About the course
Building secure software is an absolute necessity. Developers using the Microsoft .NET platform face specific security challenges and opportunities when it comes to protecting their applications and the sensitive data they handle. This 3-day intensive hands-on training course is designed to equip .NET developers, architects, and technical leads with the essential knowledge and practical skills required to identify common security vulnerabilities, understand precisely how they manifest within .NET applications (including ASP.NET Core and other relevant technologies), and implement effective countermeasures using secure coding practices and the powerful security features provided by the .NET platform and its ecosystem. The course is heavily informed by the widely recognised OWASP (Open Web Application Security Project) guidelines, particularly focusing on the OWASP Top 10 list of critical web application security risks.
The course begins by analysing current threat vectors targeting software development teams and exploring the fundamental reasons why web applications, including those built with .NET technologies, can be vulnerable to attack. Participants will then dive deep into the OWASP Top 10 list, gaining a detailed understanding of each vulnerability category, how to identify these risks within .NET codebases and architectures, and, crucially, learning effective techniques to prevent them. Hands-on labs will provide practical experience in recognising vulnerable .NET code patterns, understanding the impact of these vulnerabilities, and applying secure coding techniques and .NET security APIs to mitigate risks. The training covers essential defence mechanisms such as implementing robust Authentication and Authorization using modern .NET frameworks like ASP.NET Core Identity, designing effective protection through practical Threat Modelling activities tailored for .NET projects, and utilising Encryption and other critical data protection techniques provided by the .NET cryptography libraries.
Furthermore, the course explores the importance of integrating security throughout the entire Software Development Lifecycle (SDLC), shifting security "left" by incorporating secure design principles and threat modelling early in the development process. Participants will learn specific .NET techniques for secure input validation, output encoding, and best practices for managing sensitive configuration and secrets to prevent common injection attacks, Cross-Site Scripting (XSS), and sensitive data exposure. The course provides an overview of how various security testing approaches (including an introduction to penetration testing tips and techniques relevant to web applications) and automated secure testing tools can help identify vulnerabilities proactively before deployment. By the end of this course, attendees will have a solid understanding of secure .NET development principles, be intimately familiar with key OWASP vulnerabilities and their specific manifestations and countermeasures in .NET, and possess practical skills to build more secure, resilient, and trustworthy .NET applications.
-
- 1. Understand current software threat vectors, the motivations behind attacks, and the fundamental reasons why web applications can be insecure.
- 2. Explain the principles of secure design and architecture and understand how to implement security throughout the Software Development Lifecycle (SDLC).
- 3. Identify the vulnerabilities listed in the OWASP Top 10, understand how they specifically apply to .NET applications, and learn practical techniques to prevent them.
- 4. Implement secure Authentication and Authorization mechanisms in .NET applications, including effectively using ASP.NET Core Identity and role/policy-based authorization.
- 5. Perform basic Threat Modelling activities tailored for .NET projects to identify potential security risks during the design phase.
- 6. Utilise Encryption and other .NET cryptography APIs effectively for data protection, including securing data at rest and in transit.
- 7. Apply secure coding best practices in .NET, including secure input validation, output encoding, managing sensitive configuration, and handling errors securely.
- 8. Understand the purpose and techniques of Penetration Testing and Testing for Secure Software, and know how to apply relevant testing approaches to .NET applications.
-
This 3-day intensive hands-on training course is designed for software developers, architects, and technical leads building applications using the Microsoft .NET platform. It is ideal for:
Software Developers working with .NET (including ASP.NET, ASP.NET Core, .NET) who want to build secure applications and prevent common vulnerabilities.
.NET Architects and Technical Leads responsible for designing secure application architectures and guiding development teams on security best practices.
Anyone involved in building or maintaining web applications, APIs, or services using .NET technologies.
Security professionals who need to understand application security specifically within the .NET ecosystem to perform code reviews or advise development teams.
-
Participants should have:
Experience developing applications using the Microsoft .NET framework or .NET Core / .NET.
Familiarity with building web applications using ASP.NET or ASP.NET Core is highly recommended, as many examples and labs will focus on web vulnerabilities.
A basic understanding of web technologies (HTTP, browsers, client-server concepts).
We can customise the training to match your team's experience and needs - with more time and coverage of fundamentals for newer developers, for instance.
-
This Secure .NET course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
-
Introduction to Secure .NET Development
Welcome and course overview.
The importance of secure software development in the modern threat landscape.
Current Threat Vectors used to attack Dev Teams and organisations.
The business and reputational impact of security breaches.
Why are Web Applications Insecure? Common weaknesses and attack surface.
Understanding the Attacker's mindset.
Discussion: Analysing recent real-world breaches and their causes.
Implementing a Secure Development Cycle (SDLC)
Shifting security "left": Integrating security into the SDLC.
Understanding and applying Secure Design Principles.
Requirements gathering with security in mind.
Secure coding standards and guidelines.
Security testing throughout the lifecycle.
Secure deployment and operations.
Review and continuous improvement.
Activity: Discussing how to integrate security into a typical development workflow.
Introduction to the OWASP Top 10
What is OWASP? History and resources.
Overview of the OWASP Top 10 (2021): The most critical web application security risks.
Why the OWASP Top 10 is important for developers.
Mapping OWASP risks to common software weaknesses (CWE).
Introduction to the Hands-On Lab environment and tools.
Hands-On Lab: Introduction to the lab environment, exploring a vulnerable application.
OWASP – The Big Picture
OWASP Top 10
OWASP API Security Top 10
Using the OWASP API Security Top 10
Metrics behind the Top 10 Risks
Module 4: OWASP Top 10 (Part 1) - Injection (A03:2021)
Understanding Injection flaws (SQL Injection, OS Command Injection, etc.).
How Injection vulnerabilities manifest specifically in .NET applications (e.g., vulnerable ADO.NET code, LINQ to SQL issues, interacting with OS processes).
Preventing Injection:
Using Parameterized Queries and ORMs (Entity Framework Core).
Securely interacting with the operating system.
Secure input validation and sanitisation techniques in .NET.
Hands-On Lab: Identifying and exploiting Injection vulnerabilities in .NET code examples, implementing mitigation using parameterized queries or ORM.
Broken Access Control (A01:2021)
Understanding Access Control vulnerabilities.
How Broken Access Control manifests in .NET applications (e.g., missing checks, insecure direct object references (IDOR), privilege escalation).
Preventing Broken Access Control:
Implementing granular access control checks server-side.
Using Role-Based Access Control (RBAC) and Policy-Based Authorization in ASP.NET Core.
Handling object references securely (e.g., using opaque identifiers).
Hands-On Lab: Identifying and exploiting Broken Access Control issues in .NET code, implementing secure access control checks and authorization policies.
Cryptographic Failures (A02:2021)
Understanding vulnerabilities related to sensitive data exposure.
How Cryptographic Failures manifest in .NET applications (e.g., weak encryption, improper key management, sending sensitive data over insecure channels).
Preventing Cryptographic Failures:
Identifying sensitive data and its lifecycle.
Using .NET Cryptography APIs securely (System.Security.Cryptography).
Best practices for encryption (at rest and in transit - TLS/HTTPS).
Secure key management in .NET applications.
Securely storing credentials and secrets (e.g., using .NET Secret Manager or Azure Key Vault).
Hands-On Lab: Identifying sensitive data exposure, implementing data encryption/decryption using .NET cryptography APIs, securing secrets.
Identification and Authentication Failures (A07:2021)
Understanding vulnerabilities related to broken authentication and session management.
How Authentication and Identification Failures manifest in .NET applications (e.g., weak password handling, insecure session management, lack of MFA).
Implementing Secure Authentication and Authorization in .NET:
Using ASP.NET Core Identity for robust user management.
Secure password hashing and storage (Identity default security).
Implementing multi-factor authentication (MFA) with .NET Identity.
Secure session management (cookies, tokens).
Preventing brute-force and credential stuffing attacks.
Hands-On Lab: Implementing secure user registration and login with ASP.NET Core Identity, configuring password policies, implementing MFA.
Security Misconfiguration (A05:2021)
Understanding vulnerabilities from improper setup or defaults.
How Security Misconfiguration manifests in .NET environments (e.g., default credentials, unnecessary services, verbose error messages, insecure cloud configurations).
Preventing Security Misconfiguration:
Secure configuration practices in .NET applications (appsettings.json, configuration providers).
Removing default or unnecessary components.
Hardening the deployment environment (IIS, Kestrel, Azure App Services).
Logging and monitoring best practices in .NET.
Hands-On Lab: Identifying security misconfigurations in a .NET application and environment, applying secure configuration settings.
Cross-Site Scripting (XSS) (A03:2021 - part of Injection)
Understanding XSS flaws (Reflected, Stored, DOM-based).
How XSS manifests in .NET web applications (e.g., injecting scripts into Razor views, handling untrusted user input displayed in UI).
Preventing XSS:
Using context-aware output encoding in ASP.NET Core Razor (@).
Manual output encoding when necessary (.NET HtmlEncoder).
Implementing Content Security Policy (CSP).
Securely handling user-provided HTML.
Hands-On Lab: Identifying and exploiting XSS vulnerabilities in a .NET web application, applying output encoding to prevent XSS.
Vulnerable and Outdated Components (A06:2021)
Understanding the risk of using libraries, frameworks, and other components with known vulnerabilities.
How this applies to the .NET ecosystem (NuGet packages, .NET runtime versions).
Preventing Vulnerable and Outdated Components:
Keeping .NET runtime and SDKs updated.
Managing NuGet package dependencies securely.
Using dependency scanning tools (e.g., OWASP Dependency Check, GitHub Dependabot).
Understanding CVEs (Common Vulnerabilities and Exposures).
Hands-On Lab: Using a dependency scanning tool on a .NET project to identify vulnerable components.
Insecure Design (A04:2021)
Understanding vulnerabilities resulting from design flaws.
How Insecure Design manifests in .NET architectures (e.g., trusting client-side input, lack of defence in depth, complex access control logic).
Addressing Insecure Design:
Integrating security into the design phase.
Applying secure design patterns.
Principle of Least Privilege in design.
Separation of Concerns for security boundaries.
Client-Side Security
OWASP Top 10: Software and Data Integrity Failures (A08:2021).
OWASP Top 10: Security Logging and Monitoring Failures (A09:2021).
OWASP Top 10: Server-Side Request Forgery (SSRF) (A10:2021).
How these manifest and are prevented in .NET applications.
Client-Side Security – Protecting your users:
Client-side Secure Design Principles.
Risks of client-side code (JavaScript).
Securing communication with the server (HTTPS revisited).
Input validation (client vs. server-side).
Protecting against Cross-Site Request Forgery (CSRF) using ASP.NET Core Anti-Forgery Tokens.
Hands-On Lab: Implementing anti-CSRF tokens in an ASP.NET Core application, identifying and mitigating SSRF in a .NET service.
Threat Modelling
What is Threat Modelling? Purpose and benefits.
Different Threat Modelling methodologies (e.g., STRIDE, DREAD).
Performing basic Threat Modelling for a .NET application (identifying assets, threats, vulnerabilities, countermeasures).
Integrating Threat Modelling into the SDLC.
Activity: Performing a mini-threat modelling exercise for a component of a .NET application.
Client-Side Security
OWASP Top 10: Software and Data Integrity Failures (A08:2021).
OWASP Top 10: Security Logging and Monitoring Failures (A09:2021).
OWASP Top 10: Server-Side Request Forgery (SSRF) (A10:2021).
How these manifest and are prevented in .NET applications.
Client-Side Security – Protecting your users:
Client-side Secure Design Principles.
Risks of client-side code (JavaScript).
Securing communication with the server (HTTPS revisited).
Input validation (client vs. server-side).
Protecting against Cross-Site Request Forgery (CSRF) using ASP.NET Core Anti-Forgery Tokens.
Hands-On Lab: Implementing anti-CSRF tokens in an ASP.NET Core application, identifying and mitigating SSRF in a .NET service.
Testing for Secure Software & Review
Why security testing is essential.
Types of security testing (Static Analysis - SAST, Dynamic Analysis - DAST, Interactive Analysis - IAST, Penetration Testing, Code Reviews).
Testing for Secure Software - Review: Techniques and best practices.
Introduction to Penetration Testing – Tips & Techniques: What developers should know about pentests.
Automated security testing tools relevant to .NET development (overview).
Interpreting security scanner results.
Reporting security findings.
Course Review and next steps in secure .NET development.
Hands-On Lab: Using a simple SAST tool on a vulnerable .NET codebase, interpreting results.
-
OWASP Official Website: The primary source for all OWASP projects, guides, and communities.
OWASP Top 10 (Latest Version): Detailed information on the most critical web application security risks.
OWASP Cheat Sheet Series: Practical guidance on preventing specific vulnerabilities.
ASP.NET Core Security Documentation: Comprehensive documentation on security features in ASP.NET Core, including authentication, authorization, data protection, and more.
Microsoft.AspNetCore.Identity Documentation: Detailed guide to implementing user identity and membership in ASP.NET Core.
.NET Cryptography Documentation: Documentation on the .NET APIs for encryption, hashing, and other cryptographic operations.
Trusted by
