Attacking and Securing .Net Web Applications is a lab-intensive, hands-on .Net security training course that provides unique coverage of .Net application security. In this course, students begin with penetration testing, hunting for bugs in .Net web applications. They then thoroughly examine best practices for defensively coding web applications, covering all the OWASP Top Ten as well as several additional prominent vulnerabilities (such as file uploads, CSRF and direct object references). Students will repeatedly attack and then defend various assets associated with fully functional web applications and services. This hands-on approach drives home the mechanics of how to secure .Net web applications in the most practical of terms. The course ends with an extensive discussion of what a mature application security presence would provide to the developers within an organization.
Student Testimonials
Instructor did a great job, from experience this subject can be a bit dry to teach but he was able to keep it very engaging and made it much easier to focus.
Student
Excellent presentation skills, subject matter knowledge, and command of the environment.
Student
Instructor was outstanding. Knowledgeable, presented well, and class timing was perfect.
Student
Prerequisites
This is an intermediate-level .Net secure programming course, designed for experienced .Net developers who wish to get up and running on developing well-defended software applications. Familiarity with C# is required and real-world programming experience is highly recommended. Ideally, students should have approximately 6 months to a year of practical .Net development experience.
Detailed Class Syllabus
Session: Bug Hunting Foundation
Lesson: Why Hunt Bugs?
Security and Insecurity
Dangerous Assumptions
Attack Vectors
Lab: Case Study in Failure
Lesson: Safe and Appropriate Bug Hunting/Hacking
Working Ethically
Respecting Privacy
Bug/Defect Notification
Bug Bounty Programs
Session: Scanning Web Applications
Lesson: Scanning Applications Overview
Scanning Beyond the Applications
Fingerprinting
Vulnerability Scanning: Hunting for Bugs
Reconnaissance Goals
Data Collection Techniques
Fingerprinting the Environment
Enumerating the Web Application
Session: Moving Forward From Hunting Bugs
Lesson: Removing Bugs
Open Web Application Security Project (OWASP)
OWASP Top Ten Overview
Web Application Security Consortium
CERT Secure Coding Standards
Bug Hunting Mistakes to Avoid
Tools and Resources
Session: Foundation for Securing Web Applications
Lesson: Principles of Information Security
Security Is a Lifecycle Issue
Minimize Attack Surface Area
Layers of Defense: Tenacious D
Compartmentalize
Consider All Application States
Do NOT Trust the Untrusted
Lab: Working with Visual Studio
Lab: Case Study: Setup And Analysis
Session: Bug Stomping 101
Lesson: Unvalidated Data
Buffer Overflows
Integer Arithmetic Vulnerabilities
Unvalidated Data: Crossing Trust Boundaries
Defending Trust Boundaries
Whitelisting vs Blacklisting
Lab: Defending Trust Boundaries
Lab: Applying Regular Expressions
Lesson: A1: Injection
Injection Flaws
SQL Injection Attacks Evolve
Drill Down on Stored Procedures
Other Forms of Injection
Minimizing Injection Flaws
Lab: Defending Against SQL Injection
Lesson: A2: Broken Authentication
Quality and Protection of Authentication Data
Handling Passwords on Server Side
SessionID Risk Reduction
HttpOnly and Security Headers
Lab: Defending Authentication
Lesson: A3: Sensitive Data Exposure
Protecting Data Can Mitigate Impact
In-Memory Data Handling
Secure Pipes
Failures in TLS/SSL Framework
Lesson: A4: XML External Entities (XXE)
XML Parser Coercion
XML Attacks: Structure
XML Attacks: Injection
Safe XML Processing
Lab: Safe XML Processing
Lesson: A5: Broken Access Control
Access Control Issues
Excessive Privileges
Insufficient Flow Control
Unprotected URL/Resource Access
Examples of Shabby Access Control
Sessions and Session Management
Lab: Spotlight: Verizon
Lab: Unsafe Direct Object References
Session: Bug Stomping 102
Lesson: A6: Security Misconfiguration
System Hardening: IA Mitigation
Application Whitelisting
Least Privileges
Anti-Exploitation
Secure Baseline
Lesson: A7: Cross Site Scripting (XSS)
XSS Patterns
Persistent XSS
Reflective XSS
DOM-Based XSS
Best Practices for Untrusted Data
Lab: Defending Against XSS
Lesson: A8/9: Deserialization/Vulnerable Components
Deserialization Issues
Identifying Serialization and Deserialization
Vulnerable Components
Software Inventory
Managing Updates
Lab: Spotlight: Equifax
Lesson: A10: Insufficient Logging and Monitoring
Fingerprinting a Web Site
Error-Handling Issues
Logging In Support of Forensics
Solving DLP Challenges
Lab: Error Handling
Lesson: Spoofing, CSRF, and Redirects
Name Resolution Vulnerabilities
Fake Certs and Mobile Apps
Targeted Spoofing Attacks
Cross Site Request Forgeries (CSRF)
CSRF Defenses
Lab: Cross-Site Request Forgeries
Session: Moving Forward with Application Security
Lesson: Applications: What Next?
Common Vulnerabilities and Exposures
CWE/SANS Top 25 Most Dangerous SW Errors
Strength Training: Project Teams/Developers
Strength Training: IT Organizations
Leveraging Common AppSec Practices and Control
Lab: Spotlight: Capital One
Lesson: Making Application Security Real
Cost of Continually Reinventing
Paralysis by Analysis
Actionable Application Security
Additional Tools for the Toolbox
Lesson: .NET Issues and Best Practices
Managed Code and Buffer Overflows
.Net Permissions
ActiveX Controls
Proper Exception Handling
Lab: Securing the Business Layer
Session: Exploring .Net Cryptography
Lesson: .Net Cryptographic Services
The Role of Cryptographic Services
Hash Algorithms and Hash Codes
Encrypting Data Symmetrically
Encrypting Data Asymmetrically
Lab: Cryptography Wrapper for .Net