Defensive Programming for COBOL

Course Description

Building on the Foundations of COBOL Security course, this course explores specific defensive programming techniques and best practices for creating secure COBOL programs. The goal is to teach developer behaviors that follow the principle of defense-in-depth and help prevent COBOL programs from being the weakest link in the enterprise security chain. Techniques covered include COBOL-specific methods for input validation, secure database interactions, secure error handling, and proper resource synchronization.

Learning Objectives

  • Thoroughly understand the guiding principles of secure design
  • Apply best practice COBOL defensive programming techniques
  • Thoroughly understand the software security touchpoints for COBOL programs

Details

Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience

  • Architects
  • Back-End Developers
  • Enterprise Developers
  • QA Engineers

Prerequisites

Course Outline

Introduction

  • Course Overview
  • COBOL Defensive Programming Techniques

Confidential Information Handling

  • Identifying Confidential Information
  • PII
  • PHI
  • Other Types of Sensitive Data
  • Sources of Information Leakage
  • Further Learning

Authentication and Authorization

  • Evidence of Authentication
  • Multifactor Authentication (MFA)
  • Authentication Best Practices
  • Authorization Best Practices
  • What to Do About 8-character Passwords
  • Further Learning

Secure Memory Handling

  • Clearing Sensitive Information from Memory
  • Pointers and Bounds Checking
  • Dynamic Memory Allocation
  • Further Learning

Cryptography

  • Cryptographic Libraries/Services
  • Why You Should Never Use DES or 3DES
  • Choosing a Key Length
  • Generating Keys
  • Securely Storing Keys
  • Key Rotation
  • Using HMACs to Verify Data Integrity
  • Further Learning

Common Vulnerabilities

  • SQL Injection
  • Code Injection
  • XML Injection
  • Command Injection
  • Truncation Errors
  • Log Injection
  • Further Learning

Time and State Issues

  • Race Conditions: Time-of-Check to Time-of-Use (TOCTOU)
  • Race Conditions: Deadlocks
  • Race Conditions: Multi-Threaded Code
  • Further Learning

Secure Modern Integrations

  • Continuous Integration and Continuous Delivery (CI/CD)
  • Serverless Functions
  • Leveraging Cloud Security Features
  • Architecting Resiliency for Dependency Downtime
  • Further Learning
