2145 Hamilton Avenue
San Jose, California 95131

Summary

This course is similar to Aspect's Building and Testing Secure Web Applications, except that it includes a significant amount of .NET-focused content, including:

.NET Framework security overview,
All coding examples and recommendations are specifically focused on .NET, and
3 additional hands-on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class.

This class covers, and includes examples from, both C# and ASP.NET.

To make room for this .NET-specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for .NET course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today, and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most .NET-based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):

Authentication and Session Management
Access Control
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Input Validation
Protecting Sensitive Data (w/ Crypto)
Database Security (Including SQL Injection)
Error Handling and Logging
Code Quality

For each area, the course covers the following:

Theoretical foundations
Recommended security policies
Common pitfalls when implementing
Details on historical exploits
Best practices for implementation

Official Website: http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007

Added by artificialignorance on October 16, 2007