
If you would like to speak to a member of our specialist team, please feel free to call our freephone number or email us directly:

0800 028 6400

enquiries@jbinternational.co.uk


ASP.NET PCI DSS Compliance Training Course

Course code: SECASPNET
Details: 13 June, 2 days, £1500 + VAT
12 September, 2 days, £1500 + VAT
Onsite: Enquire about bringing this course to your offices
Who should attend: Web Developers (ASP.NET) who need to learn about secure coding best practice and implement the guidelines on Payment Card Industry (PCI) Compliance
Prerequisite skills: Experience of developing data-driven ASP.NET web applications in either C# or VB.NET

Clients who have attended this course include

BMI, ASOS, TravelEx

Course Outline

This lab-focused, workshop-style course will provide delegates with a sound understanding of the issues surrounding building secure .NET applications, the OWASP Top 10 risks and the current Payment Card Industry Data Security Standard (PCI DSS) requirements for building secure applications in the .NET Framework, using C# and/or VB.NET.

This workshop will provide delegates with a solid understanding of the issues facing web application developers using ASP.NET. Some aspects covered are generic to all web developers, while others are ASP.NET specific. The vast majority of flaws within ASP.NET applications are due to design or implementation details, or to programmer error.

The workshop will be threat-model driven, and delegates should come with an open mind about structure: many of the topics below will be exposed and discussed in the context of the sites and applications being analysed, rather than in the strict sequence below. As the time available is short, it may not be possible to cover all topics, so delegates are encouraged to set priorities with the instructor at the start of the workshop.

What you will learn

  • Security Principles and SD3
  • A rich list of security techniques
  • Writing secure .NET code
  • How to test security
  • How to build privacy into your application
  • How to secure installations
  • How to write secure documentation and error messages
  • An understanding of OWASP and PCI DSS
  • Writing compliant .NET code in C# and/or VB.NET

WRITING SECURE, PCI COMPLIANT ASP.NET APPLICATIONS

Secure Development Overview

Case Studies
The Need for Secure Systems 
Trustworthy Computing 
Proactive Security Development 
Security Principles 
Threat Modelling

Security Overview

The Need for Secure Systems 
Trustworthy Computing 
Proactive Security Development 
SD 3 : Secure by Design, by Default, and in Deployment 
Security Principles 
Threat Modelling

Security Techniques

Preventing Buffer Overruns
Determining Appropriate Access Control 
Running with Least Privilege
Cryptographic Techniques
Protecting Secret Data 
Guarding against Input 
Canonical Representation Issues
Database Input Issues 
Web-Specific Input Issues
Internationalization Issues 
Socket Security 
Securing RPC, ActiveX Controls, and DCOM 
Protecting Against Denial of Service Attacks

Writing Secure .NET Code

Code Access Security Overview
Using FxCop
Strong-Named Assemblies 
Specifying Assembly Permission Requirements 
Use of Assert 
Demands and Link Demands
Limiting Who Uses Your Code
XML and Configuration Files
Partial Trust Assemblies
Issues with Delegates 
Issues with Serialization 
The Role of Isolated Storage 
Tracing and Debugging
General Good Practices 

Security Testing

The Role of the Security Tester 
Building Security Test Plans from a Threat Model 
Testing Clients with Rogue Servers 
Determining Attack Surface
Performing a Security Code Review 

Secure Software Installation

Principle of Least Privilege 
Using the Security Configuration Editor 
Low-Level Security APIs 

Building Privacy into Your Application

Malicious vs. Annoying Invasions of Privacy 
Major Privacy Legislation 
Privacy vs. Security 
Building a Privacy Infrastructure 
Designing Privacy-Aware Applications

Writing Security Documentation and Error Messages

Security Issues in Documentation 
Security Issues in Error Messages 
Information Disclosure Issues 
Security Usability

PCI DSS v1.2

What’s new?
PCI DSS and OWASP
Common misconceptions

OWASP

What is OWASP?
Current OWASP Top Ten

ASP.NET with PCI DSS

6.5.1 Cross-site scripting (XSS)

  • Understanding XSS
  • Request validation in ASP.NET
  • Validating all parameters before use

6.5.2 Injection flaws

  • Understanding SQL injection
  • Understanding LDAP and XPath injection flaws, as well as other injection flaws
  • ADO.NET and SQL injection
  • Validating input to verify that user data cannot modify the meaning of commands and queries

6.5.3 Malicious file execution

  • Validating input to verify that the application does not accept filenames or files from users
  • Using the File upload control
  • Flash, Java, ActiveX and Silverlight

6.5.4 Insecure direct object references

  • Avoiding exposing internal object references to users.
  • Using Code Access Security in ASP.NET
  • Understanding ASP.NET trust levels

6.5.5 Cross-site request forgery

  • Understanding Cross-site request forgery (CSRF)
  • Dealing with authorization credentials and tokens automatically submitted by browsers
  • Cross site service security policies for Silverlight and Flash

6.5.6 Information leakage and improper error handling

  • Avoiding leaking information via error messages or other means.
  • ASP.NET exception handling
  • Exception handling patterns

6.5.7 Broken authentication and session management

  • Authenticating users and protecting account credentials and session tokens
  • ASP.NET membership system
  • Understanding and configuring ASP.NET session state

6.5.8 Insecure cryptographic storage

  • Preventing cryptographic flaws
  • Using cryptography in .NET
  • Using cryptography in .NET Enterprise Library v4.1

6.5.9 Insecure communications

  • Properly encrypting all authenticated and sensitive communications
  • Understanding secure communications in ASP.NET and WCF

6.5.10 Failure to restrict URL access

  • Consistently enforcing access control in the presentation layer and business logic for all URLs
  • Using the ASP.NET membership system