
SANSFIRE 2013

Washington, DC | Fri, Jun 14 - Sat, Jun 22, 2013

DEV544: Secure Coding in .NET: Developing Defensible Applications

ASP.NET and the .NET Framework give web developers tools that allow an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies built into the framework and where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered whether ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? This course will answer these questions and far more.

Course Syllabus
DEV544.1: Data Validation
Instructor: James Jardine | Mon, Jun 17, 2013, 9:00 AM - 5:00 PM
Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.

Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

The course is full of hands-on exercises in which you apply practical data validation techniques that prevent common attacks.

CPE/CMU Credits: 6

Topics

Web Application Attacks

  • Cross Site Scripting
  • Cross Site Request Forgery (CSRF)
  • SQL Injection
  • HTTP Response Splitting
  • Parameter Manipulation

Web Application Proxies

  • Using Fiddler

Validation Concerns

  • Character Encoding
  • Input Validation
  • Output Encoding
  • Blacklisting & Whitelisting

Validation Techniques

  • Validation Controls
  • Server vs. Client side validation
  • Regular Expressions
  • HTML Encoding
  • CAPTCHA
  • ADO.NET
  • Stored Procedures
  • LINQ
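As an added illustration of the Day 1 techniques (whitelist validation, parameterized ADO.NET queries, and HTML output encoding), and not code from the course itself, the following C# places a string-concatenated query beside its parameterized replacement and shows encoding at the point of output. The `Users` table, its `UserName` and `DisplayName` columns, and the connection string are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility (reference System.Web.dll)

// Added example, not course material. The Users table (UserName, DisplayName)
// and the connection string are assumptions for illustration only.
public static class DataValidationExamples
{
    // VULNERABLE: the input becomes part of the SQL text. A value such as
    //   ' OR 1=1 --
    // changes the statement's structure instead of being treated as data.
    public static string BuildQueryUnsafe(string userName)
    {
        return "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Whitelist validation: letters, digits, dot, underscore, hyphen, 1-64 chars.
    // \z is used rather than $ because $ also matches before a trailing newline in .NET.
    public static bool IsValidUserName(string userName)
    {
        return !string.IsNullOrEmpty(userName)
            && Regex.IsMatch(userName, @"^[A-Za-z0-9._-]{1,64}\z");
    }

    // FIXED: the SQL text is constant; the value travels as a typed parameter,
    // so the database never parses it as SQL. Validation stays as a second
    // layer, not as the only defence.
    public static string LookupDisplayName(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("user name failed whitelist validation");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // XSS defence: encode at the point of output, for the context the value
    // lands in (HTML body here; attribute and JavaScript contexts need their
    // own encoders). Request Validation is not a substitute for this step.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    public static void Main()
    {
        Console.WriteLine(BuildQueryUnsafe("' OR 1=1 --"));
        Console.WriteLine(IsValidUserName("' OR 1=1 --"));
        Console.WriteLine(RenderGreeting("<script>alert(1)</script>"));
    }
}
```

Stored procedures and LINQ, the two other Day 1 techniques, follow the same rule: a stored procedure is only a defence when it is invoked with CommandType.StoredProcedure and typed parameters and does not itself assemble dynamic SQL with EXEC, and LINQ to SQL parameterizes query values for you but a concatenated string handed to ExecuteQuery brings the injection back.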
 
DEV544.2: Authentication & Session Management
Instructor: James Jardine | Tue, Jun 18, 2013, 9:00 AM - 5:00 PM
Overview

Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.

You will learn how to use ASP.NET authentication mechanisms and securely implement both Basic and Forms-based authentication. This day is full of hands-on exercises and culminates in a lab where you put everything you have learned together into an application protected by strong authentication controls.

CPE/CMU Credits: 6

Topics

Authentication

  • IIS / ASP.NET pluggable authentication architecture
  • Basic & Digest Authentication
  • .NET Form Based Authentication Framework
  • Windows Authentication
  • Authorization, OS security, and Impersonation
  • SSL Client Certificates
  • Authentication Policies

Protecting Sessions

  • Secure Session ID generation
  • Session data, and persistence
  • Session policies, expiry, etc.
  • Session Hijacking
  • Session Fixation

Authentication Attacks

  • Brute Force Attacks
  • Weak Password Storage
  • Password Reset
  • Secret Questions
 
DEV544.3: Secure .NET Architecture
Instructor: James Jardine | Wed, Jun 19, 2013, 9:00 AM - 5:00 PM
Overview

Understanding how to leverage .NET to design a secure architecture with solid secure coding principles is critical to application security. This day combines tried and tested information security principles with secure coding principles to help you build rock-solid applications.

CPE/CMU Credits: 6

Topics

Architecture

  • Defense in depth
  • Least Privilege
  • Thread Safety
  • Structured Exception Handling
  • Application Logging and Auditing
  • Secure Coding Principles
  • ASP.NET Handlers, Modules and the HTTP Pipeline

.NET Encryption Services

  • Encryption Principles
  • Securing communications
  • Protecting data at rest
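As an added example for the "Protecting data at rest" topic, not code from the course, the following C# encrypts with AES-256-CBC under a fresh random IV and authenticates IV and ciphertext with HMAC-SHA256 under a separate key (encrypt-then-MAC), verifying the tag before any decryption so a padding error can never act as an oracle. The blob layout and the keys generated in Main are assumptions for the demo; real keys belong in a protected store such as DPAPI or a key container, not in source or plain web.config.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not course material. Keys are generated in Main for the demo.
public static class DataAtRestExamples
{
    private const int IvLen = 16;   // AES block size
    private const int TagLen = 32;  // HMAC-SHA256 output

    // Encrypt-then-MAC. Layout: IV || ciphertext || tag
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesManaged())
        {
            aes.Key = encKey;                 // 32 bytes selects AES-256
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                 // never reuse an IV under the same key

            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] body = Concat(aes.IV, ciphertext);
            using (var hmac = new HMACSHA256(macKey))
                return Concat(body, hmac.ComputeHash(body));
        }
    }

    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + IvLen + TagLen)   // IV + one block + tag at least
            throw new CryptographicException("blob too short");

        int bodyLen = blob.Length - TagLen;
        byte[] expectedTag = new byte[TagLen];
        Buffer.BlockCopy(blob, bodyLen, expectedTag, 0, TagLen);

        byte[] actualTag;
        using (var hmac = new HMACSHA256(macKey))
            actualTag = hmac.ComputeHash(blob, 0, bodyLen);

        // Check the tag BEFORE decrypting, in constant time: a padding error
        // surfaced to the caller would otherwise be a padding oracle.
        if (!FixedTimeEquals(actualTag, expectedTag))
            throw new CryptographicException("authentication failed");

        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);

        using (var aes = new AesManaged())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }

        byte[] blob = Protect(Encoding.UTF8.GetBytes("constructed sample secret"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(blob, encKey, macKey)));

        blob[IvLen] ^= 0x01;   // flip one ciphertext bit: rejected before any decryption
        try { Unprotect(blob, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two separate keys matter: reusing the AES key as the HMAC key ties the confidentiality and integrity of the blob to one secret. For securing communications, the companion topic above, the same principle is delivered by TLS rather than by hand-rolled code.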
 
DEV544.4: .NET Framework Security
Instructor: James Jardine | Thu, Jun 20, 2013, 9:00 AM - 5:00 PM
Overview

Starting with threat modeling, the day quickly shifts to how the material from the previous three days fits into the SDLC. We will look at each phase of the SDLC and discuss how security fits into the process. You will get the opportunity to review code from an open source application, identify security flaws, and write the code to remediate them.

CPE/CMU Credits: 6

Topics
  • Threat Modeling
  • Security and the SDLC
  • Secure Code Review
  • Static and Dynamic Analysis Tools
  • Secure Coding
  • Fixing weaknesses in a running application
 
Additional Information
 
  Laptop Required

!!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

  • CPU: 2.0 GHz or faster processor
  • Memory: 4GB of RAM minimum
  • Hard Disk: 20GB of free disk space
  • DVD Drive (minimum 16x recommended)
  • The student should have the capability to have Local Administrator Access within their host operating system

Mandatory Host Operating System Requirements

You must bring a laptop with one of the following operating systems. These operating systems have been verified to be compatible with the course VMware image:

  • Windows 8
  • Windows 7
  • Mac OS X (Lion or Mountain Lion)

Windows XP is no longer supported by Microsoft and is therefore not officially supported for this course. However, a Windows XP host operating system has been independently verified to work with the course VMware image.

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

  • VMware Workstation 8+, VMware Player 5+, or VMware Fusion 5+
  • Zip File Utility (WinZip, 7Zip, or the built-in operating system zip utility)

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring the proper system hardware and operating system configuration
  • Install VMware (Workstation, Player, or Fusion)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend

This class is focused specifically on software development but is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective:

  • Software developers and architects
  • Senior software QA specialists
  • System and security administrators
  • Penetration Testers
 
  Prerequisites
  • Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
  • While this class briefly reviews basic web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.
 

Author Statement

Microsoft has provided a great development platform with .NET. There is a rich set of features, not only for building solid applications, but also for securing those applications. Even with a robust platform and decent security features, unfortunately, there is still a disconnect between building solid applications and building secure applications.

Developers are always up against rigid deadlines, sparse and changing requirements and constant production support issues, which leaves little time for keeping up with the current threats and defenses and inevitably makes security an afterthought. Bolting security on at the end of the development phase leaves applications vulnerable and requires significantly more effort than if the applications were architected with security in mind at the beginning. CWE defines approximately 658 software weaknesses that can be introduced at different points in the software development lifecycle, and an attacker only needs to expose one of these while developers feel pressure to defend against them all. The goal of this course is not to teach developers how to write 100% secure code, but instead to help developers nurture a mindset for creating defensible code from the early stages of the SDL that will allow applications to withstand an attack and provide feedback when under attack, so organizations can adjust and adapt to the changing threat landscape.

This course covers common attacks, including applicable topics from the CWE/SANS Top 25 Most Dangerous Programming Errors, the OWASP Top 10 and deficiencies in the .NET framework, while also providing solid defensive techniques. This course will change the way developers approach the design and implementation of software.

- Jason Montgomery