Dev544 Secure Coding in .NET : Developing Defensible Applications (4 Day Course) Course Overview. ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET, 2.0 Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.
During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework, where you need to build security in by hand. We’ll also examine strategies for building applications that will be secure both today and in the future.
Rather than focusing on traditional web attacks from the attacker’s perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.
Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel un-easy relying solely only on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.
* Who should attend:
This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
+ Software developers and architects
+ Senior software QA specialists
+ System and security administrators
+ Penetration Testers
o Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
o While this class briefly reviews basic web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.
Day 1 Data Validation
Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.
Beginning on the first day, you will learn about some of the most prevalent web applications vulnerabilities such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot some of these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.
The course is full of hands on exercises where you can apply practical data validation techniques that you can use to prevent common attacks.
* Topics Covered:
o Web Application Attacks
+ Cross Site Scripting
+ Cross Site Request Forgery (CSRF)
+ SQL Injection
+ HTTP Response Splitting
+ Parameter Manipulation
o Web Application Proxies
+ Using Fiddler
o Validation Concerns
+ Character Encoding
+ Input Validation
+ Output Encoding
+ Blacklisting & Whitelisting
o Validation Techniques
+ Validation Controls
+ Server vs. Client side validation
+ Regular Expressions
+ HTML Encoding
+ Stored Procedures
“As a SysAdmin, I found this tack invaluable. It not on”
Day 2 Authentication & Session Management
Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.
You will learn how to use ASP.NET Authentication mechanisms and securely implement both Basic and Form Based Authentication. This course is full of hands on exercises and culminates in a lab where you put everything you learned together into an application that is protected by strong authentication controls.
* Topics Covered:
+ IIS / ASP.NET pluggable authentication architecture
+ Basic & Digest Authentication
+ .NET Form Based Authentication Framework
+ Windows Authentication
+ Authorization, OS security, and Impersonation
+ SSL Client Certificates
+ Authentication Policies
o Protecting Sessions
+ Secure Session ID generation
+ Session data, and persistence
+ Session policies, expiry, etc.
+ Session Hijacking
+ Session Fixation
o Authentication Attacks
+ Brute Force Attacks
+ Weak Password Storage
+ Password Reset
+ Secret Questions
Day 3 Secure .NET Architecture
Understanding how to leverage .NET to design a secure architecture with solid secure coding principals is critical to application security. This course combines tried and tested information security principals with secure coding principals to help you build rock solid applications.
* Topics Covered:
+ Defense in depth
+ Least Privilege
+ Thread Safety
+ Structured Exception Handling
+ Application Logging and Auditing
+ Secure Coding Principals
+ ASP.NET Handlers, Modules and the HTTP Pipeline (might be good to combine this with day 2)
o NET Encryption Services
+ Encryption Principals
+ Securing communications
+ Protecting data at rest
Day 4 .NET Framework Security
Code-centric security is one of the primary benefits of .NET. This course takes the student neck–deep into the details of .NET’s security architecture and the calculation and formulation of permission grants as well as a detailed presentation of permission enforcement and the .NET’s security administration and execution model.
* Topics Covered:
o Code Access Security
o Global Assembly Cache
o Strong and Weak Named Assemblies
o The Common Language Runtime
o Execution Model
o Security Zones
o Code Groups
o Hacking .NET Security
o Security Policy and Hierarchy
o Permission Calculations
o Assembly Permission Requests
o Permission Enforcement and Stack Walks
If you have any inquiry or questions, please don’t hesitate to contact us.