Software Security Institute
Developer 544 ::

Secure Coding in .NET: Developing Defensible Applications

Overview

ASP.NET and the .NET Framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET 2.0, Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the onus is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

During this four-day course we will analyze the defensive strategies and technical underpinnings of the ASP.NET framework and learn where, as a developer, you can leverage defensive technologies in the framework and where you need to build security in by hand. We'll also examine strategies for building applications that will be secure both today and in the future.

Rather than focusing on traditional web attacks from the attacker's perspective, this class will show developers first how to think like an attacker, and will then focus on the latest defensive techniques specific to the ASP.NET environment. The emphasis of the class is a hands-on examination of the practical aspects of securing .NET applications during development.

Have you ever wondered whether ASP.NET Request Validation is effective? Have you been concerned that XML web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? Secure Coding in ASP.NET will answer these questions and far more.

Sampling of Topics

  • Who should attend:
    • This class is focused specifically on software development but is accessible enough for anyone who’s comfortable working with code and has an interest in understanding the developer’s perspective:
      • Software developers and architects
      • Senior software QA specialists
      • System and security administrators
      • Penetration Testers
  • Prerequisites:
    • Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#.
    • While this class briefly reviews basic web attacks, some prior understanding of issues such as XSS and SQL injection is recommended.

Laptop Requirements

Due to a change in the labs, laptops brought to the DEV544 course for the hands-on labs should have the following software installed.

Supported Operating Systems

To complete the labs in class, any one of the following operating systems is supported. Additionally, the corresponding version of Internet Information Services (IIS) should be installed from the operating system media.

  • Windows XP SP3
    • w/ IIS 5.1
  • Windows Server 2003
    • w/ IIS 6.0
  • Windows Vista **
    • w/ IIS 7.0
  • Windows Server 2008 **
    • w/ IIS 7.0

** Vista and Server 2008 with IIS 7 are considerably different from the previous versions of the Windows operating systems. If using one of these operating systems, make sure you have a good level of comfort with the setup and configuration, as well as with troubleshooting any issues.

Laptops should be pre-installed with the following software.

Software Developer IDE

Free Microsoft Express Products (all of the following are required):

OR

  • Visual Studio 2008 Professional or better, with C# language support
  • MSDN Library for Visual Studio 2008

Database Server Software

  • SQL Server 2005 Express Edition

OR

  • SQL Server 2008 Express Edition

Other Software

NOTE: It's a good idea to bring the Operating System CD (or ISO) with you to class as well as any other media in case your system has issues.

Day Information

Day 1
Data Validation

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Cross Site Scripting (XSS) has become the most widely reported issue with web applications. It has reached the point where the Web Application Security Consortium (WASC) estimates that over 80% of the web sites on the Internet are vulnerable to this attack.

Beginning on the first day, you will learn about some of the most prevalent web application vulnerabilities, such as XSS, CSRF, SQL Injection, HTTP Response Splitting, and Parameter Manipulation. You will see how to spot these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

The course is full of hands-on exercises in which you apply practical data validation techniques that prevent common attacks.

  • Topics Covered:
    • Web Application Attacks
      • Cross Site Scripting
      • Cross Site Request Forgery (CSRF)
      • SQL Injection
      • HTTP Response Splitting
      • Parameter Manipulation
    • Web Application Proxies
      • Using Fiddler
    • Validation Concerns
      • Character Encoding
      • Input Validation
      • Output Encoding
      • Blacklisting & Whitelisting
    • Validation Techniques
      • Validation Controls
      • Server vs. Client side validation
      • Regular Expressions
      • HTML Encoding
      • CAPTCHA
      • ADO.NET
      • Stored Procedures
      • LINQ
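As an added example (not part of the course materials), the C# below shows two of the day 1 fixes side by side: a lookup query built by string concatenation next to its parameterized replacement, and output encoding for the HTML body and attribute contexts. The `Users` table, its columns and the connection string are hypothetical. ASP.NET Request Validation is a blocklist applied on the way in; it cannot know which output context a value will land in later, so it is not a replacement for the encoding on the way out shown here.

```csharp
// Added example, not course code. Assumes a hypothetical SQL Server table
// Users(Username nvarchar(32), DisplayName nvarchar(64)) and a connection
// string passed in as "cs".
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class UserLookup
{
    // Whitelist: 3-32 characters, letters, digits and underscore only.
    // Rejecting everything else up front shrinks the attack surface; it is
    // not a substitute for the parameterized SQL or output encoding below.
    private static readonly Regex UsernamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUsername(string username)
    {
        return username != null && UsernamePattern.IsMatch(username);
    }

    // VULNERABLE: the value becomes part of the SQL text, so input such as
    //   ' OR 1=1 --
    // rewrites the statement instead of being compared against Username.
    public static string FindDisplayNameUnsafe(string cs, string username)
    {
        string sql = "SELECT DisplayName FROM Users WHERE Username = '" + username + "'";
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // FIXED: the value travels to the server as a typed parameter and is
    // never parsed as SQL, whatever characters it contains.
    public static string FindDisplayName(string cs, string username)
    {
        if (!IsValidUsername(username))
            throw new ArgumentException("Invalid username");

        const string sql = "SELECT DisplayName FROM Users WHERE Username = @username";
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 32).Value = username;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // HTML body context. A display name stored before Request Validation was
    // enabled, or imported from another system, still carries markup; encoding
    // at the point of output is what makes the page safe regardless of origin.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    // Attribute context: HtmlAttributeEncode is only sufficient together with
    // the surrounding double quotes; an unquoted attribute lets a value with a
    // space break out of the attribute whether or not it was encoded.
    public static string RenderProfileLink(string displayName)
    {
        return "<a href=\"/profile\" title=\"" +
               HttpUtility.HtmlAttributeEncode(displayName) + "\">Profile</a>";
    }
}
```

Validation and encoding are complementary: the whitelist decides what the application accepts, the parameter keeps data out of the SQL parser, and the encoder keeps data out of the HTML parser. Dropping any one of the three leaves a path the other two do not cover.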
Day 2
Authentication & Session Management

Broken authentication and session management are common issues that can compromise the integrity of your system. Weak authentication protections can allow an attacker to expose your most sensitive secrets: your data. You will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start.

You will learn how to use ASP.NET authentication mechanisms and securely implement both Basic and Forms-based authentication. This day is full of hands-on exercises and culminates in a lab where you put everything you learned together into an application that is protected by strong authentication controls.

  • Topics Covered:
    • Authentication
      • IIS / ASP.NET pluggable authentication architecture
      • Basic & Digest Authentication
      • .NET Form Based Authentication Framework
      • Windows Authentication
      • Authorization, OS security, and Impersonation
      • SSL Client Certificates
      • Authentication Policies
    • Protecting Sessions
      • Secure Session ID generation
      • Session data, and persistence
      • Session policies, expiry, etc.
      • Session Hijacking
      • Session Fixation
    • Authentication Attacks
      • Brute Force Attacks
      • Weak Password Storage
      • Password Reset
      • Secret Questions
Day 3
Secure .NET Architecture

Understanding how to leverage .NET to design a secure architecture with solid secure coding principles is critical to application security. This day combines tried and tested information security principles with secure coding principles to help you build rock-solid applications.

  • Topics Covered:
    • Architecture
      • Defense in depth
      • Least Privilege
      • Thread Safety
      • Structured Exception Handling
      • Application Logging and Auditing
      • Secure Coding Principles
      • ASP.NET Handlers, Modules and the HTTP Pipeline
    • .NET Encryption Services
      • Encryption Principles
      • Securing communications
      • Protecting data at rest
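Added example for the data-at-rest item (not course code): AES-CBC with a fresh random IV, authenticated with HMAC-SHA256 in encrypt-then-MAC order, using `Aes.Create()` from .NET 3.5 and `HMACSHA256`. The blob layout, the separate encryption and MAC keys, and the `Main` that generates throwaway keys are assumptions made here for illustration; real keys come from DPAPI, a key container or an HSM, never from source or a cleartext web.config.

```csharp
// Added example, not course code. Layout of a sealed blob:
//   IV (16) || AES-CBC ciphertext || HMAC-SHA256 over IV||ciphertext (32)
using System;
using System.Security.Cryptography;
using System.Text;

public static class SealedData
{
    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        byte[] iv = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(iv);   // never reuse an IV with a key

        byte[] ciphertext;
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform enc = aes.CreateEncryptor(encKey, iv))
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        byte[] body = Concat(iv, ciphertext);
        byte[] tag;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            tag = hmac.ComputeHash(body);                // the MAC covers the IV too
        return Concat(body, tag);
    }

    // Verify before decrypting: feeding unauthenticated ciphertext to the
    // decryptor is what turns a padding error into a padding-oracle attack.
    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < 16 + 16 + 32)
            throw new CryptographicException("Message too short");

        int bodyLen = blob.Length - 32;
        byte[] body = Slice(blob, 0, bodyLen);
        byte[] tag = Slice(blob, bodyLen, 32);

        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(expected, tag))
            throw new CryptographicException("Authentication failed");

        byte[] iv = Slice(body, 0, 16);
        byte[] ciphertext = Slice(body, 16, bodyLen - 16);
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor(encKey, iv))
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] r = new byte[count];
        Buffer.BlockCopy(src, offset, r, 0, count);
        return r;
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Throwaway demo keys (assumption for this example only).
        byte[] encKey = new byte[32], macKey = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(encKey);
        new RNGCryptoServiceProvider().GetBytes(macKey);

        byte[] blob = Seal(encKey, macKey, Encoding.UTF8.GetBytes("account=12345"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(encKey, macKey, blob)));

        blob[20] ^= 0x01;                                // flip one ciphertext bit
        try { Open(encKey, macKey, blob); }
        catch (CryptographicException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

Two keys are used because the same key for AES and HMAC is a misuse that weakens neither primitive outright but gives up the clean separation that the security proofs for encrypt-then-MAC rely on; deriving both from one master secret with a KDF is the usual way to manage a single stored key.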
Day 4
.NET Framework Security

Code-centric security is one of the primary benefits of .NET. This day takes the student neck-deep into the details of .NET's security architecture: the calculation and formulation of permission grants, permission enforcement, and .NET's security administration and execution model.

  • Topics Covered:
    • Code Access Security
    • Assemblies
    • Global Assembly Cache
    • Strong and Weak Named Assemblies
    • The Common Language Runtime
    • Execution Model
    • Security Zones
    • Evidence
    • Code Groups
    • Permissions
    • Hacking .NET Security
    • Security Policy and Hierarchy
    • Permission Calculations
    • Assembly Permission Requests
    • Permission Enforcement and Stack Walks
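Added example (not course code) of the permission stack walk that day 4 covers, written against the .NET Framework 2.0/3.5 Code Access Security model that the course's Visual Studio 2008 environment targets. A `Demand()` walks every frame above the callee; a `PermitOnly()` placed on a caller shrinks what the callee may do, so the demand fails even though the assembly is fully trusted. The file paths are hypothetical and need not exist for the permission check to run. CAS policy is deprecated from .NET 4 and absent from .NET Core, so run this on the Framework version the course uses.

```csharp
// Added example, not course code: Demand, PermitOnly and the stack walk.
using System;
using System.Security;
using System.Security.Permissions;

public static class CasDemo
{
    // Declarative demand: before the body runs, every caller on the stack must
    // hold write access to this path. The outcome depends on the callers, not
    // only on this method's own grant set.
    [FileIOPermission(SecurityAction.Demand, Write = @"C:\data\report.txt")]
    public static void WriteReport()
    {
        Console.WriteLine("WriteReport: demand satisfied");
    }

    // Imperative form of the same check, reporting the result instead of
    // propagating the SecurityException.
    public static bool TryWriteReport()
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Write, @"C:\data\report.txt").Demand();
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        // 1. Nothing restricts the stack: the demand succeeds under full trust.
        Console.WriteLine("Unrestricted: " + TryWriteReport());

        // 2. Restrict this frame to read access on an unrelated directory. The
        //    walk from the callee's Demand now reaches the PermitOnly frame, and
        //    Write on C:\data is not in the permitted set, so it throws.
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\public").PermitOnly();
        try
        {
            Console.WriteLine("Under PermitOnly: " + TryWriteReport());
            WriteReport();                           // declarative demand throws too
        }
        catch (SecurityException)
        {
            Console.WriteLine("Declarative demand on WriteReport refused");
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly(); // always undo the stack modifier
        }

        // 3. Assert() is the inverse: it stops the walk at the asserting frame
        //    and vouches for everything above it. It is the riskiest CAS call,
        //    so keep it around one minimal, audited operation and never let the
        //    asserted permission's path or scope be taken from user input.
    }
}
```

The "Hacking .NET Security" item on the list is largely about exactly these stack modifiers: an `Assert` in a library that accepts attacker-influenced paths, or a partially trusted caller reaching a fully trusted method with an overly broad permission request, is how a sandbox around untrusted code gets escaped.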