• Classroom
  • Online, Self-Paced

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET, 2.0 Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? The Secure Coding in .NET course will help students leverage built-in and custom defensive technologies to integrate security into their applications.

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of .NET applications.

Learning Objectives

  • Use a web application proxy to view HTTP requests and responses.
  • Review and perform basic exploits of common .NET web application vulnerabilities, such as those found in the SANS/CWE Top 25 and the OWASP Top 10:
    • Cross-Site Scripting
    • Parameter Manipulation
    • Open Redirect
    • Unvalidated Forwards
    • SQL Injection
    • Session Hijacking
    • Clickjacking
    • Cross-Site Request Forgery
    • Man-in-the-middle (MITM)
  • Mitigate common web application vulnerabilities using industry best practices in the .NET framework, including the following:
    • Input Validation
    • Blocklist & Allowlist Validation
    • Regular Expressions
    • Command Encoding
    • Output Encoding
    • Content Security Policy
    • Client-side Security Headers
  • Understand built-in ASP .NET security mechanisms, including the following:
    • AntiForgeryToken
    • Data Annotations
    • Event Validation
    • Request Validation
    • View State
    • Entity Framework
    • ASP.NET Identity
    • Forms Authentication
    • Membership Provider
    • WCF
    • Web API
    • Roslyn Diagnostic Analyzers
  • Apply industry best practices (NIST, PCI) for cryptography and hashing in the .NET framework.
  • Implementing a secure software development lifecycle (SDLC) to include threat modeling, static analysis, and dynamic analysis.

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.