SANS Software Security Institute

Security 616 ::

Defensible .NET

Overview

This course is a security course that just happens to talk about .NET. It does not just talk about .NET, though. You participate in .NET with plenty of hands-on labs taking you to the heights (and depths) of .NET enlightenment. .NET is an absolutely powerful player in the future of software applications and development. This course lets you experience the full impact of the .NET paradigm.

This course covers the critical aspects of security in .NET, from the Framework's internals to enterprise management; from ASP.NET to XML Web Services. Students will leave the course with a realistic and pragmatic vision of .NET as well as conceptual and practical means for securing their environment, creating defensible applications, and educating users and clients.

This course covers all versions of the .NET Framework (v1.x, 2.0, and 3.0), defending Windows 2003, IIS 6, SQL 2005, and Windows Communication Foundation.

Prerequisites: Experience with programming languages (such as C#) is extremely helpful, but not absolutely required. This class is designed for more than just developers, so you won't be alienated if you are not a developer. In fact, the developer-focused aspect of this class will make you savvy to what your developers are [and should be] doing.

Who Should Attend

  • System and security administrators
  • Security managers
  • Individuals responsible for software requirements definition, procurement, or negotiations
  • Software and web application developers developing applications that handle sensitive client information

Laptop

Laptops are required to enjoy the hands-on labs included in this class. Laptops should have Windows 2003 Server installed with all patches and service packs. You must also bring the original Windows 2003 Server installation CD (or copy the installation files locally to your hard drive).

If you do not have a professional version of Visual Studio, you must download Visual Studio Express Web Developer *and* Visual Studio C# 2005. These lightweight versions of Visual Studio are free from Microsoft. Enter "visual studio express" in Google for the Visual Studio Express home page.

Day Information

Day 1
.NET Framework Architecture
Understanding .NET security requires intimate knowledge of .NET's composition. This day introduces .NET and everything that makes it tick, and provides students with the foundation to understand the rest of the course.
  • The Grand Unified Vision of .NET
  • Assemblies
  • Assembly Internals
  • Type Safety
  • MSIL
  • Strong and Weak Named Assemblies
  • Why Strong Named Assemblies, Aren’t
  • The Common Language Runtime
  • CLR Internals
  • Introduction to .NET Framework Security

Day 2
.NET Framework Security
Code-centric security is one of the primary benefits of .NET. This course takes the student neck-deep into the details of .NET's security architecture and the calculation and formulation of permission grants. Administrators and software developers alike will benefit from the detailed presentation of permission enforcement, as well as .NET's security administration and execution model.
  • Code Access Security Overview
  • .NET Security Administration Model
  • Execution Model
  • Security Zones
  • Evidence
  • Code Groups
  • Permissions
  • Hacking .NET Security
  • Security Policy and Hierarchy
  • Permission Calculations
  • Assembly Permission Requests
  • Permission Enforcement and Stack Walks
  • Deploying Security Policy in the Enterprise
  • Security Guidance for the Enterprise

Day 3
ASP.NET Security
ASP.NET is part and parcel of .NET and is the foundation of Microsoft's Web Services. ASP.NET is an order-of-magnitude improvement over ASP and makes web applications even easier to create and deploy. This course covers the essentials of ASP.NET, from both an architectural and a security perspective, and how proper configuration and control can make ASP.NET an enormous benefit to business processes and corporate goals.
  • ASP.NET Architecture
  • IIS 5 and IIS 6 Architecture and Authentication
  • Handlers, Modules and the HTTP Pipeline
  • Configuration Files and Settings
  • State Management, Local and Remote
  • ASP.NET Authentication and Authorization
  • Identity of Execution, Worker Processes and Impersonation

Day 4
Defensible ASP.NET Applications, Part 1
There is really no such thing as a "secure" system any more than there is a "secure" castle. The word "secure" simply implies a guarantee that is not possible. The philosophy of defensibility seeks to make a particular system capable of being defended according to the level of risk and complexity an organization is willing to accept. This course is the first of two parts that focus on building defensible applications from the network up. Corporations faced with complying with the Payment Card Industry Data Security Standard (PCI DSS) will find Parts 1 and 2 of this course particularly helpful.
  • The Philosophy of Defensibility
  • Threat Modeling
  • Defending the Network
  • Defending the Host
  • Defending IIS
  • Defending ASP.NET

Day 5
Defensible ASP.NET Applications, Part 2
This second part of Defensible ASP.NET Applications continues to focus on ASP.NET applications through defensive programming techniques aimed at mitigating the OWASP Top 10 web application mistakes, as well as fulfilling guidance defined by Visa's Payment Application Best Practices (PABP). If you are a software developer creating web applications, this day is for you, but Program Managers and Administrators, don't be fearful; you will finally understand what all this crying over web application security is all about.
  • Building a Better eCommerce Vehicle
  • OWASP Top 10
  • Payment Application Best Practices (PABP)
  • Application Trust Boundaries
  • What Attackers are Looking For
  • Input Validation and Regular Expressions
  • Guarding Session State
  • Authentication and Authorization
  • Using Cryptography Wisely
  • Using Role-based Security
  • Structured Exception Handling
  • SQL Parameters and Stored Procedures
  • Storing Sensitive Information Wisely (or not at all)
  • Defending SQL Server 2005

Day 6
Defensible Web Services
Service Oriented Architecture (SOA) has many definitions, but represents the way we build modern distributed applications using loosely coupled, interoperable services. An XML Web Service is just one kind of service implementation in an SOA. Microsoft has finalized its "wizzy evolution" with Windows Communication Foundation (WCF). WCF is a unified framework for building reliable, secure, transacted, and interoperable distributed applications. As such, expect more and more Microsoft-enabled technologies to leverage WCF. It's the beginning of a whole new world.
  • Grand Unified Vision of Web Services
  • Open Standards Do Not Mean Secure Standards
  • Web Services Weaknesses
  • Evolution of GXA, WSE (“wizzy”), and WCF
  • WCF Architecture
  • SOAP and firewalls: The Joy of Remote Invocation
  • WSDL
  • UDDI
  • WS-* specifications for security
  • Credential, Claims, and Authorization
  • Web Services Defensible Architecture