programming. The most prevalent reason behind buggy code and vulnerabilities being exploited by hackers and malicious code is the lack of adoption of secure coding practices.
The Certified Secure Programmer and Certified Secure Application Developer programs will ensure that programmers and developers are exposed to the inherent security drawbacks in various programming languages or architectures. They will be further trained to exercise secure programming practices to overcome these inherent drawbacks in order to preempt bugs from the code.
 

Delivered by Data-Sentry

Course Outline

Lesson 1: Introduction to Secure Coding
Secure Coding
Common Security Mistakes
Why Security Mistakes Are Made
Need for Secure Programming
Building Blocks of Software Security
Types of Security Vulnerabilities
Vulnerability Cycle
Types of Attacks
Hackers and Attackers
Risk Assessment and Threat Modeling
STRIDE Threat Model
Common Criteria
Security Architecture
Security Principles
Secure Development Checklists
Use of Privilege

Lesson 2: Designing Secure Architecture

Introduction to Secure Architecture
Application Security
Factors Affecting Application Security
Software Engineering and System Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC) Phases
Software Methodology Models
Agile Methodologies
Extreme Programming (XP)
Unified Modeling Language (UML)
Vulnerabilities and Other Security Issues in a Software Applications
Security Through Obscurity
Buffer Overflows
Format String Vulnerabilities and Race Conditions
Locking Problems
Exception Handling
Fundamentals of Control Granularity
Fail Safe Design Strategies Concepts
Input and Parameter Validation
Encrypting Secrets in Memory and Storage
Scrubbing Information
Privilege Levels for Information Access
Loose Coupling
High Cohesion
Change Management and Version Control
Software Development Best Practices

Lesson 3: Cryptography

Introduction to Cryptography
Encryption
Decryption
Use Of Cryptography
Classical Cryptographic Techniques
Modern Cryptographic Techniques
Cipher
RSA (Rivest Shamir Adleman)
Example: RSA Algorithm
RSA Attacks
Implementing RSA in C++
Data Encryption Standard (DES)
DES Overview
Implementation of DES in Java
RC4, RC5, RC6, Blowfish Overview
RC5
Blowfish Algorithm in C
Message Digest Functions
One-way Bash Functions
MD5
Implementing MD5 in Java
Secure Hash Algorithm
Implementing SHA in Java
SSL (Secure Sockets Layer)
What is SSH?
Algorithms and Security
Disk Encryption
Government Access to Keys (GAK)
Digital Signature
Components of a Digital Signature
Method of Digital Signature Technology
Use of Digital Signature
Digital Signature Standard
Digital Signature Algorithm: Signature Generation/Verification
Digital Signature Algorithms: ECDSA, ElGamal Signature Scheme
Challenges and Opportunities
Digital Certificates
Creating and Verifying a Simple XML Digital Signature in C#
Cleversafe Grid Builder
Pretty Good Privacy
CypherCalc
Command Line Scriptor
CryptoHeaven
Cryptanalysis
Cryptography Attacks
Brute-Force Attack
The distributed.net Organization
Summary

Lesson 4: Buffer Overflows

Buffer Overflows
Reasons for Buffer Overflow Attacks
Why Are Programs/Applications Vulnerable?
Understanding Stacks
Understanding Heaps
Stack-based Buffer Overflow
Heap-based Buffer Overflow
How to Detect Buffer Overflows in a Program
Attacking a Real Program
Defense Against Buffer Overflows
Return Address Defender (RAD)
Tool to Defend Buffer Overflow: StackGuard
Tool to Defend Buffer Overflow: Immunix System
Vulnerability Search – ICAT
Valgrind
Insure++
Buffer Overflow Protection Solution: Libsafe
Comparing Functions of libc and Libsafe
Simple Buffer Overflow in C
Code Analysis
Summary

Lesson 5: Secure C and C++ Programming

Introduction of C/C++
Vulnerable C/C++ Functions
C/C++ Vulnerabilities
GCC Extension to Protect Stack-Smashing Attacks
Heap-Based Buffer Overflow
Off By One/Five Errors
Double Free Vulnerablility
Secure Memory Allocation Tips
Symmetric Encryption
Blowfish Algorithm in C
Public Key Cryptography
Networking
Creating an SSL Client in C++
Creating an SSL Server
Random Number Generation Problem
Random Number API
Anti-Tampering
Erasing Data from Memory Securely Using C/C++
Preventing Memory From Being Paged to Disk
Using Variable Arguments Properly
Signal Handling
Encapsulation in C++
Best Practices for Input Validation
Code Profiling And Memory Debugging Tool: Val grind
Summary

Lesson 6: Secure Java and JSP Programming

Introduction to Java
Java Virtual Machine (JVM)
Java Security
Sandbox Model
Security Issues with Java
SQL Injection Attack
Preventive Measures for SQL Injection
URL Tampering
Denial-of-Service (DoS) Attack on Applet
DoS from Opening Untrusted Windows
Preventing DOS Attacks
.Class File Format
Byte Code Attack
Reverse Engineering/ Decompilation by Mocha
Obfuscation Tools: Jmangle
Cinnabar Canner
Byte Code Verifier
Class Loader
Building a SimpleClassLoader
Security Manager
jarsigner - JAR Signing and Verification Tool
Signing an Applet Using RSA-Signed Certificates
Signing Tools
Getting RSA Certificates
Bundling Java Applets as JAR Files
Signing Java Applets Using Jarsigner
Signing Java Applets Using Netscape Signing Tool
Security Extensions
Java Authentication and Authorization Service (JAAS)
Java Cryptographic Extension (JCE)
Java(TM) Secure Socket Extension (JSSE)
Creating Secure Client Sockets
Creating Secure Server Sockets
Choosing the Cipher Suites
Java GSS Security
Security From Untrusted User Input
Cross Site Scripting
Overcoming Cross Site Scripting Problem
Permissions in Java
How to create new types of permissions?
Security Policy
Specifying an additional Policy File at runtime
Policy Tool
Best practices for developing secure Java Code
Summary

Lesson 7: Secure Java Script and VB Script Programming

Script: Introduction
JavaScript Vulnerability
XSS Attacks
Avoiding XSS?
JavaScript Hijacking
Defending Against JavaScript Hijacking
Decline Malicious Requests
Prevent Direct Execution of the JavaScript Response
Malicious Script Embedded in Client Web Requests
Malicious Script Embedded in Client Web Requests: Effects
Malicious Script Embedded in Client Web Requests: Solution
Tool: Thicket Obfuscator for JavaScript
JavaScript Security in Mozilla
Netscape's SignTool
Privileges
Tool for Encryption: TagsLock Pro
Jash: Javascript Command-Line Debugging Tool
Tool: Script Encoder
Tool: Scrambler
VBScript: CryptoAPI Tools
Signing A Script (Windows Script Host)
Verifying a Script
Signature Verification Policy
Software Restriction Policies for Windows XP
Designing a Software Restriction Policy
Creating Additional Rules
Blocking Malicious Scripts
Summary

Lesson 8: Secure ASP Programming

ASP- Introduction
Improving ASP Design
Using Server-Side Includes
Taking Advantage of VBScript Classes
Using Server.Execute
Using Server.Transfer
The #include Directive
.BAK Files on the Server
Programming Errors
Detecting Exceptions with Scripting Language Error-Handling Mechanisms
Using VBScript to Detect an Error
Using Jscript to Detect an Error
Notifying the Support Team When an Error Occurs Using CheckForError
Attacks on ASP
ASP DypsAntiSpam: A CAPTCHA for ASP
Preventing Automatic Submission With DypsAntiSpam
CAPTCHA: Examples
Using Database and ASP Sessions to Implement ASP Security
Step 1: Create A User Database Table
Step 2: Create And Configure The Virtual Directory
Step 3: Create The Sample Pages
Step 4: Add Validation Code To Pages
Protecting Your ASP Pages
Encoding ASP Code: Script Encoder
Protecting Passwords of ASP Pages with a One-way Hash Function
ASP Best Practices
ASP Best Practices: Error Handling
Summary

Lesson 9: Secure Microsoft.NET Programming

Common Terminology
Microsoft .NET: Introduction
.NET Framework
Security Policy Levels
Security Features in .NET
Key Concepts in .NET Security
Code Access Security (CAS)
Evidence-Based Security
Role-Based Security
Declarative and Imperative Security
Cryptography
Generate Key for Encryption and Decryption
Symmetric Encryption in .Net
Asymmetric Encryption in .Net
Symmetric Decryption in .Net
Asymmetric Decryption in .Net
Protecting Client and Server Data Using Encryption
Cryptographic Signatures
Write a Signature in .Net
Verify a Signature in .Net
Ensuring Data Integrity with Hash Codes
Hash Code Generation
Verification of Hash Code
Permissions
Code Access Permissions
Identity Permissions
Role-Based Security Permissions
SkipVerification
Stack Walk
Writing Secure Class Libraries
Runtime Security Policy
Step-By-Step Configuration of Runtime Security Policies
Creating a Security Policy Deployment Package
Type Safety
Canonicalization
Access Control List Editor
Securing User Credentials and Logon Information
Obfuscation
Dotfuscator: .NET Obfuscator Tool
Administration Tool: Authorization Manager (AzMan) with ASP.Net
ASP.NET Security Architecture
Authentication and Authorization Strategies
URL Authorization
File Authorization
Windows Authentication
Forms Authentication
Passport Authentication
Custom Authentication
Implementing Custom Authentication Scheme
Configuring Security with Mscorcfg.msc
Process Identity for ASP.NET
Impersonation
Impersonation Sample Code
Secure Communication
Storing Secrets
Options for Storing Secrets in ASP.NET
Web.config Vulnerabilities
Securing Session and View State
Web Form Considerations
Securing Web Services
Secure Remoting
Create a Remotable Object
Secure Data Access
.NET Security Tools
Code Access Security Policy Tool: Caspol.exe
Certificate Creation Tool: Makecert.exe
Certificate Manager Tool: Certmgr.exe
Certificate Verification Tool: Chktrust.exe
Permissions View Tool: Permview.exe
PEVerify Tool: Peverify.exe
Best Practices for .NET Security
Summary

Lesson 10: Secure PHP Programming

Introduction to PHP (Hypertext Preprocessor)
PHP Security Blunders
Security Sensitive PHP Functions: File Functions
Security Sensitive PHP Functions: ezmlm_hash
PHP Vulnerabilities
Common PHP Attacks
Secure PHP Practices
Best Practices for PHP Security
Acunetix Web Vulnerability Scanner
Encryption Software: PHP Codelock
Zend Guard
POBS
Summary

Lesson 11: Secure PERL Programming

Introduction: Practical Extraction and Report Language (PERL)
Common Terminology
Security Issues in Perl Scripts
Basic User Input Vulnerabilities
Overcoming Basic User Input Vulnerabilities
Insecure Environmental Variables
Algorithmic Complexity Attacks
Perl: Taint, Strict, and Warnings
Taint Mode
How Does Taint Mode Work?
Taint Checking
Using Tainted Data
Securing the Program Using Taint
Strict Pragma
The Setuid Command
The Perl crypt() Function
Logging Into a Secure Web Site with Perl Script
Secure Log-in Checklist
Program for Secure Log-in
Securing open() Function
Unicodes
Displaying Unicode As Text
Summary

Lesson 12: Secure XML, Web Services and AJAX Programming

Web Application and Web Services
Web Application Vulnerabilities
XML- Introduction
XSLT and XPath
XML Signature
An Enveloped, Enveloping and Detached XML Signature Simultaneously
XML Encryption
Security Considerations for the XML Encryption Syntax
Canonicalization
Validation Process in XML
XML Web Services Security
XML-aware Network Devices Expand Network Layer Security
Security of URI in XML
Security of Opaque Data in XML
Growth of XML as Percentage of Network Traffic
XML Web Services Security Best Practices
XML Security Tools
V-Sentry
Vordel SOAPbox
AJAX- Introduction
Anatomy of an AJAX Interaction (Input Validation Example)
AJAX: Security Issues
How to Prevent AJAX Attacks
Tool: HTML Guardian ™
Tool: Sprajax- AJAX Security Scanner
Tool: DevInspect
Summary

Lesson 13: Secure RPC, ActiveX and DCOM Programming

RPC Introduction
RPC Authentication
RPC Authentication Protocol
NULL Authentication
UNIX Authentication
Data Encryption Standard (DES) Authentication
Diffie-Hellman Encryption
Security Methods
Security Support Provider Interface (SSPI)
Security Support Providers (SSPs)
Secure RPC Protocol
RpcServerRegisterAuthInfo Prevents Unauthorized Users from Calling your Server
RPC Programming Best Practices
Make RPC Function Calls
RPC and the Network
Writing a Secure RPC Client or Server
ActiveX Programming: Introduction
Preventing Repurposing
SiteLock Template
IObjectSafety Interface
Code Signing
Creating a Code Signing Certificate and Signing an ActiveX Component in Windows
Protecting ActiveX Controls
DCOM: Introduction
Security in DCOM
Application-Level Security
Security by Configuration
Programmatic Security
Run As a Launching user
Run As a Interactive User
Run As a Specific User
Security Problem on the Internet
Security on the Internet
Heap Overflow Vulnerability
Workarounds for Heap Overflow Vulnerability
Tool: DCOMbobulator
DCOM Security Best Practices
Summary

Lesson 14: Secure Linux Programming

Introduction
Open Source and Security
Linux File Structure
Basic Linux Commands
Linux Networking Commands
Linux Processes
POSIX Capabilities
UTF-8 Security Issues
UTF-8 Legal Values
Security Linux Programming Advantages
Requirements for Security Measure Assurance
Enabling Source Address Verification
Linux iptables and ipchains
Controlling Access by MAC Address
Permitting SSH Access Only
Network Access Control
Layers of Security for Incoming Network Connections
Prohibiting Root Logins on Terminal Devices
Authentication Techniques
Authorization Controls
Running a Root Login Shell
Protecting Outgoing Network Connections
Logging in to a Remote Host
Invoking Remote Programs
Copying Remote Files
Public-key Authentication between OpenSSH Client and Server
Authenticating in Cron Jobs
Protecting Files
File Permissions
Shared Directory
Encrypting Files
Listing Your Keyring
Signing and Encrypting Files
Encrypting Directories
POP/IMAP Mail Server
Testing an SSL Mail Connection
Securing POP/IMAP with SSL and Pine
SMTP Server
Testing and Monitoring
Testing Login Passwords (John the Ripper)
Testing Login Passwords (CrackLib)
Testing Search Path
Searching Filesystems Effectively
Finding Setuid (or Setgid) Programs
Securing Device Special Files
Looking for Rootkits
Tracing Processes
Observing Network Traffic
Detecting Insecure Network Protocols
Detecting Intrusions with Snort
Log Files (syslog)
Testing a Syslog Configuration
Logwatch Filter
Structure Program Internals and Approach
Minimize Privileges Sample Code
Filter Cross-Site Malicious Content on Input
Filter HTML/URIs that may be Re-Presented
Avoid Buffer Overflow
Language-Specific Issues
Linux Application Auditing Tool: grsecurity
Summary

Lesson 15: Secure Linux Kernel Programming

Introduction to Kernels
Building a Linux Kernel
Procedures to Follow Post-Build
Compiling a Linux Kernel
Summary

Lesson 16: Secure Xcode Programming

Introduction to Xcode
Mac OS X applications
Cocoa
Carbon
AppleScript
Script Editor
Script Window
Common Data Security Architecture (CDSA)
Secure Transport API Set and Cryptographic Service Provider (CSP)
Creating SSL Certificate on Mac OS X Server
Using SSL with the Web Server
Setting up SSL for LDAP
rotecting Security Information
Security in Mac OS X
Security Management Using System Preferences
Authentication Methods
Encrypted disk images
Networking Security Standards
Personal firewall
Checklist of Recommended steps required to secure Mac OS X
Summary

Lesson 17: Secure Oracle PL/SQL Programming

Introduction: PL/SQL
Security Issues in Oracle
SQL Injection Attacks
Defending Against SQL Injection Attacks
SQL Manipulation
Code Injection Attack
Function Call Injection Attack
Buffer Overflow and Other Vulnerabilities
DBMS_SQL Vulnerabilities in PL/SQL
Protecting DBMS_SQL in PL/SQL
Types of Database Vulnerability/Attacks
Password Management Policy
Auditing Policy
Oracle Policy Manager
Oracle Label Security (OLS)
Create an Oracle Label Security Policy
Step 1: Define the Policy
Step 2: Define the Components of the Labels
Step 3: Identify the Set of Valid Data Labels
Step 4: Apply Policy to Tables and Schemas
Step 5: Authorize Users
Step 6: Create and Authorize Trusted Program Units (Optional)
Step 7: Configure Auditing (Optional)
Oracle Identity Management
Security Tools
Secure Backups: Tool
Obfuscation
Obfuscation Sample Code
Encryption Using DBMS_CRYPTO
Advanced Security Option
Row Level Security
Oracle Database Vaults: Tool
Auditing
Auditing Methods
Audit Options
View Audit Trail
Fine-Grained Auditing (FGA)
Oracle Auditing Tools (OAT)
Testing PL/SQL Programs
SQL Unit Testing Tools: SPUnit
SQL Unit Testing Tools: TSQLUnit
SQL Unit Testing Tools: utPLSQL
Steps to Use utPLSQL
Summary

Lesson 18: Secure SQL Server Programming

Introduction
SQL Server Security Model: Login
Creating an SQL Server Login
Database User
Guest User
Permissions
Database Engine Permissions Hierarchy
Roles
User-Defined Roles
Application roles
Security Features of MS-SQL Server 2005
SQL Server Security Vulnerabilities
SQL Injection Attacks
Preventing SQL Injection Attacks
Sqlninja: SQL Server Injection Tool
Data Encryption
Built-in Encryption Capabilities
Encryption Keys
Encryption Hierarchy
Transact-SQL
Create Symmetric Key in T-SQL
Create Asymmetric Key in T-SQL
Certificates
Create Certificate in T-SQL
SQL Server Security: Administrator Checklist
SQL Server Installation
Best Practices for Database Object Authorization
Auditing and Intrusion Detection
Enabling Auditing
Database Security Auditing Tools
Summary

Lesson 19: Secure Network Programming

Basic Network Concepts
Basic Web Concepts
Network Programming
Benefits of Secure Network Programming
Network Interface
Securing Sockets
Ports
UDP Datagram and Sockets
Internet Address
Connecting to secure websites
URL Decoder
Reading Directly from a URL
Content Handler
Cookie Policy
RMI Connector
.Net : Internet Authentication
Network Scanning Tool: ScanFi
Network Programming Best Practices
Summary

Lesson 20: Windows Socket Programming

Introduction to Windows Sockets
Windows NT and Windows 2000 Sockets Architecture
Socket Programming
Client Side Socket Programming
Initializing a Socket and Connecting
Server-Side Socket Programming
Creating a Server
Winsock 2.0
Winsock Linking Methods
Starting a Winsock 2 API
Accepting Connections: AcceptEx
WinSock: TransmitFile and TransmitPackets
Grabbing a Web Page Using Winsock
Generic File – Grabbing Application
Writing Client Applications
TCP Client Application Sample Code
Writing Server Applications
TCP Server Application Sample Code
Winsock Secure Socket Extensions
WSADeleteSocketPeerTargetName Function
WSAImpersonateSocketPeer Function
WSAQuerySocketSecurity
WSARevertImpersonation Function
WSASetSocketPeerTargetName Function
WSASetSocketSecurity Function
SOCKET_SECURITY_SETTINGS
Using WinSock to Execute a Web Attack
Using Winsock to Execute a Remote Buffer Overflow
MDACDos Application
Summary

Lesson 21: Writing Shellcodes

Shellcode Introduction
Shellcode Development Tools
Remote Shellcode
Port Binding Shellcode
FreeBSD Port Binding Shellcode
Clean Port Binding Shellcode
Socket Descriptor Reuse Shellcode
Local Shellcode
The execve Shellcode
Executing /bin/sh
Byte Code
The setuid Shellcode
The chroot Shellcode
Breaking of chroot jails (Traditional Method)
Breaking Out of Chroot Jails on Linux Kernels
Windows Shellcode
Shellcode Examples
Steps to Execute Shell Code Assembly
The Write System Call
Linux Shellcode for “Hello, world!”
The Write System Call in FreeBSD
The execve Shellcode in C
FreeBSD execve jmp/call Style
FreeBSD execve Push Style
FreeBSD execve Push Style, Several Arguments
Implementation of execve on Linux
Linux Push execve Shellcode
System Calls
The Socket System Call
The Bind System Call
The Listen System Call
The Accept System Call
The dup2 System Calls
The execve System Call
Linux Port Binding Shellcode
Compile, Print, and Test Shellcode
Reverse Connection Shellcode
Socket Reusing Shellcode
Linux Implementation of Socket Reusing Shellcode
Reusing File Descriptors
Using the setuid Root
Using the ltrace utility
Using GDB
Assembly Implementation
SysCall Trace
RW Shellcode
Encoding Shellcode
Decoder Implementation and Analysis
Decoder Implementation Program
Results of Implementation Program
OS-Spanning Shellcode
Assembly Creation
Summary

Lesson 22: Writing Exploits

Introduction to Writing Exploits
Targeting Vulnerabilities
Remote and Local Exploits
Remote and Local Exploits
A Two-Stage Exploit
Format String Attacks
Using %n Character
Fixing Format String Bugs
User-Supplied Format String Vulnerability CVE-2000-0763
TCP/IP Vulnerabilities
Race Conditions
File Race Conditions
Signal Race Conditions
Input Validation Error in a man Program
Case Study: ‘man’ Input Validation Error (Snippet 1)
Case Study: ‘man’ Input Validation Error (Snippet 2)
Writing Exploits and Vulnerability Checking Programs
Stack Overflow Exploits
Memory Organization
Stack Overflows
Finding Exploitable Stack Overflows in Open-Source Software
Finding Exploitable Stack Overflows in Closed-Source Software
Heap Corruption Exploits
Doug Lea Malloc
Figure: Dlmalloc Chunk
Figures: Fake Chunk, Overwritten Chunk
OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability CAN-2002-0656
Exploitation
Exploitation Sample Code
The Complication
Improving the Exploit
Integer Bug Exploits
Integer Wrapping
Program: Addition-Based Integer Wrapping
Multiplication-Based Integer Wrapping
Bypassing Size Checks
Using the Metasploit Framework
Determining Attack Vector
Finding the Offset: Overwriting the Return Address
The First Attack String
Overwriting EIP with a Known Pattern
Selecting a Control Vector
Finding a Return Address
Selecting the Search Method in the Metasploit Opcode Database
Search Method in Metasploit Opcode Database
Using the Return Address
Increasing Reliability with a Nop Sled
Choosing a Payload and Encoder
List of Available Encoders
Choosing a Payload and Encoder: msfencode Results
The msfweb Payload Generation
Setting msfweb Payload Options
msfweb Generated and Encoded Payload
Integrating Exploits into Framework
Summary

Lesson 23: Programming Port Scanners and Hacking Tools

Port Scanner
libpcap
Packet Capturing Example
Saving Captured Packets to a File
The wiretap Library
Adding a new file format to the wiretap library
The wtap Struct
Creating a New Dissector
Programming the Dissector
Adding a tap Module
Nessus Attack Scripting Language (NASL)
Writing Personal-Use Tools in NASL
Programming in the Nessus Framework
Porting to and from NASL
Metasploit Framework (MSF)
msfweb Interface
Selecting the Exploit Module
The msfconsole Interface
The msfcli Interface
Updating the MSF
Writing Basic Rules
The Rule Header
Rule Options
Writing Advanced Rules: Perl-Compatible Regular Expressions (PCRE)
The Byte_test and Byte_jump Function
Optimizing Rules
Testing Rules
Writing Detection Plugins
Netcat Source Code
Summary

Lesson 24: Secure Mobile phone and PDA Programming

Mobile Phone Programming
Different OS Structure in Mobile Phone
Symbian Operating System
Guidelines for Securing Symbian OS
PalmOS
PalmOS Vulnerabilities
HotSync Vulnerability
Creator ID Switching
Windows Mobile
Calling Secure Web Services
Security Practices for Windows Mobile Programming
Comparison of Common Programming Tasks
PDA Programming
PDA Security Issues
Security Policies for PDAs
PDA Security Products
PDA Security Vendors
Java 2 Micro Edition (J2ME)
J2ME Architecture
J2ME Security Issues
CLDC Security
Mobile Information Device Profile (MIDP)
MIDP Security
Programming the BlackBerry With J2ME
Security and Trust Services API (SATSA) for J2ME: The Security APIs
Certificate Enrollment in SATSA
Generating a Private Key and Certificate Signing Request in SATSA
Verifying the CSR
Storing a Certificate into the Certificate Local Store
Data Integrity with Message Digests
Generating a Message Digest
Verifying a Message Digest
Authentication With Digital Signatures
Signing a byte Array for Authentication Purposes
Verifying a Digital Signature using SATSA
Data Confidentiality - Using Ciphers for Data Encryption
Using Cipher to Encrypt Data using a Symmetric Encryption
Using Cipher to Decrypt Data using a Symmetric Encryption
Security Issues in Bluetooth
Security Attacks in Bluetooth Devices
Bluetooth security
Bluetooth Security : Key Management
Tool: Bluekey
Tool: BlueWatch
Tool: BlueSweep
Tool: Bluediving
Tool: Smartphone Security Client
Tool: BlueFire Mobile Security Enterprise Edition
Mobile Phone Security Tips
Defending Cell Phones and PDAs Against Attack
Antivirus Tools for Mobile Devices
F-Secure Antivirus for Palm OS
Summary

Lesson 25: Secure Game Designing

Game Designing Introduction
Threats to Online Gaming
Game Authoring Tools
Game Engine
Best Practices for Secure Game Designing
Summary

Lesson 26: Securing E-Commerce Applications

Purpose of Secure E-Commerce Application
E-Business Concepts: Secure Electronic Transaction (SET)
Using SET
Secure Socket Layer (SSL)
SSL Certificates
VeriSign SSL Certificates
Entrust SSL Certificates
Digital Certificates
Digital Signature
Digital Signature Algorithms: ECDSA, ElGamal Signature Scheme
HACKER SAFE® Certification
HACKER SAFE Technology
Guidelines for Developing Secure E-Commerce Applications
Summary

Lesson 27: Software Activation, Piracy Blocking and Automatic Updates

Software Activation: Introduction
Software Activation Process
Software Activation: Advantages
Activation Explained
Online License Management Server
Activation Policies
Policy Control Parameters
Piracy
The Effects of piracy
Piracy Blocking
Digital Right Management (DRM)
Software Piracy Protection Strategies
Copy protection for DVDs
Application Framework –DVD Copy Protection System
Content Protection During Digital Transmission
Watermark System Design Issues
Costs Effectiveness
False Positives Rate
Interaction with MPEG compression
Detector Placement
Copy Generation Management
Tool: Crypkey
EnTrial Key Generation
EnTrial Distribution File
EnTrial Product & Package Initialization Dialog
Windows Automatic Updates
Summary

Lesson 28: Secure Application Testing

Software Development Life Cycle (SDLC)
Introduction to Testing
Types of Testing
White Box Testing
Types of White Box Testing
Dynamic White-Box Testing
Integration Test
Regression Testing
System Testing
Black Box Testing
Load Testing
Strategies For Load Testing
Functional Testing
Testing Steps
Creating Test Strategy
Creating Test Plan
Creating Test Cases and Test Data
Executing, Bug Fixing and Retesting
Classic Testing Mistakes
User Interface Errors
Good User Interfaces
Use Automatic Testing and Tools
Generic Code Review Che
Software Testing Best Practices
Testing Tool
Real Time Testing
Summary

Lesson 29: Writing Secure Documentation and Error Messages

Error Message
Common Error Messages
Error Messages: Categories
Good Error Message
Error Message in a Well-designed Application
Good Error Message Example
Miscommunications in Error Messages
Error Message Usability Checklist
Guidelines For Creating Effective Error Messages
Best Practices for Designing Error Messages
Error Messages: Examples
Security Issues in an Error Message
Security Precautions in Documentation
Summary

Audience

The ECSP certification is intended for programmers who are responsible for designing and building secure Windows/Web based applications with .NET/Java Framework. It is designed for developers who have C#, C++, Java, PHP, ASP, .NET and SQL development skills.