Secure Coding for .NET

Course Duration: 4 hours
Intended Audience: Developers

Once developers understand the basics, they are in a position to start learning more specific design and coding techniques for .NET application security. This course approaches application security practices and associated vulnerabilities as part of nine domains. Trust Boundaries covers essential principles regarding the treatment of application inputs from any source. In the Authentication and Authorization domains, we discuss application approaches to verifying a user is who they claim to be, and that that user is allowed to do what they attempt to do. Input Validation covers approaches to validating application input as well as what inputs should be subject to validation. With Information and Error Handling, Non-Repudiation and Auditing, Data Protection, and Configuration and Deployment, we discuss a wide range of practices that apply to applications and web applications in general, as well as recommended approaches for more distinct application features. This course is also available in a Java security training version so that developers learn platform-specific concerns and countermeasures.

Domain 1: Trust Boundaries
Course Objectives: After completing this lesson, you should be able to:

  • Describe the concept of trust boundaries and how they apply to application security
  • Demonstrate an understanding of general approaches for handling trust boundaries in applications

Domain 2: Authentication
Course Objectives: After completing this lesson, you should be able to:

  • Identify common authentication approaches
  • Identify common authentication vulnerabilities

Domain 3: Authorization
Course Objectives: After completing this lesson, you should be able to:

  • Describe common approaches for authorizing system access
  • Describe where authorization should occur
  • Demonstrate knowledge of common authorization vulnerabilities

Domain 4: Validation and Encoding
Course Objectives: After completing this lesson, you should be able to:

  • Describe best practices for input validation
  • Identify common vulnerabilities that proper validation can help address

Domain 5: Information and Error Handling
Course Objectives: After completing this lesson, you should be able to:

  • Describe the risks associated with poor information and error handling
  • Describe best practices for containing sensitive information and handling application failure

Domain 6: Non-Repudiation and Auditing
Course Objectives: After completing this lesson, you should be able to:

  • Desrcibe the value of non-repudiation, separation of duties, and support for auditing
  • Identify best practices for logging and reporting error conditions

Domain 7: Data Protection
Course Objectives: After completing this lesson, you should be able to:

  • Demonstrate knowledge of the general concepts of modern cryptography
  • Describe cryptographic best practices and common mistakes
  • Identify approaches for handling data classification standards

Domain 8: Configuration and Deployment
Course Objectives: After completing this lesson, you should be able to:

  • Demonstrate knowledge of how proper configuration and deployment can manage the impact of existing vulnerabilities and prevent others
  • Describe common configuration and deployment flaws and the danger they post to applications

Domain 9: Defense in Depth
Course Objectives: After completing this lesson, you should be able to:

  • Describe the concept of defense in depth
  • Discuss how defense in depth applies to secure design and implementation

On-Site Training Available

If e-Learning is not the best solution for your training needs, the creators of ThreadStrong also offer application security training in classroom format.

Register for an Online Demonstration or Contact Us for More Information.