The course presents security guidelines and considerations for .NET application development. Participants will learn the basics of application security, how to enforce security in a .NET application, how to use the .NET crypto API, and other security-related topics. In addition, the course gives an overview of .NET's Security Framework, including the implementation of authentication and authorization.
Objectives of the course
Upon completion of this course, participants will be able to:
- Understand the need for security
- Understand the security threats
- Implement code security best practices
- Implement role-based security
- Improve security of ASP.NET Applications
Who should attend this course?
- .NET developers wishing to improve their security skills
- Module 1: Introduction & Case Study
- Module 2: Knowing Security Testing Methodologies
- Module 3: Application Security – Overview
- Threat Modeling Objective
- Terminologies Used
- Threat Profiling
- STRIDE Model
- DREAD Model
- Practical Considerations
- Threat Modeling Tools
- Using a Web Application Proxy
- Burp Suite
- OWASP Top 10
- A2-Broken Authentication and Session Management
- A3-Cross-Site Scripting (XSS)
- A4-Insecure Direct Object References
- A5-Security Misconfiguration
- A6-Sensitive Data Exposure
- A7-Missing Function Level Access Control
- A8-Cross-Site Request Forgery (CSRF)
- A9-Using Components with Known Vulnerabilities
- A10-Unvalidated Redirects and Forwards
- Beyond OWASP
- Abuse of functionality
- Denial of Service
- Server Vulnerabilities
- Authentication & Authorization Issues
- From File Inclusion to Remote Code Execution
- API/CMS Based Vulnerabilities
- Diving from WEB to LAN
- Business Logic Testing
- Flash Based Attacks
- iFrame Attacks
- Automated Scanners
- Profiling Scans
- Interpreting Results
- Identifying False Positives
- Validation Concerns
- Session Management Best Practices
- Authentication & Authorization Issues
- CSRF Fixes
- Secure File Upload
- Preventing File Inclusion
- Issues with Randomization
- Understanding Cryptography
- web.config Security Best Practices
- Error Handling and Logging
- SDL Tools
- BinScope Binary Analyzer
- SDL Regex Fuzzer
- Code Analyzing Tool (CAT.NET)
- MiniFuzz File Fuzzer
- Developer vs. InfoSec Team
- Why SCA?
- SCA during SDLC
- Languages and Framework Supported
- Vulnerability Checks
- Integration in the Software Development Process
- Report Reading
- Identification of False Positive
- Getting ROI from an SCA
Training is really good and Mahesh is very knowledgeable. We got very useful information and we will implement this knowledge in our application.
Makarand Gharat, Operation Manager, GCO
Excellent knowledge and ability to store the same. Interactive session with all queries answered in detail.
Prasad Thakur, Team Manager, GCO
Training is very informative. Mahesh explained things very well. The material provided by him is very useful. It will help us take security measures in our application.
Sachidanand B Gaikwad, DBA, GCO
Training is good. Mahesh took us deep into vulnerabilities like SQL injection, cross-site scripting, direct data object, etc.
Eknath Parkhe, Software Developer, GCO
Good subject knowledge and is able to give valuable input to the attendees.
Shyam Gopalkrishnan, Test Lead, GCO
It was really great training on how I can secure my code while creating any .NET application. It really helped to increase my knowledge in security.
Siddhesh Bhogale, Software Developer, GCO
Faculty is a great, knowledgeable, approachable instructor. I enjoyed & learnt a lot from the course & from him. My only suggestion is to give the course structure (i.e. break times & timetable) beforehand.
Azam Al Fayor, Personnel Department, Aramco
Faculty is an outstanding instructor who simplified this course into an interactive course.
Abdulaziz Alanmed, Aramco
Faculty is an excellent instructor.
Mujed Rasheed, Aramco
Faculty has well established his credibility by showing real cases that demonstrated his great knowledge.
Sultan Almutairi, Aramco