Secure Coding in .NET: Developing Defensible Applications
6 CPE Credits Per Day
ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.
During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework, and where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.
Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.
Have you ever wondered if ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.
Who should attend:
This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
- Software developers and architects
- Senior software QA specialists
- System and security administrators
- Penetration testers
Prerequisites:
- Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
- While this class briefly reviews basic web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.
...class was well done, and I genuinely appreciate you "breathing life" into 7799. The anecdotal stories were worth the trip as were the experiences of those in classroom who shared.
-Liam Doyle, Regions Financial Corporation
Author Statement
Oliver Lavery brings a decade of experience in security software development and consulting to the Security Compass team. As an experienced software architect, Oliver has an extensive understanding of software development and design issues as well as the practical realities of building security into the software development lifecycle. At the same time, as a renowned security researcher, Oliver has a deep understanding of application and network security issues. This dual background brings a unique insight to bear on Security Compass' projects.
Prior to joining Security Compass, Oliver Lavery was engaged as chief scientist at PivX Solutions Inc., where he was responsible for overseeing the design and development of an award-winning intrusion prevention system product line, performed in-depth vulnerability analysis as part of a cutting-edge research team, and provided consulting services to international corporations.
In the past Mr. Lavery has worked with internationally recognized cryptographers on privacy issues as part of Zero Knowledge Systems Inc.; has provided consulting and development services for clients including MCI, Unilever, Rational Software, and Sun Microsystems; and has participated in bringing a variety of commercial software applications from conception to release. As a security consultant he has been engaged on a variety of projects focusing on network and application penetration testing, reverse-engineering, security code review, vulnerability analysis, forensics, and design oversight of secure systems.
Mr. Lavery is a noted expert in information security and has published ground-breaking vulnerabilities in Microsoft Windows, Internet Explorer, and well-known applications running on the Windows platform. Most notably, a paper authored by Mr. Lavery reintroduced a class of vulnerabilities in Windows that resulted in a slew of patches from Microsoft and major software vendors.