Secure .NET Coding (SNC)

Course Content

Secure .Net Coding is a hands-on, lab-intensive, code-level .Net security training course that teaches you the best practices for designing, implementing and deploying secure programs in .Net. You will take an application from requirements through to implementation, analyzing and testing it for software vulnerabilities. This course goes well beyond basic programming skills, teaching developers sound processes and practices to apply across the entire software development life-cycle. Perhaps just as significantly, you will learn about current, real examples that illustrate the potential consequences of not following these best practices. This course is short on theory and long on application, providing you with in-depth, code-level labs.

The concept and process of Threat Modeling is introduced as a key enabler for implementing effective and appropriate security for software and information assets. This course includes coverage of the many security-related technologies and APIs that exist in the .Net world. This class is “technology-centric”, designed to train you in essential secure coding and development skills, coupling the most current, effective techniques with the soundest industry practices. This workshop is about 50% dynamic lab exercises and 50% lecture.

The second portion of the course steps through a series of vulnerabilities illustrating in very real terms the right way to implement secure .Net applications. The last portion of the course examines several design patterns that can be used to facilitate better application architecture, design, implementation, and deployment.

You will leave the course armed with the required skills to recognize software vulnerabilities (actual and potential) and implement defenses for those vulnerabilities. This course quickly introduces you to the various types of threats against your software.

Who should attend

  • This is an intermediate-level .Net programming course designed for application project stakeholders who wish to get up and running on developing well-defended .Net applications.

Prerequisites

  • Familiarity with the C# programming language is required
  • Real-world programming experience is highly recommended

Course Objectives

Working in a hands-on, dynamic learning environment, led by our expert security team, you will learn to:

  • Understand the concepts and terminology behind defensive coding
  • Understand and use Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Learn the entire spectrum of threats and attacks that take place against software applications in today’s world
  • Use Threat Modeling to identify potential vulnerabilities in a real life case study
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in .Net applications
  • Understand the vulnerabilities of the .Net programming language and the runtime environment as well as how to harden both
  • Understand and work with .Net platform security to gain an appreciation for what is protected and how
  • Understand the basics of Cryptography and Encryption and where they fit in the overall security picture
  • Work with the .Net Cryptographic services
  • Examine how role-based security works in .Net and use it to control access
  • Examine how Code Access Security (CAS) works and use it to control access
  • Understand and work with the mechanics of isolated storage
  • Understand the fundamentals of XML Digital Signature and XML Encryption

Comments

What’s included?

Our robust course materials include much more than a simple slideshow presentation handout. Student materials include a comprehensive hard-copy course manual, complete with detailed course notes, code samples, diagrams and current reference materials, all directly related to the course at hand, indexed for ease of use. Step-by-step lab instructions and project descriptions are clearly illustrated and commented for maximum learning and ease of use. This course also includes:

  • Basic course pre-testing and/or post-course assessments
  • Ability to customize the courseware, adapting it to your company's policies, procedures and plans
  • Although this training is skills-centric, this course can be delivered using a variety of software versions. The preferred tools for the class are Visual Studio 2008, IIS, SQL Server, and C#
  • Our detailed workbooks are complete with software-specific screen shots and step-by-step tutorials for using the software you select. In most cases we can easily port our classes to run in the environment of your choosing

Detailed Course Outline

Session 1: Defensive Coding Overview

Misconceptions

  • Thriving Industry of Identity Theft
  • Dishonor Roll of Data Breaches
  • TJX: Anatomy of a Disaster
  • Heartland: What? Again?

Security Concepts

  • Terminology and Players
  • Assets, Threats, and Attacks
  • OWASP
  • CWE/SANS Top 25 Programming Errors
  • Categories
  • What they mean to your applications

Defensive Coding Principles

  • Security Is A Lifecycle Issue
  • Minimize Attack Surface
  • Manage Resources
  • Application States
  • Compartmentalize
  • Defense In Depth - Layered Defense
  • Consider All Application States
  • Not Trusting The Untrusted
  • Security Defect Mitigation
  • Leverage Experience

Reality

  • Recent, Relevant Incidents
  • Find Security Defects In Web Applications

Session 2: Vulnerabilities

  • Unvalidated Input – XSS/CSRF, Injection, and Others
  • Broken Authentication and Authorization
  • Information Leakage - Error Handling, Logging, Insecure Storage and Others
  • Spoofing - Protecting Your Users and Your Applications

Session 3: .Net Security Fundamentals

  • .Net Security Overview
  • Services Provided
  • Code Protections
  • Data Protections

Session 4: .Net Assembly Security

  • The role of Application Domains
  • Protecting assemblies from tampering
  • Using obfuscation
  • Using publisher certificates
  • Using FxCop.exe

Session 5: Cryptography Overview

  • Cryptography defined
  • Strong Encryption
  • Ciphers and algorithms
  • Message digests
  • Keys and key management
  • Types of keys
  • Key management
  • Certificate management
  • Encryption/Decryption

Session 6: .Net Cryptographic Services

  • The role of cryptographic services
  • Hash algorithms and hash codes
  • Generating hashed data
  • Validating hash codes
  • Encryption and decryption
  • Encrypting data symmetrically
  • Encrypting data asymmetrically

Session 7: Understanding Role Based Security

  • Using role based security
  • Creating and administering roles
  • Principals, identity and roles
  • Determining role membership
  • Restricting actions based on roles

Session 8: Code Access Security

  • What is Code Access Security (CAS)
  • CAS components
  • Using CAS to secure applications
  • Interacting with CAS

Session 9: Isolated Storage

  • The purpose of Isolated Storage
  • Levels of isolated storage
  • Using isolated storage administrative tools
  • Working with isolated storage programmatically

Session 10: Defending XML Processing

Defending XML

  • Understanding common attacks and how to defend
  • Operating in safe mode
  • Using standards-based security
  • XML-aware security infrastructure

Duration: 3 days
