"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Transcription

1 Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based web applications. In addition to teaching basic programming skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle. In this course, students thoroughly examine best practices for defensively coding.net web applications, including XML processing and web services. Students will repeatedly attack and then defend various assets associated with a fully-functional web application. This hands-on approach drives home the mechanics of how to secure.net web applications in the most practical of terms. Security experts agree that the least effective approach to security is "penetrate and patch". It is far more effective to "bake" security into an application throughout its lifecycle. After spending significant time trying to defend a poorly designed (from a security perspective) web application, developers are ready to learn how to build secure web applications starting at project inception. The final portion of this course builds on the previously learned mechanics for building defenses by exploring how design and analysis can be used to build stronger applications from the beginning of the software lifecycle. A key component to our Best Defense IT Security Training Series, this workshop is a companion course with several developer-oriented courses and seminars. Although this edition of the course is.net-specific, it may also be presented using Java or other programming languages. Objectives At the end of this course, students will be able to: Understand potential sources for untrusted data Understand the consequences for not properly handling untrusted data such as denial of service, crosssite scripting, and injections Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses Prevent and defend the many potential vulnerabilities associated with untrusted data Understand the vulnerabilities of associated with authentication and authorization Be able to detect, attack, and implement defenses for authentication and authorization functionality and services Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks Be able to detect, attack, and implement defenses against XSS and Injection attacks Understand the concepts and terminology behind defensive, secure, coding Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications Design and develop strong, robust authentication and authorization implementations within the context of.net

2 Course Summary (cont d) Be able to detect, attack, and implement defenses for XML-based services and functionality Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure Understand and implement the processes and measures associated with the Secure Software Development (SSD) Acquire the skills, tools, and best practices for design and code reviews as well as testing initiatives Understand the basics of security testing and planning Work through a comprehensive testing plan for recognized vulnerabilities and weaknesses Topics Foundation Top Security Vulnerabilities Understanding what s important Defending XML Processing Secure Software Development (SSD) Security Testing Appendix: Security Design Patterns Audience This is an intermediate-level.net programming course designed for application project stakeholders who wish to get up and running on developing well defended.net applications. Prerequisites Familiarity with the C# programming language is required, and real world programming experience is highly recommended. Students should have an understanding and a working knowledge in basic programming in.net. Students should have experience similar to ProTech s.net Framework Using C#. Take After: We offer a variety of introductory through advanced security, development, project management, engineering, architecture and design courses. Students may want to consider the following topics as follow-on to this course. Securing.Net Web Services Mastering Secure SOA Secure Software Design Additional advanced Security or Secure Programming topics Service-Oriented Analysis and Design Web Services Intro through Advanced Software Engineering, Design or Project Management tracks Duration Four days

3 I. Foundation A. Misconceptions 1. Thriving Industry of Identity Theft 2. Dishonor Roll of Data Breaches 3. TJX: Anatomy of a Disaster 4. Heartland: What? Again? B. Security Concepts 1. Terminology and Players 2. Assets, Threats, and Attacks 3. OWASP 4. CWE/SANS Top 25 Programming Errors 5. Categories 6. What they mean to your web applications C. Defensive Coding Principles 1. Security Is a Lifecycle Issue 2. Bolted on Versus Baked 3. Minimize Attack Surface Area 4. Examples of Minimization 5. Defense in Depth 6. Manage Resources 7. Layers of Defense: Tenacious D 8. Compartmentalize 9. Consider All Application States 10. Do NOT Trust the Untrusted 11. Fix Security Defects Correctly 12. Learning From Vulnerabilities D. Reality 1. Recent, Relevant Incidents 2. Finding Security Defects In Web Applications II. Top Security Vulnerabilities A. Unvalidated Input 1. Unvalidated Input: Description 2. Integer Arithmetic Vulnerabilities 3. Unvalidated Input: From the Web 4. Hidden Values in HTTP Communications 5. Unvalidated Input: Symptoms and Detection 6. Detection Through Fuzz Testing 7. Unvalidated Input: Fixes 8. Identifying Trust Boundaries 9. Designing An Appropriate Response 10. Testing Defenses And Responses B. Overview of Regular Expressions Course Outline C. Broken Access Control 1. Access Control Issues 2. Broken Access Control: Description 3. Excessive Privileges 4. Unprotected URL/Resource Access: Description 5. Unprotected URL/Resource Access: Symptoms and Detection 6. Primary Concerns in URL/Resource Access 7. Unprotected URL/Resource Access: Fixes 8. Protecting Sessions 9. Addressing Client-Side Caching of Content 10..Net authorization security overview 11. Defending special privileges such as administrative functions 12. Application authorization best practices D. Broken Authentication and Session Management 3. Multi-layered defenses of authentication services 4. Password management strategies 5. Password handling with hashing 6. Mitigating password caching 7. Testing defenses and responses for weaknesses 8. Alternative authentication mechanisms 9. Best practices for session management 10. Defending session hijacking attacks 11. Best practices for Single Sign-On (SSO) E. Cross Site Scripting (XSS) Flaws 1. Description With Working Example 3. Character Encoding Complications 4. Blacklisting 5. Whitelisting 6. HTML/XML Entity Encoding 7. Trust Boundary Definition 8. Implementing An Effective Layered Defense 9. Designing An Appropriate Response F. Injection Flaws 1. SQL Injection Continues to be Prevalent 2. Injection Flaws: Description 3. Injection Flaws: Symptoms and Detection 4. SQL Injection Examples

4 Course Outline (cont d) 5. SQL Injection Attacks Evolve 6. Attackers have a Variety of Tools 7. SQL Injection: Drill Down on Stored Procedures 8. SQL Injection: Drill Down on ORM 9. Minimize SQL Injection Vulnerabilities 10. Minimizing Injection Flaws 11. Command Injection Vulnerabilities G. Error Handling and Information Leakage 3..Net web application exception handling framework 4. Error response best practices 5. Error, auditing, and logging content management 6. Error, auditing, and logging service management 7. Best practices for supporting web attack forensics 8. Information Leaks 9. Data Loss Prevention (DLP) 10. Solving DLP Challenges 11. DLP: What and Where 12. DLP: Best Practices H. Insecure Storage 3. Data leakage 4. Risk minimization 5. Cryptography Overview 6. Data encryption 7. In-Memory Data Handling 8. Handling Passwords on Server Side I. Insecure Management of Configuration 3. System hardening 4..Net application server configuration Gotchas! 5. Hardening software installation J. Direct Object Access 3. XML/DTD/Schema/XSLT best practices 4. Race Conditions 5. Direct Object References K. Spoofing and Redirects 1. Spoofing: Description 2. Name Resolution Vulnerabilities 3. Attacks are Constant and Changing 4. Spoofing: Fixes 5. Cross Site Request Forgeries (CSRF) 6. How To Get Victim To Select URL? 7. CSRF Defenses are Entirely Server-Side 8. CSRF Defenses are Evolving 9. Redirects and Forwards 10. Safe Redirects and Forwards III. Understanding What s Important A. Prioritizing Your Efforts 1. Common Vulnerabilities and Exposures 2. OWASP Top Ten for Security Is a Lifecycle Issue 4. Minimize Attack Surface Area 5. Defense in Depth 6. Manage Resources 7. Layers of Defense: Tenacious D 8. Compartmentalize 9. Consider All Application States 10. Do NOT Trust the Untrusted 11. Fix Security Defects Correctly 12. Leverage Experience B..Net Issues and Best Practices 1..Net Security Mechanisms 2..Net Authorization Mechanism 3. Securing Passwords and Configurations 4. Managed Code and Buffer Overflows 5..Net Permissions 6. ActiveX Security Implications 7. Securely Handling Exceptions in.net IV. Defending XML Processing A. Defending XML 1. Understanding common attacks and how to defend 2. Operating in safe mode 3. Using standards-based security 4. XML-aware security infrastructure B. Defending Web Services 1. Security exposures 2. Transport-level security

5 Course Outline (cont d) 3. Message-level security 4. WS-Security 5. Attacks and defenses C. Defending Ajax 1. Ajax Security exposures 2. Attack surface changes 3. Injection threats and concerns 4. Effective defenses and practices V. Secure Software Development (SSD) A. SSD Process Overview B. CLASP Defined C. CLASP Applied 1. Asset, Boundary, and Vulnerability Identification 2. Vulnerability Response 3. Design and Code Reviews 4. Applying Processes and Practices 5. Risk Analysis VII. Appendix: Security Design Patterns A. Design patterns introduction B..Net Web Application Security Design Patterns 1. Authentication Enforcer 2. Authorization Enforcer 3. Intercepting Validator 4. Secure Base Action 5. Secure Logger 6. Secure Pipe 7. Secure Service Proxy 8. Intercepting Web Agent VI. Security Testing A. Testing as Lifecycle Process B. Testing Planning and Documentation C. Testing Tools And Processes 1. Principles 2. Reviews 3. Testing 4. Tools D. Static and Dynamic Code Analysis E. Testing Practices 1. Authentication Testing 2. Session Management Testing 3. Data Validation Testing 4. Denial Of Service Testing 5. Web Services Testing 6. Ajax Testing