Developing Secure .NET Web Applications – Mitigating the OWASP Top 10 Security Vulnerabilities

Link to page: www.qa.com/QAOWASPNET

Sorry, but we do not have public dates scheduled for this course but these courses can be run as a closed event for your company.
Please contact us for details on alternative ways we can help you 0845 757 3888 or email us at info@qa.com

Special Notices

This course is run as an instructor-led course, with the option to join via Extended Classrooms. To find dates, click on the view dates/book course tab.

Extended Classrooms uses the latest technologies to let virtual delegates join an instructor-led classroom and interact with both the other delegates and the instructor as if they were present.

Overview

This course provides the skills and techniques needed to identify security risks in ASP.NET web applications and to mitigate those risks by writing secure code. It is aligned to the OWASP Top 10 most critical web application security risks (the 2010 list, whose ten entries the modules below follow in order) and takes delegates through the exploitation of vulnerable code so that they experience each risk first hand. It then discusses the mitigations in depth and gives delegates the opportunity to secure the code they have just exploited.

The course is presented as a mixture of lectures and hands-on exercises. Delegates actively carry out the practices an attacker would employ so that they fully experience the risks and outcomes of a successful attack. They also use a range of manual and automated tools to probe for vulnerabilities in the same way many attackers would.

Prerequisites

  • Delegates should already have experience of using the C# or Visual Basic .NET programming languages, which can be gained by attending one of our C# or Visual Basic .NET programming language courses.
  • Delegates should be proficient with developing ASP.NET web applications with Visual Studio. They should have prior experience of delivering real world web sites although it is not expected that their experience be extensive.
  • Delegates should understand the basics of building either web forms or MVC applications and have an understanding of general web technologies such as HTTP.
  • Delegates should also already have experience of data access and data binding using APIs such as LINQ, ADO.NET and/or the Entity Framework, which can be gained by attending one of our C# or Visual Basic .NET programming language courses.

Delegates will learn how to

  • Define and understand common website security risks
  • Remotely identify vulnerabilities in web applications
  • Employ practices to secure discrete units of code
  • Understand the security defences built into web browsers
  • Apply the principle of defence in depth
  • Automate scanning and detection of risks

Course Outline

Module 1: Introduction to Web Security

  • Who's being hacked and who's doing the hacking?
  • The prevalence of website vulnerabilities
  • Key web application security concepts

Module 2: OWASP #1: Injection

  • Exploiting SQL injection in a vulnerable website
  • Whitelist validation
  • Creating parameterised queries
  • ORMs and stored procedures
  • Database permissions and the principle of least privilege
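The points in Module 2 side by side, as an added example (not code from the course): a string-concatenated query, its parameterised replacement, and whitelist validation for the one input a parameter cannot carry, the ORDER BY column. The table and column names, the repository class and the connection string are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical repository over a Products(Name, Price) table; names are assumed.
public class ProductRepository
{
    private readonly string _connectionString;

    // Least privilege: the login in this connection string should have SELECT on
    // Products only, so even a successful injection cannot read other tables or write.
    public ProductRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the search term becomes part of the SQL text. A term such as
    //   ' OR 1=1 --
    // changes the WHERE clause, and  '; DROP TABLE Products --  ends the statement.
    public List<string> SearchVulnerable(string term)
    {
        var sql = "SELECT Name FROM Products WHERE Name LIKE '%" + term + "%'";
        return Run(sql, null);
    }

    // FIXED: the term travels as a typed parameter and is never parsed as SQL.
    // The wildcards are added to the value, not to the query text.
    public List<string> SearchParameterised(string term)
    {
        var sql = "SELECT Name FROM Products WHERE Name LIKE @term";
        var p = new SqlParameter("@term", SqlDbType.NVarChar, 100) { Value = "%" + term + "%" };
        return Run(sql, p);
    }

    // Identifiers cannot be parameterised, so the sort column is checked against a
    // whitelist of known-good values and anything else is rejected outright.
    private static readonly HashSet<string> SortableColumns = new HashSet<string> { "Name", "Price" };

    public static string ValidateSortColumn(string requested)
    {
        if (requested != null && SortableColumns.Contains(requested)) return requested;
        throw new ArgumentException("Unsupported sort column");
    }

    public List<string> ListSorted(string sortBy)
    {
        var column = ValidateSortColumn(sortBy);   // throws before any SQL is built
        var sql = "SELECT Name FROM Products ORDER BY " + column;
        return Run(sql, null);
    }

    private List<string> Run(string sql, SqlParameter parameter)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (parameter != null) cmd.Parameters.Add(parameter);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

The same rule applies to ORMs and stored procedures: LINQ to Entities and `ExecuteSqlCommand` with parameters are safe, but a stored procedure that builds dynamic SQL with `EXEC(@sql)` from its arguments is just injection one layer down.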

Module 3: OWASP #2: Cross Site Scripting - XSS

  • Exploiting XSS in a vulnerable website
  • ASP.NET request validation
  • Output encoding for different contexts
  • Native browser defences
  • Reflected, stored (persistent) and DOM-based XSS

Module 4: OWASP #3: Broken Authentication and Session Management

  • Exploiting broken authentication in a vulnerable website
  • The ASP.NET membership and role providers
  • Cookieless sessions
  • Increasing session security
  • Account management and password resets

Module 5: OWASP #4: Insecure Direct Object References

  • Exploiting direct object references in a vulnerable website
  • Implementing access controls
  • Indirect reference maps
  • Obfuscated identifiers
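Module 5's two mitigations together, as an added example rather than the course's own code: a per-session indirect reference map that replaces database ids with random tokens, and an ownership check that still runs after the token is resolved. The invoice model, repository interface and session key are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Mvc;

// Hypothetical invoice download feature; Invoice and IInvoiceRepository are assumed.
public class Invoice
{
    public int Id;
    public string OwnerUserName;
    public byte[] Pdf;
}

public interface IInvoiceRepository
{
    Invoice Find(int id);
    IEnumerable<Invoice> ForUser(string userName);
}

// Per-session map from a random, unguessable token to the real database id.
// The client only ever sees tokens, so ids cannot be enumerated.
public class IndirectReferenceMap
{
    private readonly Dictionary<string, int> _tokenToId = new Dictionary<string, int>();
    private readonly Dictionary<int, string> _idToToken = new Dictionary<int, string>();

    public string TokenFor(int id)
    {
        string token;
        if (_idToToken.TryGetValue(id, out token)) return token;
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        token = BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        _tokenToId[token] = id;
        _idToToken[id] = token;
        return token;
    }

    public bool TryResolve(string token, out int id)
    {
        id = 0;
        return token != null && _tokenToId.TryGetValue(token, out id);
    }
}

[Authorize]
public class InvoiceController : Controller
{
    private readonly IInvoiceRepository _repo;
    public InvoiceController(IInvoiceRepository repo) { _repo = repo; }

    // VULNERABLE: /Invoice/DownloadVulnerable?id=1042. Being logged in is the only
    // check, so changing 1042 to 1043 returns another customer's invoice.
    public ActionResult DownloadVulnerable(int id)
    {
        return File(_repo.Find(id).Pdf, "application/pdf");
    }

    // Lists only the caller's invoices and hands out tokens instead of ids.
    public ActionResult Index()
    {
        var links = new List<string>();
        foreach (var inv in _repo.ForUser(User.Identity.Name))
            links.Add(Url.Action("Download", new { id = Map.TokenFor(inv.Id) }));
        return View(links);
    }

    // FIXED: resolve the token, then still verify ownership. The map hides ids;
    // it does not authorise, and a token can leak (logs, referrer) like any URL.
    public ActionResult Download(string id)
    {
        int realId;
        if (!Map.TryResolve(id, out realId)) return HttpNotFound();
        var invoice = _repo.Find(realId);
        // 404 for both "missing" and "not yours", so existence is not leaked.
        if (invoice == null || !string.Equals(invoice.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();
        return File(invoice.Pdf, "application/pdf");
    }

    private IndirectReferenceMap Map
    {
        get
        {
            var map = Session["invoice-ref-map"] as IndirectReferenceMap;
            if (map == null) Session["invoice-ref-map"] = map = new IndirectReferenceMap();
            return map;
        }
    }
}
```

Obfuscated identifiers (GUIDs, hashed ids) raise the cost of guessing but are still a reference the user supplies, so the access check in `Download` is the control; the map and the obfuscation are defence in depth around it.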

Module 6: OWASP #5: Cross-Site Request Forgery - CSRF

  • Exploiting CSRF in a vulnerable website
  • Leveraging the synchroniser token pattern
  • The anti-forgery token in ASP.NET MVC
  • Native browser defences against CSRF
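The synchroniser token pattern from Module 6 in both ASP.NET flavours, as an added example that is not the course's code. The MVC controller relies on `[ValidateAntiForgeryToken]` with `@Html.AntiForgeryToken()` in the view; the Web Forms page uses the same `System.Web.Helpers.AntiForgery` class directly. The account service and the "change email" feature are assumptions for this example.

```csharp
using System;
using System.Web.Helpers;   // AntiForgery (System.Web.WebPages assembly)
using System.Web.Mvc;
using System.Web.UI;

// Hypothetical account service; assumed for this example.
public interface IAccountService
{
    void ChangeEmail(string userName, string newEmail);
}

[Authorize]
public class AccountController : Controller
{
    private readonly IAccountService _accounts;
    public AccountController(IAccountService accounts) { _accounts = accounts; }

    // VULNERABLE: any site can auto-submit a form to this action from the victim's
    // browser, and the forms-authentication cookie is attached automatically.
    // (Accepting GET would be worse still: an <img src> would do.)
    [HttpPost]
    public ActionResult ChangeEmailVulnerable(string newEmail)
    {
        _accounts.ChangeEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }

    // FIXED: the view renders @Html.AntiForgeryToken(), which writes a hidden
    // __RequestVerificationToken field and a matching cookie. The attacker's page
    // cannot read either (same-origin policy), so a forged POST fails validation
    // with HttpAntiForgeryException before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        _accounts.ChangeEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }
}

// Web Forms equivalent: emit the token inside the form with <%= TokenField() %>
// and validate on every postback before any handler does work.
public partial class ChangeEmailPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            // Throws HttpAntiForgeryException if the field is missing or does not match the cookie.
            AntiForgery.Validate();
        }
    }

    protected string TokenField()
    {
        return AntiForgery.GetHtml().ToHtmlString();
    }
}
```

The token only protects state-changing requests that are restricted to POST, so `[HttpPost]` (or the postback check) is part of the control, not an optimisation. Web Forms view state with `ViewStateUserKey` set to the session id gives a similar per-user binding for classic postbacks.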

Module 7: OWASP #6: Security Misconfiguration

  • Exploiting security misconfiguration in a vulnerable website
  • Using the NuGet package manager to keep frameworks up to date
  • Correctly configuring custom errors, tracing and debugging
  • Encrypting configuration data

Module 8: OWASP #7: Insecure Cryptographic Storage

  • Exploiting cryptographic storage in a vulnerable website
  • Creating secure salted hashes
  • Leveraging the ASP.NET membership provider for password storage
  • Implementing symmetric encryption
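Module 8's two techniques in one added example that is not the course's own code: salted, iterated password hashing with PBKDF2 (`Rfc2898DeriveBytes`, the same primitive ASP.NET Identity's default hasher uses) and symmetric encryption of a stored field with AES-CBC plus an HMAC tag. The iteration count, key sizes, record format and class names are assumptions chosen for this example.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helpers; parameters and record format are assumed for this example.
public static class PasswordHasher
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Record format "iterations.salt.hash" lets the work factor be raised later
    // without invalidating existing records.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);   // unique per user
        var hash = Pbkdf2(password, salt, Iterations);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string record)
    {
        var parts = record.Split('.');
        if (parts.Length != 3) return false;
        var actual = Pbkdf2(password, Convert.FromBase64String(parts[1]), int.Parse(parts[0]));
        return CryptoUtil.FixedTimeEquals(Convert.FromBase64String(parts[2]), actual);
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }
}

public static class CryptoUtil
{
    // Compares every byte so timing does not reveal where the first mismatch is.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// AES-CBC with a random IV per message and an HMAC-SHA256 tag over IV||ciphertext
// (encrypt-then-MAC). Output layout: IV (16) || ciphertext || tag (32).
// encKey and macKey are separate 32-byte keys from the key store, never the
// same bytes, and never stored next to the data they protect.
public static class FieldCrypto
{
    private const int IvLen = 16, TagLen = 32;

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())      // CBC + PKCS7 by default
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();               // fresh random IV for every message
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var output = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, output, IvLen, cipher.Length);
            var tag = hmac.ComputeHash(output, 0, IvLen + cipher.Length);
            Buffer.BlockCopy(tag, 0, output, IvLen + cipher.Length, TagLen);
            return output;
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("Malformed input");
        int bodyLen = blob.Length - TagLen;
        var tag = new byte[TagLen];
        Buffer.BlockCopy(blob, bodyLen, tag, 0, TagLen);
        using (var hmac = new HMACSHA256(macKey))
        {
            // Check the tag before decrypting, so padding errors never reach an attacker.
            if (!CryptoUtil.FixedTimeEquals(hmac.ComputeHash(blob, 0, bodyLen), tag))
                throw new CryptographicException("Authentication failed");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            var iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }
}
```

Passwords are hashed, not encrypted, because the application never needs them back; encryption is for data it does (card tokens, API secrets). A plain `SHA1(password)` or even `SHA256(salt + password)` fails the "slow and salted" test that the PBKDF2 iteration count provides.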

Module 9: OWASP #8: Failure to Restrict URL Access

  • Exploiting unrestricted URLs in a vulnerable website
  • Using authorisation and security trimming
  • Leveraging the role provider
  • Employing principal permissions on classes and methods
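Layered authorisation for Module 9, as an added example and not the course's code: an `[Authorize]` attribute on the MVC controller and a declarative `PrincipalPermission` demand on the service method it calls, so that forgetting one does not expose the report. The role name, controller and service are assumptions for this example.

```csharp
using System.Security.Permissions;
using System.Web.Mvc;

// Hypothetical report service; the "Admin" role and method are assumed.
public class ReportService
{
    // Declarative demand checked on every call: throws SecurityException unless
    // the current principal (set by ASP.NET from the role provider) is in Admin.
    // This is the inner layer; it holds even if a controller forgets [Authorize].
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public string BuildRevenueReport()
    {
        return "revenue report";   // placeholder body for the example
    }
}

// VULNERABLE: nothing restricts /AdminVulnerable/Report. Removing the menu link
// (security trimming) hides it from users; it does not stop anyone typing the URL.
// With the demand above in place the call fails, but as an unhandled 500 rather
// than a proper 401/403.
public class AdminVulnerableController : Controller
{
    public ActionResult Report()
    {
        return Content(new ReportService().BuildRevenueReport());
    }
}

// FIXED: [Authorize] on the controller covers every action, including ones
// added later. Unauthenticated callers get the login redirect; authenticated
// users outside Admin get 401 before the action runs.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Report()
    {
        return Content(new ReportService().BuildRevenueReport());
    }

    // Any exception to the controller-wide rule must be explicit and reviewable.
    [AllowAnonymous]
    public ActionResult Status()
    {
        return Content("ok");
    }
}
```

For Web Forms the outer layer is the `<authorization>` element in web.config (`<deny users="?"/>`, `<allow roles="Admin"/>`) scoped to the protected folder; the `PrincipalPermission` demand on the service is unchanged.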

Module 10: OWASP #9: Insufficient Transport Layer Protection

  • Exploiting insufficient transport layer security in a vulnerable website
  • Properly implementing SSL/TLS for forms authentication
  • Secure cookies and HSTS
  • The dangers of mixed content
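The transport controls from Module 10 in an added example, not code from the course: an HttpModule that redirects HTTP to HTTPS and emits an HSTS header only on HTTPS responses, plus a cookie helper that sets Secure and HttpOnly. The module name and the one-year max-age are assumptions for this example.

```csharp
using System;
using System.Web;

// Hypothetical module; register it under <system.webServer><modules> in web.config.
public class TransportSecurityModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        if (ctx.Request.IsSecureConnection)
        {
            // HSTS: browsers only honour the header when it arrives over HTTPS, and
            // once seen they refuse to make plain-HTTP requests to the host at all.
            ctx.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            return;
        }

        // Plain HTTP: redirect to the HTTPS equivalent. A login form POSTed over
        // HTTP has already crossed the wire in clear, so the body is deliberately
        // not processed; the redirect turns it into a GET of the HTTPS page.
        var target = new UriBuilder(ctx.Request.Url) { Scheme = "https", Port = -1 };
        ctx.Response.RedirectPermanent(target.ToString(), true);
    }
}

// Secure stops the browser sending the cookie over HTTP (so a session cookie is
// not exposed by one http:// image on an otherwise HTTPS page); HttpOnly keeps it
// out of reach of script. <forms requireSSL="true"/> and
// <httpCookies requireSSL="true" httpOnlyCookies="true"/> apply the same flags
// to the forms-authentication cookie and to all cookies respectively.
public static class SecureCookies
{
    public static HttpCookie Create(string name, string value)
    {
        return new HttpCookie(name, value) { Secure = true, HttpOnly = true };
    }
}
```

One caveat before deploying this: behind a load balancer that terminates TLS, `Request.IsSecureConnection` is false for every request and the module loops. In that setup the check has to use the forwarded-protocol header the balancer sets, and only that header from that balancer.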

Module 11: OWASP #10: Unvalidated Redirects and Forwards

  • Exploiting unvalidated redirects in a vulnerable website
  • Whitelisting URLs
  • Referrer checking
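URL whitelisting for Module 11, as an added example that is not part of the course: a `returnUrl` is accepted only if it is a genuine local path or an absolute HTTPS URL to a host on an allow-list; anything else falls back to a safe default. The login controller and the allowed-host list are assumptions for this example.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical login flow; authentication itself is elided.
public class LoginController : Controller
{
    // VULNERABLE: /Login/SignInVulnerable?returnUrl=http://evil.example/login
    // sends a freshly authenticated user to a phishing page on our say-so.
    [HttpPost]
    public ActionResult SignInVulnerable(string returnUrl)
    {
        return Redirect(returnUrl);
    }

    // FIXED: the destination is validated; unknown targets go home.
    [HttpPost]
    public ActionResult SignIn(string returnUrl)
    {
        return Redirect(RedirectPolicy.SafeTarget(returnUrl, "/", Request.Url.Host));
    }
}

public static class RedirectPolicy
{
    // External hosts we are willing to send users to (assumed list).
    private static readonly string[] AllowedHosts = { "accounts.example.com" };

    public static string SafeTarget(string target, string fallback, string ownHost)
    {
        if (string.IsNullOrWhiteSpace(target)) return fallback;

        // Local path: exactly one leading '/'. "//evil.example" is protocol-relative
        // and "/\evil.example" is normalised to the same thing by browsers, so a
        // second '/' or '\' is rejected.
        if (target[0] == '/' && !(target.Length > 1 && (target[1] == '/' || target[1] == '\\')))
            return target;

        // Absolute URL: must parse, must be https, and the host must be ours or listed.
        // A scheme check also kills "javascript:" and "data:" targets.
        Uri uri;
        if (Uri.TryCreate(target, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && (string.Equals(uri.Host, ownHost, StringComparison.OrdinalIgnoreCase)
                || Array.Exists(AllowedHosts, h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase))))
            return uri.ToString();

        return fallback;
    }
}
```

MVC's `Url.IsLocalUrl(returnUrl)` performs the local-path check on its own and is the right call when no external hosts are needed. Referrer checking (rejecting the request when `Request.UrlReferrer` is another site) can be added as a second signal, but the header is optional and easily stripped, so it never replaces validating the target.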

Module 12: Other risks and tools

  • Clickjacking and other risks beyond the Top 10
  • Employing automated tools to detect vulnerabilities

Module 13: Summary

  • Going beyond technical controls to ensure application security
  • Implementing people processes in the secure development lifecycle

