3 Day Training

Intermediate Level

.NET Developers

Instructor Led
CBT / Remote
Training Available

Course Overview

Students will gain valuable insight into developing secure Microsoft .NET applications for the .NET Framework up to version 4.5.

The course will help students understand web application attacks and how they arise from insecure coding practices. Students will then see how .NET secure coding techniques are applied to defend against these coding defects.

Students will learn to define and identify secure code, differentiate between secure coding methods, employ secure code in practice, and design secure coding practices and judge their effectiveness.

Students completing this class will find their secure coding abilities materially sharpened and will be able to integrate these techniques into their own organizations.

Learning Objectives

  • Explain the vulnerabilities and exploits facing modern web applications, including common weaknesses in .NET code
  • Learn and implement defensive coding methods in .NET, and the tools that can help support secure coding
  • Gain hands-on experience writing secure code and adding security controls to vulnerable source code examples

Outline

1. Defending CSRF

  • Review of the problem
    • Non-tokenized pattern
    • CSRF in .NET
  • Anti-CSRF Tokens
    • Generating a token
    • Implementing Anti-CSRF
    • Solution
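
The following is an added illustration of the synchronizer-token defence this module covers; it is not part of the course materials. It assumes an ASP.NET MVC application on .NET Framework 4.5; the controller, the session key name "__csrf" and the EmailStore stand-in are hypothetical. It shows a hand-rolled token beside the framework's own [ValidateAntiForgeryToken], so the reader can see what the attribute does for them.

```csharp
// Added illustration for the "Defending CSRF" module; not course material.
// Assumes ASP.NET MVC on .NET Framework 4.5 (System.Web, System.Web.Mvc).
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Hand-rolled synchronizer token, to show what the framework does for you.
public static class CsrfToken
{
    private const string SessionKey = "__csrf";   // hypothetical key name

    // Generate a 256-bit random token once per session and keep it server-side.
    public static string GetOrCreate(HttpSessionStateBase session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Compare the submitted token with the stored one in constant time so the
    // comparison itself does not leak how many leading characters matched.
    public static bool IsValid(HttpSessionStateBase session, string submitted)
    {
        var expected = session[SessionKey] as string;
        if (expected == null || submitted == null || expected.Length != submitted.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }
}

public class AccountController : Controller
{
    // BEFORE: any site the victim visits can POST this form and the browser
    // attaches the victim's session cookie; nothing ties the request to a page
    // this application served.
    [HttpPost]
    public ActionResult ChangeEmailInsecure(string newEmail)
    {
        EmailStore.Set(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }

    // AFTER (manual): the view renders CsrfToken.GetOrCreate(Session) into a
    // hidden field named "csrf"; the POST is rejected unless it comes back intact.
    [HttpPost]
    public ActionResult ChangeEmailManual(string newEmail, string csrf)
    {
        if (!CsrfToken.IsValid(Session, csrf))
            return new HttpStatusCodeResult(403, "CSRF token missing or invalid");
        EmailStore.Set(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }

    // AFTER (framework): the view emits @Html.AntiForgeryToken(); the attribute
    // checks the hidden field against the __RequestVerificationToken cookie and
    // throws HttpAntiForgeryException before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        EmailStore.Set(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }
}

// Stand-in for the real user store (hypothetical).
public static class EmailStore
{
    private static readonly ConcurrentDictionary<string, string> Emails =
        new ConcurrentDictionary<string, string>();
    public static void Set(string user, string email) { Emails[user] = email; }
    public static string Get(string user) { string e; return Emails.TryGetValue(user, out e) ? e : null; }
}
```

Both defences rely on the token being unguessable and on the browser's same-origin policy keeping it out of a third-party page; a reflected XSS on the same origin defeats either, which is why the XSS module matters to CSRF as well.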

2. Defending Forced Browsing

  • Review of the problem
    • Downloading arbitrary files
    • Forced Browsing
  • Indirect Access Maps
    • Creating mappings
    • Implementing access maps
    • Solution

3. Defending Insecure Storage

  • Review of the problem
    • Storing information
    • Managing Keys
  • Salting Hashes
    • Problem with hashes
    • Adding a salt
    • Solution
  • PBKDF2
    • Deriving a key from password
    • Implementing RFC 2898
  • AES Encryption
    • Encrypting files with PBKDF2
    • Decrypting files
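
The following is an added illustration of the three techniques listed in this module (salted hashes, PBKDF2 per RFC 2898, and AES with a PBKDF2-derived key); it is not the course's own code. It uses only the System.Security.Cryptography classes that ship with .NET Framework 4.5. The iteration count, the stored-hash format and the file layout (salt, then IV, then ciphertext) are choices made for this example.

```csharp
// Added illustration for "Salting Hashes", "PBKDF2" and "AES Encryption"
// (module 3); not the course's own code. Formats and iteration count are
// this example's own choices.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 100000;   // raise as hardware allows

    // BEFORE ("problem with hashes"): one unsalted SHA-256 per password, so
    // equal passwords give equal hashes and one precomputed table cracks
    // every user at once.
    public static string HashInsecure(string password)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    // AFTER: random per-user salt + PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) with
    // a high iteration count. Stored form: iterations.salt.hash (base64 parts).
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Iterations + "." + Convert.ToBase64String(salt) + "." +
                   Convert.ToBase64String(kdf.GetBytes(HashSize));
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;                            // constant-time comparison
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

public static class FileCrypto
{
    private const int Iterations = 100000;

    // Layout written: salt (16) || IV (16) || AES-256-CBC ciphertext. The key is
    // derived from the passphrase with a fresh salt each time, so the same
    // passphrase never yields the same key or ciphertext twice.
    public static void Encrypt(string plainPath, string cipherPath, string passphrase)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
        using (var aes = Aes.Create())
        {
            aes.Key = kdf.GetBytes(32);          // 32 bytes selects AES-256
            aes.GenerateIV();
            using (var outFs = File.Create(cipherPath))
            {
                outFs.Write(salt, 0, salt.Length);
                outFs.Write(aes.IV, 0, aes.IV.Length);
                using (var cs = new CryptoStream(outFs, aes.CreateEncryptor(), CryptoStreamMode.Write))
                using (var inFs = File.OpenRead(plainPath))
                    inFs.CopyTo(cs);             // disposing cs writes the final padded block
            }
        }
    }

    public static void Decrypt(string cipherPath, string plainPath, string passphrase)
    {
        using (var inFs = File.OpenRead(cipherPath))
        {
            var salt = new byte[16];
            var iv = new byte[16];
            ReadExactly(inFs, salt);
            ReadExactly(inFs, iv);
            using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
            using (var aes = Aes.Create())
            {
                aes.Key = kdf.GetBytes(32);
                aes.IV = iv;
                using (var cs = new CryptoStream(inFs, aes.CreateDecryptor(), CryptoStreamMode.Read))
                using (var outFs = File.Create(plainPath))
                    cs.CopyTo(outFs);            // wrong passphrase: CryptographicException on bad padding
            }
        }
    }

    private static void ReadExactly(Stream s, byte[] buf)
    {
        for (int read = 0; read < buf.Length; )
        {
            int n = s.Read(buf, read, buf.Length - read);
            if (n == 0) throw new EndOfStreamException("truncated ciphertext");
            read += n;
        }
    }
}
```

Two caveats a reviewer would raise: CBC here gives confidentiality only, so a production design should add an HMAC over salt, IV and ciphertext (encrypt-then-MAC) and verify it before decrypting; and Rfc2898DeriveBytes in .NET 4.5 is fixed to HMAC-SHA1, which is acceptable for PBKDF2 but is a reason to keep the iteration count high.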

4. Defending Redirects

  • Review of the problem
    • Tampered query strings
    • Unchecked redirect
  • URL Mapping
    • GUIDs mapped to URLs
    • Solution
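
The following is an added illustration serving both the "Indirect Access Maps" item in module 2 and the "GUIDs mapped to URLs" item in module 4, since both are the same indirect-reference-map technique applied to file paths and to redirect targets respectively; it is not the course's own code. It assumes an ASP.NET MVC application on .NET Framework 4.5; the controllers, the report directory and the partner URL are hypothetical.

```csharp
// Added illustration for "Indirect Access Maps" (module 2) and "GUIDs mapped
// to URLs" (module 4); not the course's own code. Paths and URLs are hypothetical.
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Web.Mvc;

// One indirect-reference map serves both problems: the client only ever sees
// an opaque GUID, and the server resolves it back to the real file path or
// URL. A tampered or guessed key simply fails to resolve.
public class IndirectMap<T>
{
    private readonly ConcurrentDictionary<Guid, T> _map = new ConcurrentDictionary<Guid, T>();

    public Guid Add(T realValue)
    {
        var key = Guid.NewGuid();            // 122 random bits; not enumerable
        _map[key] = realValue;
        return key;
    }

    public bool TryResolve(string key, out T realValue)
    {
        Guid parsed;
        realValue = default(T);
        return Guid.TryParse(key, out parsed) && _map.TryGetValue(parsed, out realValue);
    }
}

public class FilesController : Controller
{
    private const string ReportRoot = @"C:\app\reports";   // hypothetical

    // BEFORE (forced browsing / arbitrary download): the request names the
    // file, so ?name=..\web.config is served, and a rooted name replaces the
    // whole base path in Path.Combine.
    public ActionResult DownloadInsecure(string name)
    {
        return File(Path.Combine(ReportRoot, name), "application/octet-stream", name);
    }

    // The listing page mints a key for each file this user may have.
    public ActionResult Index()
    {
        var key = GetMap().Add(Path.Combine(ReportRoot, User.Identity.Name, "q1.pdf"));
        ViewBag.DownloadKey = key;           // view renders /Files/Download?key=<guid>
        return View();
    }

    // AFTER: only keys this session minted resolve; there is no path to traverse.
    public ActionResult Download(string key)
    {
        string realPath;
        if (!GetMap().TryResolve(key, out realPath))
            return HttpNotFound();
        return File(realPath, "application/pdf", Path.GetFileName(realPath));
    }

    private IndirectMap<string> GetMap()
    {
        var map = Session["fileMap"] as IndirectMap<string>;
        if (map == null) Session["fileMap"] = map = new IndirectMap<string>();
        return map;
    }
}

public class RedirectController : Controller
{
    // BEFORE (unchecked redirect): ?returnUrl=http://evil.example is followed.
    public ActionResult GoInsecure(string returnUrl)
    {
        return Redirect(returnUrl);
    }

    // Application-wide table of legitimate destinations, keyed by GUID.
    private static readonly IndirectMap<string> Destinations = new IndirectMap<string>();
    public static readonly Guid PartnerSiteKey = Destinations.Add("https://partner.example/login");

    // AFTER: the query string carries only a key; unknown keys go home.
    public ActionResult Go(string key)
    {
        string target;
        if (!Destinations.TryResolve(key, out target))
            return RedirectToAction("Index", "Home");
        return Redirect(target);
    }
}
```

The per-session map for files doubles as an authorization check, because a key only exists for files the listing page decided to show that user; the application-wide map for redirects is a whitelist in disguise, and for local return URLs Url.IsLocalUrl is the simpler alternative.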

5. Defending SQL Injection

  • Review of the problem
    • Listing customer tables
    • SQL Injection tampering
  • Bind Parameters
    • Changing the secure query
    • Implementing bind parameters
    • Solution
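
The following is an added illustration of the concatenated query beside its parameterized replacement; it is not the course's own code. It assumes SQL Server through System.Data.SqlClient on .NET Framework 4.5 and a hypothetical Customers table with Name and Email columns.

```csharp
// Added illustration for "Bind Parameters" (module 5); not the course's own
// code. Assumes SQL Server via System.Data.SqlClient and a hypothetical
// Customers(Name, Email, Created) table.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public class CustomerRepository
{
    private readonly string _connStr;
    public CustomerRepository(string connStr) { _connStr = connStr; }

    // BEFORE: the name is pasted into the SQL text. Input of
    //   ' OR 1=1 --
    // lists every customer, and a stacked statement after a closing quote
    // does worse. Escaping quotes by hand is the wrong fix: it misses numeric
    // contexts, alternate encodings and driver quirks.
    public List<string> FindInsecure(string name)
    {
        var sql = "SELECT Email FROM Customers WHERE Name = '" + name + "'";
        return Run(sql, cmd => { });
    }

    // AFTER: the SQL text is fixed and the value travels separately. The
    // server binds @name as data, so a quote in it can never become syntax.
    public List<string> Find(string name)
    {
        const string sql = "SELECT Email FROM Customers WHERE Name = @name";
        return Run(sql, cmd => cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name);
    }

    // Parameters cannot bind identifiers. When the caller chooses the sort
    // column, check it against a fixed list instead of concatenating it.
    private static readonly HashSet<string> SortColumns =
        new HashSet<string>(StringComparer.Ordinal) { "Name", "Email", "Created" };

    public List<string> FindSorted(string name, string sortBy)
    {
        if (!SortColumns.Contains(sortBy)) sortBy = "Name";
        var sql = "SELECT Email FROM Customers WHERE Name = @name ORDER BY " + sortBy;
        return Run(sql, cmd => cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name);
    }

    private List<string> Run(string sql, Action<SqlCommand> bind)
    {
        var result = new List<string>();
        using (var conn = new SqlConnection(_connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            bind(cmd);
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
                while (rdr.Read())
                    result.Add(rdr.IsDBNull(0) ? "" : rdr.GetString(0));
        }
        return result;
    }
}
```

Declaring the parameter's type and length (NVarChar, 100) rather than relying on AddWithValue also keeps the server's query plan stable and stops an oversized input from being sent as a different type.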

6. Defending XSS

  • Review of the problem
    • Insecure output
    • XSS
  • Escaping
    • AntiXSS and Encoder
    • Importance of Context
    • Solution
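
The following is an added illustration of context-specific output encoding with the AntiXssEncoder that ships in System.Web for .NET Framework 4.5; it is not the course's own code. The rendering helpers are hypothetical; the point is that each output context (HTML body, attribute, JavaScript string, URL) needs its own encoder.

```csharp
// Added illustration for "Escaping / AntiXSS and Encoder / Importance of
// Context" (module 6); not the course's own code. Helper names are hypothetical.
using System;
using System.Web;
using System.Web.Security.AntiXss;

public static class SafeOutput
{
    // BEFORE: raw concatenation. name = "<img src=x onerror=alert(1)>" executes.
    public static string GreetingInsecure(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // HTML body context: entity-encode <, >, &, and quotes.
    public static string Greeting(string name)
    {
        return "<p>Hello, " + AntiXssEncoder.HtmlEncode(name, false) + "</p>";
    }

    // HTML attribute context: always quote the attribute and use the attribute
    // encoder; an unquoted attribute can be closed by a space, not just a quote.
    public static string Avatar(string title)
    {
        return "<img src=\"/avatar.png\" title=\"" + AntiXssEncoder.HtmlAttributeEncode(title) + "\">";
    }

    // JavaScript string context: HTML encoding would leave
    //   '; alert(1); //
    // able to break out of the literal, so escape for a JS string instead.
    public static string InlineScript(string name)
    {
        return "<script>var user = '" + HttpUtility.JavaScriptStringEncode(name) + "';</script>";
    }

    // URL query context: percent-encode the value.
    public static string ProfileLink(string userId)
    {
        return "<a href=\"/profile?id=" + AntiXssEncoder.UrlEncode(userId) + "\">profile</a>";
    }

    // When the whole URL is user-supplied, encoding is not enough: reject
    // schemes other than http(s) so javascript: and data: never become links.
    public static string ExternalLink(string url)
    {
        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed) ||
            (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps))
            return "";
        return "<a href=\"" + AntiXssEncoder.HtmlAttributeEncode(parsed.AbsoluteUri) + "\">" +
               AntiXssEncoder.HtmlEncode(parsed.Host, false) + "</a>";
    }
}
```

In an ASP.NET 4.5 application the same encoder can be made the default for Razor's @ output and the Html helpers by setting encoderType on httpRuntime in web.config to System.Web.Security.AntiXss.AntiXssEncoder; that covers the HTML body context automatically but still leaves attribute, JavaScript and URL contexts to the developer.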

7. Defending Authorization/Sessions

  • Review of the problem
    • Sessions
  • Session timeout
    • Configuring timeouts
    • Solution
  • Container-based authorization
    • Modifying web config
    • Solution
  • Autocomplete

Download Datasheet

Security Compass training courses are offered using a variety of delivery methods. Download the data sheet to learn more.

Public Classes

Security Compass offers this course as a public class. Contact us for a schedule of all our upcoming public training classes.