Writing Secure ASP.NET Applications
Duration: 3 days
The increasing use of the Internet for commercial purposes has led to a need for web applications to operate correctly and securely. There are many people seeking to take advantage of poorly designed and badly configured applications, and today's developers need to know how to write secure applications, and how to guard against attacks. This course will show how security can (and must) be designed into a project from the start, and will then examine a number of the common attacks experienced by web applications.
Delegates should have practical experience of writing ASP.NET applications, including a working knowledge of HTTP.
Course Content
Introduction
- Why web applications are insecure
- Review of HTTP and web technologies
- Security throughout the lifecycle
- Threat Modelling
- Coding Best Practices
- Setting up a build process
- Source code analysis and testing
- Input validation
- Authentication
- Session hijacking
- Cross-site scripting
- Cross-site request forgery
- HTTP response splitting
- Cryptography and protecting sensitive data
- Buffer overruns
- Injection attacks
- Privilege escalation
- Race conditions
- Insecure error handling
- Insecure configuration management
- Denial of Service attacks
- Authentication: Windows and Forms modes
- Impersonation and delegation
- Configuring ASP.NET and IIS security
- Authorization in ASP.NET
- Configuring authorization in web.config
- Programmatic security
- Process identity for the ASP.NET account
- Storing secrets
- Securing sessions and viewstate
- Using a security proxy
- Fault injection and fuzzing
- Stress testing
- Load testing
- Effective auditing and logging
