GitLab Security Secure Coding Training

This page contains information on secure training initiatives sponsored by the GitLab Security team.

Secure Coding Guidelines

These guidelines cover how to address specific classes of vulnerabilities that have been identified in GitLab.

Secure Coding Training with Jim Manico

Description

A developer-focused application security training, presented by Jim Manico and Dr. Justin Collins (the creator of Brakeman), took place on July 29th and 30th, 2019. In addition to covering secure coding in general, it also covers specific threats and mitigations for Ruby on Rails applications. The content is presented in a lighthearted and entertaining manner.

You can find the recorded, private YouTube stream at the following:

Recommendations

Schedule and Topics

Day 1

Day 1 Morning
  1. Introduction to Application Security (4:33)
  2. Threat Modeling
  3. OWASP Top Ten 2017 overview (42:57)
  4. A1: Injection (52:03)
  5. A2: Broken Authentication and Session Management (1:19:50)
  6. A7: Cross site scripting - XSS (2:09:45)
  7. A8: Insecure deserialization (2:15:10)
  8. A9: Using known vulnerable components (2:22:26)
  9. A10: Insufficient logging and monitoring (2:24:30)

Also covers:

Day 1 Afternoon
  1. XSS Defense - HAML (1:51)
  2. Safe client-side JSON Handling (1:45:31)
  3. iFrame Sandboxing (1:57:25)
  4. Input validation (2:04:50)
  5. Unvalidated Redirects (2:22:14)
  6. DevOps Best Practices (3:14:30)
  7. Content Security Policy (3:36:31)
  8. Brakeman and Static Analysis (4:09:20)

Also covers:

Day 2

Day 2 Morning
  1. Access control (4:28)
  2. Insecure direct object reference in Rails (58:20)
  3. Cross site request forgery (1:28:33)
  4. Cross site request forgery protection in Rails (1:52:32)
  5. Cookie Options and Security (2:33:45)
  6. Server Side Request Forgery (SSRF) (2:44:22)

Also covers:

Day 2 Afternoon
  1. Authentication Best Practices (5:40)
  2. Rails 6 Security Features (2:23:15)
  3. Introduction to the OAuth authorization protocol v1 (2:48:21)
  4. OAuth v2 (2:51:05)
  5. Client Registration (3:04:06)
  6. Authorization Code Grant (3:07:44)
  7. OAuth 2.0 Terminology (3:21:06)
  8. OAuth 2.0 Tokens (3:35:35)

Also covers:

Additional resources