Securing .NET Web Application Development Lifecycle

Introduction: Misconceptions

• Security: The Complete Picture
• TJX: Anatomy of a Disaster?
• Causes of Data Breaches
• Heartland – Slipping Past PCI Compliance
• Target's Painful Christmas
• Meaning of Being Compliant
• Verizon's 2013 and 2014 Data Breach Reports

Session: Foundation

Lesson: Security Concepts

• Motivations: Costs and Standards
• Open Web Application Security Project
• Web Application Security Consortium
• CERT Secure Coding Standards
• Assets are the Targets
• Security Activities Cost Resources
• Threat Modeling
• System/Trust Boundaries

Lesson: Principles of Information Security

• Security Is a Lifecycle Issue
• Minimize Attack Surface Area
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted

Session: Vulnerabilities

Lesson: Unvalidated Input

• Buffer Overflows
• Integer Arithmetic Vulnerabilities
• Unvalidated Input: From the Web
• Defending Trust Boundaries
• Whitelisting vs Blacklisting

Lesson: Overview of Regular Expressions

• Regular Expressions
• Working With Regexes in .Net
• Applying Regular Expressions

Lesson: Broken Access Control

• Access Control Issues
• Excessive Privileges
• Insufficient Flow Control
• Unprotected URL/Resource Access
• Examples of Shabby Access Control
• Session and Session Management

Lesson: Broken Authentication

• Broken Quality/DoS
• Authentication Data
• Username/Password Protection
• Exploits Magnify Importance
• Handling Passwords on Server Side
• Single Sign-on (SSO)

Lesson: Cross Site Scripting (XSS)

• Persistent XSS
• Reflective XSS
• Best Practices for Untrusted Data

Lesson: Injection

• Injection Flaws
• SQL Injection Attacks Evolve
• Drill Down on Stored Procedures
• Other Forms of Injection
• Minimizing Injection Flaws

Lesson: Error Handling and Information Leakage

• Fingerprinting a Web Site
• Error-Handling Issues
• Logging In Support of Forensics
• Solving DLP Challenges

Lesson: Insecure Data Handling

• Protecting Data Can Mitigate Impact
• In-Memory Data Handling
• Secure Pipes
• Failures in the SSL Framework Are Appearing

Lesson: Insecure Configuration Management

• System Hardening: IA Mitigation
• Application Whitelisting
• Least Privileges
• Anti-Exploitation
• Secure Baseline

Lesson: Direct Object Access

• Dynamic Loading
• Race Conditions
• Direct Object References

Lesson: Spoofing, CSRF, and Redirects

• Name Resolution Vulnerabilities
• Fake Certs and Mobile Apps
• Targeted Spoofing Attacks
• Cross Site Request Forgeries (CSRF)
• CSRF Defenses are Entirely Server-Side
• Safe Redirects and Forwards

Session: Best Practices

Lesson: .NET Issues and Best Practices

• Manage Code and Buffer Overflows
• .Net Permissions
• ActiveX Controls
• Proper Exception Handling

Lesson: Understanding What's Important

• Common Vulnerabilities and Exposures
• OWASP Top Ten for 2013
• CWE/SANS Top 25 Most Dangerous SW Errors
• Monster Mitigations
• Strength Training: Project Teams/Developers
• Strength Training: IT Organizations

Session: Defending XML, Services, and Rich Interfaces

Lesson: Defending XML

• XML Signature
• XML Encryption
• XML Attacks: Structure
• XML Attacks: Injection
• Safe XML Processing

Lesson: Defending Web Services

• Web Service Security Exposures
• When Transport-Level Alone is NOT Enough
• Message-Level Security
• WS-Security Roadmap
• Web Service Attacks
• Web Service Appliance/Gateways

Lesson: Defending Rich Interfaces and REST

• How Attackers See Rich Interfaces
• Attack Surface Changes When Moving to Rich Interfaces
• Bridging and its Potential Problems
• Three Basic Tenets for Safe Rich Interfaces
• OWASP REST Security Recommendations

Session: Cryptography

Lesson: Cryptography Overview

• Strong Encryption
• Message digests
• Keys and key management
• Certificate management
• Encryption/Decryption

Lesson: .NET Cryptographic Services

• The role of cryptographic services
• Hash algorithms and hash codes
• Encrypting data symmetrically
• Encrypting data asymmetrically

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Process Overview

• Software Security Axioms
• Security Lifecycle – Phases

Lesson: Applying Processes and Practices

• Awareness
• Application Assessments
• Security Requirements
• Secure Development Practices
• Security Architecture/Design Review
• Security Code Review
• Configuration Management and Deployment
• Vulnerability Remediation Procedures

Lesson: Risk Analysis

• Threat Modeling Process
• 1. Identify Security Objectives
• 2. Describe the System
• 3. List Assets
• 4. Define System/Trust Boundaries
• 5. List and Rank Threats
• 6. List Defenses and Countermeasures

Session: Security Testing

Lesson: Testing Tools and Processes

• Security Testing Principles
• Black Box Analyzers
• Static Code Analyzers
• Criteria for Selecting Static Analyzers

Lesson: Testing Practices

• OWASP Web App Penetration Testing
• Authentication Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing
• Web Services Testing
• Ajax Testing