Building Security into ASP.NET v3.0

Course Description

ASP.NET is the platform of choice for .NET developers. The security built into the framework has come a long way in 15 years, but there are still some areas that require the developer to remain vigilant in guarding their application from attackers. Learn the ins and outs of identity management, data protection best practices, attack prevention techniques, and other security topics as they apply to .NET.

Learning Objectives

  • Determine which features of ASP.NET already meet your security requirements
  • Understand how to develop secure applications on top of ASP.NET, and how to safely use the various editions of the framework

Details

Delivery Format: eLearning

Duration: 2 hours

Level: Intermediate

  • Architects
  • Back-End Developers
  • Enterprise Developers

Course Outline

Handling Input Security

  • Welcome to Building Security into ASP.NET
  • Don't Trust the Client
  • General Input Validation
  • ASP.NET Request Validation
  • Validator Controls
  • Razor's ValidationHelper
  • MVC Model Binding and Validation
  • Cross-Site Scripting
  • Output Encoding
  • Template Injection
  • Injections
  • Open Redirect Attacks
  • Cross-Origin Request Sharing
  • Deserializing Objects

Dealing with Files Securely

  • Defending the File System
  • Directory Traversal
  • Defending Against Directory Traversal
  • Local File Inclusion
  • Defending Against a Local File Inclusion Attack
  • The Dangers of File Uploads
  • Attack Review
  • Defending Against File Upload Attacks
  • Windows-Specific Issues
  • Linux-Specific Issues 

Identity

  • Introduction to Access Control
  • Identity Management in ASP.NET
  • ASP.NET Core Identity
  • Azure Active Directory
  • ASP.NET 4 Membership

Authentication

  • What Is Authentication?
  • Two-Factor Authentication
  • Certificate Authentication
  • External Authentication Providers
  • Authentication in ASP.NET Core
  • Authentication in Azure App Service
  • Authentication in ASP.NET 4 MVC
  • Authentication in ASP.NET Web Forms

Authorization

  • Authorization
  • Role-Based Authorization
  • Claim-Based Authorization
  • Policy-Based Authorization
  • Resource-Based Authorization
  • View-Based Authorization
  • Razor Authorization Conventions

Session Management

  • Sessions in ASP.NET
  • Handling Session Cookies
  • Shared SSO Cookies
  • Cross-Site Request Forgery
  • SameSite Cookies
  • Anti CSRF in ASP.NET Core and Razor
  • Anti CSRF in ASP.NET 4 Web Forms

Data Protection in ASP.NET

  • Using Cryptography in ASP.NET
  • ASP.NET Core DataProtection
  • Configuring DataProtection
  • Time Limitations
  • Password Protection in ASP.NET
  • Using ASP.NET Core DataProtection in ASP.NET 4

Exceptions and Logging

  • Exceptions and Logging
  • Handling Exceptions
  • Bad Exception-Handling Practice
  • Managed Exceptions in ASP.NET Core
  • Logging
  • Logging Best Practice
  • Logging in ASP.NET Core
  • Monitoring with Application Insights
  • Information Leakage
  • Debugging
  • Debugging: Spot the Problem

Configuration Management

  • Why Is Configuration Important?
  • Environment Settings
  • Web Servers and Hosting
  • Hosting with Kestrel Web Server
  • Hosting with HTTP.sys
  • Hosting with IIS HTTP Server
  • HTTPS
  • Security Headers
  • Keeping It Updated

Client-Side Integration 

  • API Security with SPAs
  • Authentication with SPA
  • Authorization with SPA
  • Securing Blazor WebAssembly Apps
  • Working with SignalR

Conclusion

  • Where We've Been So Far
  • A Summary of All You've Learned
  • Where to Go to Learn More
