DEV544: Secure Coding in .NET: Developing Defensible Applications

It is shocking to see how much we are missing in our code. I am going back to change the code immediately.

Ruojie Wang, New Jersey Hospital Association

DEV544 covers the fundamentals of security. Many tools and concepts have been introduced.

Duc Bui, WorldPay

ASP.NET and the .NET framework provide developers with tools that give them an unprecedented degree of flexibility and productivity. However, these sophisticated tools also make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Microsoft has done a fantastic job of providing security controls in the .NET framework, but the responsibility is still on application developers to understand how to configure and implement the security controls to ensure that their own code is secure.

DEV544 is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course, you will examine actual code, work with real tools, defend applications, and gain confidence in the resources you need for the journey to improve the security of .NET applications.

Rather than teaching students to use a set of tools, this course teaches students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

Students will explore the security controls across the entire .NET ecosystem. DEV544 focuses heavily on ASP.NET MVC and .NET Core technologies (including the Identity and Web APIs), while offering bonus material on legacy WebForms application development technology. The course exercises contain a variety of target applications to attack, defend, and secure, including a ReactJS Single Page Application, .NET Core Web APIs, .NET framework MVC web applications, and a legacy WebForms application.

The class culminates with a security review of a real-world open-source application. You will write custom static analysis rules to discover insecure .NET code, conduct a code review, review a penetration test report, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that you have learned in class, implement fixes for these issues.

PCI Compliance

Section 6.5 of the Payment Card Industry (PCI) Data Security Standard instructs auditors to verify that processes exist that require training in secure coding techniques for developers. If your application processes cardholder data and you are required to meet PCI compliance, then this course is for you.

Be secure. Before you're next.

You Will Learn To:

  • Understand attackers' methodology and how they will attack your web application
  • Apply defensive coding techniques to prevent your application from being compromised
  • Safeguard your sensitive information using approved cryptography standards
  • Find vulnerabilities in your application using code review and basic pen test techniques
  • Integrate security into your software development lifecycle

Course Syllabus

Overview

Day 1 starts with an examination of improper data validation. You will learn about data validation techniques and the most prevalent web application vulnerabilities caused by missing or weak data validation: cross-site scripting (XSS), SQL injection, unvalidated redirects, parameter manipulation, deserialization attacks, and XML injection. You will see how to find these issues and how to re-create them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

Exercises
  • Web Application Proxies
  • Data Validation
  • Parameter Manipulation
  • Unvalidated Redirects
  • Cross-Site Scripting (XSS)
  • Browser Header Protections
  • SQL Injection

CPE/CMU Credits: 6

Topics
  • Web Application Attacks
  • Web Application Proxies
  • Data Validation
  • Model Validation
  • Regular Expressions
  • Parameter Manipulation
  • Unvalidated Redirects
  • Cross-Site Scripting (XSS)
  • ASP.NET Encoders
  • Content Security Policy (CSP)
  • SQL Injection
  • OS Command Injection
  • LDAP Injection
  • XML Injection
  • XPath Injection
  • XML External Entity Expansion (XXE)
  • Insecure Deserialization

Overview

Day 2 covers authentication, authorization, and session management vulnerabilities that are commonly exploited by attackers to gain unauthorized access to web applications. In this section, you will learn about various authentication and authorization attacks such as man-in-the-middle, cross-site request forgery, clickjacking, and session hijacking. Then you will use a variety of techniques - including ASP.NET Identity, strict transport security, session management hardening, and custom authorization - to fix these vulnerabilities in an ASP.NET web application and a React single page application.

Exercises
  • Forgot Password Code Review
  • Custom HTTP Modules and Handlers
  • ASP.NET Identity Authentication and Authorization
  • Session Management Security
  • Cross-Site Request Forgery (CSRF) and Clickjacking
  • Client-side Single Page Application Security (React)

CPE/CMU Credits: 6

Topics
  • Authentication Factors
  • Authentication Attacks
  • Authorization Attacks
  • Password Management
  • Two-Factor Authentication
  • HTTP Handlers
  • ASP.NET Core Middleware
  • ASP.NET Identity
  • Session Management
  • Man-in-the-middle (MITM) Attacks
  • Strict Transport Security
  • Session Hijacking
  • Session Fixation
  • Cross-Site Request Forgery (CSRF)
  • Antiforgery Tokens
  • Clickjacking
  • Single Page Application (SPA) Security
  • Angular and React JS Security

Overview

Day 3 builds a secure architecture for .NET applications. You will learn about various built-in .NET framework security features such as cryptography, password storage, secrets management, exception handling, and security audit logging. Students will see the risks associated with referencing open-source packages and understand how to scan packages for known vulnerabilities. Day 3 finishes by taking an in-depth look at Web API security, securing web services with middleware, and JSON Web Token (JWT) security.

Exercises
  • Cryptography
  • Numeric Overflow
  • Secure Exception Handling
  • Secure Audit Logging
  • Reflection
  • Web API Security

CPE/CMU Credits: 6

Topics
  • Cryptography
  • Password Storage
  • Secrets Management
  • PCI Compliance
  • Secure Memory Management
  • Exception Handling
  • Auditing and Logging
  • Dependency Management/Supply Chain Security
  • Web API Security
  • Web API Middleware
  • JSON Web Token (JWT) Security

Overview

Day 4 looks at each phase of the secure development lifecycle and how security fits into the daily workflow. Using what you have learned about application vulnerabilities, you will get the opportunity to write static analysis rules that identify insecure code as it is written in Visual Studio. The second half of the day is a hands-on capstone exercise that requires students to perform a security assessment of a real-world open-source eCommerce application. Students will perform security testing and practice exploiting the weaknesses with a few open-source attack tools. After the attack phase is complete, students must fix the vulnerabilities using the secure coding techniques learned in class.

Exercises
  • Threat Modeling
  • Static Code Analysis with Roslyn
  • Peer Code Reviews
  • Dynamic Application Security Testing

CPE/CMU Credits: 6

Topics
  • Security Training
  • Security Requirements
  • Secure Design
  • Threat Modeling
  • Implementation
  • Static Analysis
  • Roslyn Diagnostic Analyzers
  • Peer Reviews
  • Secure Code Review
  • Verification
  • Dynamic Analysis
  • Penetration Test Reports
  • Release
  • Response

Additional Information

Laptop Requirements

!!IMPORTANT - PLEASE PLAN ON ARRIVING AT CLASS AT LEAST 30 MINUTES EARLY THE FIRST MORNING TO SET UP THE VIRTUAL MACHINE BEFORE CLASS STARTS. BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 14, VMware Fusion 10, or VMware Workstation Player 14. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Mandatory Host Hardware Requirements

  • CPU: 64-bit 2.5+ GHz multi-core processor or higher (IMPORTANT - A 64-bit system processor is mandatory)
  • Memory: 8GB of RAM minimum
  • Hard Disk: 60GB of free disk space minimum
  • Working USB 2.0 or higher port
  • Students must have Local Administrator access on their host operating system

Mandatory Host Operating System Requirements

You must bring a laptop with one of the following operating systems that are compatible with the Windows Enterprise VMware virtual machine image:

  • Windows (8.1 or 10) Enterprise or Professional
  • Mac OS X (Sierra, High Sierra, Mojave)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

  • VMware Workstation 14+, VMware Workstation Player 14+, or VMware Fusion 10+
  • Zip File Utility (built-in operating system zip utility or 7zip)

IN SUMMARY, BEFORE YOU BEGIN THE COURSE YOU SHOULD:

  • Bring the proper system hardware and operating system configuration
  • Install VMware (Workstation, Workstation Player, or Fusion)
  • Make sure you have a working USB drive. The course VM will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

This course is intended for:

  • ASP.NET developers who want to build more secure web applications
  • .NET framework developers
  • Software engineers
  • Software architects
  • Developers who need to be trained in secure coding techniques to meet PCI compliance

The course focuses specifically on software development, but it is accessible enough for anyone who is comfortable working with code and has an interest in understanding the developer's perspective. This could include:

  • Application security auditors
  • Technical project managers
  • Senior software QA specialists
  • Penetration testers who want a deeper understanding of how to target ASP.NET web applications or who want to provide more detailed vulnerability remediation options

Prerequisites

  • At least one year of experience working with ASP.NET and the .NET framework
  • Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
  • A thorough knowledge of web technology
  • While this class briefly reviews basic web attacks, a prior understanding of web application vulnerabilities (i.e., the OWASP Top 10) is recommended.

What You Will Receive

  • Course Books
    • Day 1: Data Validation
    • Day 2: Authentication & Session Management
    • Day 3: .NET Framework Security
    • Day 4: Secure Software Development Lifecycle
  • Lab Workbook
  • USB drive with a Windows 10 VMware virtual machine used for all hands-on exercises
  • MP3 audio files of the complete course lecture

You Will Be Able To

  • Use a web application proxy to view HTTP requests and responses
  • Review and perform basic security tests for common .NET web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
    • Cross-Site Scripting
    • Parameter Manipulation
    • Unvalidated Redirects
    • SQL Injection
    • XML External Entity Injection (XXE)
    • Deserialization Vulnerabilities
    • Session Hijacking
    • Clickjacking
    • Cross-Site Request Forgery
    • Man-in-the-middle (MITM)
  • Mitigate common web application vulnerabilities using industry best practices in the .NET framework, including the following:
    • Input Validation
    • Command Encoding
    • Output Encoding
    • Client-side Security Headers
    • Two-Factor Authentication
    • Access Control/Entitlement Checks
    • Strong Cryptography
    • Secure Memory Management
    • Web Service Hardening
    • Secure Development Lifecycle (SDL)
  • Understand built-in ASP.NET security mechanisms, including the following:
    • ASP.NET Identity Authentication
    • ASP.NET Role and Claims Authorization
    • ASP.NET Core Middleware
    • Model Validation Data Attributes
    • AntiForgeryToken
    • Entity Framework Parameterization
    • .NET Cryptography API
    • React JS Security
    • Web API
    • JWT Configuration and Validation
    • Roslyn Diagnostic Analyzers
    • ASP.NET Request Validation
    • WebForms Output Encoding
  • Apply industry best practices (NIST, PCI) for cryptography and hashing in the .NET framework
  • Implement a secure software development lifecycle, including threat modeling, static analysis, and dynamic analysis.

"This is a must-have for all applications and must-know for all developers. I recommend it to my colleagues." - Praveen Palety, Western Union Business Solutions

"DEV544 does a terrific job at discussing security in .NET, a fairly elusive part of .NET programming." - Craig Allyn Moore, Oncology Nursing Society

"This course illustrated just how easy it is to write exploitable code and how to prevent the attacks." - Brian Scoggins, TransCard, LLC

Author Statement

"Developers are always up against rigid deadlines, sparse and changing requirements, and constant production support issues. This leaves little time for keeping up with current threats and defenses, and inevitably makes security an afterthought. Bolting security on at the end of the development phase leaves applications vulnerable and requires significantly more effort than if the applications were architected with security in mind at the beginning. CWE defines approximately 658 software weaknesses that can be introduced at different points in the software development lifecycle. An attacker only needs to expose one of these, while developers feel pressure to defend against them all. The goal of this course is not to teach developers how to write 100% secure code, but instead to help them change their mindset to developing defensible code from the early stages of the development lifecycle. This will allow applications to withstand an attack and provide feedback when under attack, so organizations can adjust and adapt to the changing threat landscape.

"This course covers common attacks, including applicable topics from the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors. It also covers how to detect vulnerabilities in .NET code, and defensive techniques for fixing those vulnerabilities. Our goal is to help you design and implement secure software. Take part in this exciting class and arm yourself with the knowledge to protect your .NET applications!"

- Eric Johnson

*Course contents may vary depending upon location, see specific event description for details.