
Secure Coding for .NET

Course Code

SEC115

Duration

3 Days

Training developers on secure coding practices offers one of the highest returns on investment of any security investment, because it eliminates vulnerabilities at the source. Aspect's .NET Secure Coding Training raises developer awareness of application security issues and provides examples of 'what to do' and 'what not to do'. All examples and exercises are available in both C# and VB.NET; please specify which version best suits your organization. The class is led by an experienced developer and is delivered in a very interactive manner.

This class includes hands-on exercises where the participants get to perform security analysis and testing on a live .NET web application. This specially designed environment includes deliberate flaws the participants have to find, diagnose, and fix. The class also uses .NET coding exercises to provide participants with realistic hands-on secure coding experience. Participants gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.
This course is designed for:
  • C# and VB.NET Software Developers 
  • C# and VB.NET Software Testers 
  • Security Specialists 
  • Application Architects 
Upon completion of this course, participants will be able to:
  • Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)
  • Understand and be able to apply application security design principles.
  • Identify and explain common web application security threats (e.g., Cross-Site Scripting, SQL Injection, Access Control Attacks, “Man-in-the-middle” attacks, etc.) and implement mitigation techniques.
  • Handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts.
  • Implement access control rules for the user interface, business logic, and data layers.
  • Understand how Clickjacking attacks work, and the security headers that can now be used to easily defend against them.
  • Implement simple, straightforward Cross-Site Scripting defenses through proper output encoding, and learn how to detect XSS vulnerabilities throughout an application.
  • Understand the strong benefits of proper input validation, and how to architect an effective and easy to use input validation framework.
  • Understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability.
  • Implement a consistent error (exception) handling and logging approach for an entire web application.
  • Understand when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.
  • Be able to select and implement appropriate auditing/logging capabilities.
  • Avoid this issue with the use of automation.
  • Review their applications for common security vulnerabilities using code review and penetration testing techniques.
  • Be familiar with native .NET security mechanisms such as the crypto APIs, the Identity (current user) and Principal (security context) objects, and how they can be employed to produce secure web applications.
  • Understand the factors involved in securing a Web Services capability.
Introduction
Section Overview: This section describes and introduces the course, and instructors. It also provides setup instructions for the course exercises.
i. Training Program Introduction
ii. Course Objectives, Approach, and Layout
iii. Intro to Aspect Security/Instructors
iv. Participants Introduce Themselves
v. Discussion of Applicable Corporate Initiatives
vi. Review of Course Agenda
vii. Install and Setup Code and Test Environment

Understanding HTTP and Web Technologies
Section Overview: This section is intended to provide the foundations needed to understand the upcoming application security concepts. It begins by describing the HTTP protocol and how it relates to web applications. It dives into various aspects of the protocol, in detail, to assist in the understanding of the entire communication path from client request, server processing, server response, and browser interpretation. It then discusses how a hacker proxy can be used to modify HTTP requests and where this proxy fits into the big picture. Finally, we begin the first hands-on lesson which is intended to get the participants familiar with the hands-on application and comfortable using the testing proxy.
a. HTTP Protocol (Requests, Responses, Headers, Cookies, Parameters, Response Codes)
i. Security of GET vs. POST
ii. SSL and Certificates
iii. Man-in-the-Middle Threat
iv. HTTP Strict Transport Security
b. Introducing a Security Testing Proxy
i. WebGoat Architecture Walkthrough
ii. Visual Studio - Getting Started
iii. Example Lab Description
iv. ZAP Overview
c. .NET Platform Security
i. .NET Language and Platform Features (Managed Code)
ii. .NET Role Based Security
iii. Web and Application Server Mappings
iv. .NET Configuration Tools and Files
v. WebForms Viewstate
vi. Request Validation
vii. WebForms Event Validation
d. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat HTTP Basics
ii. Hands-On Testing Exercise: WebGoat and Proxy

How to Authenticate Users
Section Overview: This section introduces common web authentication methods along with their strengths and weaknesses. It discusses best practices associated with authentication and uses hands-on lessons to demonstrate some common authentication mistakes. Through this we discuss different technology specific authentication uses and configurations.
a. Overview
b. Authentication Mechanisms
c. .NET Authentication Approaches (Forms Authentication, LDAP, Database, Login Controls)
d. How to Protect Credentials from Disclosure
e. How to Protect Against Brute Force Attacks in .NET applications
f. How to Provide Password Management Functions in .NET applications
g. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Basic Authentication
ii. Hands-On Testing Exercise: WebGoat – Authentication Cookies
iii. Spot the Bug(s): Flawed Password Change Page

How to Manage User Sessions
Section Overview: This section includes what session management is and how it works within a web application environment. It discusses common mistakes developers make regarding session management and attacks that can take advantage of these errors. The section discusses best practices associated with session management and technology specific implementation approaches.
a. Introduction to .NET Sessions
b. Explanation of Session Lifecycle in .NET (login, logout, reauthentication, timeouts)
c. How to Protect Against .NET Session Hijacking
d. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Weak Session Identifier
ii. Spot the Bug(s): Logout Flaws

How to Control Access
Section Overview: This section introduces Access Control in a web environment and the various complexities associated with implementing strong access protections. It walks through the importance of checking all access to sensitive functionality, defining application roles and functions, not relying only on presentation rendering, and implementing access controls at different levels, including: declarative (URL), programmatic (API) and instance (data) level. Throughout the section, various technology specific access control uses are discussed and demonstrated. This section also includes common best practices associated with access control.
a. Overview
b. Defining & Architecting Your Access Control Policy
i. .NET Authorization Primitives (Identity, Principal, Role)
ii. Defining an Access Control Matrix
c. .NET Presentation Layer Access Control
i. Single Role vs. Multi-Role Views
d. Environment Enforced Access Control in .NET
i. Attack Surface
ii. Single Role vs. Multi-Role URLs
iii. Declarative .NET Authorization (web.config)
e. Business Layer Access Control In .NET
i. Programmatic .NET Authorization
ii. Single Role vs. Multi-Role Business Functions
iii. .NET MVC Access Control Annotations
f. .NET Data Layer Access Control
i. The Object Reference Problem
g. Other Common .NET Access Control Problems
h. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Access Control
ii. .NET Coding Lab: WebGoat – Access Control (Stages 1-2)
iii. .NET Coding Lab: WebGoat – Access Control (Stages 3-4)
iv. .NET Coding Lab: WebGoat – Access Control (Stages 5-6)

How to Protect Against Cross Site Request Forgery (CSRF)
Section Overview: The section introduces a very common web application attack that most developers aren't familiar with, known as Cross-Site Request Forgery. CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something.
For most sites, such a request will automatically include any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user has authenticated to the site, the site has no way to distinguish this from a legitimate user request. This section discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a. What is CSRF?
b. CSRF Vulnerability Pattern
i. Example Attacks
ii. Attack Illustration
iii. The Same Origin Policy
c. CSRF Vulnerability Types
i. Standard and Stored CSRF
d. CSRF Defenses that Don’t Work
e. CSRF Recommended Defenses
i. Use of CSRF Tokens
ii. Protecting REST Interfaces Against CSRF
iii. .NET MVC – AjaxOnly Attribute
iv. .NET WebForms – Viewstate CSRF Defense
v. OWASP’s CSRF Tester
f. CSRF’s relationship to XSS
g. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – CSRF
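As an added illustration that is not part of the course material, the "Use of CSRF Tokens" defense in ASP.NET MVC terms: a state-changing action that trusts the session cookie alone, beside the same action protected by the framework's anti-forgery token. The controller, view and IProfileStore names are assumed.

```csharp
using System.Web.Mvc;

// Assumed data-layer abstraction; only SetEmail is needed here.
public interface IProfileStore
{
    void SetEmail(string userName, string newEmail);
}

// BEFORE: the action relies on the session cookie alone. A cross-site page
// that auto-submits a POST to /Profile/ChangeEmail is sent with the victim's
// cookie, so it passes [Authorize] and changes the address without the
// user's intent.
public class VulnerableProfileController : Controller
{
    private readonly IProfileStore _profiles;
    public VulnerableProfileController(IProfileStore profiles) { _profiles = profiles; }

    [Authorize]
    [HttpPost]
    public ActionResult ChangeEmail(string newEmail)
    {
        _profiles.SetEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }
}

// AFTER: the same action protected with the framework's synchronizer token.
// [ValidateAntiForgeryToken] compares the hidden form field
// __RequestVerificationToken with the matching anti-forgery cookie (and, in
// MVC 4 and later, with the authenticated user's name). A forged cross-site
// form cannot read the field value, so the request is rejected before the
// action body runs.
public class ProfileController : Controller
{
    private readonly IProfileStore _profiles;
    public ProfileController(IProfileStore profiles) { _profiles = profiles; }

    [Authorize]
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View(); // renders the form shown in the comment below
    }

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (string.IsNullOrWhiteSpace(newEmail))
        {
            ModelState.AddModelError("newEmail", "Address is required.");
            return View();
        }
        _profiles.SetEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }
}

/* Views/Profile/ChangeEmail.cshtml (Razor), which emits the hidden token
   field that the filter checks:

   @using (Html.BeginForm("ChangeEmail", "Profile", FormMethod.Post))
   {
       @Html.AntiForgeryToken()
       @Html.TextBox("newEmail")
       <input type="submit" value="Change" />
   }
*/
```

The GET/POST split also keeps the state change off GET, which the course's "Security of GET vs. POST" item covers.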

How to Protect Against Cross Site Scripting (XSS)
Section Overview: The section covers in detail a very common web application attack known as Cross-Site Scripting (XSS). It explains how and why this attack works and the consequences of such attacks. It introduces and explains two types of XSS attacks (reflected and stored), demonstrates an attack, and walks through various buggy code examples. Finally, it allows the participants to apply what they have learned by executing XSS attacks using hands-on lessons. Throughout the section, different technology specific protections, including output encoding and input validation, are explored and discussed.
a. Overview of XSS
i. Types of XSS (Stored and Reflected)
ii. Tricking the Browser Sandbox
iii. Consequences of XSS
b. How to Solve .NET XSS Problems
i. Proper Output Encoding
ii. .NET MVC auto HTML Entity encoding
iii. .NET MVC manual encoding
iv. Filters
v. Input Validation (.NET Anti-XSS Library)
vi. HTTPOnly
vii. Response Headers to Help Prevent XSS
c. Exercises and Labs
i. Hands-On Testing Exercise: WebGoat – Stored and Reflected XSS
ii. .NET Testing and Coding Lab: XSS Stages 1-4
iii. Hands-On Testing Exercises: WebGoat – HTTPOnly

How to Prevent Clickjacking Vulnerabilities
Section Overview: The section introduces another common web application attack most developers aren’t familiar with. It explains how and why allowing your content to be framed allows this attack to work and the consequences of such attacks. It discusses the significance of these types of flaws and presents several approaches for how developers can defend their applications against this type of attack.
a. Overview of Clickjacking
i. The Attack Deconstructed
ii. Evading CSRF Defenses
iii. Consequences of a Clickjacking Attack
b. How to Defend Against Clickjacking
i. Approach 1: Framebusting Code
ii. Approach 2: X-Frame-Options Header
iii. Approach 3: Content Security Policy (CSP)
c. Exercises and Labs
i. Demo: WebGoat – Clickjacking

How to Architect Input Validation Solutions
Section Overview: The section provides a basis for understanding the importance of proper input validation. It walks through common design and implementation approaches to validating user input and discusses the strengths and weaknesses associated with each approach. It starts off with a focus on threats associated with unvalidated user input. It introduces and explains these threats, demonstrates the attacks, and allows participants to apply what they have learned by using hands-on lessons. Throughout the section, different technology specific protections are explored and discussed, as well as the best practices associated with the quality attributes of proper input validation.
a. Introduction
i. Buffer Overflows in .NET (unmanaged code)
b. General Input Validation Approaches
i. Hidden Fields
ii. Positive Validation
iii. Encoding Schemes
iv. Unchecked Redirects and Forwards
c. How to Validate Outside .NET Applications (Javascript, WAF, Filters)
d. How to Validate Within .NET Applications (Patterns, Libraries, Regex)
i. .NET WebForms Input Validation Infrastructure
ii. .NET MVC Input Validation Infrastructure
e. How to Respond to Input Validation Issues in .NET Applications
f. How to Validate Data from Other Sources (Socket, Mainframe, Message, Web Services, File Upload)
i. Safe File Uploads/Downloads
g. .NET Input Validation Checklist
h. Exercises and Labs:
i. Spot the Bug(s): Input Validation Flaws
ii. Hands-On Testing Exercise: WebGoat – Hidden Fields
iii. Hands-On Testing Exercise: WebGoat – JavaScript

How to Protect Sensitive Data
Section Overview: This section discusses common cryptographic problems associated with web applications. It will demystify and dispel the myth that crypto is extremely complex to use by walking through various simple and straightforward code examples. These code examples are technology specific and include examples of encrypting, decrypting, hashing, and the use of SSL. It also discusses other common flaws that can lead to the exposure of sensitive data.
a. Overview
b. Cryptography in .NET Applications
c. How to Choose the Right Algorithm
d. How to Use .NET Crypto APIs to Encrypt, Decrypt, Sign, and Hash
e. How to Avoid Replay Attacks
f. How to Use SSL
g. How to Protect Sensitive Data in Caches in .NET Applications
h. Exercises and Labs:
i. Spot the Bug(s): Flawed Use of Cryptography

How to Use Databases Securely
Section Overview: The section provides the material necessary to use a database securely. Threats related to securely connecting to a database, validating input, using SQL, handling errors and logging, and validating results are covered. Some architectural concerns are also discussed in terms of centralizing the security functions related to accessing a database securely.
a. Overview/Goals
b. How to Prevent SQL Injection using .NET Stored Procedures/Prepared Statements
c. .NET ORMs
i. LINQ
ii. nHibernate
d. Protecting Database Connection Strings (usernames/passwords)
e. Minimizing Privilege
f. How to Handle SQL Error Lists and Verify Results
g. Database Layer Access Control
h. Architectural Patterns for Database Security (DAO)
i. Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – SQL Injection
ii. .NET Testing and Coding Lab: SQL Injection Stages 1-2
iii. .NET Testing and Coding Lab: SQL Injection Stages 3-4

How to Handle Errors and Log Security Events
Section Overview: This section introduces the importance of proper error handling and security logging mechanisms for security critical events. Throughout the section technology specific logging APIs and error handling strategies will be introduced and discussed.
a. Overview
i. Example Real World Fail Opens
b. How to Configure Error Handling in .NET
c. .NET Error Handling Best Practices and Danger Signs
d. What Events to Log and What Data to Capture
e. Standard .NET Logging Mechanisms
f. Detecting and Responding to Attacks
i. OWASP AppSensor
g. Exercise and Labs:
i. Spot the Bug(s): Improper Error Handling
ii. Hands-On Testing Exercise: WebGoat – Fail Open Authentication Pattern

Avoiding the Use of Components with Known Vulnerabilities
Section Overview: This section introduces the importance of keeping track of which versions of 3rd party and open source components are being used in a project, and of keeping them up to date when new versions become available. Most updates to such components include security fixes, so failing to update introduces significant risk to your applications.
a. Overview
i. A Huge Risk Most Dev Teams aren’t Dealing With
ii. The Proliferation in the Use of Open Source
iii. Serious Vulnerabilities in Open Source are Common
b. What Can You Do?
i. Automation Can Warn You When Your Components Are Out-of-date/Vulnerable
ii. Develop a Process For Updating Frequently

How to Prevent Quality Issues from Introducing Vulnerabilities
Section Overview: Security is directly related to quality: software vulnerabilities rise as the quality of the code falls. This section explores the importance of establishing and following a coding guideline that is tailored to address the security approaches adopted by the project. Some specific code quality problems that are frequently linked with security are included. The section includes a discussion of what can be enforced automatically and some of the relevant tools.
a. Why Code Quality and Deployment Issues Lead to Vulnerabilities
b. General Code Quality Best Practices for Security
c. Handling Debug and Test Code (Debug/Assert, Page Tracing, NUnit)
d. How to Avoid Concurrency Vulnerabilities in .NET Applications
e. Exercises
i. Hands-On Testing Exercise: WebGoat – Clues in HTML
ii. Spot the Bug(s): Find the Concurrency Flaws

How to Use XML Securely
Section Overview: This section discusses the use of XML for data storage and transmission. XML parsers and generators have been abused with certain types of injection attacks that need to be understood. Also, the use of XML schema for validation purposes will be covered. Finally, this section demonstrates the use of XML encryption and signature techniques and discusses scenarios for their use.
a. Overview
b. Security Risks Associated With XML
i. XML Documents and Data Stores
ii. XML-Based Communication
iii. XML Threats and Attacks
iv. XPath Injection Attack
c. Validating XML Content with .NET (DTD, XML Schema)
i. Validation Challenges with XML
d. XML Cryptography and Signatures in .NET

How to Access Services Securely
Section Overview: This section discusses security issues associated with external connections, and walks through various best practices. This section is used as a review of all the practices covered so far. Participants should realize that all the practices they've learned for protection of a web application should apply to an external connection as well.
a. A Pattern for Using Services Securely
i. Vulnerability Examples
b. Applying the Pattern to Prevent Command Injection in .NET Applications
c. Architecting Secure Service Access
d. Examples of How to Access Services Securely from .NET Applications
e. Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – Command Injection

Web Services Security
Section Overview: This section discusses issues related to using web services securely, including the various standards available and special issues related to web services, SOAP, WSDL, and XML Schema.
a. How Do Web Services Work?
b. SOAP Description and Examples
c. Web Services Description Language (WSDL) Description and Examples
d. Example .NET Web Service Client
e. Overview of WS Standards
f. Exercises and Labs:
i. Hands-On Testing Exercise: WebGoat – WS SOAP Request
ii. Hands-On Testing Exercise: WebGoat – WS WSDL Scanning
iii. Hands-On Testing Exercise: WebGoat – WS SQL Injection

HTML5 Security
Section Overview: HTML5 is gaining in popularity and browser support. This section describes a number of security features introduced in HTML5 and how developers can take advantage of them to improve the security of their applications and/or leverage new HTML capabilities in a secure way.
a. What is HTML5
b. HTML5: Local Storage
i. Security Implications of Using IndexedDB
c. HTML5: WebSockets
i. Using WebSockets Securely
d. Cross-Origin Resource Sharing (CORS)
i. CORS Preflight Requests
ii. CORS Security Risks

AppSec at DevOps Speed and Portfolio Scale
Section Overview: Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. This section describes how development organizations can instrument their entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and enable application security activities to generate significant measurable value.
a. Comparison of AppSec to Healthcare
b. Traditional SDLC Approaches
c. Starting Over, at Portfolio Scale, and DevOps Speed
d. Example Sensors
i. Clickjacking
ii. Security Headers
iii. Access Control
iv. Known Vulnerable Components
v. CSRF
vi. Injection
vii. Architecture, Inventory, More …
e. Building Continuous AppSec Throughout Lifecycle
f. What Sensors Does Your Organization Need?
g. What Security Do You Expect vs. What Are You Actually Measuring?
h. Aligning Sensors with Business Concerns
i. Developing a Portfolio Wide Dashboard

References
i. Books
ii. OWASP Resources
iii. Microsoft Application Security Resources
iv. Web Application Security Consortium Guidelines

The Challenge
Section Overview: The challenge section allows participants to step back, look at what they have learned, and apply this knowledge by performing a final hack on the hands-on Challenge lesson. This lesson combines many of the vulnerabilities previously discussed into a single lesson (with multiple stages). Unlike the previous lessons, which include hints to guide participants through each stage of an attack, this lesson contains no hints. While the instructor assists participants, this is the time to allow the participants to use their creativity and the knowledge they have gained from this course to successfully compromise the final lesson.

Exercises and Labs:
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 1 – Break Authentication 
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 2 – Steal the Credit Cards 
  • Hands-On Testing Exercise: WebGoat – Challenge Stage 3 – Deface the Web Site