Advanced Security

Defending .NET

Course Learning Objectives

  • Recognize insecure coding practices behind the web application vulnerabilities found in the OWASP Top 10
  • Implement defensive coding techniques in .NET 4.5 and learn about common frameworks and tools to help support secure coding in .NET
  • Contrast between insecure and secure coding practices through examples taken from our vulnerable .NET web application

Description

Understand Microsoft .NET 4.5 vulnerabilities common to the OWASP Top 10, and see how these vulnerabilities affect .NET web applications. Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design and judge effectiveness of secure coding practices. This course will build upon high-level concepts in the OWASP Top 10 by deep diving into each concept from a developer's perspective and demonstrating insecure vs. secure code.

Audience

.NET developers / .NET architects

Time Required

Tailored learning - 60 minutes total

Course Outline

  1. Defending cross-site request forgery
    • Review of CSRF in .NET
    • Anti-CSRF Tokens
    • Implementing anti-CSRF
    • Reviewing our solution
  2. Defending forced browsing
    • Review of forced browsing
    • Downloading arbitrary files
    • Indirect access maps
    • Implementing access maps
    • Reviewing our solution
  3. Defending insecure storage
    • Review of insecure storage
    • Managing private keys
    • Hashes
    • Salts
    • PBKDF2
    • AES Encryption
    • Encrypting files with PBKDF2
    • Decrypting files
  4. Defending redirects
    • Review of unvalidated redirects
    • Unchecked redirect in .NET
    • URL access mapping
    • Reviewing our solution
  5. Defending SQL injection
    • Review of SQL injection
    • Query with bind parameters
    • Changing the secure query
    • Reviewing our solution
  6. Defending cross-site scripting
    • Review of XSS
    • Insecure output
    • Escaping
    • AntiXSS and Encoder in .NET
    • Importance of context
    • Reviewing our solution
  7. Defending authorization and session management
    • Review of the problem
    • Sessions
    • Session timeout
    • Configuring timeouts
    • Container-based authorization
    • Autocomplete

$200.00 (prices shown in USD)