Certified .NET Application Security Engineer

Day One

Understanding Application Security, Threats and Attacks

• What is a Secure Application
• Need for Application Security
• Most Common Application Level Attacks
• Why Applications become Vulnerable to Attacks
• What Consistutes Comprehensive Application Security ?
• Insecure Application: A Software Development Problem
• Software Security Standards, Models and Frameworks

Security Requirements Gathering

• Importance of Gathering Security Requirements
• Security Requirement Engineering (SRE)
• Abuse Case and Security Use Case Modeling
• Abuser amd Security Stories
• Security Quality Requirements Engneering (SQUARE)
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Day Two

Secure Application Design and Architecture

• Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
• Secure Application Design and Architecture
• Goal of Secure Design Process
• Secure Design Actions
• Secure Design Principles
• Threat Modeling
• Decompose Application
• Secure Application Architecture

Secure Coding Practices for Input Validation

• Input Validation
• Why Input Validation ?
• Input Validation Specification
• Input Validation Approaches
• Input Filtering
• Secure Coding Practices for Input Validation: Web Forms
• Secure Coding Practices for Input Validation: ASP.NET Core
• Secure Coding Practices for Input Validation: MVC

Day Three

Secure Coding Practices for Authentication and Authorization

• Authentication and Authorization
• Common Threats on User Authentication and Authorization
• Authentication and Authorization: Web Forms
• Authentication and Authorization: ASP .NET Core
• Authentication and Authorization: MVC
• Authentication and Authorization Defensive Techniques : Web Forms
• Authentication and Authorization Defensive Techniques : ASP .NET Core
• Authentication and Authorization Defensive Techniques : MVC

Day Four

Secure Coding Practices for Cryptography

• Cryptographic
• Ciphers
• Block Ciphers Modes
• Symmetric Encryption Keys
• Asymmetric Encryption Keys
• Functions of Cryptography
• Use of Cryptography to Mitigate Common Application Security Threats
• Cryptographic Attacks
• Techniques Attackers Use to Steal Cryptographic Keys
• What should you do to Secure .Net Applications for Cryptographic Attacks
• .NET Cryptographic Name Spaces
• .NET Cryptographic Class Hierarchy
• Symmetric Encryption
• Symmetric Encryption: Defensive Coding Techniques
• Asymmetric Encryption
• Asymmetric Encryption: Defensive Coding Techniques
• Hashing
• Digital Signatures
• Digital Certificates
• XML SIgnatures
• ASP.NET Core Specific Secure Cryptography Practices

Day Five

Secure Coding Practices for Session Management

• What are Exceptions/Runtime Errors ?
• Need for Secure Error/Exception Handling
• Consequences of Detailed Error Message
• Exposing Detailed Error Messages
• Considerations: Designing Secure Error Messages
• Secure Exception Handling
• Handling Exceptions in an Application
• Defensve Coding practices against Information Disclosure
• Defensive Coding practices against Improper Error Handling
• ASP .NET Core: Secure Error Handling Practices
• Secure Auditing and Logging
• Tracing .NET
• Auditing and Logging Security Checklists