Web application security masterclass in C# (WASECM-C#) – Outline

Detailed Course Outline

Day 1

  • Cyber security basics
    • What is security?
    • Threat and risk
    • Cyber security threat types – the CIA triad
    • Consequences of insecure software
    • Constraints and the market
  • The OWASP Top Ten 2021
    • The OWASP Top 10 2021
    • A01 - Broken Access Control
      • Access control basics
      • Missing or improper authorization
      • Failure to restrict URL access
      • Confused deputy
      • File upload
      • Open redirects and forwards
      • Cross-site Request Forgery (CSRF)
    • A02 - Cryptographic Failures
      • Information exposure
      • Cryptography for developers

Day 2

  • A02 - Cryptographic Failures (continued)
    • Cryptography for developers
    • Certificates
  • A03 - Injection
    • Injection principles
    • Injection attacks
    • SQL injection
    • Code injection
    • HTML injection - Cross-site scripting (XSS)

Day 3

  • A03 - Injection (continued)
    • Input validation
  • A04 - Insecure Design
    • The STRIDE model of threats
    • Secure design principles of Saltzer and Schroeder
    • Client-side security

Day 4

  • A05 - Security Misconfiguration
    • Configuration principles
    • Server misconfiguration
    • ASP.NET and IIS configuration best practices
    • Cookie security
    • XML entities
  • A06 - Vulnerable and Outdated Components
    • Using vulnerable components
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Vulnerability management
  • A07 - Identification and Authentication Failures
    • Authentication
    • Session management
    • Password management
  • A08 - Software and Data Integrity Failures
    • Integrity protection

Day 5

  • A08 - Software and Data Integrity Failures (continued)
    • Subresource integrity
    • Insecure deserialization
  • A09 - Security Logging and Monitoring Failures
    • Logging and monitoring principles
    • Insufficient logging
    • Case study – Plaintext passwords at Facebook
    • Logging best practices
    • C# logging best practices
    • Monitoring best practices
    • Firewalls and Web Application Firewalls (WAF)
    • Intrusion detection and prevention
    • Case study – The Marriott Starwood data breach
  • A10 - Server-side Request Forgery (SSRF)
    • Server-side Request Forgery (SSRF)
    • Case study – SSRF and the Capital One breach
  • Web application security beyond the Top Ten
    • Code quality
    • Denial of service
  • Security testing
    • Security testing techniques and tools
      • Code analysis
      • Dynamic analysis
  • Wrap up
    • Secure coding principles
    • And now what?