Software Security - #NEIS0736 #NECS0736 (2020)!

---

• GitLab Wiki
• MiSSxTalks
• MiSSxTalks Special : Jan 31, 2021 (Postponed due to concerns over a new wave of COVID-19)
• One-on-One Assessment : Nov 29, 2020
• Week 1, Week 2, Week 3, Week 4, Week 5, Week 6, Week 7 and Semi-final Exam
• Week 8, Week 9, Week 10, Week 11, Week 12, Week 13, Week 14, Week 15 and Final Exam
• Extra Point
• 7 (not 11) Groups
• Participant Workload
• Time Attendance
• Congratulations! (From MiSS to MiSS)
• #Code4Sec Week

---

Anan, Athiporn, Bhoomjit, Ekawut, Fareed, Hachol, Jaray, Jaruspong, Keaittisak, Nantawan, Narunart, Nattapong, Nattawut, Nipitpon, Phureephat, Piyawit, Sakarin, Sanchat, Saran, ??????, Soontorn, Suntisuk, Sununta, Supattra, Thanakorn, Theerapong, Vatcharin, Vuttawat, Wasupol

---

[Participants]

1. Anan Boondamnoen
   • (6317810009)
   • One-on-One - Sandbox, Malware (behavior) Analysis
   • DSV - Arduino IDE (#8)
   • Congrats Msg
   • TC : Authentication Architectural
   • V3.5 Token-based Session Management
   • Google
   • SQL Injection - Blind - Time-Based
   • #Code4Sec Week
     • Day 1 : isalpha() - Jan 10, 2021
     • Day 2 : isalnum() - Jan 11, 2021
     • Day 3 : preg_match() - Jan 12, 2021
     • Day 4 : password_verify() - Jan 13, 2021
     • Day 5 : crypt() - Jan 14, 2021
     • Day 6 : display_errors() - Jan 15, 2021
     • Day 7 : isdigit() - Jan 16, 2021
   • Collaborative Coding
   • MiSSxTalks : Golden SAML
   • Golden SAML
   • The Perfect Match : Memory Management, 4.1 Adhere to Relevant Secure Coding Practices
   • The Twelve-Factor App : (Concurrency)
   • Technical Due Diligence
2. Athiporn Phumnicom
   • (6217810016)
   • One-on-One - Authentication, OpenID
   • V3.4 Cookie based Session Management
   • MiSSxTalks - Keep Calm and Sign your Strong Name Assemblies
   • DSV - Gpg4win (#2)
   • Congrats Msg
   • TC : Cookie Expires Session
   • Facebook
   • Digital Signature Verification
   • PHP Code Injection
   • #Code4Sec Week
     • Day 1 : System.Text.RegularExpressions - Jan 6, 2021
     • Day 2 : TryValidateModel - Jan 7, 2021
     • Day 3 : CookieOptions - Jan 8, 2021
     • Day 4 : AuthorizeAttribute - Jan 9, 2021
     • Day 5 : IdentityOptions - Jan 10, 2021
     • Day 6 : Assembly.Load() - Jan 11, 2021
     • Day 7 : ProtectedMemory.Protect() - Jan 12, 2021
   • Collaborative Coding
   • The Perfect Match : Error and exception handling, 4.1 Adhere to Relevant Secure Coding Practices
   • The Twelve-Factor App (Dev/prod parity)
3. Bhoomjit Bhoominath
   • (6317660004)
   • One-on-One - Threat Modeling, Threat Intelligence
   • V1.1 Secure Software Development Lifecycle Requirements
   • Data Governance
   • DSV - Python (#6)
   • Congrats Msg
   • TC : Data Encryption
   • V-Key
   • SQL Injection (Login Form/User)
   • #Code4Sec Week
     • Day 1 : session_start() - Jan 10, 2021
     • Day 2 : session_destroy() - Jan 11, 2021
     • Day 3 : error_reporting() - Jan 12, 2021
     • Day 4 : $_GET VS $_POST - Jan 13, 2021
     • Day 5 : readpassword() - Jan 14, 2021
     • Day 6 : URLEncoder - Jan 15, 2021
     • Day 7 : hashCode() - Jan 16, 2021
   • Collaborative Coding
   • MiSSxTalks : Threat Modeling, The first step towards security in SDLC
   • The Perfect Match : Data Anonymization, 2.4 Identify and Analyze Privacy Requirements
   • The Twelve-Factor App : (Codebase)
   • Microsoft Threat Modeling Tool
4. Ekawut Chairat
   • (6217660002)
   • Daily Scribe of Day 1
   • One-on-One - NetDevOps, Automation
   • V9.1 Client Communications Security Requirements
   • Daily Scribe of Day 2
   • DSV - Notepad++ (#1)
   • Congrats Msg
   • TC : Log Content
   • Microsoft
   • XSS - Reflected (PHP_SELF)
   • #Code4Sec Week
     • Day 1 : shelex.split() - Jan 5, 2021
     • Day 2 : wolfcrypt.ciphers.Aes() - Jan 6, 2021
     • Day 3 : hashlib - Jan 7, 2021
     • Day 4 : ConfigParser - Jan 8, 2021
     • Day 5 : secrets - Jan 9, 2021
     • Day 6 : CRSF protection - Jan 10, 2021
     • Day 7 : ftplib - Jan 11, 2021
   • Collaborative Coding
   • MiSSxTalks : Software Defined Network: When software become to network
   • The Twelve-Factor App : (Build, release, run)
   • The Perfect Match : Cloud architectures - Infrastructure as a Service (IaaS), 3.2 Define the Security Architecture
   • Zero Trust : Identity
5. Fareed Marnleb
   • (6317810012)
   • One-on-One - IoT, CASB
   • V3.3 Session Logout and Timeout
   • DSV - phpMyAdmin (#4)
   • Congrats Msg
   • TC : E-Mail Validation
   • Twitter
   • XSS - Reflected (User-Agent)
   • #Code4Sec Week
     • Day 1 : encode() - Jan 5, 2021
     • Day 2 : isdigit() - Jan 6, 2021
     • Day 3 : password_hash() - Jan 7, 2021
     • Day 4 : preg_replace() - Jan 8, 2021
     • Day 5 : filter_var() - Jan 9, 2021
     • Day 6 : error_reporting() - Jan 10, 2021
     • Day 7 : pg_escape_string() - Jan 11, 2021
   • Collaborative Coding
   • MiSSxTalks : The Vulnerability of IoTs
   • Subresource Integrity (SRI)
   • The Perfect Match : Memory Management, 4.1 Adhere to Relevant Secure Coding Practices
   • The Twelve-Factor App : (Port binding)
6. Hachol Dabthong
   • (6217810010)
   • One-on-One - Automated Testing
   • V7.1 Log Content Requirements
   • MiSSxTalks - Automated Testing, Robot Framework Will Save the Day!
   • DSV - MySQL (#7)
   • Congrats Msg
   • TC : Log Content
   • Microsoft
   • XSS - Reflected (JSON)
   • #Code4Sec Week
     • Day 1 : jsonschema.validate() - Jan 8, 2021
     • Day 2 : Logging.basicConfig() - Jan 9, 2021
     • Day 3 : FILTER_SANITIZE_URL() - Jan 10, 2021
     • Day 4 : socket.inet_pton() - Jan 11, 2021
     • Day 5 : substr_replace() - Jan 12, 2021
     • Day 6 : FILTER_VALIDATE_INT() - Jan 13, 2021
     • Day 7 : os.system() - Jan 14, 2021
   • Collaborative Coding
   • Geohash
   • The Twelve-Factor App : (Admin processes)
   • The Perfect Match : Digitally-signed component, 8.3 Verify Pedigree and Provenance
7. Jaray Paensong
   • (6317660006)
   • One-on-One - CTF, Gamification
   • DSV - Apache (#9)
   • Congrats Msg
   • Daily Scribe of Day 4
   • V2.2 General Authenticator Requirements
   • MiSSxTalks : SQL Injection, the well-known vulnerability ever (Part I)
   • Twitter
   • TC : Authentication Time Limit
   • XSS - Reflected (User-Agent)
   • #Code4Sec Week
     • Day 1 : fchmod - Jan 10, 2021
     • Day 2 : tmpnam, tmpnam_s, tmpnam_r - Jan 11, 2021
     • Day 3 : “strncpy” or “wcsncpy” is security-sensitive - Jan 12, 2021
     • Day 4 : chmod, fchmod - Jan 13, 2021
     • Day 5 : clear-text protocols - Jan 14, 2021
     • Day 6 : changing working directories - Jan 15, 2021
     • Day 7 : archive files without controlling resource consumption - Jan 16, 2021
   • Collaborative Coding
   • MiSSxTalks : SQL Injection
   • The Perfect Match : Logging, 1.1 Core Concepts : Accountability
   • The Twelve-Factor App : (Dependencies)
   • What Are Application Security Risks?
   • Language Server Protocol
8. Jaruspong Tongboon
   • (6217810004)
   • One-on-One - ISMS
   • V6.1 Data Classification
9. Keaittisak Luithong
   • (6317660007)
   • One-on-One - Penetration Testing, Mobile
   • DSV - Python (#6)
   • Congrats Msg
   • LINE
   • TC : Authentication Time Limit
10. Nantawan Sanpukdee
    • (6317660003)
    • One-on-One - CII, Forensics, Cybersecurity
    • DSV - MySQL (#7)
    • Congrats Msg
    • TC : Login Authentication Limits
    • Daily Scribe
    • MiSSxTalks - System acquisition, development and maintenance in ISO27001
    • Instagram
    • SQL Injection (POST/Search)
    • #Code4Sec Week
      • Day 1 : addslashs() - Jan 10, 2021
      • Day 2 : md5() - Jan 11, 2021
      • Day 3 : sha1() - Jan 12, 2021
      • Day 4 : openssl_encrypt() - Jan 13, 2021
      • Day 5 : bcrypt() - Jan 14, 2021
      • Day 6 : mcrypt_encrypt() - Jan 15, 2021
      • Day 7 : openssl_public_encrypt() - Jan 16, 2021
    • Collaborative Coding
    • The Twelve-Factor App : (Build, release, run)
    • The Perfect Match : Type Safety, 4.1 Adhere to Relevant Secure Coding Practices
11. Narunart Vongeium
    • (6317810006)
    • One-on-One - Logging, Log Monitoring
    • DSV - PuTTY (#5)
    • Congrats Msg
    • TC : Log Protection
    • Outlook
    • HTML Injection - Reflected (GET)
    • #Code4Sec Week
      • Day 1 : Crypto.PublicKey - Jan 10, 2021
      • Day 2 : pyAesCrypt (AES256-CBC) - Jan 11, 2021
      • Day 3 : urllib.parse - Jan 12, 2021
      • Day 4 : hmac - Jan 13, 2021
      • Day 5 : strip_tags() - Jan 14, 2021
      • Day 6 : input is_numeric() - Jan 15, 2021
      • Day 7 : hash_equals() - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : 3 Pillars of Observability
    • The Twelve-Factor App : (Admin processes)
    • The Perfect Match : Component Reuse, 1.2 Security Design Principles
12. Nattapong Ketkaew
    • (6317810011)
    • One-on-One - CTI, Log Monitoring
    • DSV - Arduino IDE (#8)
    • Congrats Msg
    • Outlook
    • SQL Injection (POST/Select)
    • Software Supply-Chain Attack
    • #Code4Sec Week
      • Day 1 : preg_quote() - Jan 10, 2021
      • Day 2 : imagestring() - Jan 11, 2021
      • Day 3 : exec() - Jan 12, 2021
      • Day 4 : authentication - Jan 13, 2021
      • Day 5 : ctype_alnum() - Jan 14, 2021
      • Day 6 : memset_s - Jan 15, 2021
      • Day 7 : javax.crypto.Cipher - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : Software Supply Chain Attack
    • Technical Due Diligence
13. Nattawut Reungsap
    • (6217810013)
    • One-on-One - ISO, 27001
    • V4.1 General Access Control Design
    • DSV - Kali (#3)
    • Congrats Msg
    • TC : Authorization of the server resource
    • Firefox
    • XSS - Reflected (JSON)
    • #Code4Sec Week
      • Day 1 : highlight_string() - Jan 9, 2021
      • Day 2 : basename() - Jan 10, 2021
      • Day 3 : ingres_escape_string() - Jan 11, 2021
      • Day 4 : escape_shell_cmd() - Jan 12, 2021
      • Day 5 : pathinfo() - Jan 13, 2021
      • Day 6 : input validation - Jan 14, 2021
      • Day 7 : os.path.basename() - Jan 15, 2021
    • Consent: option not an obligation
    • Collaborative Coding
    • MiSSxTalks : Personal Data Protection Act
    • The Perfect Match : Error and exception handling, 4.1 Adhere to Relevant Secure Coding Practices
    • The Twelve-Factor App : (Disposability)
14. Nipitpon Doungyai
    • (6317810008)
    • One-on-One - VA, PT
    • DSV - PuTTY (#5)
    • Congrats Msg
    • TC : XSS
    • SQL Injection (GET/Search)
    • #Code4Sec Week
      • Day 1 : escape() - Jan 7, 2021
      • Day 2 : parseInt() - Jan 8, 2021
      • Day 3 : bcrypt.hashSync() - Jan 10, 2021
    • Collaborative Coding
    • MiSSxTalks : Static Application Security Testing
    • The Twelve-Factor App : (Disposability)
    • The Perfect Match : Component Reuse, 1.2 Security Design Principles
    • Broken Access Control
    • CSV Injection
    • No Rate Limit
    • Using Comonents with Knonw Vulnerabilities
    • Brute force attack
15. Phureephat Sottiratanapan
    • (6217810014)
    • One-on-One - 27001
    • DSV - Gpg4win (#2)
    • Congrats Msg
    • Search vs. Browse
    • TC : Cookie Expires Session
    • V12.2 File Integrity Requirements
    • Static site generator: SSGs
    • Facebook
    • PHP Code Injection
    • #Code4Sec Week
      • Day 1 : htmlentities() - Jan 10, 2021
      • Day 2 : crc32() - Jan 11, 2021
      • Day 3 : setcookie() - Jan 12, 2021
      • Day 4 : convert_uuencode() - Jan 13, 2021
      • Day 5 : SHA256Hash.ComputeHash() - Jan 14, 2021
      • Day 6 : System.Net.NetworkInformation - Jan 15, 2021
      • Day 7 : java.util.Base64 - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : Secure Software Concepts : Core Concepts
    • The Twelve-Factor App : (Processes)
    • The Perfect Match : Type Safety, 4.1 Adhere to Relevant Secure Coding Practices
    • Business logic vulnerability
16. Piyawit Khumkrong
    • (6317810004)
    • T-Shirt Design
    • Warning: line endings have changed from ‘LF’ to ‘CRLF’
    • One-on-One - Machine Learning, IDS
    • V1.6 Cryptographic Architectural Requirements
    • MiSSxTalks - DevSecOps : Integrating Security into DevOps
    • DSV - Python (#6)
    • Congrats Msg
    • TC : Data Encryption
    • Planet earth with visualization of GitHub activity crossing the globe
    • V-Key
    • SQL Injection (Login Form/User)
    • #Code4Sec Week
      • Day 1 : Formatting SQL queries - Jan 9, 2021
      • Day 2 : Environment Variables - Jan 10, 2021
      • Day 3 : crypto.getRandomValues() - Jan 11, 2021
      • Day 4 : libxmljs - Jan 12, 2021
      • Day 5 : publicly writable directories - Jan 13, 2021
      • Day 6 : XSS - Jan 14, 2021
      • Day 7 : csurf - Jan 15, 2021
    • Collaborative Coding
    • The Perfect Match : File Integrity Monitoring (FIM), 4.3 Implement Security Controls
    • The Twelve-Factor App : (Logs)
    • DevSecOps : Integrating security to DevOps
17. Sakarin Kaewsathitwong
    • (6217810002)
    • One-on-One - MitM
    • 12.5.1 Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage
    • DSV - Kali (#3)
    • Congrats Msg
    • GitHub
    • XSS - Reflected (GET)
    • #Code4Sec Week
      • Day 1 : Steganography() - Jan 9, 2021
      • Day 2 : CryptographyHelper.EncryptString() - Jan 10, 2021
      • Day 3 : PASSWORD() - Jan 11, 2021
      • Day 4 : sha1() - Jan 12, 2021
      • Day 5 : java.security.MessageDigest() - Jan 13, 2021
      • Day 6 : sha256.Sum256() - Jan 14, 2021
      • Day 7 : empty(), isset() & isnull() - Jan 15, 2021
    • Collaborative Coding
    • The Perfect Match : Digitally-signed component, 8.3 Verify Pedigree and Provenance
    • MiSSxTalks : Input Validation : Why it matters?
    • Data Pipeline
18. Sanchat Phaisit
    • (6317810015)
    • DSV - Apache (#9)
    • V2.3 Authenticator Lifecycle Requirements
    • Congrats Msg
    • One-on-One - Phishing, ISO27001, Chemistry
    • TC : Authenticator Lifecycle
    • LINE
    • XSS - Reflected (HREF)
    • #Code4Sec Week
      • Day 1 : Tempfile.NamedTemporaryFile() - Jan 10, 2021
      • Day 2 : Casting to safe types - Jan 11, 2021
      • Day 3 : os.environ.get() - Jan 12, 2021
      • Day 4 : re.escape() - Jan 13, 2021
      • Day 5 : urllib.parse.urlparse() - Jan 14, 2021
      • Day 6 : isalnum() - Jan 15, 2021
      • Day 7 : OS commands - Jan 16, 2021
    • Collaborative Coding
    • The Twelve-Factor App : (Backing services)
    • Cross-Site Request Forgery Attacks
    • Directory traversal
    • LDAP Injection
19. Saran Kaewnang
    • (6317810007)
    • One-on-One - VA, PT
    • Congrats Msg
    • TC : XSS
    • SQL Injection (GET/Search)
    • #Code4Sec Week
      • Day 1 : mysqli_real_escape_string() - Jan 5, 2021
    • Collaborative Coding
    • MiSSxTalks : Dynamic Application Security Testing
    • MiSSxTalks : Dynamic Application Security Testing (cont’d)
    • The Twelve-Factor App : (Processes)
    • The Perfect Match : Out-of-Band (OOB) management, 3.3 Performing Secure Interface Design
    • Dynamic Application Security Testing
    • How to crack and protect vb.net language programs
    • Prevent brute force with Google recaptcha in php language
20. ??????
    • (6117810017)
    • One-on-One - Static Analysis, Android, SaaS, SDN
    • DSV - Arduino IDE (#8)
    • V2.5 Credential Recovery Requirements
    • TC : File Upload
    • Firefox
    • SQL Injection (GET/Select)
    • #Code4Sec Week
      • Day 1 : bcrypt - Jan 10, 2021
      • Day 2 : getpass - Jan 11, 2021
      • Day 3 : sha256_crypt - Jan 12, 2021
      • Day 4 : Hazmat Module - Jan 13, 2021
      • Day 5 : hashlib.sha256() - Jan 14, 2021
      • Day 6 : getuser() - Jan 15, 2021
      • Day 7 : passlib.hash.scrypt - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : What is Container Security?
    • The Twelve-Factor App : (Config)
    • The Perfect Match : Out-of-Band (OOB) management, 3.3 Performing Secure Interface Design
    • Technical Due Diligence –>
21. Soontorn Janphuk
    • (6317660001)
    • One-on-One - CTI, SOC
    • V1.2 Authentication Architectural Requirements
    • DSV - phpMyAdmin (#4)
    • Congrats Msg
    • TC : Authentication Architectural
    • Google
    • SQL Injection - Blind - Time-Based
    • #Code4Sec Week
      • Day 1 : mysql_escape_string - Jan 9, 2021
      • Day 2 : strpos() - Jan 10, 2021
      • Day 3 : urldecode() - Jan 11, 2021
      • Day 4 : hexdec() - Jan 12, 2021
      • Day 5 : htmlentities - Jan 13, 2021
      • Day 6 : dirname() - Jan 14, 2021
      • Day 7 : in_array() - Jan 15, 2021
    • Collaborative Coding
    • MiSSxTalks : Cyber Threat Intelligence
    • Indicator of compromise (IoC)
    • The Perfect Match : Data Anonymization, 2.4 Identify and Analyze Privacy Requirements
    • The Twelve-Factor App (Dev/prod parity)
22. Suntisuk Thepthong
    • (6217810015)
    • One-on-One - SIEM, Security Automation, SOAR
    • V11-Business-Logic-Verification-Requirements
    • MiSSxTalks - Secure Access Service Edge (SASE)
    • DSV - Notepad++ (#1)
    • Congrats Msg
    • TC : File Upload
    • GitHub
    • XSS - Reflected (GET)
    • #Code4Sec Week
      • Day 1 : request_safe - Jan 3, 2021
      • Day 2 : uuid - Jan 4, 2021
      • Day 3 : ntplib - Jan 5, 2021
      • Day 4 : base64 - Jan 6, 2021
      • Day 5 : PasswordPolicy - Jan 7, 2021
      • Day 6 : threading - Jan 8, 2021
      • Day 7 : http.server - Jan 9, 2021
    • Collaborative Coding
    • The Perfect Match : Platform as a Service (PaaS), 3.2 Define the Security Architecture
    • The Twelve-Factor App : (Dependencies)
23. Sununta Labaiusuh
    • (6217810009)
    • One-on-One - Cloud Security, Test bed
    • V1.7 Errors, Logging and Auditing Architectural Requirements
    • DSV - Gpg4win (#2)
    • TC : Authorization of the server resource
24. Supattra Boonkied
    • (6317810003)
    • One-on-One - IoT, Blockchain
    • V10.1 Code Integrity Controls
    • DSV - MySQL (#7)
    • Congrats Msg
    • TC : Login Authentication Limits
    • Instagram
    • #Code4Sec Week
      • Day 1 : hashlib - Jan 5, 2021
      • Day 2 : cryptography.fernet - Jan 6, 2021
      • Day 3 : passlib.hash - Jan 7, 2021
      • Day 4 : requests.get - Jan 8, 2021
      • Day 5 : socket, ssl - Jan 9, 2021
      • Day 6 : sockets - Jan 10, 2021
      • Day 7 : pickle - Jan 11, 2021
    • Collaborative Coding
    • MiSSxTalks : SQL Injection
    • The Twelve-Factor App : (Logs)
    • The Perfect Match : Type Safety, 4.1 Adhere to Relevant Secure Coding Practices
25. Thanakorn Prajuabkamon
    • (6217810017)
    • One-on-One - Cloud Security, Misconfiguration
    • 12.1.1 Verify that the application will not accept large files that could fill up storage or cause a denial of service
    • GitLab - HTTP Basic: Access denied. You must use a personal access token with ‘read_repository’ or ‘write_repository’ scope for Git over HTTP.
    • DSV - Notepad++ (#1)
    • Congrats Msg
    • TC : File Upload
    • GitLab
    • XSS - Reflected (PHP_SELF)
    • #Code4Sec Week
      • Day 1 : shlex.quote() - Jan 10, 2021
      • Day 2 : filehash() - Jan 11, 2021
      • Day 3 : re - Jan 12, 2021
      • Day 4 : PasswordGenerator - Jan 13, 2021
      • Day 5 : pysftp - Jan 14, 2021
      • Day 6 : smtplib - Jan 15, 2021
      • Day 7 : pyminizip - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : Secret management in software development
    • The Perfect Match : Platform as a Service (PaaS), 3.2 Define the Security Architecture
    • The Twelve-Factor App : (Config)
26. Theerapong Kanrawong
    • (6317810002)
    • One-on-One - RPA
    • Source Code Escrow
    • DSV - PuTTY (#5)
    • Congrats Msg
    • TC : Log Protection
    • HTML Injection - Reflected (GET)
    • #Code4Sec Week
      • Day 1 : RegExp() - Jan 10, 2021
      • Day 2 : encodeURIComponent() - Jan 11, 2021
      • Day 3 : Base64 - Jan 12, 2021
      • Day 4.1 : https.request() - Jan 13, 2021
      • Day 4.2 : https.request() - Jan 14, 2021
      • Day 5 : regex - Jan 15, 2021
      • Day 6 : hash function - Jan 16, 2021
      • Day 7 : AES encryption - Jan 16, 2021
    • Collaborative Coding
    • The Perfect Match : Logging, 1.1 Core Concepts : Accountability
    • MiSSxTalks - Define the Cloud Architecture
    • The Twelve-Factor App : (Backing services)
27. Vatcharin Kongsakul
    • (6217810003)
    • MiSSxTalks - Git
    • One-on-One - IoT PenTest, DevOps, DevSecOps, Agile
    • DSV - Kali (#3)
    • Congrats Msg
    • GitLab
    • #Code4Sec Week
      • Day 1 : input validation - Jan 5, 2021
      • Day 2 : CORS HTTP allow methods - Jan 9, 2021
      • Day 3 : bcrypt - Jan 10, 2021
      • Day 4 : HTTP Server - Jan 11, 2021
      • Day 5 : gofiber Error Handling - Jan 12, 2021
      • Day 6 : gofiber CSRF - Jan 13, 2021
      • Day 7 : limiter - Jan 14, 2021
    • Collaborative Coding
    • The Twelve-Factor App : (Port binding)
    • The Perfect Match : Cloud architectures - Infrastructure as a Service (IaaS), 3.2 Define the Security Architecture
    • Case Style
    • Business logic vulnerability
    • Kubernetes Network
    • InC Secure Scanning from Scratch
    • .gitignore
28. Vuttawat Uyanont
    • (6317810001)
    • T-Shirt Design
    • How to create a new GitLab page from scratch, https://hyde4thheaven.gitlab.io/profile/
    • One-on-One - Smart Contract, Blockchain, Cryptocurrency
    • DSV - phpMyAdmin (#4)
    • Congrats Msg
    • TC : E-Mail Validation
    • SQL Injection (POST/Search)
    • #Code4Sec Week
      • Day 1 : compare_digest() - Jan 10, 2021
      • Day 2 : TemporaryFile() and mkstemp() - Jan 11, 2021
      • Day 3 : yaml.safe_load() - Jan 12, 2021
      • Day 4 : Deserialize Data from Untrusted Sources - Jan 13, 2021
      • Day 5 : generate_private_key() - Jan 14, 2021
      • Day 6 : eval() - Jan 15, 2021
      • Day 7 : Auto-Escaping - Jan 16, 2021
    • Collaborative Coding
    • MiSSxTalks : Blockchain and Smart Contract
    • The Perfect Match : File Integrity Monitoring (FIM), 4.3 Implement Security Controls
    • The Twelve-Factor App : (Codebase)
29. Wasupol Chaisangasilp
    • (6317810014)
    • One-on-One - CTI
    • Congrats Msg
    • TC : Authenticator Lifecycle
    • XSS - Reflected (HREF)
    • #Code4Sec Week
      • Day 1 : prepare() - Jan 10, 2021
      • Day 2 : hash() - Jan 11, 2021
      • Day 3 : session_regenerate_id - Jan 12, 2021
      • Day 4 : random_int() - Jan 13, 2021
      • Day 5 : crypto.createCipheriv() - Jan 14, 2021
      • Day 6 : HttpUtility.HtmlEncode - Jan 15, 2021
      • Day 7 : sleep() - Jan 16, 2021
    • Collaborative Coding
    • The Twelve-Factor App : (Concurrency)
    • Web Application Security
    • Security Misconfiguration
    • Penetration Testing
    • DDoS Protection

---

[MiSSxTalks] (2 chances)

• Book your time slot

• (Sun) Nov 22, 2020
  • “Git”, Khun Vatcharin Kongsakul
• (Sun) Dec 6, 2020
  • “DevSecOps : Integrating Security into DevOps”, Khun Piyawit Khumkrong (Es)
  • “Automated Testing, Robot Framework Will Save the Day!”, Khun Hachol Dabthong (Chon)
  • “Keep Calm and Sign your Strong Name Assemblies”, Khun Athiporn Phumnicom (Beam)
  • “Secure Access Service Edge (SASE)”, Khun Suntisuk Thepthong (IceSuntisuk)
• (Sun) Dec 13, 2020
  • “SQL Injection, the well-known vulnerability ever.”, Khun Jaray Paensong (Ray)
• (Sun) Dec 20, 2020
  • “System acquisition, development and maintenance in ISO27001”, Khun Nantawan Sanpukdee (Fai)
• (Sun) Jan 24, 2021
  • “Threat Modeling, The first step towards security in SDLC”, Khun Bhoomjit Bhoominath (Luck)
  • “Blockchain and Smart Contract”, Khun Vuttawat Uyanont (Palm)
  • “Software Defined Network: When software become to network”, Khun Ekawut Chairat (Nua)
  • “Secret management in software development”, Khun Thanakorn Prajuabkamon (Korn)
  • “Personal Data Protection Act”, Khun Nattawut Reungsap (Meaw)
  • “3 Pillars Of Observability”, Khun Narunart Vongeium (Eit)
  • “Cyber Threat Intelligence”, Khun Soontorn Janphuk (Brad)
  • “Software Supply Chain Attack”, Khun Nattapong Ketkaew (X)
• (Sun) Jan 31, 2021
  • “What is Container Security?”, Khun ??????
  • “The Vulnerability of IoTs”, Khun Fareed Marnleb (Far)
  • “Golden SAML”, Khun Anan Boondamnoen (Nan)
  • “SQL Injection”, Khun Supattra Boonkied (Noy) + (Jaray)
  • “Secure Software Concepts : Core Concepts”, Khun Phureephat Sottiratanapan (Farn)
  • “Static Application Security Testing”, Khun Nipitpon Doungyai (Geno)
• (Sun) Feb 14, 2021
  • “Dynamic Application Security Testing”, Khun Saran Kaewnang (Golf)
  • “Define the cloud architecture”, Khun Theerapong Kanrawong (Pong)
  • “SQL Injection”, Khun Supattra Boonkied (Noy) + (Jaray)
• (Sun) Mar 7, 2021
  • “Dynamic Application Security Testing”, Khun Saran Kaewnang (Golf)
  • “Input Validation: Why it matters?”, Khun Sakarin Kaewsathitwong (Alfatoxin)

---

[Instructor]

• Maykin Warasart
• Pongpat Rakdej
  • Basic Buffer Overflow : Case gets() in C Language
• Pemika Limpittaya

---

[Week 1] - (Sun) Nov 22, 2020

• Course introduction
  • Ground rules (created and agreed by the people participating in the 1^st session)
  • Grading statistic & policy
• Git - Why the Gauntlet didn’t work?
• MiSSxTalks
  • Khun Vatcharin K.
• KEEP CALM and FUN with Git
  • Biography
• MiSSxTalks
  • CSSLP Ex. Outline
  • Extra Point
• Daily Scribe by Ekawut Chairat
• Homeworks
  • Bruce Schneier: The Security Mindset - only 7:32 min.
  • 5 Reasons Why Software Security Is More Critical Than Ever, Checkmarx
  • “Security”, Thailand Digital Technology Foresight 2035
  • Prep. for the One-on-One Assessment
    • Background check
    • Security mindset
    • Reasons why #SWSec is more critical
    • Thailand Security Foresight 2035
    • Show us your Love in the loop
    • Topics of interest (Thesis/Independent Study) w/ 3 related papers from IEEExplore or trusted research databases
    • Completion of your GitHub Page biography
    • Tell me your AKA
    • Perfectly MiSSxTalks topic name

[Week 2] - (Sun) Nov 29, 2020

• Security Requirements
  • OWASP ASVS (Application Security Verification Standard)
  • Choose and create a perfect KB in GitLab Wiki under “Requirement” folder.
    • Do not hesitate to ask Khun Ekawut if you cannot deal with the wiki.

• One-on-One Assessment (true coffee)
  1. Nov 26 (Eve): Khun Fareed Marnleb (Starbucks at Major Avenue - Ratchayothin)
  2. Nov 26 (Eve): Khun Soontorn Janphuk (Starbucks at Major Avenue - Ratchayothin)
  3. 08:31 - 08:40 : Khun Ekawut Chairat
  4. 08:41 - 08:50 : Khun Sakarin Kaewsathitwong
  5. 08:51 - 09:00 : Khun Thanakorn Prajuabkamon
  6. 09:01 - 09:10 : Khun Nattawut Reungsap
  7. 09:11 - 09:20 : Khun Sununta Labaiusuh
  8. 09:21 - 09:30 : Khun Athiporn Phumnicom
  9. 09:31 - 09:40 : Khun Jaruspong Tongboon
  10. 09:41 - 09:50 : Khun Piyawit Khumkrong
  11. 09:51 - 10:00 : Khun Vatcharin Kongsakul
  12. 10:01 - 10:10 : Khun Anan Boondamnoen
  13. 10:11 - 10:20 : Khun Jaray Paensong
  14. 10:21 - 10:30 : Khun Bhoomjit Bhoominath
  15. 10:31 - 10:40 : Khun Vuttawat Uyanont
  16. 10:41 - 10:50 : Khun Keaittisak Luithong
  17. 10:51 - 11:00 : Khun Saran Kaewnang
  18. 11:01 - 11:10 : Khun Nipitpon Doungyai
  19. 11:11 - 11:20 : Khun Narunart Vongeium
  20. 11:21 - 11:30 : Khun ??????
  21. 11:31 - 11:40 : Khun Phureephat Sottiratanapan
  22. 11:41 - 11:50 : Khun Supattra Boonkied
  23. 11:51 - 12:00 : Khun Wasupol Chaisangasilp
  24. 12:01 - 12:10 : Khun Theerapong Kanrawong
  25. 12:11 - 12:20 : Khun Hachol Dabthong
  26. 15:15 - 15:30 : Khun Suntisuk Thepthong
  27. Dec 1 (Eve) : Khun Nantawan Sanpukdee (Starbucks at Central Ladprao)
  28. Dec 1 (Eve) : Khun Nattapong Ketkaew (Starbucks at Central Ladprao)
  29. Dec 13 (8:30) : Khun Sanchat Phaisit
• Daily Scribe by Ekawut Chairat

[Week 3] - (Sun) Dec 6, 2020

• Required App : LINE Dictionary (Android), (iOS)
• Constructive Criticism
• MiSSxTalks
  • “DevSecOps : Integrating Security into DevOps”, Khun Piyawit Khumkrong (Es)
  • “Automated Testing, Robot Framework Will Save the Day!”, Khun Hachol Dabthong (Chon)
  • “Keep Calm and Sign your Strong Name Assemblies”, Khun Athiporn Phumnicom (Beam)
  • “Secure Access Service Edge (SASE)”, Khun Suntisuk Thepthong (IceSuntisuk)
• Relocate GitLab repository
• /ˈrēˌkap/ - Security Requirements
• Group Project & Mini-Contest Clarification & Grouping
• Homework
  • Digital Signature Verification, Python, PHP, phpMyAdmin, MySQL, Apache HTTP Server, nginx, Notepad++, Arduino IDE, Gpg4win, GnuPG, PuTTY, Kali Linux, Apache JMeter

[Week 4] - (Sun) Dec 13, 2020

• MiSSxTalks
  • “SQL Injection, the well-known vulnerability ever”, Khun Jaray Paensong (Ray)
• https://orcid.org/0000-0001-9855-1676
• Client, BA, Developer & Code (Tic-Tac-Toe)
• No bug is hard to catch with team work.
• Testable Security Requirements
• Test Case, ISTQB Glossary
• Daily Scribe by Jaray Paensong
• Homework
  • Congratulations Messages | The new way to send a farewell| group card
    • Vuttawat, Saran, Bhoomjit, Fareed, Sanchat, Theerapong, Athiporn, Phureephat, Piyawit, Thanakorn, Jaray, Ekawut, Anan, Soontorn, Hachol, Sakarin, Suntisuk, Supattra, Keaittisak, Nattapong, Wasupol, Vatcharin, Nantawan, Narunart, Nipitpon, Nattawut

[Week 5] - (Sun) Dec 20, 2020

• MNR Room, Q Building
• MiSSxTalks
  • “System acquisition, development and maintenance in ISO27001”, Khun Nantawan Sanpukdee
• Empathy
  • Congrats Msg, TC
• Two factor authentication
• Daily Scribe by Nantawan Sanpukdee
• Homework
  • Two factor authentication : well known application/services

[Week 6] - (Sun) Dec 27, 2020

• Online (due to COVID-19)
  • Static Application Security Testing (SAST), Source Code Analysis
    • VirtualBox / VMware Workstation Player
    • WinSCP or any SCP client
    • #HereWeFix, request access needed
    • NetBeans : PHP, VS Code with PHP Static Analysis extension
• #HereWeFix
  • SQL Injection (Login Form/User) - Piyawit / Bhoomjit
  • XSS - Reflected (GET) - IceSuntisuk / Sakarin
  • SQL Injection (GET/Search) - Saran / Nipitpon
  • XSS - Reflected (User-Agent) - Fareed / Jaray
  • PHP Code Injection - Athiporn / Phureephat
  • XSS - Reflected (PHP_SELF) - Thanakorn / Ekawut
  • SQL Injection (POST/Search) - Nantawan / Vuttawat
  • HTML Injection - Reflected (GET) - Theerapong / Narunart
  • SQL Injection (GET/Select) - ??????
  • XSS - Reflected (User-Agent) - Hachol / Nattawut
  • SQL Injection - Blind - Time-Based - Anan / Soontorn
  • XSS - Reflected (HREF) - Sanchat / Wasupol
  • SQL Injection (POST/Select) - Nattapong
• X’Mas Aftermath: Moments of Celebration & Sharing
• MiSSxTalks
• Daily Scribe

[Week 7] - (Sun) Jan 3, 2021

• Online (due to COVID-19)
• What is your favorite programming language?
• #Code4Sec, a week of coding for security
  • Publish : [GitHub Pages|GitLab Pages|DEV|Medium|WordPress|Blogger]
  • Share : [Facebook|Twitter|IG], #Code4Sec Week, Day X #NEIS0736 #NECS0736
  • 7 continuous days within Jan 16, 2021
• Daily Scribe
• Homework
  • Repl.it 6 min. (3:45 - 9:45)
  • @EsKoOnG, @Devtech95, @SupattraBoonkie, @inuax, @XserieX, @marukofar, @alfatoxin, @AthipornPhumnic, @peegonggoy, @hacholda, @NarunartVongeiu, @icesuntisuk, @nongkon09, @PhureephatS, @omoomomx, @sanchat13, @ryudokung, @AnanBoondamnoen, @jaray06, @fAi00S, @freedom357, @ShiaNEIS0736, @VuttawatUyanont, @NattapongKetkae, @ahicft, @GenoGN, @Pongpatrakdej

---

[Semi-final Examination]

• Jan 10, 2021 (AM)
• Keybase will save your day :)
• Openbook (2 hours) + live debugging (1 Hour)
• Controlled environment (w/o communication devices)
• Take the exam at the same time, one item at a time.

---

[Week 8] - (Sun) Jan 10, 2021

• Online (due to COVID-19)
• Class check-in : Talk, learn, collab and code together right in your browser
• Pairing for #CollabChallenge by Random Team Generator
  1. @VuttawatUyanont & @inuax
  2. @AthipornPhumnic & @Devtech95
  3. @EsKoOnG & @PhureephatS
  4. @fAi00S & @XserieX
  5. @ShiaNEIS0736 & @omoomomx
  6. @AnanBoondamnoen & @peegonggoy
  7. @SupattraBoonkie & @ahicft
  8. @marukofar & @NarunartVongeiu
  9. @freedom357 & @nongkon09
  10. @icesuntisuk & @sanchat13
  11. @hacholda & @ryudokung
  12. @NattapongKetkae & @GenoGN
  13. @alfatoxin & @jaray06
• Review & Revise your published #Code4Sec
• Daily Scribe
• Homework
  • Prep. for the #CollabChallenge, 5 points per group
    • You select 3 topics from the published #Code4Sec (by your friends), 1 will be chosen by the instructor.
    • Take turn every 3 characters in 3 mins w/o talking together.

[Week 9] - (Sun) Jan 17, 2021

• Online (due to COVID-19)
• #CollabChallenge, #PairProgramming the funny way (Takeshi’s Castle style) 😜 (draw lots)
  1. @AnanBoondamnoen & @peegonggoy
  2. @marukofar & @NarunartVongeiu
  3. @freedom357 & @nongkon09
  4. @alfatoxin & @jaray06
  5. @hacholda & @ryudokung
  6. @fAi00S & @XserieX
  7. @SupattraBoonkie & @ahicft
  8. @NattapongKetkae & @GenoGN
  9. @VuttawatUyanont & @inuax
  10. @icesuntisuk & @sanchat13
  11. @EsKoOnG & @PhureephatS
  12. @AthipornPhumnic & @Devtech95
  13. @ShiaNEIS0736 & @omoomomx
• Homework
  • Collaborative Coding
    • Visual Studio Code
    • Extention(s)
      • Python
      • Live Share
    • Test Live Share w/ your pair.
      • Piyawit vs. Phureephat - Jan 17, 2021
      • Athiporn vs. Theerapong - Jan 18, 2021
      • Soontorn vs. Thanakorn - Jan 19, 2021
      • Nattapong vs. Nipitpon - Jan 20, 2021
      • Fareed vs. Narunart - Jan 20, 2021
      • Vuttawat vs. Ekawut - Jan 20, 2021
      • Suntisuk vs. Sanchat - Jan 20, 2021
      • Nantawan vs. Wasupol - Jan 22, 2021
      • Hachol vs. Vatcharin - Jan 23, 2021
      • Bhoomjit vs. Anan - Jan 23, 2021
      • Sakarin vs. Jaray - Jan 23, 2021
      • Nattawut vs. ?????? - Jan 24, 2021
      • Saran vs. Supattra - Jan 28, 2021

[Week 10] - (Sun) Jan 24, 2021

• Online (due to COVID-19)
• MiSSxTalks
  • “Threat Modeling, The first step towards security in SDLC”, Khun Bhoomjit Bhoominath
  • “Blockchain and Smart Contract”, Khun Vuttawat Uyanont
  • “Software Defined Network: When software become to network”, Khun Ekawut Chairat
  • “Secret management in software development”, Khun Thanakorn Prajuabkamon
  • “Personal Data Protection Act”, Khun Nattawut Reungsap
  • “3 Pillars of Observability”, Khun Narunart Vongeium
  • “Cyber Threat Intelligence”, Khun Soontorn Janphuk
  • “Software Supply Chain Attack”, Khun Nattapong Ketkaew
• SysAdminDay 2020

[Week 11] - (Sun) Jan 31, 2021

• Online (due to COVID-19)
• MiSSxTalks
  • “What is Container Security?”, Khun ??????
  • “The Vulnerability of IoTs”, Khun Fareed Marnleb
  • “Golden SAML”, Khun Anan Boondamnoen
  • “SQL Injection”, Khun Supattra Boonkied & Khun Jaray Paensong
  • “Secure Software Concepts : Core Concepts”, Khun Phureephat Sottiratanapan
  • “Static Application Security Testing”, Khun Nipitpon Doungyai
• The Perfect Match, CSSLP exam outline
  1. Khun Bhoomjit & Khun Soontorn : Data Anonymization, 2.4 Identify and Analyze Privacy Requirements - Feb 7, 2021
  2. Khun Piyawit & Khun Vuttawat : File Integrity Monitoring (FIM), 4.3 Implement Security Controls - Feb 8, 2021
  3. Khun Nattawut & Khun Athiporn : Error and exception handling, 4.1 Adhere to Relevant Secure Coding Practices - Feb 10, 2021
  4. Khun Fareed & Khun Anan : Memory Management, 4.1 Adhere to Relevant Secure Coding Practices - Feb 11, 2021
  5. Khun Thanakorn & Khun Suntisuk : Cloud architectures - Platform as a Service (PaaS), 3.2 Define the Security Architecture - Feb 11, 2021
  6. Khun Theerapong & Khun Jaray : Logging, 1.1 Core Concepts : Accountability - Feb 12, 2021
  7. Khun Hachol & Khun Sakarin : Digitally-signed component, 8.3 Verify Pedigree and Provenance - Feb 16, 2021
  8. Khun Vatcharin & Khun Ekawut : Cloud architectures - Infrastructure as a Service (IaaS), 3.2 Define the Security Architecture - Feb 22, 2021
  9. Khun Nipitpon & Khun Narunart : Component Reuse, 1.2 Security Design Principles - Mar 23, 2021
  10. Khun ?????? & Khun Saran : Out-of-Band (OOB) management, 3.3 Performing Secure Interface Design - Mar 29, 2021
  11. Khun Phureephat, Khun Nantawan & Khun Supattra : Type Safety, 4.1 Adhere to Relevant Secure Coding Practices - Apr 4, 2021

Class Cancelled (Sun) Feb 7, 2021

[Week 12] - (Sun) Feb 14, 2021

• Online (due to COVID-19)
• Valentine vs. Ovaltine
• MiSSxTalks
  • “Dynamic Application Security Testing”, Khun Saran Kaewnang
  • “Define the cloud architecture”, Khun Theerapong Kanrawong
  • “SQL Injection”, Khun Supattra Boonkied & Khun Jaray Paensong
• Are we all on the same page with the final examination?
• The Twelve-Factor App
  1. Khun Bhoomjit & Khun Vuttawat (Codebase)
  2. Khun Suntisuk & Khun Jaray (Dependencies)
  3. Khun Thanakorn & Khun ?????? (Config)
  4. Khun Theerapong & Khun Sanchat (Backing services)
  5. Khun Nantawan & Khun Ekawut (Build, release, run)
  6. Khun Saran & Khun Phureephat (Processes)
  7. Khun Fareed & Khun Vatcharin (Port binding)
  8. Khun Anan & Khun Wasupol (Concurrency)
  9. Khun Nipitpon & Khun Nattawut (Disposability)
  10. Khun Soontorn & Khun Athiporn (Dev/prod parity)
  11. Khun Piyawit & Khun Supattra (Logs)
  12. Khun Hachol & Khun Narunart (Admin processes)
• Homework
  • Prep. for the Band Battle : The War is On
    • Old School : Athiporn, Ekawut, Hachol, Nantawan, Nattawut, Phureephat, Piyawit, Sakarin, ??????, Suntisuk, Thanakorn, Vatcharin
    • New School : Anan, Bhoomjit, Fareed, Jaray, Narunart, Nattapong, Nipitpon, Sanchat, Saran, Soontorn, Supattra, Theerapong, Vuttawat, Wasupol
  • Prep. for the Last Pitch

[Week 13] - (Sun) Feb 21, 2021

• Band Battle : The War is On (#CodeBattle)

  Old School	Athiporn, Ekawut, Hachol, Nantawan, Nattawut, Phureephat, Piyawit, Sakarin, ??????, Suntisuk, Thanakorn, Vatcharin
  New School	Anan, Bhoomjit, Fareed, Jaray, Narunart, Nipitpon, Sanchat, Saran, Soontorn, Supattra, Theerapong, Vuttawat, Wasupol

• There’s something about number.
  • version
  • factor
  • etc.
• The Twelve-Factor App Cont’d
• Homework
  • Prep. for the Last Pitch

[Week 14] - (Sun) Feb 28, 2021

• Are You Ready to Fly Solo? – The Last Pitch
  • Coding Interview, choose three and play only one
  • Do not be afraid to improvise
• Navigator w/ Improvisation
  • Vatcharin & Ekawut [Done] – #FileIntegrity #Logging
  • Thanakorn & Suntisuk [Done] – #FileIntegrityMonitoring #LiNENotification
  • Piyawit & Bhoomjit [Done] – #Logging #LimitTimeLogin
  • Athiporn & Phureephat [Done] – #Logging #CodeSnippet
  • Narunart & Saran [Done] – #BruteForcePrevention
  • Nipitpon & ?????? [Done] –
  • Theerapong & Jaray [Done] –
  • Anan & Fareed [Done] – #ExceptionHandling
  • Soontorn & Wasupol [Done] – #Anonymization
  • Hachol, Nattawut & Nantawan [Done] – #FileIntegrityMonitoring #EmailNotification
• em·pa·thize

[Week 15] - (Sun) Mar 7, 2021

• Navigator w/ Improvisation (cont’d)
  • Vuttawat, Sakarin & Sanchat – [Done] –
• MiSSxTalks
  • “Dynamic Application Security Testing”, Khun Saran Kaewnang
  • “Input Validation: Why it matters?”, Khun Sakarin Kaewsathitwong
• End of Course Summary
  • The Coolest
  • The Worst
  • The Most admired KB
• Feedback for improving the KBs
  • Constructive Criticism for KBs
• Final Exam Guidelines
• Knowledge along with virtue
  • Use your ability to learn to work for this country.
  • The Learning Pyramid

[Final Examination] - (Lec)

• Mar 27, 2021 (AM) @MII209B

---

[Grading Policy]

A weighted grade average will be calculated as follows:

ACTIVITIES	PERCENTAGES
In-class participation (#MiSSxTalks special, Daily Scribe, KBs, homeworks)	25
Individual assignments (#MiSSxTalks)	10
Completion of mandatory finger exercises (#CollabChallenge #CodeBattle)	5
Course project (or mini contest)	10
Midterm exam (#Code4Sec Week)	15
Final exam	35

[Required Materials]

• There are no required books to purchase for this class, but a personal laptop.

---

[Recommended Materials]

• Authentication, Authorisation & Accountability (AAA) Knowledge Area, Dieter Gollmann
• Security Engineering, Ross Anderson
• Computer Security and the Internet: Tools and Jewels, Paul C. van Oorschot
• Software Security: Principles, Policies, and Protection, Payer
• OWASP Top 10 Web Application Security Risks
• OWASP Web Security Testing Guide v4.2
• OWASP Proactive Controls
• Web Application Security Standard v1.0 by ETDA
• OWASP AppSec Pipeline
• Trusted Electronic Document and Authentication : TEDA
• The Twelve Factors (ไทย)
• The Architecture of Open Source Applications
• Thailand Data Protection Guidelines v3.0
• Guideline for Blockchain Technology Adoption in Financial Services
• Cloud Controls Matrix v4

---

[Official class meeting place]

[Extra Point]

• GitLab Pages, claimed by Khun Vuttawat U.
• GitLab - Personal Access Token, claimed by Khun Thanakorn P.
• Someone just searched for you on Google…
• If you found it useful maybe consider buying us a coffee
• Keybase
• Digital signature verification (e.g. Tor Browser)
• Tester Work, a crowdsourced testing. You’re ready to test!
• Bug bounty/CTF write-ups
• Subresource Integrity, claimed by Khun Fareed M.
• Publication[s] (e.g. Coin Recovery, ECTI DAMT and NCON 2021)
• Community volunteering (e.g. VolunteXTH, Barcamp Bangkhen)
• Certification (e.g. Professional Certificate in Secure Software Development Fundamentals)
• Contest/Seminar/Webinar
• LinuxFoundationX: LFD105x Secure Software Development: Implementation
  • “Improper input validation is such a common cause of security vulnerabilities that it is 2019 CWE Top 25 #3. It is also identified as CWE-20 (Improper Input Validation).”
  • “Insecure deserialization is such a common mistake in web applications that it is 2017 OWASP Top 10 #8 and 2019 CWE Top 25 #23. It is CWE-502, Deserialization of Untrusted Data. Attackers may find such vulnerabilities harder to exploit, but once the vulnerability is found it can result in immediate compromise of an entire system, because it may provide complete control of the system to the attacker.”
• Warning: line endings have changed from ‘LF’ to ‘CRLF’, claimed by Khun Piyawit K.
• Cyber Threat Intelligence - API. “Threat intelligence” (TI) is evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice — about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject’s response to that menace or hazard. – Gartner
• What is a (computing/digital) platform?, booked by Khun Phureephat S.
• ar·chi·tec·ture /ˈärkəˌtek(t)SHər/
• Data Governance, claimed by Khun Bhoomjit Bh.
• Source Code Escrow Agreement, claimed by Khun Theerapong K.
• Technical Due Diligence, claimed by Khun ??????
• Search vs. Browse, claimed by Khun Phureephat S.
• Amazon Lookout for Vision - Spot product defects using computer vision to automate quality inspection
• Planet earth with visualization of GitHub activity crossing the globe, claimed by Khun Piyawit K.
• 10 Cool Error/Warning Messages
• lint, or a linter
• Static Site Generators - SSGs, claimed by Khun Phureephat S.
• Introspectable tunnels to localhost
• Distributed Load Testing on AWS
• Homomorphic Encryption: Unlock value of sensitive data without decryption
• Software Supply-Chain Attack, claimed by Khun Nattapong K.
• Golden SAML, claimed by Khun Anan B.
• Zero Trust : Identity, claimed by Khun Ekawut C.
• SSI: Self Sovereign Identity
• Business logic vulnerability
• Case Styles, claimed by Khun Vatcharin K.
• Sandbox
• Consent: option not an obligation, claimed by Khun Nattawut R.
• Tools calibration: why is it important?
• Using Privacy Enhancing Techniques to Unlock New Value, WEF
• If you don’t want to invest in SAST tools for all your languages
• Geohash, claimed by Khun Hachol D.
• Microsoft Security Code Analysis
• Language Server Protocol
• sigstore, Software Signing

---

Anan, Athiporn, Bhoomjit, Ekawut, Fareed, Hachol, Jaray, Jaruspong, Keaittisak, Nantawan, Narunart, Nattapong, Nattawut, Nipitpon, Phureephat, Piyawit, Sakarin, Sanchat, Saran, ??????, Soontorn, Suntisuk, Sununta, Supattra, Thanakorn, Theerapong, Vatcharin, Vuttawat, Wasupol

---

[80-20 Rule]

• Discuss 20% of things used 80% of the time in depth to touch upon other things briefly equipping you with enough knowledge to find out more on your own
• All students will be required to have a personal laptop and bring it to class every week

[Useful Program(s)]

• Sizer 4.0
• Visual Studio Code
• GitHub Desktop
• ReversoSpeller

---

[Misc.]

• SonarSource Rules
• Rules - SEI CERT Oracle Coding Standard for Java - Confluence
• CWE™, a community-developed list of software and hardware weakness types
• CWE/SANS TOP 25 Most Dangerous Software Errors
• Bugs Patterns, The complete list of descriptions given when FindBugs identify potential weaknesses
• OAuth and OpenID Connect, David Neal
• Web Framework Benchmarks
• Lighthouse, an automated tool for improving the quality of web pages.
• Practical Cryptography for Developers
• Why is XAMPP not suited for production?
• Sensitive Data Exposed in GitHub
• Programiz, Learn to Code for Free
• PHP Manual
• AskPython, Start your Python Journey from our top quality tutorials.
• JournalDev - Java, Java EE, Android, Python, Web Development Tutorials
• The Python Package Index (PyPI)
• PYnative - Tips & Tricks
• The Cyber Swiss Army Knife, a web app for encryption, encoding, compression and data analysis
• Golang Tutorial, Blog, Articles and Examples
• Everything you need to know about Django.
• Learn how a medium-sized business managed to successfully include web security testing in their SDLC processes, Acunetix

---

“Improvement begins with I.”, – Arnold H. Glasow.