השרותים שלנו

בדיקות אבטחה

הדרכת קוד מאובטח

ייעוץ

הספרים שלנו

Managed Code Rootkits

נכתב ע"י ארז מטולה

הזמן עכשו מאמזון !

(.NET) קורס פיתוח מאובטח בסביבת דוטנט

Course description

Secure Programming is the last line of defense against attacks targeted toward our systems. This course shows you how to identify security flaws & implement security countermeasures in different areas of the software development lifecycle and apply these skills to improve the overall quality of the products and applications. Using sound programming techniques and best practices shown in this course, you can produce high-quality code that stands up to attack. The course covers major security principles in the .NET framework, programming vulnerabilities and specific security issues in ASP.NET web applications & Winform applications.

Course objectives

The objectives of the course are to acquaint students with security concepts and terminology, and to provide them with a solid foundation for developing software using the best practices in the .NET framework. By course completion, students should be proficient in secure programming and have learnt the basics of security analysis and design. Students should then be able to develop, design and maintain applications using security methods and techniques using the .NET framework advanced security features.

Trainer

Erez Metula ,CISSP | Founder
Application Security Expert, AppSec

Course duration

5 days

Target audience

Members of the software development team:

ASP.Net Web Developers
.Net Windows Developers
Designers & Architects

Prequisites

Before attending this course, students should be familiar with:

Basic Knowledge of the .NET Framework
ASP.NET / Winform programming background, using C# or VB.NET
Internet Information Server (IIS)
Background in Databases (SQL Server) & SQL language

Course topics

Topic	Content
Module 1 - Introduction to .NET security	Main topics covered in this module include: Information security overview Introduction to application security in ASP.NET Introduction to Runtime Environment Network VS. Application level attacks Security mechanisms .NET Framework security features Input Validation Vulnerabilities
Module 2 - Application level attacks – learning the attacker's techniques	Main topics covered in this module include: HTTP fundamentals OWASP top 10 (2010) web application risks Injections Cross Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Security Misconfiguration Failure to restrict URL access Unvalidated redirects and forwards Insecure Cryptographic Storage Insufficient transport layer protection Buffer overflows Injection flaws (sql inection, command injection, ldap injection) Denial of service Insecure configuration management
Module 3 - .NET Authentication	Main topics covered in this module include: What is authentication, and why it's different than authorization Authentication scenarios Implementing Forms authentication Implementing Windows authentication Relationship between IIS and ASP.NET. Impersonation & delegation Single sign on scenarios Membership provider
Module 4 - .NET Authorization	Main topics covered in this module include: What is authorization Authorization models URL authorization File authorization Role based access control (RBAC) Code level Authorization Role manager Introduction to AzMan
Module 5 - Cryptography	Main topics covered in this module include: Introduction to cryptography Symmetric encryption (DES, 3DES, AES) Asymmetric encryption (RSA) One way Hashing (MD5, Sha-1) Digital Signatures PKI & Certificates Secure authentication Secure number generation .NET Cryptographic API’s
Module 6 - Auditing and Logging	Main topics covered in this module include: .NET Logging technologies ASP.NET trace and System.Diagnostics.Trace Windows event log Performance Monitor Windows Management Instrumentation (WMI) What should we audit Event message structure Logging best practices
Module 7 - Platform Security Best Practices	Main topics covered in this module include: Server Security Best Practices IIS SQL Server COM+ Using ACLs and DACLs Using Windows Least-Privilege Accounts Using Audit Trails Platform Cryptography and the Certificate Store What is DPAPI?
Module 8 - Code Access Security	Main topics covered in this module include: What is Code Access Security (CAS) and why do we need it? The Full Trust problem Using CAS Code groups Permissions Policy Evidence Tools Assert / Deny model Partial trust
Module 9 - Web services & WCF Security	Main topics covered in this module include: Web services & SOA overview Security and Web services Transport level security VS. Message level security WS-Security and WSE 3.0 security features Web services authentication & authorization Message protection patterns Replay detection pattern Message validation pattern Perimeter service router pattern
Module 10 - Protecting from Application Denial of Service Attacks	Main topics covered in this module include: The problem of DOS Common DOS attack vectors DOS types Application / OS crash CPU starvation Memory starvation Resource starvation Network bandwidth attacks Preventing dos attacks
Module 11 - SDL (Secure Development Lifecycle)	Main topics covered in this module include: Traditional development processes & The cost of change Integrating Security into the Development Life cycle Security in the design stage Threat modeling The STRIDE model The DREAD model Implementing security while writing secure code Security testing
Module 12 - Application Security Testing	Main topics covered in this module include: The problem of security testing Technical VS. Logical security issues Security testing during the development lifecycle What & How to test Tools used to detect security bugs Case studies Sql injection testing XSS testing Web services testing

צור קשר

ארועים

15בספטמבר 2011

20 בספטמבר 2011

פרטים נוספים