Topics
Day 1
Introduction to Application Security
Why do application risks occur?
How is application security different from network security?
Application exploits & vulnerabilities
Live hacking examples
.NET Authentication
Authentication scenarios and protocols
Password based authentication
Protecting user accounts passwords
Implementing Windows authentication
WS authentication scenarios
Relationship between IIS and ASP.NET
Impersonation
Delegation
.NET Authorization
Introduction to authorization models
Role Based Access Control (RBAC)
OS ACL authorization
WS authorization scenarios
Membership provider & role manager
Least privileged approach
Day 2
.NET Input Validation
What is considered Input?
The need for input validation
Client-side vs. server-side validation
Blacklist vs. whitelist validation
String manipulation and comparison
Data type conversion
Regular expressions
WCF input validation
.NET Secure File Handling
Path traversal
Canonicalization problem
Virtual path mapping using MapPath
Sanitizing file names using GetFullPath
Uploaded files backdoors
File extension handling
Isolated storage
File ACLs
.NET Cryptography
Introduction to cryptography
Avoiding weak “encryption”
Symmetric encryption
Asymmetric encryption
Hashing
Digital signatures
Certificates
The certificate store
Transport level encryption
Storage level encryption
DB encryption
Protecting sensitive strings with SecureString
Key derivation
Password vault
Using DPAPI (Data Protection API)
Day 3
Transport, Web Services & WCF Security
REST & SOAP overview
Security and web services
Common WS threats and vulnerabilities
WCF security mechanisms
Sensitive information transmission
Transport level security
Message level security
Validating certificates and avoiding man-in-the-middle
SSL Pinning
Application Denial of Service Vulnerabilities
Application / OS crash
CPU starvation
Memory starvation
File system starvation
Resource starvation
Resource locking
Triggering high network bandwidth
User level DoS
Exploiting a specific vulnerability to cause DoS
.NET Secure Configuration Management
Securing back-end communications
Protecting connection strings
Disable debugging
Disable tracing
Protecting server runtime environment
Implementing least privileged approach for DB
Secure compilation
Secure deployment
Day 4
.NET Error Handling
Why exposing detailed error messages is bad
Structured exception handling – Try, Catch, Finally
The fail-open vs. fail-closed approach
Configuring error handling in web.config
Creating custom error pages
HTTP error codes
Level of application error handling
Handling Runtime Security Errors
Error handling strategies
WCF error handling
.NET Auditing & Logging
Importance of logging
What should we audit?
Event message structure
Logging best practices
Built-in logging technologies in .NET
WCF logging options
Windows event log
Performance monitor
Windows Management Instrumentation (WMI)
The log4net framework
EXE Reverse Engineering and Code Protection
The problem of reversing & decompilation
Assume attackers have source code
Introduction to MSIL & the CLR
Debugging
Patching
Unpacking
Obfuscation
Avoiding hard coded secrets
Secure serialization