Comprehensive C# and .NET Application Security
-
INTRODUCTION
Several programming languages compile to the .NET and ASP.NET platforms. The environment provides powerful security mechanisms, but developers have to know how to apply architecture- and coding-level techniques in order to implement the required security functionality, avoid vulnerabilities, or at least limit their exploitation.
This course teaches developers, through numerous hands-on exercises, how to prevent untrusted code from performing privileged actions, protect resources with strong authentication and authorization, provide remote procedure calls, handle sessions, choose between different implementations of a given piece of functionality, and more. A dedicated section covers configuring and hardening the .NET and ASP.NET environment for security.
-
COURSE OBJECTIVES
By the end of the course, you'll be able to:
- Understand basic concepts of security, IT security and secure coding
- Get familiar with essential cyber security concepts
- Understand Web application security issues
- Analyse the OWASP Top Ten in detail
- Put Web application security in the context of C#
- Go beyond the low-hanging fruit
- Manage vulnerabilities in third-party components
- Get information about some recent vulnerabilities in .NET and ASP.NET
- Learn about typical coding mistakes and how to avoid them
- Get practical knowledge in using security testing tools
- Learn to use various security features of the .NET development environment
- Have a practical understanding of cryptography
- Get sources and further readings on secure coding practices
- Understand some recent attacks against cryptosystems
-
COURSE AUDIENCE
This course is made for:
- IT Specialists
- Software Developers
- Web Developers
-
COURSE OUTLINE
Day One
Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types
- Consequences of insecure software
Broken Authentication
- Authentication
- Password management
- Session management
- Using tokens
- Cookie security
Day Two
Sensitive Data Exposure
- Information exposure
- Exposure through extracted data and aggregation
- Case study – Strava data exposure
- Privacy violation
- System information leakage
- Information leakage through side channels
- Information exposure best practices
XML External Entities (XXE)
- DTD and the entities
- Attribute blowup
- Entity expansion
- External Entity Attack (XXE)
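As an added illustration of the XXE and entity-expansion topics above (example code written for this page, not material from the course), the following C# program parses two constructed payloads with a DTD-enabled XmlReader and, beside it, a reader configured the way untrusted XML should be read in .NET. The file path in the XXE payload is an illustrative assumption.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not part of the course material. Shows a DTD-enabled reader that resolves
// external entities (XXE) beside one configured the way untrusted XML should be parsed.
public static class XmlHardeningDemo
{
    // Constructed XXE payload: an external entity pointing at a local file.
    // file:///etc/hostname is only an illustrative target path (assumption for the demo).
    public const string XxePayload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<data>&xxe;</data>";

    // Constructed entity-expansion payload (a small "billion laughs"): each level expands 10x,
    // so &c; becomes 1000 characters from a few dozen bytes of input.
    public const string BlowupPayload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [\n" +
        "  <!ENTITY a \"aaaaaaaaaa\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n" +
        "]>\n" +
        "<data>&c;</data>";

    // Vulnerable configuration: DTDs are parsed and an XmlUrlResolver fetches SYSTEM entities,
    // so the referenced file's contents end up inside <data>.
    public static string ReadDataVulnerable(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        return ReadData(xml, settings);
    }

    // Hardened configuration: no DTD at all (the reader throws XmlException on <!DOCTYPE>),
    // no resolver, and a cap on expanded entity text as defence in depth.
    public static string ReadDataHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 256
        };
        return ReadData(xml, settings);
    }

    private static string ReadData(string xml, XmlReaderSettings settings)
    {
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        if (!reader.ReadToFollowing("data"))
            throw new XmlException("no <data> element");
        // ReadElementContentAsString expands any entity references in the element text.
        return reader.ReadElementContentAsString();
    }

    public static void Main()
    {
        foreach (var (name, payload) in new[] { ("XXE", XxePayload), ("entity expansion", BlowupPayload) })
        {
            try
            {
                var text = ReadDataVulnerable(payload);
                Console.WriteLine($"[vulnerable] {name}: {text.Length} chars returned");
            }
            catch (Exception e)
            {
                Console.WriteLine($"[vulnerable] {name}: {e.GetType().Name}: {e.Message}");
            }

            try
            {
                ReadDataHardened(payload);
                Console.WriteLine($"[hardened] {name}: parsed (unexpected)");
            }
            catch (XmlException e)
            {
                Console.WriteLine($"[hardened] {name}: rejected, {e.Message}");
            }
        }
    }
}
```

Run it with `dotnet run` in a console project targeting .NET 6 or later. The vulnerable reader returns the file's contents for the XXE payload (or a file-not-found error on a machine without that path) and 1000 expanded characters for the second payload; the hardened reader rejects both at the DOCTYPE, which is the behaviour ASP.NET code handling untrusted XML should rely on rather than on library defaults that differ between framework versions.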
Day Three
Broken Access Control
- Access control basics
- Failure to restrict URL access
- Confused deputy
- File upload
Cross-site Scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- XSS protection best practices
Day Four
Using Components with Known Vulnerabilities
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Importing JavaScript
- Case study – The British Airways data breach
- Vulnerability management
XML Security
- XML validation
- XML injection
Day Five
Denial of Service
- Flooding
- Resource exhaustion
- Sustained client engagement
- Denial of service problems in C#
- Infinite loop
- Economic Denial of Sustainability (EDoS)
- Denial of service
- Algorithm complexity issues
Cryptography for Developers
- Cryptography basics
- Crypto APIs in C#
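As an added illustration of the "Crypto APIs in C#" topic (example code written for this page, not course material; it assumes .NET 8 or later for the AesGcm constructor that takes a tag size), the following program shows authenticated encryption with System.Security.Cryptography.AesGcm: a fresh random nonce per message, the nonce and tag carried with the ciphertext, associated data bound to the message, and decryption failing closed when a single ciphertext bit is flipped.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not course material: authenticated encryption with the built-in AesGcm API.
// Demonstrates the two rules developers most often get wrong: a fresh random nonce per message
// and failing closed when the authentication tag does not verify.
public static class AesGcmDemo
{
    private const int NonceSize = 12; // 96-bit nonce, the size AES-GCM is specified for
    private const int TagSize = 16;   // 128-bit authentication tag

    // Output layout: nonce || ciphertext || tag, so the receiver needs only the key.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, byte[] associatedData)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize); // never reuse a nonce under one key
        var ciphertext = new byte[plaintext.Length];
        var tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);

        var output = new byte[NonceSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, output, 0, NonceSize);
        Buffer.BlockCopy(ciphertext, 0, output, NonceSize, ciphertext.Length);
        Buffer.BlockCopy(tag, 0, output, NonceSize + ciphertext.Length, TagSize);
        return output;
    }

    public static byte[] Decrypt(byte[] key, byte[] blob, byte[] associatedData)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("blob too short to contain nonce and tag");
        var nonce = blob.AsSpan(0, NonceSize);
        var tag = blob.AsSpan(blob.Length - TagSize, TagSize);
        var ciphertext = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        var plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, TagSize);
        // Throws AuthenticationTagMismatchException (a CryptographicException) on any tampering
        // with the ciphertext, the tag, the nonce or the associated data; no plaintext is released.
        aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
        return plaintext;
    }

    public static void Main()
    {
        var key = RandomNumberGenerator.GetBytes(32);   // AES-256 key; real code loads it from a key store
        var aad = Encoding.UTF8.GetBytes("user-id=42");  // constructed associated data: authenticated, not encrypted
        var blob = Encrypt(key, Encoding.UTF8.GetBytes("session payload"), aad);

        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, blob, aad)));

        blob[NonceSize] ^= 0x01; // flip one bit of the ciphertext
        try
        {
            Decrypt(key, blob, aad);
            Console.WriteLine("tampered blob accepted (bug)");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered blob rejected");
        }
    }
}
```

The design choice worth noting is that the caller never sees a plaintext unless the tag verified, and the associated data lets the application bind context such as a user identifier to the ciphertext so a blob cannot be replayed for a different user; the same API shape is what the course's "Crypto APIs in C#" section covers, in contrast to unauthenticated modes such as AES-CBC without a MAC.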