DEV544: Secure Coding in .NET: Developing Defensible Applications
ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET, 2.0 Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.
During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework, where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.
Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.
Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely only on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.
|DEV544.1: Data Validation|
Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.
Beginning on the first day, you will learn about some of the most prevalent web applications vulnerabilities such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot some of these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.
The course is full of hands on exercises where you can apply practical data validation techniques that you can use to prevent common attacks.
CPE/CMU Credits: 6
Web Application Attacks
Web Application Proxies
|DEV544.2: Authentication & Session Management|
Broken authentication and session management are common issues that can compromise the integrity of your system. Such weak authentication protections can allow an attacker to expose your most sensitive secrets: your data! You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.
You will learn how to use ASP.NET Authentication mechanisms and securely implement both Basic and Form Based Authentication. This course is full of hands on exercises and culminates in a lab where you put everything you learned together into an application that is protected by strong authentication controls.
CPE/CMU Credits: 6
|DEV544.3: Secure .NET Architecture|
Understanding how to leverage .NET to design a secure architecture with solid secure coding principals is critical to application security. This course combines tried and tested information security principals with secure coding principals to help you build rock solid applications.
CPE/CMU Credits: 6
NET Encryption Services
|DEV544.4: .NET Framework Security|
Starting off with covering Threat Modeling, the day quickly shifts into how the information provided over the past 3 days fits into the SDLC. We will take a look at each phase of the SDLC and discuss how security fits into the process. You will get the opportunity to review code from an open source application to identify security flaws and write the code to remediate them.
CPE/CMU Credits: 6
Supported Operating Systems
To complete the labs in class, the following Operating System is supported. Additionally, Internet Information Services should be installed as well.
Laptops must be pre-installed with the following Software
Visual Studio IDE
If choosing Visual Studio Express Editions you must install both:
* Please note that the SQL Server that is installed with this application is not R2. R2 must be installed separately. It is required to use the Upgrade option (if it exists) if performing this after the installation of Web Developer 2010 Express.
For retail versions of Visual Studio, just:
Database Server Software
SQL Server 2008 R2 Express Edition* (The start menu should show "Microsoft SQL Server 2008 R2" as an option)
The Express Edition of SQL Server works best in this lab environment. While the Developer, Standard, or Enterprise editions of SQL Server will work, they may require additional manual configuration.
Other Required Software
Other Installation Options: Virtual Machine
Installing all of the above on a virtual machine is a supported configuration provided there is enough RAM available on the host operating system to make available to the development image.
NOTE: Have the operating system CD (or ISO) with you at class as well as any other media in case your system has issues.
If you have additional questions about the laptop specifications, please contact email@example.com.
|Who Should Attend|
This class is focused specifically on software development but is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective:
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.