Andaira Technology

We improve processes, we reduce costs

Advanced C#, ASP.NET and Web Application Security 


Certification: N/A

Accreditation: None

Duration: 3 days

Language of materials: English

Format: Classroom (in person)

Credits: N/A

Introduction:

Beyond a solid knowledge of how to use the various security features of .NET and ASP.NET, it is essential, even for experienced programmers, to have a deep understanding of Web-related vulnerabilities on both the server and the client side, along with the consequences of the various risks.

In this course, the general web-based vulnerabilities are demonstrated by presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of ASP.NET. Special focus is given to client-side security, tackling the security issues of JavaScript, Ajax and HTML5.

The course also deals with the security architecture and components of the .NET framework, including code- and role-based access control, permission declaration and checking mechanisms, and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and operation of the various algorithms, on which basis the course presents the cryptographic features that can be used in .NET.

The introduction of the different security bugs follows the well-established vulnerability categories, tackling input validation, security features, error handling, time- and state-related problems, the group of general code quality issues, and a special section on ASP.NET-specific vulnerabilities. These topics are concluded with an overview of testing tools that can be used to automatically reveal some of the bugs learnt.

Topics are presented through practical exercises in which participants can try out for themselves the consequences of certain vulnerabilities, the mitigations, and the APIs and tools discussed.

Audience:

Web developers using ASP.NET

Objectives:

Individuals certified at this level will have demonstrated:

  • Knowledge of the basic concepts of security, IT security, cryptography and secure coding
  • Understanding of Web vulnerabilities beyond the OWASP Top Ten and of how to avoid them
  • Understanding of client-side vulnerabilities and secure coding practices
  • Knowledge of how to use the various security features of the .NET development environment
  • Awareness of some recent vulnerabilities in .NET and ASP.NET
  • Knowledge of typical coding mistakes and how to avoid them
  • Practical knowledge of using security testing tools
  • Sources and further reading on secure coding practices

Prerequisites:

None

Course materials:

You will receive the following as part of this course:

  • A participant handbook with reference materials
  • Virtual machine with the exercises (to be distributed by the instructor on a USB drive)

Exam:

There are no exams associated with this course.

Technical requirements:

A preinstalled exercise environment, in the form of a desktop virtual machine, will be distributed to participants on USB sticks by the instructor at the start of the course.

Hardware and software specifications for the host PCs used are:

  • CPU: equivalent to Core i5 with virtualization technology is recommended; minimum is Core i3 (or equivalent laptop processors)
  • RAM: 4 GB is recommended; minimum is 2 GB
  • At least 20 GB of free space on the HDD
  • Display resolution: minimum 1024×768 (the larger the better)
  • Keyboard, mouse: any can be used as long as participants are familiar with them
  • VMware Player: minimum version 3.2, preferred 5.0.4

Syllabus:

IT security and secure coding

  • Nature of security
  • IT security related terms
  • Definition of risk
  • Different aspects of IT security
  • Requirements of different application areas
  • IT security vs. secure coding
  • From vulnerabilities to botnets and cyber crime
  • Classification of security flaws

Web application vulnerabilities

  • Injection
  • Broken authentication and session management
  • Cross-Site Scripting (XSS)
  • Insecure direct object reference
  • Missing function level access control
  • Cross Site Request Forgery (CSRF)
  • Unvalidated redirects and forwards

Client-side security

  • JavaScript security
  • Ajax security
  • HTML5 Security

.NET security architecture and services

  • .NET architecture
  • Code Access Security
  • Role-based security

Basics of cryptography

  • Cryptosystems
  • Symmetric-key cryptography
  • Other cryptographic algorithms
  • Asymmetric (public-key) cryptography
  • Public Key Infrastructure (PKI)
  • Cryptography in .NET

ASP.NET security architecture

  • ASP.NET basics
  • ASP.NET features
  • ASP.NET authentication and identity management
  • ASP.NET authorization

ASP.NET security features and vulnerabilities

  • Custom protected configuration providers
  • Postback validation
  • Viewstate protection
  • Event validation
  • Accessing disabled and hidden controls
  • Control sequence attacks
  • NULL byte termination vulnerability
  • Real life example – Forms Authentication Bypass
  • Denial of service possibilities

Typical coding errors in .NET

  • Input validation
  • Improper use of security features
  • Improper error and exception handling
  • Time and state problems
  • Code quality problems

Using security testing tools

  • Web vulnerability scanners
  • SQL injection tools
  • Proxy servers and sniffers
  • Exercise – Capturing network traffic
  • Static code analysis

Advice and principles

  • Matt Bishop’s principles of robust programming
  • The security principles of Saltzer and Schroeder

Knowledge sources

  • Secure coding sources – a starter kit
  • Vulnerability databases