SC_04: Secure ASP.Net
Length of Class: 3 days
Audience

ASP.Net Web Component Developers, .Net Programmers, Application Architects.

Objective

This course aims to teach developers and architects how to create secure applications in ASP.Net.

Summary

Secure ASP.Net is designed to teach application architects and developers alike how to create secure distributed applications by walking through actual code examples. The course covers major security principles, programming vulnerabilities, and ASP.Net-specific security issues in web applications.

Description

For many years, information security has focused its effort on securing the network from attackers. The current situation is that the vast majority of attacks now occur at the application layer, many passing over port 80 as legitimate HTTP data.

Information security and development experts have recently started to realize that developers are pivotal to ensuring the creation of secure applications. Security needs to be built into applications, not tacked on at the end. To this end, developers need to be trained in how to create secure software.

While there are a plethora of security awareness courses for developers, many are simply ignored by students. Security Compass has some of the most effective hands-on application security training classes available - we consistently receive extremely positive feedback from developers about the real world value of our classes. Our secure coding classes represent years of classroom teaching and curriculum refinement.

The Secure ASP.Net class focuses on teaching developers how to create secure web applications on the .Net platform. While the specific examples and libraries are .Net focused, developers learn concepts that they can easily apply on other platforms.

Students start by reviewing infrastructure basics. Our classroom experience shows us that many developers benefit from reviewing topics such as TCP/IP, HTTP, etc. This section also serves to build the background necessary for the remaining sections of the class.

The next section explores principles in information security. These principles are referenced consistently throughout the rest of the class and serve as a background to a continuing education in application security.

For the remainder of the class, students learn about the major domains of application security: authentication, authorization & access control, session management, cryptography, logging/monitoring & error handling, input validation, and XML & web services. Each section includes unique hands-on training with actual ASP.Net code examples. Students see first-hand the simplicity of an attack and how defensive coding and application configuration can mitigate the risk of that attack. Each section also includes a quiz so that students have a chance to review the material and clarify any misunderstandings.

Requisite Knowledge

Basic ASP or ASP.Net programming

Curriculum

Part 1: Infrastructure Basics
  • TCP/IP
  • HTTP
  • Web client / server components
  • HTTP methods / HTTP response codes
  • SSL / TLS
Part 2: Application Architecture & Security Principles in Relation to .NET
  • Application components
  • Application architecture
  • Principles of security (The Good)
  • Principles of security (The Bad)
  • Secure SDLC - Data classification & Other security concepts
Part 3: Authentication
  • Overview
  • Attacking authentication
  • Declarative vs. imperative authentication
Part 4: Authorization
  • Overview
  • Attacking authorization
  • Declarative vs. imperative authorization
  • Policy configuration
Part 5: Session Management
  • Overview
  • Attacking session management
  • Other session management development issues
Part 6: Cryptography
  • When to use cryptography
  • DPAPI / CAPI
Part 7: Logging & Monitoring and Error Handling
  • Secure logging & monitoring
  • Secure error handling
Part 8: Input Validation
  • Input validation attacks
  • Cross site scripting
  • SQL injection
  • Viewstate / IsPostback
  • Stored procedures / parameterized queries
Part 9: XML & Web Services
  • XML Parsers & Validators
  • Attacking XML parsers
  • Attacking XML validation
  • SOAP protocol
  • Web services security standards