EC-Council Certified Secure Programmer-.NET

Course Length: 3 Days

Tuition Per Person: Online Live: $1799 | Online self-paced: $999

Contact: jrshea@syr.edu – Office: 315-632-4848


Course Outline

Module 01: Introduction to .NET Application Security

Microsoft .NET Application Security

o .NET Application Security

o Need for .NET Application Security

o .NET Application Attack Statistics

o Understanding Application Security

o End-to-End Security

o What is Secure Coding?

o Why are Security Mistakes Made?

o Key Elements of .NET Framework Architecture Security

o .NET Security Features

o .NET Framework Security Namespaces

o ASP.NET Security Architecture

Common Security Threats on .NET

o Web Application Security Frame

o Common Security Threats on .NET

o OWASP Top 10 Attacks on .NET

Security Misconfiguration

Cross-Site Scripting (XSS) Attacks

SQL Injection Attacks

Cross-Site Request Forgery (CSRF) Attack

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

Insecure Direct Object References

Broken Authentication and Session Management

Insecure Cryptographic Storage

Secure Development Lifecycle (SDL)

o Phases of SDL

o SDL Process

o Integrating Security into the Development Lifecycle

o Security in the Design Stage: Threat Modeling

o Threat Modeling Process

The STRIDE model

The DREAD model

o Guidelines for Applying Security in Implementation Phase of SDL

o Security Testing

Secure Coding Principles

Guidelines for Developing Secure Code

 

 

Module 02: .NET Framework Security

Introduction to .NET Framework

o .NET Framework Architecture

o Basic Components of .NET Framework

.NET Runtime Security

o .NET Framework Runtime Security Model

o Role-Based Security

Role-Based Security: Windows Principal

Role-Based Security: Generic Principal

o Code Access Security (CAS) 

Using Code Access Security in ASP.NET 

Evidence-Based Security

Permissions 

Code Access Permissions

Identity Permissions

Role-Based Security Permissions

Permissions Classes in .NET

Type Safety

SkipVerification

Stack Walk

Declarative and Imperative Security Syntax

o Isolated Storage

Data Storing Process in Isolated Storage

Managing Data Isolation using Store’s Identity

Levels of Isolation

Limitations of Isolated Storage

Administering Isolated Storage

Granting Isolated Storage Permissions with Mscorcfg.msc

Granting Isolated Storage Permissions with Caspol.exe

Managing Existing Stores

.NET Class Libraries Security

o Class Libraries Security

o Writing Secure Class Libraries

Security Demands

Link Demands

Security Holes in Link Demands

Inheritance Demands

Overriding Security Checks

Security Optimizations

.NET Assembly Security

o .NET Assembly

o Common Threats to .NET Assemblies

o Privileged Code

o Secure Assembly Design Considerations

o Secure Class Design Considerations

o Securing Assemblies Using Strong Name Signing

o Securing Assemblies with Code Access Attributes

o Securing Assemblies Against Decompilation Using Obfuscation

o Dotfuscator: .NET Obfuscator

o Protecting Assemblies Using Publisher Certificate

o Securing Assemblies Using Application Domain Permissions

o Vulnerability in Serializing Sensitive Objects

o Vulnerabilities in Multithreaded Assemblies

o Vulnerabilities in Static Class Methods/Constructors of Assemblies

o Vulnerability in Dispose Methods

.NET Security Tools

o Code Access Security Policy Tool: Caspol.exe

Caspol.exe Parameters

o Software Publisher Certificate Test Tool: Cert2spc.exe

o Certificate Manager Tool: Certmgr.exe

Options in Certmgr.exe

o Certificate Creation Tool: Makecert.exe

Options in Makecert.exe

o PEVerify Tool: Peverify.exe

Options in Peverify.exe

o .NET Security Annotator Tool: SecAnnotate.exe

o Sign Tool: SignTool.exe

o Strong Name Tool: Sn.exe

o Isolated Storage Tool: Storeadm.exe

Best Practices for .NET Framework Security

 

Module 03: Input Validation and Output Encoding

Input Validation

o Why Input Validation?

o Input Validation

o Input Validation Specification

o Input Validation Approaches

Client-side Input Validation

Server-side Input Validation

Client-Server Input Validation Reliability

o Input Filtering

Input Filtering Technique: Black Listing

Input Filtering Technique: White Listing

o Perform Input Validation and Filtering using a Regular Expression

o String Manipulation and Comparison

o Data Type Conversion

o ASP.NET Validation Controls

Set of ASP.NET Validation Controls

RequiredField Validation Control

Range Validation Control

Comparison Validation Control

RegularExpression Validation Control

Custom Validation Control

Validation Summary Control

Input Validation Attacks

o Cross-Site Scripting (XSS) Attacks

o SQL Injection Attacks

o HTML Tags Used in XSS Attacks

Defensive Techniques against XSS Attacks

o XSS Attack Defensive Techniques

o Need for Securing Validation Controls

o Securing RequiredField Validation Control

o Securing Range Validation Control

o Specifying the Correct Data Type in Range Validator

o Securing Comparison Validation Control

o Securing RegularExpression Validation Control

o Securing Custom Validation Control

o Integrating Security for Multiple Validation Controls

Defensive Techniques against SQL Injection Attacks

o SQL Injection Attack Defensive Techniques

o Using Parameterized Queries

o Using Parameterized Stored Procedures

o Using Escape Routines to Handle Special Input Characters

o Database Specific Escaping: Oracle Escaping

o Using a Least-Privileged Database Account

o Constraining Input
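
As an added illustration of the defences listed above (it is not part of the course material), the same lookup is built the vulnerable way and then with a parameterized query and a parameterized stored procedure. The connection string, the dbo.Users table and the dbo.GetUserByName procedure are assumptions; the two database methods need such a database, while the query-building method runs anywhere.

```csharp
// Added example, not course material. Assumes SQL Server reachable via the
// hypothetical connection string below, a table dbo.Users(UserName nvarchar(50),
// Email nvarchar(256)) and a procedure dbo.GetUserByName(@userName nvarchar(50)).
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Hypothetical connection string; the login should be least-privileged (SELECT only).
    const string ConnStr = "Server=.;Database=AppDb;User Id=app_reader;Password=...;";

    // VULNERABLE: the input becomes part of the SQL text, so a value such as
    //   x' OR 1=1 --
    // rewrites the statement instead of being compared as data.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT Email FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: parameterized query. The value travels separately from the SQL text, so
    // quotes and comment markers inside it have no syntactic effect.
    public static string GetEmailParameterized(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Email FROM dbo.Users WHERE UserName = @userName", conn))
        {
            // Typed and length-limited: this also constrains the input (Constraining Input above).
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: parameterized stored procedure. This only helps if the procedure body does
    // not itself build dynamic SQL from its arguments (EXEC('... ' + @userName) would
    // reintroduce the injection on the server side).
    public static string GetEmailStoredProc(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        string hostile = "x' OR 1=1 --";
        // Shows how the hostile value rewrites the statement when concatenated; the two
        // parameterized methods would send the same string purely as a parameter value.
        Console.WriteLine(BuildVulnerableQuery(hostile));
    }
}
```

Escaping routines (the next item in the module) are a weaker fallback than parameters: they must be correct for the exact database and character set in use, whereas a parameter is never parsed as SQL at all.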

Output Encoding

o ASP.NET Controls with Encoding Support

o Encoding Unsafe Output using HtmlEncode 

o Encoding Unsafe Output using UrlEncode 

o Anti-XSS Library

o Encoding Output using Anti-XSS Library
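
Added example (not course material) covering the input validation and output encoding items above in one place: a whitelist regular expression on the way in, then an encoder chosen for the context the value lands in on the way out. It uses System.Net.WebUtility and Uri.EscapeDataString as stand-ins for HttpUtility.HtmlEncode/UrlEncode and the Anti-XSS library's context encoders so that it runs as a plain console program; the profile-card markup is invented for the illustration.

```csharp
// Added example, not course material. Whitelist validation plus context-specific encoding.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class SafeOutput
{
    // Whitelist: letters, digits, dot, dash, underscore, 3 to 32 characters.
    // Anchored with ^ and \z (not $): in .NET, $ also matches before a trailing newline,
    // so "alice\n<img ...>" would pass a $-anchored pattern. A match timeout bounds ReDoS.
    static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._-]{3,32}\z", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    public static bool IsValidUserName(string s)
    {
        return s != null && UserNamePattern.IsMatch(s);
    }

    // Element content: < > & " ' become entities.
    public static string ForHtmlBody(string s)
    {
        return WebUtility.HtmlEncode(s);
    }

    // Attribute value: encode AND quote; encoding alone does not protect an unquoted attribute.
    public static string ForHtmlAttribute(string s)
    {
        return "\"" + WebUtility.HtmlEncode(s) + "\"";
    }

    // Query-string component inside an attribute: percent-encode for the URL first,
    // then entity-encode for the attribute it sits in (two contexts, two encoders).
    public static string ForUrlParameterInAttribute(string s)
    {
        return WebUtility.HtmlEncode(Uri.EscapeDataString(s));
    }

    // href target: encoding cannot make "javascript:..." safe, so the scheme is
    // whitelisted before the value is encoded for the attribute.
    public static string ForHref(string url)
    {
        Uri u;
        if (!Uri.TryCreate(url, UriKind.Absolute, out u) ||
            (u.Scheme != Uri.UriSchemeHttp && u.Scheme != Uri.UriSchemeHttps))
            return "#";
        return WebUtility.HtmlEncode(u.AbsoluteUri);
    }

    public static string RenderProfileCard(string userName, string displayName, string homepage)
    {
        if (!IsValidUserName(userName)) throw new ArgumentException("invalid user name");
        return "<div class=\"card\" data-user=" + ForHtmlAttribute(userName) + ">"
             + "<a href=\"" + ForHref(homepage) + "\">" + ForHtmlBody(displayName) + "</a> "
             + "<a href=\"/profile?u=" + ForUrlParameterInAttribute(userName) + "\">profile</a>"
             + "</div>";
    }

    public static void Main()
    {
        // Constructed hostile inputs: script in the display name, javascript: URL as homepage.
        Console.WriteLine(RenderProfileCard("alice_01", "<script>alert(1)</script> Alice",
                                            "javascript:alert(document.cookie)"));
        Console.WriteLine(RenderProfileCard("bob.smith", "Bob \"Bobby\" Smith",
                                            "https://example.org/~bob?x=1&y=2"));
        // The trailing-newline trick against a $-anchored pattern is caught by \z.
        Console.WriteLine(IsValidUserName("alice\n<img src=x onerror=alert(1)>"));
    }
}
```

Validation and encoding are complementary, not alternatives: the display name above is free text that no whitelist can sensibly constrain, so it is encoded; the user name is constrained, and still encoded, because the whitelist may be relaxed later by someone who does not know where the value is rendered.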

Sandboxing

o Sandboxing Software: Sandboxie 

o Sandboxing Software: BufferZone Pro

o Sandboxing API in .NET Framework

o Creating Sandbox for Partial Trust Code

Best Practices

o Microsoft Code Analysis Tool .NET (CAT.NET)

 

Module 04: .NET Authorization and Authentication

Introduction to Authentication and Authorization

o Common Threats with User Authentication and Authorization

o Authentication and Authorization in .NET Web Application Security

o Security Relationship between IIS and ASP.NET

Authentication

o ASP.NET Authentication

o ASP.NET Authentication Modes

o Security Settings Matrix between IIS and ASP.NET

o Forms Authentication

o Passport Authentication

Implementing Passport Authentication

o Custom Authentication

Implementing Custom Authentication Scheme

o Windows Authentication

o Selecting an Appropriate Authentication Method

o Determining an Authentication Method

o Enterprise Services Authentication

o SQL Server Authentication

Authorization

o Identities, Principals, and Roles

o ASP.NET Authorization

o URL Authorization

o File Authorization

o What is Impersonation?

Impersonation Options

o Delegation

o Code-based Authorization

Declarative Authorization

Imperative Authorization

Explicit Authorization

o Authorization using ASP.NET Roles

o Enterprise Services Authorization

o SQL Server Authorization

Authentication and Authorization Vulnerabilities

o Securing Forms Authentication Tickets

o Securing Hash Generation using SHA1

o Securing Encryption using AES

o Securing Forms Authentication Cookies using SSL

o Securing Forms Authentication Credentials

o Preventing Session Hijacking using Cookieless Authentication

o Securing Authentication Token Using Sliding Expiration

o Preventing Forms Authentication Cookies from Persisting Using the DisplayRememberMe Property

o Preventing Forms Authentication Cookies from Persisting Using the RedirectFromLoginPage Method

o Preventing Forms Authentication Cookies from Persisting Using the SetAuthCookie Method

o Preventing Forms Authentication Cookies from Persisting Using the GetRedirectUrl Method

o Preventing Forms Authentication Cookies from Persisting Using the FormsAuthenticationTicket Constructor

o Securing Passwords with minRequiredPasswordLength 

o Securing Passwords with minRequiredNonalphanumericCharacters 

o Securing Passwords with passwordStrengthRegularExpression 

o Restricting Number of Failed Logon Attempts

o Securing Application by Using Absolute URLs for Navigation

o Securing Applications from Authorization Bypass Attacks

o Creating Separate Folder for Secure Pages in Application

o Validating Passwords on CreateUserWizard Control using Regular Expressions

Authentication and Authorization Best Practices

o Application Categories Considerations: Authentication-Forms

o Application Categories Considerations: Authorization

o Guidelines for Secure Authentication and Authorization Coding

o Secure Development Checklists: Authentication

o Secure Development Checklists: Authorization

o Secure Development Checklists: User-Server Authentication

Secure Communication

o Storing Secrets

o Options for Storing Secrets in ASP.NET

 

Module 05: Secure Session and State Management

Session Management

o Basic Security Principles for Session Management Tokens

o Common Threats to Session Management

Session Management Techniques in ASP.NET

o ASP.NET Session Management Techniques

o Client-Side State Management

Client-Side State Management Using Cookies

Client-Side State Management Using Hidden Fields

Client-Side State Management Using View State

Client-Side State Management Using Control State

Client-Side State Management Using Query Strings

o Server-Side State Management

Server-Side State Management Using Application Object

Server-Side State Management Using Session Object

Server-Side State Management Using Profile Properties

Session Attacks and Their Defensive Techniques

o Session Hijacking

Securing ASP.NET Application from Session Hijacking

Implementing SSL to Encrypt Cookies

Setting a Limited Time Period for Expiration

Avoid using Cookieless Sessions

Avoid using UseUri Cookieless Sessions

Avoid Specifying Cookie Modes to AutoDetect

Avoid Specifying Cookie Modes to UseDeviceProfile

Enabling regenerateExpiredSessionID for Cookieless Sessions

Resetting the Session when User Logs Out

o Token Prediction Attack

Generating Lengthy Session Keys to Prevent Guessing

o Session Replay Attack

Defensive Techniques for Session Replay Attack

o Session Fixation

o Session Fixation Attack

Securing ASP.NET Application from Session Fixation Attack

o Cross-Site Scripting Attack

Preventing Cross-Site Scripting Attacks using URL Rewriting

Protecting Session Cookies from Client-Side Script Attacks

o Cross-Site Request Forgery Attack

Implementing the Session Token to Mitigate CSRF Attacks

Defensive Techniques for Cross Site Request Forgery Attack
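
Added example (not course material) tying together the session defences listed in this block: tokens drawn from the CSPRNG (token prediction), rotation of the token at login (session fixation), idle and absolute expiry and invalidation on logout (session hijacking). It is a self-contained in-memory session table with an injectable clock; the timeouts, the 256-bit token size and the user names are assumptions chosen for the illustration.

```csharp
// Added example, not course material: minimal server-side session store.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class SessionStore
{
    public sealed class Session
    {
        public string UserId;        // null until the user authenticates
        public DateTime Created;     // bounds the absolute lifetime
        public DateTime LastSeen;    // bounds the idle timeout
    }

    static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);   // assumed values
    static readonly TimeSpan AbsoluteLifetime = TimeSpan.FromHours(8);

    // Keyed by SHA-256(token) rather than the token itself: a dump of the table
    // (or of a database-backed version of it) does not hand out usable tokens.
    readonly Dictionary<string, Session> sessions = new Dictionary<string, Session>(StringComparer.Ordinal);
    readonly RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    readonly Func<DateTime> clock;   // injectable so expiry can be exercised without waiting

    public SessionStore(Func<DateTime> clock = null)
    {
        this.clock = clock ?? (() => DateTime.UtcNow);
    }

    // 32 bytes from the CSPRNG (256 bits; ASP.NET's own session ID is 120 bits).
    // Base64url keeps it cookie-safe. Never derive tokens from time, user id or a counter.
    string NewToken()
    {
        var buf = new byte[32];
        rng.GetBytes(buf);
        return Convert.ToBase64String(buf).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static string Key(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    string Issue(string userId)
    {
        string token = NewToken();
        DateTime now = clock();
        sessions[Key(token)] = new Session { UserId = userId, Created = now, LastSeen = now };
        return token;
    }

    public string Create() { return Issue(null); }

    // Returns the session if the token is known and inside both limits, otherwise null
    // (and drops the expired entry so it cannot be revived).
    public Session Get(string token)
    {
        Session s;
        if (token == null || !sessions.TryGetValue(Key(token), out s)) return null;
        DateTime now = clock();
        if (now - s.LastSeen > IdleTimeout || now - s.Created > AbsoluteLifetime)
        {
            sessions.Remove(Key(token));
            return null;
        }
        s.LastSeen = now;
        return s;
    }

    // Session fixation defence: whatever token the browser presented before login is
    // discarded and a fresh one issued, so a token an attacker planted is worthless.
    public string Login(string presentedToken, string userId)
    {
        if (presentedToken != null) sessions.Remove(Key(presentedToken));
        return Issue(userId);
    }

    public void Logout(string token)
    {
        if (token != null) sessions.Remove(Key(token));
    }

    public static void Main()
    {
        DateTime now = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);   // constructed clock
        var store = new SessionStore(() => now);

        string planted = store.Create();              // token an attacker could have fixed in the victim's browser
        string live = store.Login(planted, "alice");  // login rotates it
        Console.WriteLine("planted token still valid: " + (store.Get(planted) != null));
        Console.WriteLine("post-login token valid:    " + (store.Get(live) != null));

        now = now.AddMinutes(25);                     // past the idle timeout
        Console.WriteLine("after 25 idle minutes:     " + (store.Get(live) != null));
    }
}
```

In ASP.NET the equivalent of Login() is abandoning the session and clearing the ASP.NET_SessionId cookie before re-authenticating; the in-process session module does not rotate the ID for you, which is why the module lists "Resetting the Session when User Logs Out" and the fixation item separately.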

Securing Cookie Based Session Management

o Cookie-Based Session Management

o Persistent Cookies Information Leakage

o Avoid Setting the Expire Attribute to Ensure Cookie Security

o Ensuring Cookie Security using the Secure Attribute

o Ensuring Cookie Security using the HttpOnly Attribute

o Ensuring Cookie Security using the Domain Attribute

o Ensuring Cookie Security using Path Attribute

ViewState Security

o Common Threats on ViewState 

ViewState Data Tampering Attack

ViewState oneClick Attacks

o Securing ViewState 

Securing ViewState with Hashing

Securing ViewState with Encryption

Securing ViewState by Assigning User-Specific Key

Guidelines for Secure Session Management

 

Module 06: .NET Cryptography

Introduction to Cryptography

o Cryptographic Attacks

o Keeping .NET Applications Safe from Cryptographic Attacks

o Cryptography

o Functions of Cryptography

o Common Threats on Functions of Cryptography and Their Mitigation Techniques

o Types of Cryptographic Attacks in .NET

o .NET Cryptography Namespaces

o .NET Cryptographic Class Hierarchy

Symmetric Encryption

o SymmetricAlgorithm Class

o Members of the SymmetricAlgorithm Class

o Programming Symmetric Data Encryption and Decryption in .NET

o Securing Information with Strong Symmetric Encryption Algorithm

o Cipher Function

Cipher Modes

Vulnerability in Using ECB Cipher Mode

o Padding

Problem with Zeros Padding

o Symmetric Encryption Keys

Securing Symmetric Encryption Keys from Brute Force Attacks

Resisting Cryptanalysis Attack Using Large Block Size

Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvider

o Storing Secret Keys and Storing Options

Protecting Secret Keys with Access Control Lists (ACLs)

Protecting Secret Keys with DPAPI

o Self Protection for Cryptographic Application

o Encrypting Data in the Stream using CryptoStream Class

Asymmetric Encryption

o AsymmetricAlgorithm Class

o Members of the AsymmetricAlgorithm Class

o Programming Asymmetric Data Encryption and Decryption in .NET

o Asymmetric Encryption Algorithm Key Security

o Securing Asymmetric Encryption using Large Key Size

o Storing Private Keys Securely

o Problem with Exchanging Public Keys

o Exchanging Public Keys Securely

o Asymmetric Data Padding

o Protecting Communications with SSL

Hashing

o Hashing Algorithms Class Hierarchy in .NET

o Hashing in .NET

o Members of the HashAlgorithm Class

o Programming Hashing for Memory Data

o Programming Hashing for Streamed Data

o Imposing Limits on Message Size for Hash Code Security

o Setting Proper Hash Code Length for Hash Code Security

o Message Sizes and Hash Code Lengths Supported by the .NET Framework Hashing Algorithms

o Securing Hashing Using Keyed Hashing Algorithms
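
Added example (not course material) for two passages in this module: the symmetric encryption block (cipher modes, the ECB weakness, PKCS7 padding, CSPRNG-generated keys, CryptoStream) and the keyed hashing item just above. It encrypts with AES-CBC under a random key and per-message IV, authenticates the IV and ciphertext with HMAC-SHA256 (encrypt-then-MAC, verified before decryption so a padding error is never observable), and shows why ECB leaks structure. The keys, message and layout IV || ciphertext || tag are assumptions made for the illustration.

```csharp
// Added example, not course material: AES-CBC + HMAC-SHA256 and an ECB demonstration.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SymmetricDemo
{
    public static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(b);
        return b;
    }

    // Output layout (assumed): IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    public static byte[] Encrypt(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;   // unambiguous, unlike zero padding
            aes.Key = encKey;                  // 32 bytes selects AES-256
            aes.GenerateIV();                  // fresh random IV for every message
            byte[] ct;
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                    cs.Write(plaintext, 0, plaintext.Length);   // disposing flushes the final padded block
                ct = ms.ToArray();
            }
            byte[] body = aes.IV.Concat(ct).ToArray();
            using (var h = new HMACSHA256(macKey))
                return body.Concat(h.ComputeHash(body)).ToArray();
        }
    }

    public static byte[] Decrypt(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < 16 + 32) throw new CryptographicException("message too short");
        byte[] body = blob.Take(blob.Length - 32).ToArray();
        byte[] tag = blob.Skip(blob.Length - 32).ToArray();
        using (var h = new HMACSHA256(macKey))
            if (!FixedTimeEquals(h.ComputeHash(body), tag))
                throw new CryptographicException("authentication failed");   // before any decryption
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            aes.IV = body.Take(16).ToArray();
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Write))
                    cs.Write(body, 16, body.Length - 16);
                return ms.ToArray();
            }
        }
    }

    // Compare every byte regardless of where the first mismatch is, so timing does not
    // reveal how much of a forged tag was correct.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // ECB encrypts each block independently: two identical plaintext blocks yield two
    // identical ciphertext blocks, so repetition in the data is visible in the output.
    public static bool EcbRepeatsBlocks(byte[] key)
    {
        byte[] block = Encoding.ASCII.GetBytes("SIXTEEN BYTE MSG");   // exactly one AES block
        byte[] pt = block.Concat(block).ToArray();
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.ECB;
            aes.Padding = PaddingMode.None;
            aes.Key = key;
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(pt, 0, pt.Length);
            return ct.Take(16).SequenceEqual(ct.Skip(16).Take(16));
        }
    }

    public static void Main()
    {
        byte[] encKey = RandomBytes(32), macKey = RandomBytes(32);   // two independent keys
        byte[] msg = Encoding.UTF8.GetBytes("card=4111111111111111;exp=12/29");   // constructed
        byte[] blob = Encrypt(encKey, macKey, msg);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(encKey, macKey, blob)));

        blob[16] ^= 0x01;   // flip one bit of the first ciphertext byte
        try { Decrypt(encKey, macKey, blob); }
        catch (CryptographicException e) { Console.WriteLine("tampered: " + e.Message); }

        Console.WriteLine("ECB repeats identical blocks: " + EcbRepeatsBlocks(encKey));
    }
}
```

Two separate keys are used because reusing the encryption key for the MAC ties the security of one to the other; in practice both would be derived from a single master key kept under DPAPI or an ACL-protected file, as the "Storing Secret Keys" items above describe.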

Digital Signatures

o Attacker's Target Area on Digital Signatures

o Security Features of Digital Signatures

o .NET Framework Digital Signature Algorithms

Digital Certificates

o .NET Support for Digital Certificates

o Programming Digital Signatures using Digital Certificates

XML Signatures

o Need for Securing XML Files

o Securing XML Files using Digital Signatures

o Programming a Digital Signature for a Sample XML File

 

Module 07: .NET Error Handling, Auditing, and Logging

Error Handling

o Parameters to be Considered while Designing Secure Error Messages

o What is an Error?

o What are Exceptions/Runtime Errors?

o Need for Error/Exception Handling

o Secure Exception Handling

Exception Handling in ASP.NET

o Handling Exceptions in an Application

o Class-Level Exception Handling

o Class-Level Exception Handling Vulnerabilities

Generic Exception Throwing Vulnerability

Generic Exception Catching Vulnerability

Vulnerability in Printing StackTrace

Vulnerability in Exception.ToString() Method

Vulnerability in Swallowing Exceptions

Cleanup Code Vulnerability

Vulnerability in Re-Throwing Exception

Rules of Thumb for Good Exception Management

o Page-Level Exception Handling

o Application-Level Exception Handling

Handling Exception with Application_Error Event Handler

Handling Exception with ASP.NET Error Page Redirection Mechanism

Managing Unhandled Errors

Exposing Detailed Error Messages

Sensitive Information Leakage Vulnerability in Custom Error Message

Unobserved Exception Vulnerability
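
Added example (not course material) showing, in one request handler, the fixes for several items above: specific rather than generic catch clauses, a bare "throw;" instead of "throw ex;", the full exception (ToString, stack trace) written only to the trace log, a generic message plus correlation id returned to the caller, and log lines sanitized so request data cannot forge entries or leak secrets. The file path, the query string and the secret-name list are constructed for the illustration.

```csharp
// Added example, not course material: safe exception handling and logging for one request.
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;

public static class SafeErrorHandling
{
    // Values that must never reach a log (assumed list; see "What Should NOT be Logged?").
    static readonly Regex SecretPattern =
        new Regex(@"(?i)\b(password|pwd|token|secret)=[^;&\s]*", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    // Neutralize CR/LF so one request cannot forge additional log lines, then mask secrets.
    public static string SanitizeForLog(string s)
    {
        if (s == null) return "";
        s = s.Replace("\r", "\\r").Replace("\n", "\\n");
        return SecretPattern.Replace(s, m => m.Groups[1].Value + "=***");
    }

    // "throw;" preserves the original stack trace; "throw ex;" would restart it at this
    // frame and hide where the failure actually occurred.
    static void OpenConfig(string path)
    {
        try
        {
            using (File.OpenRead(path)) { }
        }
        catch (IOException)
        {
            throw;                        // not: throw ex;
        }
    }

    static string LogAndRespond(Exception ex, string correlationId, string rawQuery)
    {
        // Full detail (type, message, stack trace, inner exceptions) goes to the log only.
        Trace.TraceError("[{0}] query={1} {2}", correlationId, SanitizeForLog(rawQuery), ex);
        // The caller gets a fixed message and an id support can look up: no path, no stack.
        return "The request could not be completed. Reference: " + correlationId;
    }

    // Catch the specific types the operation can raise. A bare catch {} or a
    // catch (Exception) that returns normally is the swallowing vulnerability above.
    public static string HandleRequest(string path, string rawQuery)
    {
        string correlationId = Guid.NewGuid().ToString("N");
        try
        {
            OpenConfig(path);
            return "ok";
        }
        catch (IOException ex)                    // includes FileNotFound and DirectoryNotFound
        {
            return LogAndRespond(ex, correlationId, rawQuery);
        }
        catch (UnauthorizedAccessException ex)
        {
            return LogAndRespond(ex, correlationId, rawQuery);
        }
    }

    public static void Main()
    {
        // Console stands in for the EventLogTraceListener the module describes.
        Trace.Listeners.Add(new TextWriterTraceListener(Console.Error));
        Trace.AutoFlush = true;
        string response = HandleRequest(@"C:\inetpub\app\missing.config",   // constructed, does not exist
                                        "user=bob&password=hunter2\r\nFORGED LINE");
        Console.WriteLine(response);
    }
}
```

System.Diagnostics.Trace calls compile only when the TRACE symbol is defined (Visual Studio project templates define it; on the command line use csc /d:TRACE). The log line written to standard error shows the query with the password masked and the injected newline escaped, while standard output carries only the generic message and the reference id.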

Exception Handling Best Practices

o Best Practices for Coding Exceptions Safely

o Do’s and Don’ts in Exception Handling

o Guidelines for Proper Exception Handling

o Error Handling Security Checklists

Auditing and Logging

o What is Logging and Auditing?

o Need for Secure Logging and Auditing

o Common Threats to Logging and Auditing

o What Should be Logged?

o What Should NOT be Logged?

o Where to Perform Event Logging?

o Performing Log Throttling in ASP.NET Health Monitoring System

o Windows Event Log

Protecting the Windows Event Log from Denial of Service Attacks

Securing Windows Event log

Preventing Rogue Administrators from Tampering with Windows Event Logs

o Centralizing Logging and Configuring its Security

o Tracing in .NET

Writing Trace Output to Windows Event Log Using EventLogTraceListener

Auditing and Logging Best Practices

o Tracing Security Concerns and Recommendations

o Secure Auditing and Logging Best Practices: Protecting Log Records

o Secure Auditing and Logging Best Practices: Fixing the Logs

o Auditing and Logging Security Checklists

.NET Logging Tools

o Apache Foundation’s log4net

o SmartInspect 

o NLog 

o Logview4net

o .NET Logging Tools

 

Module 08: .NET Secure File Handling

File Handling

o System.IO Namespace Classes

Attacks on Files and Their Defensive Techniques

o Path Traversal Attack

Protecting against Path Traversal Attacks

Possible Methods to Prevent Path Traversal

o Canonicalization

Canonicalization Attack

Protecting the Applications against Canonicalization Attacks

Securing Files

o Securing the Static Files

o Adding Role Checks to File Access

o Securing File I/O from Untrusted File Input

o Securing File I/O with Absolute Path

o Constrain File I/O by Configuring Code Access Security Policy

o Securing User-Specified Files with FileIOPermission 

o Virtual Path Mapping Using MapPath 

o Preventing Cross-Application Mapping Using MapPath 

o Validating File Names using GetFullPath 

o Securing User Uploaded Files
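
Added example (not course material) for the path traversal, canonicalization and GetFullPath items above: a resolver that accepts a user-supplied file name only if it is a bare name with an allowed extension and, after canonicalization with Path.GetFullPath, still lies under the application's upload directory. The base directory, extension whitelist and test names are assumptions.

```csharp
// Added example, not course material: confine user-supplied file names to one directory.
using System;
using System.IO;
using System.Linq;

public static class SafeFileAccess
{
    static readonly string[] AllowedExtensions = { ".txt", ".pdf", ".png" };   // assumed whitelist

    // Resolve userSupplied to a full path strictly inside baseDir, or throw.
    public static string ResolveUnderBase(string baseDir, string userSupplied)
    {
        if (string.IsNullOrWhiteSpace(userSupplied)) throw new ArgumentException("empty name");

        // 1. Reject illegal characters first; this includes NUL, the classic
        //    "report.pdf\0.exe" truncation trick, and ':' (alternate data streams).
        if (userSupplied.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("illegal character in file name");

        // 2. A bare file name only: any directory part ("..\", "/etc/") or a rooted path
        //    is refused. This also defuses the Path.Combine rule that a rooted second
        //    argument replaces the first.
        if (Path.GetFileName(userSupplied) != userSupplied || Path.IsPathRooted(userSupplied))
            throw new UnauthorizedAccessException("directory components not allowed");

        // 3. Extension whitelist, case-insensitive (".PDF" and ".pdf" name the same file on Windows).
        string ext = Path.GetExtension(userSupplied);
        if (!AllowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("extension not allowed");

        // 4. Canonicalize and re-check containment. GetFullPath collapses "." and "..",
        //    normalizes separators and (on Windows) trims trailing dots and spaces. The
        //    trailing separator on the base stops "C:\data2\x" from passing a prefix test
        //    against "C:\data".
        string root = Path.GetFullPath(baseDir)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, userSupplied));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes base directory");

        return full;
    }

    public static void Main()
    {
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");   // assumed upload root
        string[] names =   // constructed inputs
        {
            "report.pdf", "..\\web.config", "../../etc/passwd",
            "C:\\Windows\\win.ini", "report.pdf\0.exe", "report.exe", "REPORT.PDF"
        };
        foreach (string name in names)
        {
            string shown = name.Replace("\0", "\\0");
            try
            {
                Console.WriteLine("{0,-24} -> {1}", shown, ResolveUnderBase(baseDir, name));
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("{0,-24} -> rejected: {1}", shown, e.Message);
            }
            catch (UnauthorizedAccessException e)
            {
                Console.WriteLine("{0,-24} -> rejected: {1}", shown, e.Message);
            }
        }
    }
}
```

The containment check in step 4 is the one that matters; steps 1 to 3 exist so that the rejection happens before any file-system call and so that the error message can say why. For uploads, the stored name should be generated by the server (a GUID plus the validated extension) and the user's original name kept only as metadata.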

File Extension Handling

o Active Server Pages (ASP) Directory Listing

o Creating Directory Listing

Isolated Storage

o Isolated Storage - Get Store/Open Store

o Isolated Storage Root Location Storage Files

o Isolated Storage Example

File Access Control Lists (ACLs)

o File ACLs

o Required .NET Access Control Lists (ACLs)

Checklist for Securely Accessing Files

 

Module 09: .NET Configuration Management and Secure Code Review

Configuration Management

o ASP.NET Configuration Files

o ASP.NET Configuration File Model

o ASP.NET Configuration File Locations

o Configuration Management Threats

Machine Configuration File

o Machine Configuration File: Machine.config 

o Machine.config Vulnerability

Application Configuration Files

o Application Configuration File: Web.config 

Web.config Vulnerabilities: Default Error Message

Web.config Vulnerabilities: Leaving Tracing Enabled in Web-Based Applications

Web.config Vulnerabilities: Leaving Debugging Enabled

Web.config Vulnerabilities: Cookies Accessible through Client-Side Script

Web.config Vulnerabilities: Enabled Cookieless Session State

Web.config Vulnerabilities: Enabled Cookieless Authentication

Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies

Web.config Vulnerabilities: Using Sliding Expiration

Web.config Vulnerabilities: Using Non-Unique Authentication Cookie

Web.config Vulnerabilities: Using Hardcoded Credential

Web.config Vulnerabilities: Securing List-based Controls using EnableEventValidation

Web.config Vulnerabilities: Securing Passwords using PasswordFormat

Web.config Vulnerabilities: Changing Default Values of Membership Settings

Web.config Vulnerabilities: Securing Against XSS Attack Vulnerabilities

Web.config Vulnerabilities: Securing Against DoS Attack Vulnerabilities

Web.config Vulnerabilities: Preventing ViewState from Tampering

Web.config Vulnerabilities: Securing ViewState with SDL-approved Cryptographic Algorithms

Web.config Vulnerabilities: Securing ViewState with Strong Validation Key

Web.config Vulnerabilities: Securing ViewState using Encryption

Web.config Vulnerabilities: Selecting Right Algorithm for ViewState Encryption

Web.config Vulnerabilities: Deploying Application with Strong decryption Key

Web.config Vulnerabilities: Ignoring Validation Errors
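
Added example (not course material): a web.config fragment with hardened values for the settings listed above. Each comment names the insecure value it replaces. The application, provider and cookie names, the connection-string name and the key placeholders are assumptions; both machineKey values must be generated with a CSPRNG, never typed in.

```xml
<?xml version="1.0"?>
<!-- Added example, not course material. Placeholders in [brackets] must be replaced. -->
<configuration>
  <system.web>
    <!-- debug="true" ships symbols and disables timeouts; trace enabled="true" exposes request data at trace.axd -->
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />

    <!-- mode="Off" returns the full stack trace to every client -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- default: cookies readable from script and sent over plain HTTP -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- cookieless="UseUri", "AutoDetect" or "UseDeviceProfile" put the session ID in the URL -->
    <sessionState mode="InProc" cookieless="UseCookies" regenerateExpiredSessionId="true" timeout="20" />

    <authentication mode="Forms">
      <!-- replaces requireSSL="false", slidingExpiration="true", the shared default name ".ASPXAUTH" and cookieless="UseUri" -->
      <forms name="__AppAuth_Example" loginUrl="~/Login.aspx" requireSSL="true"
             slidingExpiration="false" timeout="30" cookieless="UseCookies" protection="All" />
    </authentication>

    <!-- enableViewStateMac="false" allows ViewState tampering; encryption hides its contents;
         event validation rejects list values the page never rendered -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always"
           enableEventValidation="true" validateRequest="true" />

    <!-- AutoGenerate keys differ per server and tempt people into weak hard-coded values -->
    <machineKey validationKey="[128 hex characters from a CSPRNG]"
                decryptionKey="[64 hex characters from a CSPRNG]"
                validation="HMACSHA256" decryption="AES" />

    <!-- maxRequestLength is in KB; the 4096 default plus a long executionTimeout invites upload-based DoS -->
    <httpRuntime maxRequestLength="2048" executionTimeout="30" enableVersionHeader="false" />

    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <!-- replaces passwordFormat="Clear"/"Encrypted" (reversible) and the 7-character default minimum -->
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb" passwordFormat="Hashed"
             minRequiredPasswordLength="12" minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"
             enablePasswordRetrieval="false" enablePasswordReset="true" />
      </providers>
    </membership>
  </system.web>
  <!-- Hard-coded credentials: keep them in connectionStrings and encrypt that section in place with
       aspnet_regiis -pe "connectionStrings" -app "/MyApp" -->
</configuration>
```

The machineKey element is what makes the ViewState and forms-ticket items above effective: with enableViewStateMac and an HMAC-SHA256 validation key, tampering is detected; with the decryption key and viewStateEncryptionMode="Always", the contents are hidden. Both keys must be identical on every server in a farm.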

o Application Configuration Files: App.exe.config 

App.exe.config Vulnerabilities

Code Access Security Configuration Files

o Enterprise Policy Configuration File: enterprisesec.config 

o Machine and User Policy Configuration File: security.config 

o ASP.NET Policy Configuration Files

o .NET Framework Configuration Tool: Mscorcfg.msc 

Mscorcfg.msc Features

o Code Access Security Policy Tool: Caspol.exe

Configuration Management Best Practices

Secure Code Review

o Why Secure Code Review?

o Security Code Review Approach

Step 1: Identify Security Code Review Objectives

Step 2: Perform Preliminary Scan

Step 3: Review Code for Security Issues

Step 4: Review for Security Issues Unique to the Architecture

Static Code Analysis Tools

o Parasoft dotTEST 

o Microsoft FxCop 

o StyleCop 

o NDepend 

o ReSharper 

 

