DEV544: Secure Coding in .NET: Developing Defensible Applications

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. However, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that Windows Communication Foundation (WCF) services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework?

DEV544: Secure Coding in .NET: Developing Defensible Applications will help students leverage built-in and custom defensive technologies to integrate security into their applications. This comprehensive course covers a huge set of skills and knowledge. It is not a high-level theory course. It is about real programming. Students examine actual code, work with real tools, build applications, and gain confidence in the resources they need to improve the security of .NET applications.

Rather than teaching students to use a set of tools, the course teaches students concepts of secure programming . This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates with a security review of a real-world open source application. Students will conduct a code review, review a penetration test report, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that they have learned in class, implement fixes for these issues.

PCI Compliance

Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify processes that require training in secure coding techniques for developers. This is the course for you if your application processes cardholder data and you are required to meet PCI compliance.

You Will Learn To:

  • Understand attackers' methodologies and how they will attack your web application.
  • Apply defensive coding techniques to prevent your application from being compromised.
  • Safeguard your sensitive information using approved cryptography standards.
  • Find vulnerabilities in your application using code review and basic penetration testing techniques.
  • Integrate security into your software development lifecycle.

Course Syllabus
Course Contents
  DEV544.1: Data Validation
Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. On the first day of this course, students will examine some of the most prevalent web application vulnerabilities, such as XSS, SQL Injection, Open Redirects and Parameter Manipulation. You will learn how to find these issues and how to re-create them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

The course is full of hands-on exercises where you can apply practical data validation techniques to prevent common attacks with defense, including input validation, output encoding and the use of new techniques like Content Security Policy.

CPE/CMU Credits: 6

Topics
  • Web Application Attacks
  • Web Application Proxies
  • Parameter Manipulation
  • Cross-Site Scripting (XSS)
  • Open Redirect
  • SQL Injection
  • HTTP Response Splitting
  • Input Validation
  • Indirect Selection
  • Blacklists
  • Whitelists
  • Regular Expressions
  • Event Validation
  • Character Encoding
  • Command Encoding
  • Content Security Policy
  • LINQ and Entity Framework
 
  DEV544.2: Authentication and Session Management
Overview

A secure architecture is vital for mission-critical .NET applications. This course day examines various built-in .NET security features such as cryptography, password storage, web service security, and many other .NET features you should consider while writing secure code. A number of hand-on exercises will guide you through writing a cryptography utility for storing sensitive data and user passwords, protecting data in memory, exploiting a running application using DLL Injection and much more.

CPE/CMU Credits: 6

Topics
  • Authentication Factors
  • Authentication Attacks
  • Authorization Attacks
  • Password Management
  • Basic, Digest and Windows Authentication
  • Forms Authentication and Membership Provider
  • Race Conditions
  • Session Identifiers
  • Man-in-the-middle Attacks
  • Cross-Site Request Forgery
  • Clickjacking
  • Session Hijacking
  • Session Fixation
  • Session Management
  • Cookie Security
  • ViewState
 
  DEV544.3: .NET Framework Security
Overview

Understanding how to leverage .NET to design a secure architecture with solid secure coding principals is critical to application security. This course day combines tried and tested information security principals with secure coding principals to help you build rock-solid applications.

CPE/CMU Credits: 6

Topics
  • Cryptography
  • Password Storage
  • Threading
  • String Immutability
  • Numeric Overflow
  • Risks of Malicious Code
  • Exception Handling
  • Auditing and Logging
  • Web Service Security
 
  DEV544.4: Secure Software Development Lifecycle
Overview

This session looks at each phase of the secure software development lifecycle (SDLC) and discusses how security fits into the process. Using what they have learned about web application vulnerabilities, students will review code from an open-source application to identify various vulnerabilities. Then you will perform security testing and actually exploit these weaknesses. Once these weaknesses have been exploited, you will fix them using the security coding techniques learned during the course.

CPE/CMU Credits: 6

Topics
  • Security Training
  • Security Requirements
  • Secure Design
  • Threat Modeling
  • Implementation
  • Static Analysis
  • Peer Reviews
  • Secure Code Review
  • Verification
  • Dynamic Analysis
  • Penetration Test Reports
  • Release
  • Response
 
Additional Information
 
  Laptop Required

!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE INSTRUCTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

VMware Player is a free download that does not require a commercial license.

Mandatory Laptop Requirements

  • Mandatory Host Hardware Requirements
    • Central Processing Unit (CPU): 2.0+ GHz processor or higher
    • Memory: 4 GB of RAM minimum
    • Hard disk: 20 GB of free disk space
    • Working USB 2.0 or higher port
    • Students should have the capability to have Local Administrator Access within their host operating system
  • Mandatory Host Operating System Requirements

You must bring a laptop with one of the operating systems listed below. These operating systems have been verified to be compatible with the course VMware image:

    • Windows 8
    • Windows 7
    • Mac OS X (Lion or Mountain Lion)

Windows XP is no longer supported by Microsoft and is therefore not officially supported for this course. However, a Windows XP host operating system has been independently verified to work with the course VMware image.

  • Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to the course:

    • VMware Workstation 8+, VMware Player 5+, or VMware Fusion 5+
    • Zip File Utility (WinZip, 7Zip, or the built-in operating system zip utility)

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring the proper system hardware and operating system configuration
  • Install VMware (Workstation, Player or Fusion)
  • Make sure you have a working USB drive. The course VM will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • ASP.NET developers who want to build more secure web applications
  • .NET framework developers
  • Software engineers
  • Software architects
  • Developers who need to be trained in secure coding techniques to meet PCI compliance

While this course is focused specifically on software development, it is accessible enough for anyone who is comfortable working with code and who has an interest in understanding the developer's perspective. This includes:

  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of how to target ASP.NET web applications or who want to provide more detailed vulnerability remediation options
 
  Prerequisites
  • At least one year of experience working with ASP.NET and the .NET framework.
  • Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
  • A thorough knowledge of web technology.
  • While this class briefly reviews basic web attacks, a prior understanding of web application vulnerabilities (i.e. the OWASP Top 10) is recommended.
 
  Other Courses People Have Taken

Other Courses People Have Taken

Courses that lead in to DEV544

  • DEV522: Defending Web Applications Security Essentials

Courses that are good follow-ups to DEV544

  • DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
  • SEC542: Web App Penetration Testing and Ethical Hacking

 
  What You Will Receive
  • Course books
    • Day 1: Data Validation
    • Day 2: Authentication and Session Management
    • Day 3: .NET Framework Security
    • Day 4: Secure Software Development Lifecycle
  • Lab workbook
  • USB drive with a Windows 8.1 VMware virtual machine used for all hands-on exercises
  • Windows 8.1 Standard License
 
  You Will Be Able To
  • Use a web application proxy to view HTTP requests and responses.
  • Review and perform basic exploits of common .NET web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
    • Cross-Site Scripting
    • Parameter Manipulation
    • Open Redirect
    • SQL Injection
    • Session Hijacking
    • Clickjacking
    • Cross-Site Request Forgery
    • Man-in-the-middle
  • Mitigate common web application vulnerabilities using industry best practices in the .NET framework, including:
    • Input Validation
    • Blacklist and Whitelist Validation
    • Regular Expressions
    • Command Encoding
    • Output Encoding
    • Content Security Policy
    • Client-side Security Headers
  • Understand built-in ASP .NET security mechanisms, including:
    • Event Validation
    • Request Validation
    • View State
    • Entity Framework
    • Forms Authentication
    • Membership Provider
    • Windows Communication Foundation
  • Apply industry best practices (NIST, PCI) for cryptography and hashing in the .NET framework.
  • Implement a secure software development lifecycle (SDLC) to include threat modeling, static analysis and dynamic analysis.
 
  Hands-on Training
  • Parameter Manipulation
  • SQL Injection
  • Cross-Site Scripting
  • Session Hijacking
  • Cross-Site Request Forgery
  • Cryptographic Storage
  • WCF Web Services
  • Secure Code Review Challenge
 
  Press & Reviews

"This is a must-have for all applications and must-know for all developers. I recommend it to my colleagues." - Praveen Palety, Western Union Business Solutions

"It is shocking to see how much we are missing in our code. I am going back to change the code immediately." - Ruojie Wang, New Jersey Hospital Association

"DEV544 covers the fundamentals of security. Many tools and concepts have been introduced." - Duc Bui, WorldPay

"DEV544 does a terrific job at discussing security in .Net, a fairly elusive part of .net programming." - Craig Allyn Moore, Oncology Nursing Society

"This course illustrated just how easy it is to write exploitable code and how to prevent the attacks." - Brian Scoggins, TransCard, LLC

 

Author Statement

Developers are always up against rigid deadlines, sparse and changing requirements, and constant production support issues. This leaves little time for keeping up with current threats and defenses, and inevitably makes security an afterthought. Bolting security on at the end of the development phase leaves applications vulnerable, and requires significantly more effort than if the applications were architected with security in mind from the beginning. CWE defines approximately 658 software weaknesses that can be introduced at different points in the software development lifecycle. An attacker only needs to expose one of these, while developers feel pressure to defend against them all. The goal of this course is not to teach developers how to write 100% secure code, but instead to help developers change their mindset to developing defensible code from the early stages of the software development lifecycle. This will allow applications to withstand an attack and provide feedback when under attack, enabling organizations to adjust and adapt to the changing threat landscape.

This course covers common attacks - including applicable topics from the CWE/SANS Top 25 Most Dangerous Programming Errors, the OWASP Top 10 and deficiencies in the .NET framework - while also providing solid defensive techniques. It will change the way developers approach the design and implementation of software. Take part in this exciting class and arm yourself with the knowledge to protect your .NET applications. - Eric Johnson

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.
Type
Topic
Course
/ Location
/ Instructor
Date
Register

Training Event
Developer
SANS 2015
Orlando, FL
Apr 11, 2015 -
Apr 18, 2015
 

SelfStudy
Developer
Online
Anytime  

OnDemand
Developer
Online
Anytime  

Onsite
All OnSite Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.