About the course
ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.
Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? The Secure Coding in .NET course will help students leverage built-in and custom defensive technologies to integrate security into their applications.
What Does the Course Cover?
This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of .NET applications.
Course Syllabus
DEV544.1: Data Validation
Overview
Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, SQL Injection, Open Redirects, and Parameter Manipulation. You will see how to find these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.
The course is full of hands-on exercises in which you apply practical data validation techniques that prevent common attacks, with defenses ranging from input validation and output encoding to newer techniques such as Content Security Policy.
CPE/CMU Credits: 6
Topics
- Web Application Attacks
- Web Application Proxies
- Parameter Manipulation
- Cross-Site Scripting (XSS)
- Open Redirect
- Unvalidated Forwards
- SQL Injection
- HTTP Response Splitting
- Input Validation
- Indirect Selection
- Blacklists
- Whitelists
- Regular Expressions
- Event Validation
- Character Encoding
- Command Encoding
- Content Security Policy
- LINQ & Entity Framework
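The following is an added example, not code from the course materials, showing the Day 1 contrast between vulnerable and fixed C# for three of the topics above: SQL Injection (string concatenation versus a typed SqlParameter), Cross-Site Scripting (output encoding for an HTML body context), and Open Redirect (a local-URL check that mirrors the rule MVC's Url.IsLocalUrl applies). The username rule, the query text and the sample payloads are constructed for illustration. It targets System.Data.SqlClient and needs no database, because the parameterized command is built but never executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Text.RegularExpressions;

public static class DataValidationDemo
{
    // VULNERABLE: the input becomes part of the SQL text, so it can rewrite the query.
    public static string VulnerableLookupSql(string username)
    {
        return "SELECT Id, Email FROM Users WHERE Username = '" + username + "'";
    }

    // FIXED: the query text is constant; the value travels as a typed parameter.
    public static SqlCommand ParameterizedLookup(string username)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE Username = @username");
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
        return cmd;
    }

    // Whitelist validation: accept only the characters a username may contain
    // (hypothetical rule chosen for this example).
    private static readonly Regex UsernameRule =
        new Regex(@"^[A-Za-z0-9_.-]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUsername(string username)
    {
        return username != null && UsernameRule.IsMatch(username);
    }

    // Output encoding for an HTML body context. Attribute, JavaScript and URL
    // contexts need their own encoders; HtmlEncode alone is not enough there.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + WebUtility.HtmlEncode(displayName) + "</p>";
    }

    // Open-redirect guard: accept only path-relative targets on this site.
    // Rejects absolute URLs, "javascript:" and protocol-relative "//host" forms.
    public static bool IsLocalRedirect(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    public static void Main()
    {
        const string payload = "' OR 1=1 --";   // constructed injection payload

        // The concatenated query now matches every row in Users.
        Console.WriteLine(VulnerableLookupSql(payload));

        // The parameterized query text is unchanged; the payload is just a string value.
        SqlCommand cmd = ParameterizedLookup(payload);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine("@username = " + cmd.Parameters["@username"].Value);

        // Whitelist validation rejects the payload before it reaches the database.
        Console.WriteLine("payload passes username rule: " + IsValidUsername(payload));
        Console.WriteLine("'alice_01' passes username rule: " + IsValidUsername("alice_01"));

        // The script tag is rendered as text, not executed.
        Console.WriteLine(RenderGreeting("<script>alert(1)</script>"));

        // Only the same-site path is followed.
        Console.WriteLine("/account       -> " + IsLocalRedirect("/account"));
        Console.WriteLine("//evil.example -> " + IsLocalRedirect("//evil.example"));
        Console.WriteLine("https://evil.example/ -> " + IsLocalRedirect("https://evil.example/"));
    }
}
```

Validation and encoding are complementary, not alternatives: the whitelist stops malformed input at the boundary, the parameter keeps whatever does get through out of the SQL grammar, and the encoder keeps stored data out of the HTML grammar when it is displayed later.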
DEV544.2: Authentication & Session Management
Overview
Authentication, authorization, and session management vulnerabilities are commonly exploited by attackers to gain unauthorized access to web applications. In this section, you will learn about various authentication and authorization attacks such as man-in-the-middle, cross-site request forgery, clickjacking, and session hijacking. Then, you will use a variety of techniques to fix these vulnerabilities in an ASP.NET web application.
CPE/CMU Credits: 6
Topics
- Authentication Factors
- Authentication Attacks
- Authorization Attacks
- Password Management
- ASP.NET Identity
- Forms Authentication & Membership Provider
- Race Conditions
- Session Identifiers
- Man-in-the-middle (MITM) Attacks
- Cross-Site Request Forgery (CSRF)
- Clickjacking
- Session Hijacking
- Session Fixation
- Session Management
- Cookie Security
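The following is an added example, not code from the course, putting several of the Day 2 controls into one ASP.NET MVC 5 login action: an anti-forgery token check against CSRF, an X-Frame-Options filter against clickjacking, discarding the pre-authentication session against session fixation, a single error message to avoid username enumeration, and a local-URL check on the return address. It assumes System.Web.Mvc, Forms Authentication with the Membership provider (one of the options listed above), and a hypothetical LoginModel; the web.config settings named in the comments are the standard forms and httpCookies elements.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for this example.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Clickjacking: tell the browser this response may not be framed.
// Register once with GlobalFilters.Filters.Add(new NoFramingAttribute()) in Global.asax.
public class NoFramingAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader("X-Frame-Options", "DENY");
        base.OnResultExecuting(filterContext);
    }
}

[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken] // CSRF: pairs with @Html.AntiForgeryToken() in the form
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            // Same message for unknown user and wrong password: no username enumeration.
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }

        // Session fixation: Session.Abandon() alone keeps the same ASP.NET_SessionId,
        // so the cookie is also cleared, which makes ASP.NET issue a fresh id on the
        // next request instead of carrying an attacker-planted id across login.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            HttpOnly = true,
            Secure = true
        });

        // Forms-auth ticket. web.config should carry <forms requireSSL="true"/> and
        // <httpCookies httpOnlyCookies="true" requireSSL="true"/> so the ticket cookie
        // is unreadable from script and never sent over plain HTTP.
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

        // Open redirect: follow returnUrl only if it stays on this site.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // logout is state-changing, so it is POST and token-protected
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }
}
```

The same shape applies to ASP.NET Identity: SignInManager replaces Membership.ValidateUser and the cookie middleware replaces FormsAuthentication, but the token check, the session reset, the uniform error and the local-URL test stay exactly where they are.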
DEV544.3: .NET Framework Security
Overview
A secure architecture is critical for mission-critical .NET applications. You will learn about built-in .NET security features such as cryptography, password storage, and web service security, along with many other .NET features you should consider while writing secure code. A number of hands-on exercises will guide you through writing a cryptography utility for storing sensitive data and user passwords, protecting data in memory, exploiting a running application using DLL injection, and much more.
CPE/CMU Credits: 6
Topics
- Cryptography
- Password Storage
- PCI Compliance
- Threading
- String Immutability
- Numeric Overflow
- Risks of Malicious Code
- Exception Handling
- Auditing and Logging
- Web Services
DEV544.4: Secure Software Development Lifecycle
Overview
We will take a look at each phase of the SDLC and discuss how security fits into the process. Using what you have learned about application vulnerabilities, you will get the opportunity to write static analysis rules to identify insecure code. Then you will perform security testing and actually exploit these weaknesses. Once they have been exploited, you will fix them using the secure coding techniques you have learned in class.
CPE/CMU Credits: 6
Topics
- Security Training
- Security Requirements
- Secure Design
- Threat Modeling
- Implementation
- Static Analysis
- Roslyn Diagnostic Analyzers
- Peer Reviews
- Secure Code Review
- Verification
- Dynamic Analysis
- Penetration Test Reports
- Release
- Response
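The following is an added example, not one of the course's own rules, of the kind of static analysis rule the Day 4 exercise has you write: a Roslyn diagnostic analyzer that flags a SqlCommand whose command text is built by string concatenation or interpolation, the pattern behind the SQL Injection material on Day 1. It targets the Microsoft.CodeAnalysis API (DiagnosticAnalyzer, RegisterSyntaxNodeAction, SemanticModel) as shipped in the Microsoft.CodeAnalysis.CSharp NuGet package; the diagnostic id SEC001 and the messages are chosen for this example.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class SqlConcatenationAnalyzer : DiagnosticAnalyzer
{
    public const string DiagnosticId = "SEC001"; // example id, not an established rule

    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        DiagnosticId,
        "SQL command text built from runtime strings",
        "SqlCommand text is assembled with {0}; pass values as SqlParameters instead",
        "Security",
        DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
    {
        get { return ImmutableArray.Create(Rule); }
    }

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        // Look at every "new X(...)" and decide in the callback whether X is SqlCommand.
        context.RegisterSyntaxNodeAction(AnalyzeObjectCreation, SyntaxKind.ObjectCreationExpression);
    }

    private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context)
    {
        var creation = (ObjectCreationExpressionSyntax)context.Node;

        // Resolve the constructed type through the semantic model, so aliases and
        // "using System.Data.SqlClient;" do not matter.
        ITypeSymbol type = context.SemanticModel.GetTypeInfo(creation).Type;
        if (type == null || type.ToDisplayString() != "System.Data.SqlClient.SqlCommand") return;

        if (creation.ArgumentList == null || creation.ArgumentList.Arguments.Count == 0) return;
        ExpressionSyntax commandText = creation.ArgumentList.Arguments[0].Expression;

        // "SELECT ... " + "WHERE ..." made of literals folds to a constant: not injectable.
        if (context.SemanticModel.GetConstantValue(commandText).HasValue) return;

        string how = null;
        var binary = commandText as BinaryExpressionSyntax;
        if (binary != null && binary.IsKind(SyntaxKind.AddExpression))
        {
            how = "string concatenation";
        }
        else if (commandText is InterpolatedStringExpressionSyntax)
        {
            how = "string interpolation";
        }

        if (how != null)
        {
            context.ReportDiagnostic(Diagnostic.Create(Rule, commandText.GetLocation(), how));
        }
    }
}
```

Two limits a practitioner should know before trusting the rule: it only inspects the constructor argument, so `cmd.CommandText = "..." + input` and `string.Format` calls are missed until matching actions are registered for assignments and invocations, and a non-constant argument that is a plain identifier (`new SqlCommand(sql)`) is skipped because the rule does not follow data flow back to where `sql` was built. Both are natural next steps in the exercise; the constant-value check is what keeps the rule quiet on harmless literal splitting.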
Who Should Attend
This course is intended for:
- ASP.NET developers who want to build more secure web applications
- .NET framework developers
- Software engineers
- Software architects
- Developers who need to be trained in secure coding techniques to meet PCI compliance
This class is focused specifically on software development, but it is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective. This could include:
- Application security auditors
- Technical project managers
- Senior software QA specialists
- Penetration testers who want a deeper understanding of how to target ASP.NET web applications or who want to provide more detailed vulnerability remediation options
Prerequisites
Students should have the following:
- At least one year of experience working with ASP.NET and the .NET framework
- Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#
- A thorough knowledge of Web technology
- While this class briefly reviews basic web attacks, a prior understanding of web application vulnerabilities (e.g., the OWASP Top 10) is recommended.
What You Will Receive
- Course Books
- Day 1: Data Validation
- Day 2: Authentication & Session Management
- Day 3: .NET Framework Security
- Day 4: Secure Software Development Lifecycle
- Lab Workbook
- USB drive with a Windows 10 VMware virtual machine used for all hands-on exercises
- MP3 audio files of the completed course lecture
You Will Be Able To
- Use a web application proxy to view HTTP requests and responses.
- Review and perform basic exploits of common .NET web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
- Cross-Site Scripting
- Parameter Manipulation
- Open Redirect
- Unvalidated Forwards
- SQL Injection
- Session Hijacking
- Clickjacking
- Cross-Site Request Forgery
- Man-in-the-middle (MITM)
- Mitigate common web application vulnerabilities using industry best practices in the .NET framework, including the following:
- Input Validation
- Blacklist & Whitelist Validation
- Regular Expressions
- Command Encoding
- Output Encoding
- Content Security Policy
- Client-side Security Headers
- Understand built-in ASP.NET security mechanisms, including the following:
- AntiForgeryToken
- Data Annotations
- Event Validation
- Request Validation
- View State
- Entity Framework
- ASP.NET Identity
- Forms Authentication
- Membership Provider
- WCF
- Web API
- Roslyn Diagnostic Analyzers
- Apply industry best practices (NIST, PCI) for cryptography and hashing in the .NET framework.
- Implement a secure software development lifecycle (SDLC), including threat modeling, static analysis, and dynamic analysis.
Hands-on Training
- Data Validation
- Parameter Manipulation
- SQL Injection
- Cross-Site Scripting
- Password Management
- Session Hijacking
- Cross-Site Request Forgery
- Cryptographic Storage
- Web Services
- Threat Modeling
- Static Analysis Rules
- Secure Code Review Challenge