Secure coding will take place in calendar weeks 31 and 32, i.e. the first two weeks in August. Conceptually, this lecture has always been a purely online event without any physical presence, i.e. there is no typical exam; instead I evaluate the practical work.
There are three tasks:
(1) You need to write a very small REST API.
(2) You must review your own API for the OWASP Top 10 and write a very brief paper about it.
(3) You get access to a vulnerable REST API (GIT over OpenVPN) and have to identify and fix the existing vulnerabilities. You can choose between PHP, Java, Python, Perl, Go, Ruby and Node.js as the programming language. For this I use the “Secure Coding” course on binsec-academy.com as a technical resource. I will later create all user accounts there myself and binsec academy GmbH will of course provide the technical resources free of charge – I am a shareholder in the group of companies.
It has been shown again and again that participants with little or poor programming knowledge find this module very difficult. So if programming is not your strong suit, you should either refrain from this module or plan for a steep learning curve! I do not give general programming help.
I will publish tasks 1 and 2 in July so that you can work on them beforehand. For the final grade, I primarily use the number of vulnerabilities identified and closed in the code from the 3rd task.
I always put up a certain barrier to admission: you have to send me a code snippet in one of the programming languages mentioned above (by email to patrick.sauer@mnd.thm.de) that relates to one of the OWASP Top 10, contains a vulnerability and gives a correct suggestion for fixing it. The whole thing must be AES-encrypted via OpenSSL with the password 123456:
tar cz secure-coding-delivery-approval/ | openssl aes-256-cbc -pbkdf2 -e > firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc
To test the decryption: cat firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc | openssl aes-256-cbc -pbkdf2 -d | tar xzv
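An added example (not from the announcement) that wraps the tar | openssl pipeline above in shell functions with a self-check, so you can confirm the archive actually decrypts before emailing it; the function names and the SUBMISSION_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the course's own code: wraps the announcement's
# tar | openssl aes-256-cbc -pbkdf2 pipeline in functions plus a round-trip
# self-check. Function names and SUBMISSION_PASS are assumptions.
set -eu

# encrypt_submission <directory> <output .enc file>
# -pass env: reads the password from the environment, so it does not show
# up in the process list or shell history the way -pass pass:... would.
encrypt_submission() {
    tar cz "$1" | openssl aes-256-cbc -pbkdf2 -e -pass env:SUBMISSION_PASS -out "$2"
}

# decrypt_submission <.enc file> <destination directory>
# Decrypts to a file first so openssl's own exit status is checked: with a
# wrong password it reports "bad decrypt" and returns non-zero, which is
# the only integrity signal plain CBC mode gives you.
decrypt_submission() {
    mkdir -p "$2"
    openssl aes-256-cbc -pbkdf2 -d -pass env:SUBMISSION_PASS \
        -in "$1" -out "$2/.plain.tar.gz" || { rm -f "$2/.plain.tar.gz"; return 1; }
    tar xzf "$2/.plain.tar.gz" -C "$2" || return 1
    rm -f "$2/.plain.tar.gz"
}

# selfcheck <directory>
# Round-trips the directory through both functions and compares the
# extracted tree with the original; returns 0 only if they are identical.
selfcheck() {
    work=$(mktemp -d)
    encrypt_submission "$1" "$work/archive.tar.gz.enc"
    decrypt_submission "$work/archive.tar.gz.enc" "$work/out"
    if diff -r "$1" "$work/out/$1"; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}
```

Export SUBMISSION_PASS=123456 before calling the functions; selfcheck must be run from the directory that contains the folder being submitted.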
There are usually enough places; otherwise it is first come, first served.