From af7cb77e014cdf6b22324502923f11690243f7a3 Mon Sep 17 00:00:00 2001 From: mkoppmann Date: Tue, 27 Jan 2026 23:55:19 +0100 Subject: [PATCH] Add learning objectives and extend curriculum --- .../01.00 - Objectives.md | 11 + .../02.00 - Objectives.md | 11 + .../03.Authorisation/03.00 - Objectives.md | 11 + .../04.00 - Objectives.md | 11 + .../05.00 - Objectives.md | 11 + .../06.Error Handling/06.00 - Objectives.md | 11 + .../06.01 - Error Handling.md | 147 ++++++- .../07.Secure Logging/07.00 - Objectives.md | 11 + .../07.01 - Secure Logging.md | 221 +++++++++- .../08.00 - Objectives.md | 12 + .../08.01 - Data Protection and Privacy.md | 182 ++++++++- .../09.00 - Objectives.md | 11 + .../09.01 - Secure Communications.md | 245 ++++++++++- .../10.00 - Objectives.md | 11 + .../10.01 - Software Supply Chain Security.md | 2 +- .../11.00 - Objectives.md | 11 + .../11.01 - Business Logic Security.md | 225 +++++++++- .../12.00 - Objectives.md | 11 + ....01 - Secure File and Resource Handling.md | 224 +++++++++- .../13.00 - Objectives.md | 12 + ...3.01 - API and Web Service Security_WIP.md | 307 ++++++++++++-- .../14.00 - Objectives.md | 11 + .../15.00 - Objectives.md | 12 + .../15.01 - Security of and for AI.md | 383 +++++++++++++++++- 24 files changed, 1998 insertions(+), 106 deletions(-) diff --git a/2.Curriculum/01.Security Architecture and Threat Modelling/01.00 - Objectives.md b/2.Curriculum/01.Security Architecture and Threat Modelling/01.00 - Objectives.md index db61272..8bea71a 100644 --- a/2.Curriculum/01.Security Architecture and Threat Modelling/01.00 - Objectives.md +++ b/2.Curriculum/01.Security Architecture and Threat Modelling/01.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 1 - Security Architecture and Threat Modelling +## Learning Objectives + +After completing this module, developers will be able to: + +- Understand and apply threat modelling methodologies to identify security risks +- Interpret data flows and trust boundaries to secure application interfaces +- Apply Secure by Design principles across different architecture layers +- Translate threat model outputs into actionable secure development requirements + +--- + ## Knowledge The student will need knowledge of the following topics for Module 1:\ What is security architecture\ diff --git a/2.Curriculum/02.Authentication and Credential Management/02.00 - Objectives.md b/2.Curriculum/02.Authentication and Credential Management/02.00 - Objectives.md index 64fe322..55e43ab 100644 --- a/2.Curriculum/02.Authentication and Credential Management/02.00 - Objectives.md +++ b/2.Curriculum/02.Authentication and Credential Management/02.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 2 - Authentication and Credential Management +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement secure authentication mechanisms including SSO, MFA, and OpenID +- Apply proper credential lifecycle management practices +- Implement secure session management with appropriate cookie attributes +- Securely handle JWT tokens with proper validation and security controls + +--- + ## Knowledge The student will need knowledge of the following topics for Module 1:\ diff --git a/2.Curriculum/03.Authorisation/03.00 - Objectives.md b/2.Curriculum/03.Authorisation/03.00 - Objectives.md index 83c9965..4b1f7e0 100644 --- a/2.Curriculum/03.Authorisation/03.00 - Objectives.md +++ b/2.Curriculum/03.Authorisation/03.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 3 - Authorisation +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement access control models including RBAC and ABAC +- Apply principles of least privilege, deny by default, and segregation of duties +- Prevent horizontal and vertical privilege escalation vulnerabilities +- Implement object-level and function-level access control (OLAC and FLAC) + +--- + ## Knowledge diff --git a/2.Curriculum/04.Input Validation and Output Encoding/04.00 - Objectives.md b/2.Curriculum/04.Input Validation and Output Encoding/04.00 - Objectives.md index 8ff3f88..710bfd0 100644 --- a/2.Curriculum/04.Input Validation and Output Encoding/04.00 - Objectives.md +++ b/2.Curriculum/04.Input Validation and Output Encoding/04.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 4 - Input Validation and Output Encoding +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement comprehensive input validation strategies for various data types +- Apply appropriate encoding and escaping techniques to prevent injection attacks +- Distinguish between client-side and server-side validation requirements +- Prevent common vulnerabilities including SQL injection, XSS, and command injection + +--- + ## Knowledge diff --git a/2.Curriculum/05.Cryptography and Key Management/05.00 - Objectives.md b/2.Curriculum/05.Cryptography and Key Management/05.00 - Objectives.md index d1da048..3c3cc7f 100644 --- a/2.Curriculum/05.Cryptography and Key Management/05.00 - Objectives.md +++ b/2.Curriculum/05.Cryptography and Key Management/05.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 5 - Cryptography and Key Management +## Learning Objectives + +After completing this module, developers will be able to: + +- Apply cryptographic solutions appropriately for confidentiality, integrity, and authenticity +- Select secure cipher suites and algorithms while avoiding deprecated options +- Implement proper key management including generation, storage, rotation, and deletion +- Recognize and defend against common cryptographic attacks + +--- + ## Knowledge diff --git a/2.Curriculum/06.Error Handling/06.00 - Objectives.md b/2.Curriculum/06.Error Handling/06.00 - Objectives.md index c6e2b84..0c4a469 100644 --- a/2.Curriculum/06.Error Handling/06.00 - Objectives.md +++ b/2.Curriculum/06.Error Handling/06.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 6 - Error Handling +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement secure exception handling patterns that prevent information disclosure +- Design fail-secure systems that maintain security during error conditions +- Configure appropriate error logging without exposing sensitive data +- Apply framework-specific error handling best practices + +--- + ## Knowledge diff --git a/2.Curriculum/06.Error Handling/06.01 - Error Handling.md b/2.Curriculum/06.Error Handling/06.01 - Error Handling.md index 5e11b28..e8e5ab6 100644 --- a/2.Curriculum/06.Error Handling/06.01 - Error Handling.md +++ b/2.Curriculum/06.Error Handling/06.01 - Error Handling.md @@ -1,12 +1,147 @@ # Module 6. Error Handling -6.1 The importance of error handling for applications +## 6.1 The Importance of Error Handling for Applications -6.2 Reasons why stack traces should not be displayed +### Security Implications -6.3 The various ways in which errors can be handled +- Error handling as a security control +- Information disclosure through errors +- Attack surface reduction through proper error handling +- Error handling in defense-in-depth strategy -6.4 Error logging -- Error data that should be logged -- Error data that should be sanitised before being logged +### Business Impact +- User experience considerations +- System reliability and availability +- Audit and compliance requirements + +--- + +## 6.2 Secure Exception Handling Patterns + +### Exception Handling Best Practices + +- Catch specific exceptions rather than generic ones +- Handle exceptions at appropriate layers +- Avoid empty catch blocks +- Clean up resources in finally blocks or using patterns + +### Exception Propagation + +- When to catch vs. propagate exceptions +- Exception wrapping and chaining +- Custom exception classes for security events + +--- + +## 6.3 Error Message Sanitization + +### Reasons Why Stack Traces Should Not Be Displayed + +- Reveals internal application structure +- Exposes file paths and line numbers +- May disclose database schema or queries +- Aids attackers in reconnaissance + +### Safe Error Messages + +- Generic user-facing error messages +- Error codes for support reference +- Separate detailed logging for developers +- Localization of error messages + +--- + +## 6.4 Fail-Secure vs Fail-Open Design + +### Fail-Secure Principles + +- Deny access when errors occur +- Default to restrictive state +- Maintain security invariants during failures + +### Implementation Strategies + +- Authorization defaults on error +- Session handling during exceptions +- Transaction rollback on security errors +- Circuit breaker patterns + +--- + +## 6.5 Global Error Handlers + +### Centralized Error Handling + +- Application-level exception handlers +- Middleware for error processing +- Consistent error response formatting +- Error classification and routing + +### Framework-Specific Implementations + +- Web application error pages +- API error response standards +- Microservices error propagation +- Event-driven error handling + +--- + +## 6.6 Error Logging Without Sensitive Data Exposure + +### Error Data That Should Be Logged + +- Timestamp and request ID +- Error type and code +- User identifier (if authenticated) +- Request context (sanitized) +- Stack traces (in secure logs only) + +### Error Data That Should Be Sanitized Before Being Logged + +- Passwords and credentials +- Session tokens +- Personal identifiable information +- Credit card numbers +- API keys and secrets + +--- + +## 6.7 Framework-Specific Error Handling + +### Web Frameworks + +- Custom error pages configuration +- Exception filters and middleware +- Content negotiation for error responses +- CORS considerations for errors + +### API Frameworks + +- Consistent error schema +- HTTP status code selection +- Rate limit error handling + +--- + +## 6.8 Production vs Development Error Modes + +### Development Mode + +- Detailed error messages enabled +- Stack traces visible +- Debug information available +- Hot reload and development tools + +### Production Mode + +- Generic error messages +- No stack traces to users +- Structured logging to secure systems +- Performance-optimized error handling + +### Configuration Management + +- Environment-based configuration +- Secure defaults +- Detection of misconfiguration diff --git a/2.Curriculum/07.Secure Logging/07.00 - Objectives.md b/2.Curriculum/07.Secure Logging/07.00 - Objectives.md index f97b0ee..bc5d7f4 100644 --- a/2.Curriculum/07.Secure Logging/07.00 - Objectives.md +++ b/2.Curriculum/07.Secure Logging/07.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 7 - Secure Logging +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement comprehensive logging for security-relevant events +- Prevent log injection attacks and protect log integrity +- Design centralized logging architectures with proper retention policies +- Apply structured logging formats with correlation IDs for distributed systems + +--- + ## Knowledge diff --git a/2.Curriculum/07.Secure Logging/07.01 - Secure Logging.md b/2.Curriculum/07.Secure Logging/07.01 - Secure Logging.md index 6ed4752..aa6f8bf 100644 --- a/2.Curriculum/07.Secure Logging/07.01 - Secure Logging.md +++ b/2.Curriculum/07.Secure Logging/07.01 - Secure Logging.md @@ -1,23 +1,212 @@ # Module 7. Secure Logging -7.1 Assets / resources for which logging needs to be enabled or created -- APIs -- web application -- server side code -- kubernetes -- PRs -- activities on image registry +## 7.1 What to Log -7.2 Using logging libraries like log4j +### Security Events to Log -7.3 Attributes of events and logs -- time stamp -- identity -- action performed +- Authentication events (success and failure) +- Authorization decisions (grants and denials) +- Input validation failures +- Application errors and exceptions +- Administrative actions +- Data access and modifications +- Session management events -7.4 What not to log -- passwords -- data elements that have regulatory or legal or statutory requirements like personally identifiable information or card holder data -- etc +### Assets and Resources for Logging +- APIs and web applications +- Server-side code and services +- Kubernetes and container orchestration +- Pull requests and code changes +- Activities on image registry +- Database access and queries +- File system operations +--- + +## 7.2 What NOT to Log + +### Sensitive Data to Exclude + +- Passwords and credentials +- Session tokens and API keys +- Data elements with regulatory requirements: + - Personally Identifiable Information (PII) + - Cardholder data (PCI DSS) + - Protected Health Information (PHI) +- Credit card numbers +- Social security numbers +- Encryption keys and secrets + +### Data Masking Techniques + +- Partial masking (showing last 4 digits) +- Tokenization in logs +- Hashing for correlation without exposure +- Field-level exclusion + +--- + +## 7.3 Log Injection Prevention + +### Attack Vectors + +- Newline injection for log forging +- Escape sequence injection +- Format string attacks +- Log file path traversal + +### Prevention Techniques + +- Input sanitization before logging +- Encoding special characters +- Using structured logging formats +- Parameterized log messages + +--- + +## 7.4 Logging Libraries and Frameworks + +### Using Logging Libraries (e.g., Log4j, SLF4J, Winston) + +- Configuration best practices +- Security considerations in logging frameworks +- Version management and patching +- Avoiding vulnerable configurations + +### Logging Levels + +- ERROR: Security incidents and failures +- WARN: Suspicious activities +- INFO: Normal security events +- DEBUG: Detailed diagnostic (not in production) + +--- + +## 7.5 Attributes of Events and Logs + +### Essential Log Fields + +- Timestamp (with timezone) +- Identity (user, service, or system) +- Action performed +- Resource affected +- Outcome (success/failure) +- Source IP address +- Request/correlation ID +- Session identifier + +### Context Information + +- Application and version +- Environment (prod/staging/dev) +- Server/container identifier +- Request method and path + +--- + +## 7.6 Centralized Logging Architecture + +### Architecture Components + +- Log aggregation services +- Log shippers and agents +- Central log storage +- Search and analysis tools + +### Benefits + +- Unified view across services +- Improved incident response +- Compliance evidence collection +- Cross-service correlation + +--- + +## 7.7 Log Integrity and Tamper Detection + +### Integrity Mechanisms + +- Write-once log storage +- Cryptographic log signing +- Hash chaining +- Secure timestamps + +### Access Controls + +- Read-only access for most users +- Separate log administration +- Audit trail for log access +- Immutable audit logs + +--- + +## 7.8 Log Retention Policies + +### Retention Considerations + +- Regulatory requirements (GDPR, PCI DSS, HIPAA) +- Legal hold requirements +- Storage costs +- Investigation needs + +### Implementation + +- Automated log rotation +- Archival to cold storage +- Secure log deletion +- Retention period enforcement + +--- + +## 7.9 SIEM Integration + +### Integration Points + +- Real-time log streaming +- Alert generation +- Correlation rules +- Incident response workflows + +### Security Monitoring + +- Anomaly detection +- Threat intelligence integration +- Behavioral analysis +- Compliance dashboards + +--- + +## 7.10 Structured Logging Formats + +### JSON Logging + +- Consistent field naming +- Nested object support +- Machine-readable format +- Easy parsing and indexing + +### Log Schema Standards + +- Common Event Format (CEF) +- Log Event Extended Format (LEEF) +- Elastic Common Schema (ECS) +- OpenTelemetry logging + +--- + +## 7.11 Correlation IDs for Distributed Tracing + +### Implementation + +- Generate unique IDs at entry point +- Propagate through all services +- Include in all log messages +- Pass through async operations + +### Benefits + +- End-to-end request tracking +- Distributed debugging +- Performance analysis +- Security incident investigation diff --git a/2.Curriculum/08.Data Protection and Privacy/08.00 - Objectives.md b/2.Curriculum/08.Data Protection and Privacy/08.00 - Objectives.md index 900832d..e2ef3cf 100644 --- a/2.Curriculum/08.Data Protection and Privacy/08.00 - Objectives.md +++ b/2.Curriculum/08.Data Protection and Privacy/08.00 - Objectives.md @@ -1,5 +1,17 @@ # Objectives for Module 8 - Data Protection and Privacy +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement data classification and handling procedures based on sensitivity levels +- Apply encryption and protection techniques for data at rest and in use +- Implement data minimization and anonymization techniques +- Design and implement secure data deletion and retention policies +- Understand regulatory requirements and translate them into technical controls + +--- + ## Knowledge diff --git a/2.Curriculum/08.Data Protection and Privacy/08.01 - Data Protection and Privacy.md b/2.Curriculum/08.Data Protection and Privacy/08.01 - Data Protection and Privacy.md index 7c3849f..4cc04b2 100644 --- a/2.Curriculum/08.Data Protection and Privacy/08.01 - Data Protection and Privacy.md +++ b/2.Curriculum/08.Data Protection and Privacy/08.01 - Data Protection and Privacy.md @@ -1,14 +1,176 @@ -# Module 8. Legislations +# Module 8. Data Protection and Privacy -8.1 Legislations and their need -- What are legislations? -- Why are they needed +## 8.1 Data Classification and Handling -8.2 Data and applicable legislations -- Applicable legislations for data (for example General Data Protection Regulation (GDPR)) -- Principles of legislations for data +### Data Classification Levels -8.2 Data legislations and security controls -- secure coding -- security testing +- Public data +- Internal data +- Confidential data +- Restricted/Highly sensitive data +### Classification-Based Controls + +- Access controls per classification level +- Encryption requirements by data type +- Storage and transmission requirements +- Retention and disposal policies + +### Data Inventory and Discovery + +- Identifying sensitive data in applications +- Data flow mapping +- Automated data discovery tools + +--- + +## 8.2 Data Encryption at Rest + +### Encryption Strategies + +- Full disk encryption +- Database encryption (TDE) +- File-level encryption +- Field-level encryption for sensitive columns + +### Key Management for Data at Rest + +- Encryption key storage +- Key rotation procedures +- Hardware Security Modules (HSMs) +- Cloud key management services + +### Implementation Considerations + +- Performance impact +- Searchability of encrypted data +- Backup and recovery procedures + +--- + +## 8.3 Data Minimization + +### Principles + +- Collect only necessary data +- Limit data retention periods +- Reduce data copies and replicas +- Purpose limitation + +### Implementation Techniques + +- Data collection forms review +- API response filtering +- Log data reduction +- Database schema design for minimization + +--- + +## 8.4 Anonymization and Pseudonymization + +### Anonymization Techniques + +- Data masking +- Generalization +- Data swapping +- Noise addition + +### Pseudonymization + +- Tokenization +- Hashing with salt +- Encryption-based pseudonymization +- Reversible vs irreversible techniques + +### Testing Data Protection + +- Using anonymized data in test environments +- Synthetic data generation +- Data subset creation + +--- + +## 8.5 Secure Data Deletion + +### Deletion Methods + +- Secure overwriting +- Cryptographic erasure +- Physical destruction +- Cloud data deletion verification + +### Deletion Considerations + +- Backup data deletion +- Cached and replicated data +- Third-party data sharing +- Audit trail for deletions + +### Right to Erasure Implementation + +- User data deletion requests +- Cascading deletions +- Deletion verification + +--- + +## 8.6 Privacy by Design + +### Core Principles + +- Proactive not reactive +- Privacy as the default +- Privacy embedded into design +- Full functionality without privacy trade-offs +- End-to-end security +- Visibility and transparency +- Respect for user privacy + +### Developer Implementation + +- Privacy impact assessments +- Data protection in system architecture +- Consent management +- User preference handling + +--- + +## 8.7 Regulatory Requirements and Technical Controls + +### Key Regulations + +- General Data Protection Regulation (GDPR) +- California Consumer Privacy Act (CCPA) +- Health Insurance Portability and Accountability Act (HIPAA) +- Payment Card Industry Data Security Standard (PCI DSS) + +### Translating Requirements to Code + +- Access control implementation +- Audit logging requirements +- Data subject rights implementation +- Cross-border data transfer controls + +### Secure Coding for Compliance + +- Input validation for personal data +- Secure storage patterns +- Consent verification in code +- Privacy-preserving APIs + +--- + +## 8.8 Testing Data Protection Controls + +### Testing Approaches + +- Data leakage testing +- Encryption validation +- Access control testing +- Deletion verification testing + +### Compliance Verification + +- Automated compliance scanning +- Privacy control auditing +- Penetration testing for data exposure diff --git a/2.Curriculum/09.Secure Communications/09.00 - Objectives.md b/2.Curriculum/09.Secure Communications/09.00 - Objectives.md index 0a20443..4c8d693 100644 --- a/2.Curriculum/09.Secure Communications/09.00 - Objectives.md +++ b/2.Curriculum/09.Secure Communications/09.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 9 - Secure Communications +## Learning Objectives + +After completing this module, developers will be able to: + +- Configure TLS 1.2 and 1.3 with appropriate cipher suites +- Implement certificate management including pinning and mTLS +- Apply HTTP Strict Transport Security (HSTS) and related browser security controls +- Secure internal service-to-service and WebSocket communications + +--- + ## Knowledge diff --git a/2.Curriculum/09.Secure Communications/09.01 - Secure Communications.md b/2.Curriculum/09.Secure Communications/09.01 - Secure Communications.md index 8ede5f9..56d5677 100644 --- a/2.Curriculum/09.Secure Communications/09.01 - Secure Communications.md +++ b/2.Curriculum/09.Secure Communications/09.01 - Secure Communications.md @@ -1,19 +1,242 @@ # Module 9. Secure Communications -9.1. What is secure communication +## 9.1 What is Secure Communication -9.2 Impact of not having secure communications -- Vulnerabilties that result from not having secure communications +### Definition and Scope -9.3 Securing communications -- Data in transit -- Implementing design decisions for secure communications with secure coding (for example certificate pinning in mobile applications) +- Protecting data in transit +- Authentication of communication endpoints +- Confidentiality and integrity guarantees +- Non-repudiation considerations -9.3 Supporting controls for secure communications -- Certificates and cipher suites -- Assets that should be configured with certificates -- Key management -- Security controls for browsers and cookies that support secure communications +### Security Properties +- Encryption of data +- Message authentication +- Protection against replay attacks +- Forward secrecy +--- +## 9.2 Impact of Not Having Secure Communications + +### Vulnerabilities That Result from Insecure Communications + +- Man-in-the-middle attacks +- Eavesdropping and data theft +- Session hijacking +- Credential theft +- Data tampering + +### Business and Compliance Impact + +- Regulatory violations (PCI DSS, HIPAA, GDPR) +- Reputation damage +- Data breach liability +- Loss of customer trust + +--- + +## 9.3 TLS 1.2 and 1.3 Configuration + +### TLS Version Selection + +- TLS 1.3 as preferred version +- TLS 1.2 as minimum acceptable +- Deprecation of TLS 1.0 and 1.1 +- SSL protocol prohibition + +### Configuration Best Practices + +- Strong cipher suite selection +- Proper protocol negotiation +- Session resumption security +- Renegotiation controls + +--- + +## 9.4 Cipher Suite Selection + +### Recommended Cipher Suites + +- AEAD ciphers (AES-GCM, ChaCha20-Poly1305) +- ECDHE for key exchange +- RSA or ECDSA for authentication +- SHA-256 or higher for hashing + +### Cipher Suites to Avoid + +- RC4, DES, 3DES +- MD5, SHA-1 +- Export-grade ciphers +- NULL ciphers +- Anonymous key exchange + +--- + +## 9.5 Certificate Management + +### Certificate Lifecycle + +- Certificate generation and CSR +- Certificate issuance and validation +- Certificate renewal procedures +- Certificate revocation (CRL, OCSP) + +### Certificate Security + +- Private key protection +- Key length requirements (RSA 2048+, ECDSA 256+) +- Certificate chain validation +- Wildcard certificate considerations + +### Certificate Transparency + +- CT log monitoring +- Detecting unauthorized certificates +- CT enforcement in browsers + +--- + +## 9.6 Certificate Pinning + +### Implementation Approaches + +- Public key pinning +- Certificate pinning +- SPKI hash pinning + +### Platform-Specific Implementation + +- Mobile application pinning +- Browser HPKP (deprecated) considerations +- API client pinning + +### Pinning Considerations + +- Backup pin requirements +- Key rotation planning +- Failure mode handling +- Emergency bypass procedures + +--- + +## 9.7 Mutual TLS (mTLS) + +### Use Cases + +- Service-to-service authentication +- Zero trust architectures +- API client authentication +- IoT device authentication + +### Implementation + +- Client certificate issuance +- Certificate validation on both ends +- Certificate-based identity extraction +- Revocation checking + +--- + +## 9.8 Perfect Forward Secrecy (PFS) + +### Importance + +- Protection of past sessions +- Ephemeral key exchange +- Limiting impact of key compromise + +### Implementation + +- ECDHE cipher suites +- DHE cipher suites +- Key exchange parameter sizing + +--- + +## 9.9 HTTP Strict Transport Security (HSTS) + +### Implementation + +- HSTS header configuration +- max-age directive settings +- includeSubDomains directive +- preload list submission + +### Deployment Considerations + +- Gradual rollout approach +- Mixed content resolution +- Subdomain impact assessment + +--- + +## 9.10 Browser and Cookie Security Controls + +### Secure Cookie Attributes + +- Secure flag requirement +- HttpOnly flag +- SameSite attribute +- Cookie prefixes (__Secure-,__Host-) + +### Related Headers + +- Content-Security-Policy +- X-Content-Type-Options +- X-Frame-Options +- Referrer-Policy + +--- + +## 9.11 Deprecated Protocols and Migration + +### Deprecated Protocols + +- SSL 2.0 and SSL 3.0 +- TLS 1.0 and TLS 1.1 +- Legacy cipher suites + +### Migration Strategies + +- Client compatibility assessment +- Gradual deprecation timeline +- Monitoring for legacy connections +- Communication with stakeholders + +--- + +## 9.12 Internal Service Communication Security + +### Service Mesh Security + +- Sidecar proxy encryption +- mTLS between services +- Service identity management +- Traffic policies + +### Internal Network Encryption + +- VPN and tunneling +- Network segmentation +- East-west traffic encryption +- Key management for internal services + +--- + +## 9.13 WebSocket Security + +### Secure WebSocket (WSS) + +- TLS for WebSocket connections +- Origin validation +- Authentication mechanisms +- Message validation + +### WebSocket-Specific Concerns + +- Connection hijacking prevention +- Rate limiting +- Input validation for messages +- Proper connection termination diff --git a/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.00 - Objectives.md b/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.00 - Objectives.md index d78b164..ebe1177 100644 --- a/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.00 - Objectives.md +++ b/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 10 - Software Supply Chain Security +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement comprehensive input validation and output encoding strategies +- Implement secure deserialization and domain security controls +- Manage software dependencies securely using SCA tools +- Evaluate and select open source software with security and licensing considerations + +--- + ## Knowledge diff --git a/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.01 - Software Supply Chain Security.md b/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.01 - Software Supply Chain Security.md index dfe9153..1e00b51 100644 --- a/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.01 - Software Supply Chain Security.md +++ b/2.Curriculum/10.Malicious Code and Software Supply Chain Security including usage of open source software/10.01 - Software Supply Chain Security.md @@ -1,4 +1,4 @@ -# Module 10. Malicious Code and Software Supply Chain Security including usage of open source software: +# Module 10. Malicious Code and Software Supply Chain Security including usage of open source software 10.1 Vulnerabilities in applications - web, mobile, low-code-no-code, etc. - SQL / LDAP / OS injection diff --git a/2.Curriculum/11.Business Logic Security/11.00 - Objectives.md b/2.Curriculum/11.Business Logic Security/11.00 - Objectives.md index 0090882..6ca3223 100644 --- a/2.Curriculum/11.Business Logic Security/11.00 - Objectives.md +++ b/2.Curriculum/11.Business Logic Security/11.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 11 - Business Logic Security +## Learning Objectives + +After completing this module, developers will be able to: + +- Identify and prevent race conditions and TOCTOU vulnerabilities +- Implement secure multi-step workflows resistant to bypass attacks +- Apply anti-automation controls and business rule validation +- Prevent price manipulation, cart tampering, and abuse scenarios + +--- + ## Knowledge diff --git a/2.Curriculum/11.Business Logic Security/11.01 - Business Logic Security.md b/2.Curriculum/11.Business Logic Security/11.01 - Business Logic Security.md index 6d02ed6..fd1c020 100644 --- a/2.Curriculum/11.Business Logic Security/11.01 - Business Logic Security.md +++ b/2.Curriculum/11.Business Logic Security/11.01 - Business Logic Security.md @@ -1,15 +1,220 @@ # Module 11. Business Logic Security -11.1 Business logic security -- What is business logic security -- Why is it needed +## 11.1 Business Logic Security Fundamentals -11.2 Business logic and applicable security controls +### What is Business Logic Security -11.3 Secure failing -- Business logic not met -- Environment failing in which the business logic resides -- Failure of upstream and downstream elements -- Technical or hardware failure +- Security of application-specific rules and workflows +- Protection of business processes from abuse +- Ensuring intended behavior under all conditions -11.3 Testing business logic +### Why is it Needed + +- Cannot be detected by automated scanners +- Application-specific vulnerabilities +- Financial and reputational impact +- Compliance requirements + +--- + +## 11.2 Race Conditions and TOCTOU Vulnerabilities + +### Time-of-Check to Time-of-Use (TOCTOU) + +- Understanding the vulnerability pattern +- File system race conditions +- Database state race conditions +- Session state race conditions + +### Prevention Techniques + +- Atomic operations +- Proper locking mechanisms +- Transaction isolation levels +- Optimistic concurrency control +- Check-and-act atomicity + +--- + +## 11.3 Workflow Bypass Attacks + +### Common Bypass Patterns + +- Skipping authentication steps +- Bypassing payment processing +- Circumventing approval workflows +- Direct object reference manipulation + +### Prevention Strategies + +- Server-side state validation +- Step sequence enforcement +- Cryptographic tokens for state +- Session-bound workflow state + +--- + +## 11.4 Price Manipulation and Cart Tampering + +### Attack Vectors + +- Client-side price modification +- Quantity manipulation +- Currency conversion exploitation +- Bundle pricing abuse +- Discount stacking exploits + +### Prevention Techniques + +- Server-side price calculation +- Signed cart tokens +- Order integrity verification +- Price validation at checkout +- Audit logging of price changes + +--- + +## 11.5 Anti-Automation Controls + +### Automation Threats + +- Bot attacks on business processes +- Scraping sensitive information +- Automated account creation +- Ticket/inventory scalping +- Credential stuffing + +### Control Mechanisms + +- CAPTCHA and challenges +- Rate limiting per user/IP +- Behavioral analysis +- Device fingerprinting +- Proof-of-work challenges + +--- + +## 11.6 Business Rule Validation + +### Server-Side Validation + +- All business rules enforced on server +- Input validation against business constraints +- Cross-field validation +- Temporal validation (business hours, deadlines) + +### Edge Case Handling + +- Boundary conditions +- Negative values and overflows +- Empty and null handling +- Maximum limits enforcement + +--- + +## 11.7 State Machine Security + +### Secure State Transitions + +- Valid state transition enforcement +- Preventing invalid state jumps +- State integrity verification +- Rollback handling + +### Implementation Patterns + +- State design pattern +- Database-backed state +- Audit trail of transitions +- Timeout handling + +--- + +## 11.8 Multi-Step Process Integrity + +### Securing Multi-Step Processes + +- Step sequence validation +- Data consistency across steps +- Timeout and abandonment handling +- Partial completion scenarios + +### Transaction Integrity + +- ACID properties enforcement +- Distributed transaction handling +- Compensation transactions +- Saga pattern implementation + +--- + +## 11.9 Inventory and Quantity Manipulation + +### Vulnerabilities + +- Negative quantity orders +- Integer overflow in quantities +- Race conditions in inventory checks +- Reserved inventory abuse + +### Prevention + +- Quantity range validation +- Atomic inventory operations +- Reservation timeouts +- Inventory reconciliation + +--- + +## 11.10 Coupon and Discount Abuse Prevention + +### Abuse Scenarios + +- Coupon code guessing/enumeration +- Single-use coupon reuse +- Stacking incompatible discounts +- Referral program abuse +- Loyalty point manipulation + +### Prevention Strategies + +- Strong coupon code generation +- Server-side usage tracking +- Discount compatibility rules +- Velocity checking +- Account-level abuse detection + +--- + +## 11.11 Secure Failing + +### Business Logic Not Met + +- Graceful handling of validation failures +- Clear user communication +- Secure state on failure + +### Environment Failures + +- Handling upstream/downstream failures +- Circuit breaker patterns +- Fallback behaviors +- Technical/hardware failure handling + +--- + +## 11.12 Testing Business Logic + +### Testing Approaches + +- Business logic unit tests +- Integration testing for workflows +- Abuse case testing +- Boundary value testing + +### Security Testing + +- Manual testing for logic flaws +- Fuzzing business processes +- Penetration testing focus areas +- Automated regression testing diff --git a/2.Curriculum/12.Secure File and Resource Handling/12.00 - Objectives.md b/2.Curriculum/12.Secure File and Resource Handling/12.00 - Objectives.md index 3688272..aa49b74 100644 --- a/2.Curriculum/12.Secure File and Resource Handling/12.00 - Objectives.md +++ b/2.Curriculum/12.Secure File and Resource Handling/12.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 12 - Secure File and Resource Handling +## Learning Objectives + +After completing this module, developers will be able to: + +- Implement secure file upload validation including type, size, and content verification +- Prevent path traversal, Zip Slip, and file inclusion vulnerabilities +- Apply secure file storage and download practices +- Protect against SSRF attacks in file operations + +--- + ## Knowledge diff --git a/2.Curriculum/12.Secure File and Resource Handling/12.01 - Secure File and Resource Handling.md b/2.Curriculum/12.Secure File and Resource Handling/12.01 - Secure File and Resource Handling.md index e35dbe9..2734397 100644 --- a/2.Curriculum/12.Secure File and Resource Handling/12.01 - Secure File and Resource Handling.md +++ b/2.Curriculum/12.Secure File and Resource Handling/12.01 - Secure File and Resource Handling.md @@ -1,13 +1,221 @@ -# Module 12. Secure File Handling and secure resource handling +# Module 12. Secure File and Resource Handling -12.1 Input validation -- Validation of types of file -- Validation for malware +## 12.1 File Upload Validation -12.2 Using user input with functions - dynamic and static -- User paths and absolute paths +### Type Validation -12.3 Processing of files by web servers -- Secure ways of processing the files +- File extension validation +- MIME type verification +- Magic byte/file signature checking +- Content-Type header validation +### Size Validation +- Maximum file size limits +- Request size limits +- Chunked upload handling +- Storage quota enforcement + +### Content Validation + +- Image dimension validation +- Document structure validation +- Archive content inspection +- Executable content detection + +--- + +## 12.2 MIME Type Validation vs Sniffing + +### MIME Type Security + +- Server-side MIME type detection +- X-Content-Type-Options: nosniff +- Content-Type response headers +- Preventing MIME confusion attacks + +### Validation Best Practices + +- Multiple validation layers +- Never trust client-provided MIME type +- Validate actual file content +- Whitelist allowed types + +--- + +## 12.3 Malware Scanning Integration + +### Implementation Approaches + +- Antivirus API integration +- Sandbox analysis for uploads +- Quarantine workflows +- Asynchronous scanning patterns + +### Scanning Considerations + +- Scanning before storage +- Periodic re-scanning +- Zero-day protection limitations +- Performance impact management + +--- + +## 12.4 Path Traversal Prevention + +### Attack Patterns + +- Directory traversal (../) +- Absolute path injection +- Encoded traversal sequences +- Null byte injection + +### Prevention Techniques + +- Canonicalization of paths +- Whitelist base directories +- Filename sanitization +- Chroot/jail environments + +--- + +## 12.5 Zip Slip Vulnerability Prevention + +### Understanding Zip Slip + +- Archive extraction vulnerabilities +- Path traversal in archives +- Symlink attacks in archives + +### Prevention + +- Validate extracted file paths +- Extract to isolated directories +- Check for path traversal in filenames +- Limit extraction depth and file count + +--- + +## 12.6 Using User Input with File Functions + +### Secure Path Handling + +- Avoid user input in file paths +- Use indirect references (IDs) +- Validate against allowed paths +- Separate storage from web root + +### Static vs Dynamic Files + +- Static file serving security +- Dynamic file generation +- Temporary file handling +- User paths vs absolute paths + +--- + +## 12.7 Secure File Storage + +### Storage Location Security + +- Store outside web root +- Use non-guessable filenames +- Implement access controls +- Separate storage by sensitivity + +### Cloud Storage Security + +- Pre-signed URLs with expiration +- Bucket policies and ACLs +- Encryption at rest +- Access logging + +--- + +## 12.8 Secure File Download Headers + +### Security Headers for Downloads + +- Content-Disposition: attachment +- X-Content-Type-Options: nosniff +- Content-Type accuracy +- Cache-Control for sensitive files + +### Download Security + +- Authorization before download +- Download link expiration +- Rate limiting downloads +- Audit logging + +--- + +## 12.9 Temporary File Handling + +### Secure Temporary Files + +- Secure temporary directories +- Unique filename generation +- Proper permission settings +- Cleanup after use + +### Race Condition Prevention + +- Atomic file operations +- Exclusive file creation +- Avoiding predictable names + +--- + +## 12.10 Server-Side Request Forgery (SSRF) in File Operations + +### SSRF Attack Vectors + +- URL-based file fetching +- Image processing from URLs +- Document import features +- Webhook URL validation + +### Prevention Techniques + +- URL allowlisting +- Protocol restrictions (HTTP/HTTPS only) +- Private IP range blocking +- DNS rebinding protection +- Request timeout limits + +--- + +## 12.11 Remote File Inclusion (RFI) and Local File Inclusion (LFI) + +### Understanding the Vulnerabilities + +- RFI: Including remote files in execution +- LFI: Including local files in execution +- Log poisoning attacks +- PHP wrapper exploitation + +### Prevention Strategies + +- Disable remote file includes +- Whitelist includable files +- Input validation for file parameters +- Proper file permission configuration + +--- + +## 12.12 Web Server File Processing + +### Secure Ways of Processing Files + +- Sandboxed processing environments +- Resource limits for processing +- Timeout enforcement +- Output sanitization + +### Configuration Security + +- Disable directory listing +- Proper handler configuration +- Execution prevention in upload directories +- Access control for sensitive files diff --git a/2.Curriculum/13.API and Web Service Security/13.00 - Objectives.md b/2.Curriculum/13.API and Web Service Security/13.00 - Objectives.md index f37d354..3279939 100644 --- a/2.Curriculum/13.API and Web Service Security/13.00 - Objectives.md +++ b/2.Curriculum/13.API and Web Service Security/13.00 - Objectives.md @@ -1,5 +1,17 @@ # Objectives for Module 13 - API and Web Service Security +## Learning Objectives + +After completing this module, developers will be able to: + +- Identify and mitigate OWASP API Security Top 10 vulnerabilities +- Implement secure authentication and authorization for APIs +- Apply proper input validation and rate limiting techniques for APIs +- Secure different API types including REST, GraphQL, SOAP, and gRPC +- Implement secure webhook patterns and API gateway configurations + +--- + ## Knowledge diff --git a/2.Curriculum/13.API and Web Service Security/13.01 - API and Web Service Security_WIP.md b/2.Curriculum/13.API and Web Service Security/13.01 - API and Web Service Security_WIP.md index 44c6792..6ace75e 100644 --- a/2.Curriculum/13.API and Web Service Security/13.01 - API and Web Service Security_WIP.md +++ b/2.Curriculum/13.API and Web Service Security/13.01 - API and Web Service Security_WIP.md @@ -1,43 +1,272 @@ -# Module 13 - API and Web Service Security - -13.1 Security vulnerabilities in APIs and web services -- OWASP Top 10 risks for APIs -- Authenticaion -- Authorisation - object level and function -- SSRF -- Security mis-configuration -- Privilege escalation -- etc. - -13.2 Addressing the vulnerabilities with secure coding -- Input validation -- Authentication -- Enforcing authorisation -- Validating business rules -- Addressing SSRF -- Network segmentation -- etc. - -13.3 Vulnerabilities while using third party APIs -- Cross Origin Resouorce Sharing configuration -- Authenticatoin and Authorisation -- Validating data - -13.4 Webhooks -- Vulnerabilities - - Clear text communication - - Missing verification - message and origin of the request - - Replay attacks - - Missing validation - data and schema - - lack of expiry times -- Addressing vulnerabilties - - Certificates - - Session management - - Authentication of endpoints - - data and schema validation - - +# Module 13. API and Web Service Security +## 13.1 Security Vulnerabilities in APIs and Web Services +### OWASP API Security Top 10 (2023) +- API1:2023 - Broken Object Level Authorization (BOLA) +- API2:2023 - Broken Authentication +- API3:2023 - Broken Object Property Level Authorization +- API4:2023 - Unrestricted Resource Consumption +- API5:2023 - Broken Function Level Authorization (BFLA) +- API6:2023 - Unrestricted Access to Sensitive Business Flows +- API7:2023 - Server-Side Request Forgery (SSRF) +- API8:2023 - Security Misconfiguration +- API9:2023 - Improper Inventory Management +- API10:2023 - Unsafe Consumption of APIs + +--- + +## 13.2 API Authentication + +### OAuth 2.0 + +- Authorization code flow with PKCE +- Client credentials flow for service-to-service +- Token validation and verification +- Scope management and enforcement + +### API Keys + +- Secure key generation and storage +- Key rotation policies +- Key scope and permission limiting +- Avoiding key exposure in URLs and logs + +### JWT (JSON Web Tokens) + +- Token structure and validation +- Algorithm selection (RS256 vs HS256) +- Claims validation (exp, iat, iss, aud) +- Token refresh and revocation strategies +- Avoiding sensitive data in JWT payloads + +--- + +## 13.3 API Authorization + +### Object Level Authorization + +- Validate user access to specific resources +- Implement consistent authorization checks +- Avoid relying on client-provided IDs without validation + +### Function Level Authorization + +- Role-based endpoint access +- Administrative function protection +- HTTP method restrictions per role + +### Attribute-Based Access Control for APIs + +- Dynamic authorization based on context +- Policy enforcement points in API gateway + +--- + +## 13.4 Rate Limiting and Throttling + +### Implementation Strategies + +- Per-user rate limits +- Per-endpoint rate limits +- Global rate limits +- Sliding window vs fixed window algorithms + +### Quota Management + +- API usage quotas and tiers +- Burst handling +- Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining) + +### Protection Against Abuse + +- Denial of Service prevention +- Credential stuffing mitigation +- Brute force protection + +--- + +## 13.5 Input Validation for APIs + +### Request Validation + +- Schema validation (JSON Schema, OpenAPI) +- Content-type validation +- Size limits for request bodies +- Parameter type and format validation + +### Data Sanitization + +- Input encoding and escaping +- SQL injection prevention in API queries +- NoSQL injection prevention +- Command injection prevention + +### Output Encoding + +- Response content-type headers +- Preventing XSS in API responses +- Avoiding sensitive data in error messages + +--- + +## 13.6 REST API Security + +### Secure Design Principles + +- Use proper HTTP methods (GET, POST, PUT, DELETE) +- Stateless authentication +- HTTPS enforcement +- Proper status code usage + +### Security Headers + +- Content-Type validation +- X-Content-Type-Options: nosniff +- Cache-Control for sensitive data +- CORS configuration + +### Endpoint Security + +- Versioning strategies +- Resource naming conventions +- Pagination and filtering security + +--- + +## 13.7 GraphQL Security + +### Query Security + +- Query depth limiting +- Query complexity analysis +- Field-level authorization +- Introspection control in production + +### Rate Limiting for GraphQL + +- Query cost analysis +- Timeout enforcement +- Batch query limits + +### Common GraphQL Vulnerabilities + +- Denial of Service via complex queries +- Information disclosure via introspection +- Authorization bypass in resolvers + +--- + +## 13.8 SOAP and gRPC Security + +### SOAP Security + +- WS-Security standards +- XML signature and encryption +- SAML token integration +- XXE prevention in XML parsing + +### gRPC Security + +- TLS/mTLS for transport security +- Token-based authentication +- Interceptors for authorization +- Protobuf validation + +--- + +## 13.9 Webhook Security + +### Vulnerabilities + +- Clear text communication +- Missing verification of message and origin +- Replay attacks +- Missing data and schema validation +- Lack of expiry times +- SSRF via webhook URLs + +### Securing Webhooks + +- HTTPS enforcement +- HMAC signature verification +- Timestamp validation and replay prevention +- IP allowlisting +- Request timeout limits +- Payload schema validation + +### Webhook Endpoint Security + +- Authentication of webhook endpoints +- Idempotency handling +- Async processing of webhook payloads +- Error handling and retry logic + +--- + +## 13.10 API Gateway Security + +### Gateway Functions + +- Centralized authentication and authorization +- Rate limiting and throttling +- Request/response transformation +- Logging and monitoring + +### Security Features + +- WAF integration +- Bot detection +- DDoS protection +- API versioning management + +### Configuration Security + +- Secure default configurations +- Certificate management +- Secret management for backend services +- Access control for gateway administration + +--- + +## 13.11 Third-Party API Security + +### Cross-Origin Resource Sharing (CORS) + +- Proper origin validation +- Credential handling +- Preflight request configuration +- Avoiding wildcard origins with credentials + +### Third-Party Authentication and Authorization + +- Validating third-party tokens +- Scope verification +- Token storage security + +### Data Validation from External APIs + +- Never trust external API responses +- Schema validation of responses +- Error handling for external failures +- Timeout and circuit breaker patterns + +--- + +## 13.12 API Security Testing + +### Security Testing Approaches + +- API fuzzing +- Authentication and authorization testing +- Business logic testing +- Rate limit testing + +### Continuous Security + +- API security in CI/CD pipelines +- Automated security scanning +- API contract testing +- Security regression testing diff --git a/2.Curriculum/14.Secure Configuration and Deployment/14.00 - Objectives.md b/2.Curriculum/14.Secure Configuration and Deployment/14.00 - Objectives.md index dded139..7eceaec 100644 --- a/2.Curriculum/14.Secure Configuration and Deployment/14.00 - Objectives.md +++ b/2.Curriculum/14.Secure Configuration and Deployment/14.00 - Objectives.md @@ -1,5 +1,16 @@ # Objectives for Module 14 - Secure Configuration and Deployment +## Learning Objectives + +After completing this module, developers will be able to: + +- Configure web servers securely with proper access controls and file permissions +- Implement secure deployment practices for code and packages +- Remove unnecessary features, debug code, and unused dependencies before deployment +- Apply security controls for cloud-based deployment services + +--- + ## Knowledge diff --git a/2.Curriculum/15.Security of and for AI/15.00 - Objectives.md b/2.Curriculum/15.Security of and for AI/15.00 - Objectives.md index 29dbf8b..d9ae471 100644 --- a/2.Curriculum/15.Security of and for AI/15.00 - Objectives.md +++ b/2.Curriculum/15.Security of and for AI/15.00 - Objectives.md @@ -1,5 +1,17 @@ # Objectives for Module 15 - Security of and for AI +## Learning Objectives + +After completing this module, developers will be able to: + +- Identify and mitigate OWASP LLM Top 10 (2025) vulnerabilities +- Implement defenses against prompt injection and system prompt leakage +- Secure vector databases and RAG implementations against embedding attacks +- Apply controls for excessive agency, unbounded consumption, and misinformation risks +- Design guardrails and content filtering for AI-generated outputs + +--- + ## Knowledge diff --git a/2.Curriculum/15.Security of and for AI/15.01 - Security of and for AI.md b/2.Curriculum/15.Security of and for AI/15.01 - Security of and for AI.md index eef57a5..ff9ab58 100644 --- a/2.Curriculum/15.Security of and for AI/15.01 - Security of and for AI.md +++ b/2.Curriculum/15.Security of and for AI/15.01 - Security of and for AI.md @@ -1,11 +1,384 @@ # Module 15 - Security of and for AI -15.1 Input Data Validation +## 15.1 OWASP LLM Top 10 -15.2 Output Data Control +### Overview of AI/LLM Risks (2025) -15.3 Supply Chain Security +- LLM01:2025 Prompt Injection +- LLM02:2025 Sensitive Information Disclosure +- LLM03:2025 Supply Chain +- LLM04:2025 Data and Model Poisoning +- LLM05:2025 Improper Output Handling +- LLM06:2025 Excessive Agency +- LLM07:2025 System Prompt Leakage +- LLM08:2025 Vector and Embedding Weaknesses +- LLM09:2025 Misinformation +- LLM10:2025 Unbounded Consumption -15.4 Identities, Access Control, and Privilege Escalation +--- -15.5 Privacy Requirements +## 15.2 Prompt Injection Attacks + +### Direct Prompt Injection + +- User input manipulation of prompts +- Instruction override attacks +- Jailbreaking attempts +- Role-playing exploits + +### Indirect Prompt Injection + +- Malicious content in retrieved data +- Poisoned external sources +- Hidden instructions in documents +- Cross-plugin attacks + +### Prevention Techniques + +- Input sanitization and validation +- Prompt structure hardening +- Delimiter strategies +- Output validation +- Least privilege for LLM actions + +--- + +## 15.3 Input Data Validation + +### Validating User Inputs + +- Length and format restrictions +- Content filtering +- Rate limiting prompts +- Context window management + +### Validating Retrieved Data + +- Source verification +- Content scanning before inclusion +- Sandboxing external content +- Trust boundaries for data sources + +--- + +## 15.4 Output Data Control + +### Insecure Output Handling + +- XSS through AI-generated content +- Code injection via outputs +- Markdown/HTML rendering risks +- Command execution from outputs + +### Output Validation + +- Sanitization before rendering +- Format validation +- Content safety filtering +- Human review for sensitive actions + +--- + +## 15.5 Training Data Poisoning + +### Attack Vectors + +- Malicious training data injection +- Data source compromise +- Label manipulation +- Backdoor insertion + +### Prevention + +- Training data validation +- Source verification +- Anomaly detection in training +- Model behavior monitoring + +--- + +## 15.6 Model Theft and Extraction + +### Extraction Techniques + +- Query-based model extraction +- API abuse for model cloning +- Side-channel attacks +- Insider threats + +### Protection Measures + +- Rate limiting and monitoring +- Query pattern analysis +- Watermarking techniques +- Access controls for model APIs + +--- + +## 15.7 System Prompt Leakage + +### Understanding System Prompts + +- Role of system prompts in LLM behavior +- Sensitive information in system prompts +- Business logic encoded in prompts +- API keys and credentials in prompts + +### Leakage Attack Vectors + +- Direct extraction attempts +- Prompt reflection techniques +- Behavioral inference attacks +- Error message disclosure + +### Prevention Strategies + +- Avoid storing secrets in system prompts +- Prompt obfuscation techniques +- Output filtering for prompt content +- Separation of instructions from sensitive data +- Regular prompt auditing + +--- + +## 15.8 Sensitive Information Disclosure + +### Disclosure Risks + +- Training data leakage +- PII in model outputs +- Confidential information exposure +- System prompt leakage + +### Mitigation Strategies + +- Data minimization in training +- Output filtering for sensitive data +- Differential privacy techniques +- Prompt confidentiality measures + +--- + +## 15.9 Supply Chain Risks for AI Models + +### Supply Chain Threats + +- Compromised pre-trained models +- Malicious model weights +- Poisoned fine-tuning data +- Vulnerable dependencies + +### Secure Model Management + +- Model provenance verification +- Integrity checking (checksums, signatures) +- Trusted model sources +- Vulnerability scanning of AI libraries + +--- + +## 15.10 Vector and Embedding Weaknesses + +### Understanding Vector Databases and RAG + +- Role of embeddings in LLM applications +- Vector databases for retrieval-augmented generation (RAG) +- Semantic search and similarity matching +- Knowledge base integration + +### Vulnerability Categories + +- Unauthorized access to vector stores +- Data poisoning in embeddings +- Embedding inversion attacks +- Cross-tenant data leakage +- Adversarial embedding manipulation + +### Security Controls + +- Access control for vector databases +- Encryption of embeddings at rest and in transit +- Input validation before embedding generation +- Monitoring for anomalous queries +- Tenant isolation in multi-tenant systems +- Regular auditing of embedded content + +--- + +## 15.11 Misinformation + +### Understanding AI Misinformation Risks + +- Hallucinations and confabulations +- Authoritative presentation of false information +- Outdated training data issues +- Overreliance on AI outputs + +### Impact Areas + +- Decision-making based on false information +- Reputation and legal risks +- User trust erosion +- Compliance violations + +### Mitigation Strategies + +- Fact-checking integration +- Source attribution requirements +- Confidence scoring for outputs +- Human verification workflows +- Clear AI disclosure to users +- Grounding with verified data sources +- Regular model evaluation for accuracy + +--- + +## 15.12 Unbounded Consumption + +### Resource Exhaustion Attacks + +- Denial of wallet attacks (cost exploitation) +- Computational resource exhaustion +- Context window manipulation +- Recursive or infinite loop triggers + +### Attack Vectors + +- Excessive token generation requests +- Complex query flooding +- Large context window exploitation +- Concurrent request abuse + +### Prevention Controls + +- Token and cost limits per user/session +- Request rate limiting +- Timeout enforcement +- Query complexity analysis +- Budget alerts and caps +- Resource quotas per tenant +- Monitoring for abnormal usage patterns + +--- + +## 15.13 AI-Generated Code Security + +### Risks of AI-Generated Code + +- Insecure code suggestions +- Outdated or deprecated patterns +- Vulnerable dependencies +- Injection vulnerabilities + +### Secure Integration + +- Code review requirements +- Automated security scanning +- Testing AI-generated code +- Developer security training + +--- + +## 15.14 Guardrails and Content Filtering + +### Input Guardrails + +- Topic restrictions +- Harmful content detection +- Prompt classification +- Policy enforcement + +### Output Guardrails + +- Safety filters +- Factuality checking +- Bias detection +- Toxicity prevention + +### Implementation Approaches + +- Rule-based filters +- ML-based content moderation +- Human-in-the-loop for sensitive outputs +- Layered defense strategies + +--- + +## 15.15 Model Access Controls and Rate Limiting + +### Access Control + +- Authentication for model APIs +- Authorization levels +- Scope restrictions +- Audit logging + +### Rate Limiting + +- Request throttling +- Token/cost limits +- Abuse detection +- Capacity management + +--- + +## 15.16 Excessive Agency + +### Understanding Excessive Agency + +- LLMs with autonomous action capabilities +- Plugin and tool integration risks +- Unintended action execution +- Scope creep in AI permissions + +### Risk Scenarios + +- Unauthorized data modifications +- Unintended external communications +- Financial transactions without approval +- System configuration changes + +### Control Measures + +- Principle of least privilege for AI actions +- Human-in-the-loop for sensitive operations +- Action scope limitations +- Approval workflows for high-risk actions +- Comprehensive action logging +- Rollback capabilities +- Clear boundaries for autonomous behavior + +--- + +## 15.17 Identities, Access Control and Privilege Escalation + +### AI System Identity Management + +- Service account security +- API key management +- OAuth for AI services +- Cross-service authentication + +### Privilege Management + +- Least privilege for AI agents +- Capability restrictions +- Action approval workflows +- Sandboxing AI operations + +--- + +## 15.18 Privacy Requirements for AI + +### Data Privacy + +- Training data privacy +- User prompt confidentiality +- Data retention policies +- Right to deletion + +### Regulatory Compliance + +- GDPR considerations for AI +- AI-specific regulations +- Consent for AI processing