ECSP.Net - EC-Council Certified Secure Programmer- Net v8 | IT Training & Certification | Info Trek

ECSP.Net - EC-Council Certified Secure Programmer- Net v8

  • Public Class
    • HRDF SBL Claimable
    • Lunch & refreshment provided
    • Certificate of Attendance available
    Starting From RM 4700.00
    3 Days
  • Private Class
    • All of our private classes are customized to your organization's needs. Send us your details and you will be contacted shortly.
    3 Days

Course Details

This course is invaluable to software developers and programmers who need to code and develop highly secure applications and web applications. It covers the whole software life cycle: designing, implementing, and deploying applications.

.Net is widely used by almost all organizations as the leading framework for building web applications.
The course teaches developers how to identify security flaws and implement security countermeasures throughout the software development life cycle, improving the overall quality of products and applications.

EC-Council Certified Secure Programmer lays the foundation required by all application developers and development organizations to produce applications with greater stability and fewer security risks to the consumer. The Certified Secure Application Developer standardizes the knowledge base for application development by incorporating the best practices followed by experienced experts in the various domains.

This course is purposefully built with numerous labs spread throughout the three days of training, giving participants critical hands-on time to fully grasp the new techniques and strategies in secure programming.

The ECSP certification is intended for programmers who are responsible for designing and building secure Windows/Web based applications with .NET Framework. It is designed for developers who have .NET development skills.

You must be well-versed in a .NET programming language.

This program is conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.

After completing this course, you will understand:

• .Net framework security features and various secure coding principles

• The .Net framework runtime security model, role-based security, code access security (CAS), and class libraries security

• Various validation controls, mitigation techniques for validation control vulnerabilities, defensive techniques against SQL injection attacks, and output encoding to prevent input validation attacks

• Defensive techniques against session attacks, cookie security, and View State security

• Mitigating vulnerabilities in class-level exception handling, managing unhandled errors, and implementing Windows log security against various attacks

• Defensive techniques against path traversal and canonicalization attacks, and file ACLs

• Mitigating vulnerabilities in machine config files, mitigating vulnerabilities in app config files, and security code review approaches

• The importance of secure programmers and certified secure programmers, the career path of secure programmers, and the essential skill set of secure programmers


Modules

Microsoft .NET Application Security

• .NET Application Security
• Need for .NET Application Security
• .NET Application Attack Statistics
• Understanding Application Security
• End-to-End Security
• What is Secure Coding?
• Why are Security Mistakes Made?
• Key Elements of .NET Framework Architecture Security
• .NET Security Features
• .NET Framework Security Namespaces
• ASP.NET Security Architecture

Common Security Threats on .NET
• Web Application Security Frame
• Common Security Threats on .NET
• OWASP Top 10 Attacks on .NET
o Security Misconfiguration
o Cross-Site Scripting (XSS) Attacks
o SQL Injection Attacks
o Cross-Site Request Forgery (CSRF) Attack
o Failure to Restrict URL Access
o Insufficient Transport Layer Protection
o Unvalidated Redirects and Forwards
o Insecure Direct Object References
o Broken Authentication and Session Management
o Insecure Cryptographic Storage

Secure Development Lifecycle (SDL)
• Phases of SDL
• SDL Process
• Integrating Security into the Development Lifecycle
• Security in the Design Stage: Threat Modeling
• Threat Modeling Process
o The STRIDE model
o The DREAD model
• Guidelines for Applying Security in Implementation Phase of SDL
• Security Testing

Introduction to .NET Framework

• .NET Framework Architecture

• Basic Components of .NET Framework


.Net Runtime Security

• .NET Framework Runtime Security Model

• Role-Based Security

o Role-Based Security: Windows Principal

o Role-Based Security: Generic Principal

• Code Access Security (CAS)

o Using Code Access Security in ASP.NET

o Evidence-Based Security

o Permissions

o Code Access Permissions

o Identity Permissions

o Role-Based Security Permissions

o Permissions Classes in .NET

o Type Safety

o SkipVerification

o Stack Walk

o Declarative and Imperative Security Syntax

• Isolated Storage

o Data Storing Process in Isolated Storage

o Managing Data Isolation using Store’s Identity

o Levels of Isolation

o Limitations of Isolated Storage

o Administering Isolated Storage

o Granting Isolated Storage Permissions with Mscorcfg.msc

o Granting Isolated Storage Permissions with Caspol.exe

o Managing Existing Stores


.NET Class Libraries Security

• Class Libraries Security

• Writing Secure Class Libraries

o Security Demands

o Link Demands

• Security Holes in Link Demands

o Inheritance Demands

o Overriding Security Checks

o Security Optimizations


.NET Assembly Security

• .NET Assembly

• Common Threats to .NET Assemblies

• Privileged Code

• Secure Assembly Design Considerations

• Secure Class Design Considerations

• Securing Assemblies Using Strong Name Signing

• Securing Assemblies with Code Access Attributes

• Securing Assemblies Against Decompilation Using Obfuscation

• Dotfuscator: .NET Obfuscator

• Protecting Assemblies Using Publisher Certificate

• Securing Assemblies Using Application Domain Permissions

• Vulnerability in Serializing Sensitive Objects

• Vulnerabilities in Multithreaded Assemblies

• Vulnerabilities in Static Class Methods/Constructors of Assemblies

• Vulnerability in Dispose Methods


.NET Security Tools

• Code Access Security Policy Tool: Caspol.exe

o Caspol.exe Parameters

• Software Publisher Certificate Test Tool: Cert2spc.exe

• Certificate Manager Tool: Certmgr.exe

o Options in Certmgr.exe

• Certificate Creation Tool: Makecert.exe

o Options in Makecert.exe

• PEVerify Tool: Peverify.exe

o Options in Peverify.exe

• .NET Security Annotator Tool: SecAnnotate.exe

• Sign Tool: SignTool.exe

• Strong Name Tool: Sn.exe

• Isolated Storage Tool: Storeadm.exe


Input Validation

• Why Input Validation?

• Input Validation

• Input Validation Specification

• Input Validation Approaches

o Client-side Input Validation

o Server-side Input Validation

o Client-Server Input Validation Reliability

• Input Filtering

o Input Filtering Technique: Black Listing

o Input Filtering Technique: White Listing

• Perform Input Validation and Filtering using a Regular Expression

• String Manipulation and Comparison

• Data Type Conversion

• ASP.NET Validation Controls

o Set of ASP.NET Validation Controls

o RequiredField Validation Control

o Range Validation Control

o Comparison Validation Control

o RegularExpression Validation Control

o Custom Validation Control

o Validation Summary Control


Input Validation Attacks

• Cross Site Scripting (XSS) Attack

• SQL Injection Attacks

• HTML Tags Used in XSS Attack


Defensive Techniques against XSS Attacks

• XSS Attack Defensive Techniques

• Need for Securing Validation Controls

• Securing RequiredField Validation Control

• Securing Range Validation Control

• Specifying the Correct Data Type in Range Validator

• Securing Comparison Validation Control

• Securing RegularExpression Validation Control

• Securing Custom Validation Control

• Integrating Security for Multiple Validation Controls


Defensive Techniques against SQL Injection Attacks

• SQL Injection Attack Defensive Techniques

• Using Parameterized Queries

• Using Parameterized Stored Procedures

• Using Escape Routines to Handle Special Input Characters

• Database Specific Escaping: Oracle Escaping

• Using a Least-Privileged Database Account

• Constraining Input


Output Encoding

• ASP.NET Controls with Encoding Support

• Encoding Unsafe Output using HtmlEncode

• Encoding Unsafe Output using UrlEncode

• Anti-XSS Library

• Encoding Output using Anti-XSS Library

• Sandboxing

• Sandboxing Software: Sandboxie

• Sandboxing Software: BufferZone Pro

• Sandboxing API in .NET Framework

• Creating Sandbox for Partial Trust Code


Best Practices

• Microsoft Code Analysis Tool .NET (CAT.NET)


Introduction to Authentication and Authorization

• Common Threats with User Authentication and Authorization

• Authentication and Authorization in .NET Web Application Security

• Security Relationship between IIS and ASP.NET


Authentication

• ASP.NET Authentication

• ASP.NET Authentication Modes

• Security Settings Matrix between IIS and ASP.NET

• Forms Authentication

• Passport Authentication

o Implementing Passport Authentication

• Custom Authentication

o Implementing Custom Authentication Scheme

• Windows Authentication

• Selecting an Appropriate Authentication Method

• Determining an Authentication Method

• Enterprise Services Authentication

• SQL Server Authentication


Authorization

• Identities, Principals, and Roles

• ASP.NET Authorization

• URL Authorization

• File Authorization

• What is Impersonation?

o Impersonation Options

• Delegation

• Code-based Authorization

o Declarative Authorization

o Imperative Authorization

o Explicit Authorization

• Authorization using ASP.NET Roles

• Enterprise Services Authorization

• SQL Server Authorization


Authentication and Authorization Vulnerabilities

• Securing Forms Authentication Tickets

• Securing Hash Generation using SHA1

• Securing Encryption using AES

• Securing Forms Authentication Cookies using SSL

• Securing Forms Authentication Credentials

• Preventing Session Hijacking using Cookieless Authentication

• Securing Authentication Token Using Sliding Expiration

• Preventing Forms Authentication Cookies from Persisting Using the DisplayRememberMe Property

• Preventing Forms Authentication Cookies from Persisting Using the RedirectFromLoginPage Method

• Preventing Forms Authentication Cookies from Persisting Using the SetAuthCookie Method

• Preventing Forms Authentication Cookies from Persisting Using the GetRedirectUrl Method

• Preventing Forms Authentication Cookies from Persisting Using the FormsAuthenticationTicket Constructor

• Securing Passwords with minRequiredPasswordLength

• Securing Passwords with minRequiredNonalphanumericCharacters

• Securing Passwords with passwordStrengthRegularExpression

• Restricting Number of Failed Logon Attempts

• Securing Application by Using Absolute URLs for Navigation

• Securing Applications from Authorization Bypass Attacks

• Creating Separate Folder for Secure Pages in Application

• Validating Passwords on CreateUserWizard Control using Regular Expressions


Authentication and Authorization Best Practices

• Application Categories Considerations: Authentication-Forms

• Application Categories Considerations: Authorization

• Guidelines for Secure Authentication and Authorization Coding

• Secure Development Checklists: Authentication

• Secure Development Checklists: Authorization

• Secure Development Checklists: User-Server Authentication


Secure Communication

• Storing Secrets

• Options for Storing Secrets in ASP.NET


Session Management

• Basic Security Principles for Session Management Tokens

• Common Threats to Session Management


Session Management Techniques in ASP.NET

• ASP.NET Session Management Techniques

• Client-Side State Management

o Client-Side State Management Using Cookies

o Client-Side State Management Using Hidden Fields

o Client-Side State Management Using View State

o Client-Side State Management Using Control State

o Client-Side State Management Using Query Strings

• Server-Side State Management

o Server-Side State Management Using Application Object

o Server-Side State Management Using Session Object

o Server-Side State Management Using Profile Properties


Session Attacks and Their Defensive Techniques

• Session Hijacking

o Securing ASP.NET Application from Session Hijacking

o Implementing SSL to Encrypt Cookies

o Setting a Limited Time Period for Expiration

o Avoid using Cookieless Sessions

o Avoid using UseUri Cookieless Sessions

o Avoid Specifying Cookie Modes to AutoDetect

o Avoid Specifying Cookie Modes to UseDeviceProfile

o Enabling regenerateExpiredSessionID for Cookieless Sessions

o Resetting the Session when User Logs Out

• Token Prediction Attack

o Generating Lengthy Session Keys to Prevent Guessing

• Session Replay Attack

o Defensive Techniques for Session Replay Attack

• Session Fixation

• Session Fixation Attack

o Securing ASP.NET Application from Session Fixation Attack

• Cross-Site Script Attack

o Preventing Cross-Site Scripting Attack using URL Rewriting

o Preventing Session Cookies from Client-Side Scripts Attacks

• Cross-Site Request Forgery Attack

o Implementing the Session Token to Mitigate CSRF Attacks

o Defensive Techniques for Cross Site Request Forgery Attack


Securing Cookie Based Session Management

• Cookie-Based Session Management

• Persistent Cookies Information Leakage

• Avoid Setting the Expire Attribute to Ensure Cookie Security

• Ensuring Cookie Security using the Secure Attribute

• Ensuring Cookie Security using the HttpOnly Attribute

• Ensuring Cookie Security using the Domain Attribute

• Ensuring Cookie Security using Path Attribute


ViewState Security

• Common Threats on ViewState

o ViewState Data Tampering Attack

o ViewState oneClick Attacks

• Securing ViewState

o Securing ViewState with Hashing

o Securing ViewState with Encryption

o Securing ViewState by Assigning User-Specific Key


Guidelines for Secure Session Management


Introduction to Cryptography

• Cryptographic Attacks

• What Should You Do to Keep the .NET Application Away from Cryptographic Attacks?

• Cryptography

• Functions of Cryptography

• Common Threats on Functions of Cryptography and Their Mitigation Techniques

• Types of Cryptographic Attacks in .NET

• .NET Cryptography Namespaces

• .NET Cryptographic Class Hierarchy


Symmetric Encryption

• SymmetricAlgorithm Class

• Members of the SymmetricAlgorithm Class

• Programming Symmetric Data Encryption and Decryption in .NET

• Securing Information with Strong Symmetric Encryption Algorithm

• Cipher Function

o Cipher Modes

o Vulnerability in Using ECB Cipher Mode

• Padding

o Problem with Zeros Padding

• Symmetric Encryption Keys

o Securing Symmetric Encryption Keys from Brute Force Attacks

o Resisting Cryptanalysis Attack Using Large Block Size

o Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvider

• Storing Secret Keys and Storing Options

o Protecting Secret Keys with Access Control Lists (ACLs)

o Protecting Secret Keys with DPAPI

• Self Protection for Cryptographic Application

• Encrypting Data in the Stream using CryptoStream Class


Asymmetric Encryption

• AsymmetricAlgorithm Class

• Members of the AsymmetricAlgorithm Class

• Programming Asymmetric Data Encryption and Decryption in .NET

• Asymmetric Encryption Algorithm Key Security

• Securing Asymmetric Encryption using Large Key Size

• Storing Private Keys Securely

• Problem with Exchanging Public Keys

• Exchanging Public Keys Securely

• Asymmetric Data Padding

• Protecting Communications with SSL


Hashing

• Hashing Algorithms Class Hierarchy in .NET

• Hashing in .NET

• Members of the HashAlgorithm Class

• Programming Hashing for Memory Data

• Programming Hashing for Streamed Data

• Imposing Limits on Message Size for Hash Code Security

• Setting Proper Hash Code Length for Hash Code Security

• Message Sizes and Hash Code Lengths Supported by the .NET Framework Hashing Algorithms

• Securing Hashing Using Keyed Hashing Algorithms


Digital Signatures

• Attacker's Target Area on Digital Signatures

• Security Features of Digital Signatures

• .NET Framework Digital Signature Algorithms


Digital Certificates

• .NET Support for Digital Certificates

• Programming Digital Signatures using Digital Certificates


XML Signatures

• Need for Securing XML Files

• Securing XML Files using Digital Signatures

• Programming a Digital Signature for a Sample XML File


Error Handling

• Parameters to be Considered while Designing Secure Error Messages

• What is an Error?

• What are Exceptions/Runtime Errors?

• Need for Error/Exception Handling

• Secure Exception Handling


Exception Handling in ASP.NET

• Handling Exceptions in an Application

• Class-Level Exception Handling

• Class-Level Exception Handling Vulnerabilities

o Generic Exception Throwing Vulnerability

o Generic Exception Catching Vulnerability

o Vulnerability in Printing StackTrace

o Vulnerability in Exception.ToString() Method

o Vulnerability in Swallowing Exceptions

o Cleanup Code Vulnerability

o Vulnerability in Re-Throwing Exception

o Rules of Thumb for Good Exception Management

• Page-Level Exception Handling

• Application-Level Exception Handling

o Handling Exception with Application_Error Event Handler

o Handling Exception with ASP.NET Error Page Redirection Mechanism

o Managing Unhandled Errors

o Exposing Detailed Error Messages

o Sensitive Information Leakage Vulnerability in Custom Error Message

o Unobserved Exception Vulnerability


Exception Handling Best Practices

• Best Practices for Coding Exceptions Safely

• Do’s and Don’ts in Exception Handling

• Guidelines for Proper Exception Handling

• Error Handling Security Checklists


Auditing and Logging

• What is Logging and Auditing?

• Need for Secure Logging and Auditing

• Common Threats to Logging and Auditing

• What Should be Logged?

• What Should NOT be Logged?

• Where to Perform Event Logging?

• Performing Log Throttling in ASP.NET Health Monitoring System

• Windows Event Log

o Preventing Windows Event Log from Denial of Service Attack

o Securing Windows Event Log

o Preventing Rogue Administrators from Tampering with Windows Event Logs

• Centralizing Logging and Configuring its Security

• Tracing in .NET

o Writing Trace Output to Windows Event Log Using EventLogTraceListener


Auditing and Logging Best Practices

• Tracing Security Concerns and Recommendations

• Secure Auditing and Logging Best Practices: Protecting Log Records

• Secure Auditing and Logging Best Practices: Fixing the Logs

• Auditing and Logging Security Checklists

• .NET Logging Tools

• Apache Foundation’s log4net

• SmartInspect

• NLog

• Logview4net


File Handling

• System.IO Namespace Classes


Attacks on Files and Their Defensive Techniques

• Path Traversal Attack

o Protecting against Path Traversal Attacks

o Possible Methods to Prevent Path Traversal

• Canonicalization

o Canonicalization Attack

o Protecting the Applications against Canonicalization Attacks


Securing Files

• Securing the Static Files

• Adding Role Checks to File Access

• Securing File I/O from Untrusted File Input

• Securing File I/O with Absolute Path

• Constrain File I/O by Configuring Code Access Security Policy

• Securing User-Specified Files with FileIOPermission

• Virtual Path Mapping Using MapPath

• Preventing Cross-Application Mapping Using MapPath

• Validating File Names using GetFullPath

• Securing User Uploaded Files


File Extension Handling

• Active Server Pages (ASP) Directory Listing

• Creating Directory Listing


Isolated Storage

• Isolated Storage - Get Store/Open Store

• Isolated Storage Root Location Storage Files

• Isolated Storage Example


File Access Control Lists (ACLs)

• File ACLs

• Required .NET Access Control Lists (ACLs)


Checklist for Securely Accessing Files


Configuration Management

• ASP.NET Configuration Files

• ASP.NET Configuration File Model

• ASP.NET Configuration File Locations

• Configuration Management Threats


Machine Configuration File

• Machine Configuration File: Machine.config

• Machine.config Vulnerability


Application Configuration Files

• Application Configuration File: Web.config

o Web.config Vulnerabilities: Default Error Message

o Web.config Vulnerabilities: Leaving Tracing Enabled in Web-Based Applications

o Web.config Vulnerabilities: Leaving Debugging Enabled

o Web.config Vulnerabilities: Cookies Accessible through Client-Side Script

o Web.config Vulnerabilities: Enabled Cookieless Session State

o Web.config Vulnerabilities: Enabled Cookieless Authentication

o Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies

o Web.config Vulnerabilities: Using Sliding Expiration

o Web.config Vulnerabilities: Using Non-Unique Authentication Cookie

o Web.config Vulnerabilities: Using Hardcoded Credential

o Web.config Vulnerabilities: Securing List-based Controls using EnableEventValidation

o Web.config Vulnerabilities: Securing Passwords using PasswordFormat

o Web.config Vulnerabilities: Changing Default Values of Membership Settings

o Web.config Vulnerabilities: Securing Against XSS Attack Vulnerabilities

o Web.config Vulnerabilities: Securing Against DoS Attack Vulnerabilities

o Web.config Vulnerabilities: Preventing ViewState from Tampering

o Web.config Vulnerabilities: Securing ViewState with SDL-approved Cryptographic Algorithms

o Web.config Vulnerabilities: Securing ViewState with Strong Validation Key

o Web.config Vulnerabilities: Securing ViewState using Encryption

o Web.config Vulnerabilities: Selecting Right Algorithm for ViewState Encryption

o Web.config Vulnerabilities: Deploying Application with Strong decryption Key

o Web.config Vulnerabilities: Ignoring Validation Errors


• Application Configuration Files: App.exe.config

o App.exe.config Vulnerabilities


Code Access Security Configuration Files

• Enterprise Policy Configuration File: enterprisesec.config

• Machine and User Policy Configuration File: security.config

• ASP.NET Policy Configuration Files

• .NET Framework Configuration Tool: Mscorcfg.msc

o Mscorcfg.msc Features

• Code Access Security Policy Tool: Caspol.exe


Configuration Management Best Practices


Secure Code Review

• Why Secure Code Review?

• Security Code Review Approach

o Step 1: Identify Security Code Review Objectives

o Step 2: Perform Preliminary Scan

o Step 3: Review Code for Security Issues

o Step 4: Review for Security Issues Unique to the Architecture


Static Code Analysis Tools

• Parasoft dotTEST

• Microsoft FxCop

• StyleCop

• NDepend

• ReSharper

