Duration: 4 Days
This course will arm you with the skills required to recognize actual and potential software vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. You will be introduced to the most common security vulnerabilities faced by web applications today. Each vulnerability will be examined from a .Net perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and designing, implementing, and testing effective defenses. You will learn basic programming skills, and dig deep into sound processes and practices that apply to the entire software development lifecycle. Multiple practical labs reinforce these concepts with real vulnerabilities and attacks. You will also design and implement the layered defenses needed to defend your own applications.
You will thoroughly examine best practices for defensively coding .Net web applications, including XML processing and web services. You will repeatedly attack and then defend various assets associated with a fully-functional web application. This hands-on approach drives home the mechanics of how to secure .Net web applications in the most practical of terms.
This course is a companion course with several developer-oriented courses and seminars. Although this edition of the course is .Net-specific, it may also be presented using Java or other programming languages. The comprehensive application security and secure coding courses address each of these critical issues head-on:
- Teach programmers what these errors are
- Demonstrate, in real terms, the potential impact of each of these errors
- Recognize and properly address these errors
- How to defend against the potential consequences of security breaches in other parts of their IT infrastructure.
- Cross-reference materials, vulnerabilities, and attacks that are covered with both the OWASP Top 10 and the WASC Threat Classifications
- Covers the latest security trends and developments, including the Verizon 2011 Data Breach Report and the latest from the National Vulnerabilities Database
What You Will Learn
- Potential sources for untrusted data
- Consequences for not properly handling untrusted data (denial of service, cross-site scripting, and injections)
- Test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with untrusted data
- Vulnerabilities associated with authentication and authorization
- Detect, attack, and implement defenses for authentication and authorization functionality and services
- Dangers and mechanisms behind Cross-Site Scripting (XSS) and injection attacks
- Detect, attack, and implement defenses against XSS and injection attacks
- Concepts and terminology behind defensive, secure coding
- Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
- Design and develop strong, robust authentication and authorization implementations within the context of .Net
- Detect, attack, and implement defenses for XML-based services and functionality
- Techniques and measures used to harden web and application servers as well as other components in your infrastructure
- Implement the processes and measures associated with the Secure Software Development (SSD)
- Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives
- Basics of security testing and planning
- Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses
Audience
Application project stakeholders who wish to develop well defended .Net applications
Prerequistes
- Familiarity with the C# programming language is required
- Real world programming experience is highly recommended
Course Outline
1. Foundation
- Misconceptions
- Security Concepts
- Defensive Coding Principles
- Reality
2. Top Security Vulnerabilities
- Unvalidated Input
- Regular Expressions
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting (XSS) Flaws
- Injection Flaws
- Error Handling and Information Leakage
- Insecure Storage
- Insecure Management of Configuration
- Direct Object Access
- Spoofing and Redirects
3. What's Important
- Prioritizing Your Efforts
- Common Vulnerabilities and Exposures for 2011
- OWASP Top Ten for 2010
- CWE/SANS Top 25 Programming Errors
- .Net Issues and Best Practices
4. Defending XML Processing
- Defending XML
- Defending Web Services
- Defending Ajax
5. Secure Software Development (SSD)
- SSD Process
- CLASP Defined
- CLASP Applied
- Asset, Boundary, and Vulnerability Identification
- Vulnerability Response
- Design and Code Reviews
- Applying Processes and Practices
- Risk Analysis
6. Security Testing
- Testing as Lifecycle Process
- Testing Planning and Documentation
- Testing Tools and Processes
- Principles
- Static and Dynamic Code Analysis
- Testing Practices
7. Appendix - Security Design Patterns
- Design Patterns
- JEE Web Application Security Design Patterns
Course Labs
This course is approximately 50% dynamic lab exercises and 50% lecture, designed to train you in essential analysis and design skills, coupling the most effective techniques with the soundest industry practices.
