ECSP .NET - EC-Council Certified Secure Programmer .NET



Course Description

This course will be invaluable to software developers and programmers alike who need to code and develop highly secure applications and web applications. This is done throughout the software life cycle, which involves designing, implementing, and deploying applications. .NET is widely used by almost all organizations as the leading framework to build web applications. The course teaches developers how to identify security flaws and implement security countermeasures throughout the software development life cycle to improve the overall quality of products and applications.

EC-Council Certified Secure Programmer lays the foundation required by all application developers and development organizations to produce applications with greater stability and fewer security risks to the consumer. The Certified Secure Application Developer standardizes the knowledge base for application development by incorporating the best practices followed by experienced experts in the various domains.

This course is purposefully built with tons of labs peppered throughout the three days of training, offering participants critical hands-on time to fully grasp the new techniques and strategies in secure programming.

Course Objectives

This course will:

Familiarize you with .Net Application Security, ASP.Net Security Architecture and help you understand the need for application security and common security threats to .Net framework

Discuss security attacks on the .Net framework and explain the secure software development life cycle

Help you to understand common threats to .Net assemblies and familiarize you with stack walking processes

Discuss the need for input validation, various input validation approaches, common input validation attacks, validation control vulnerabilities, and best practices for input validation

Familiarize you with authorization and authentication processes and common threats to authorization and authentication

Discuss various security principles for session management tokens, common threats to session management, ASP.Net session management techniques, and various session attacks

Cover the importance of cryptography in .Net, different types of cryptographic attacks in .Net, and various .Net cryptography namespaces

Explain symmetric and asymmetric encryption, hashing concepts, digital certificates, digital and XML signatures

Describe the principles of secure error handling, different levels of exception handling, and various .Net logging tools

Examine file handling concepts, file handling security concerns, path traversal attacks on file handling, and defensive techniques against path traversal attack


What Will You Learn?

Students in this course will acquire knowledge in the following areas:

.Net framework security features and various secure coding principles

.Net framework run time security model, role-based security, code access security (CAS), and class libraries security

Various validation controls, mitigation techniques for validation control vulnerabilities, defensive techniques for SQL injection attacks, and output encoding to prevent input validation attacks

Defensive techniques against session attacks, cookie security, and View State security

Mitigating vulnerabilities in class-level exception handling, managing unhandled errors, and implementing Windows log security against various attacks

Defensive techniques against path traversal attacks and defensive techniques against canonicalization attack and file ACLs

Mitigating vulnerabilities in machine config files, mitigating the vulnerabilities in app config files, and security code review approaches

The importance of secure programmers and certified secure programmers, the career path of secure programmers, and the essential skill set of secure programmers

Module 01: Introduction to .NET Application Security
  •  Microsoft .NET Application Security
    • .NET Application Security
    • Need for .NET Application Security
    • .NET Application Attack Statistics
    • Understanding Application Security
    • End-to-End Security
    • What is Secure Coding?
    • Why are Security Mistakes Made?
    • Key Elements of .NET Framework Architecture Security
    • .NET Security Features
    • .NET Framework Security Namespaces
    • ASP.NET Security Architecture
  •  Common Security Threats on .NET
    • Web Application Security Frame
    • Common Security Threats on .NET
    • OWASP Top 10 Attacks on .NET
      • Security Misconfiguration
      • Cross-Site Scripting (XSS) Attacks
      • SQL Injection Attacks
      • Cross-Site Request Forgery (CSRF) Attack
      • Failure to Restrict URL Access
      • Insufficient Transport Layer Protection
      • Unvalidated Redirects and Forwards
      • Insecure Direct Object References
      • Broken Authentication and Session Management
      • Insecure Cryptographic Storage
  •  Secure Development Lifecycle (SDL)
    • Phases of SDL
    • SDL Process
    • Integrating Security into the Development Lifecycle
    • Security in the Design Stage: Threat Modeling
    • Threat Modeling Process
      • The STRIDE model
      • The DREAD model
    • Guidelines for Applying Security in Implementation Phase of SDL
    • Security Testing
  •  Secure Coding Principles
  •  Guidelines for Developing Secure Codes
Module 02: .NET Framework Security
  •  Introduction to .NET Framework
    • .NET Framework Architecture
    • Basic Components of .NET Framework
  •  .Net Runtime Security
    • .NET Framework Runtime Security Model
    • Role-Based Security
      • Role-Based Security: Windows Principal
      • Role-Based Security: Generic Principal
    • Code Access Security (CAS)
      • Using Code Access Security in ASP.NET
      • Evidence-Based Security
      • Permissions
      • Code Access Permissions
      • Identity Permissions
      • Role-Based Security Permissions
      • Permissions Classes in .NET
      • Type Safety
      • SkipVerification
      • Stack Walk
      • Declarative and Imperative Security Syntax
    • Isolated Storage
      • Data Storing Process in Isolated Storage
      • Managing Data Isolation using Store’s Identity
      • Levels of Isolation
      • Limitations of Isolated Storage
      • Administering Isolated Storage
      • Granting Isolated Storage Permissions with Mscorcfg.msc
      • Granting Isolated Storage Permissions with Caspol.exe
      • Managing Existing Stores
  •  .NET Class Libraries Security
    • Class Libraries Security
    • Writing Secure Class Libraries
      • Security Demands
      • Link Demands
        • Security Holes in Link Demands
      • Inheritance Demands
      • Overriding Security Checks
      • Security Optimizations
  •  .NET Assembly Security
    • .NET Assembly
    • Common Threats to .NET Assemblies
    • Privileged Code
    • Secure Assembly Design Considerations
    • Secure Class Design Considerations
    • Securing Assemblies Using Strong Name Signing
    • Securing Assemblies with Code Access Attributes
    • Securing Assemblies Against Decompilation Using Obfuscation
    • Dotfuscator: .NET Obfuscator
    • Protecting Assemblies Using Publisher Certificate
    • Securing Assemblies Using Application Domain Permissions
    • Vulnerability in Serializing Sensitive Objects
    • Vulnerabilities in Multithreaded Assemblies
    • Vulnerabilities in Static Class Methods/ Constructors of Assemblies
    • Vulnerability in Dispose Methods
  •  .NET Security Tools
    • Code Access Security Policy Tool: Caspol.exe
      • Caspol.exe Parameters
    • Software Publisher Certificate Test Tool: Cert2spc.exe
    • Certificate Manager Tool: Certmgr.exe
      • Options in Certmgr.exe
    • Certificate Creation Tool: Makecert.exe
      • Options in Makecert.exe
    • PEVerify Tool: Peverify.exe
      • Options in Peverify.exe
    • .NET Security Annotator Tool: SecAnnotate.exe
    • Sign Tool: SignTool.exe
    • Strong Name Tool: Sn.exe
    • Isolated Storage Tool: Storeadm.exe
  •  Best Practices for .NET Framework Security
Module 03: Input Validation and Output Encoding
  •  Input Validation
    • Why Input Validation?
    • Input Validation
    • Input Validation Specification
    • Input Validation Approaches
      • Client-side Input Validation
      • Server-side Input Validation
      • Client-Server Input Validation Reliability
    • Input Filtering
      • Input Filtering Technique: Black Listing
      • Input Filtering Technique: White Listing
    • Perform Input Validation and Filtering using a Regular Expression
    • String Manipulation and Comparison
    • Data Type Conversion
    • ASP.NET Validation Controls
      • Set of ASP.NET Validation Controls
      • RequiredField Validation Control
      • Range Validation Control
      • Comparison Validation Control
      • RegularExpression Validation Control
      • Custom Validation Control
      • Validation Summary Control
  •  Input Validation Attacks
    • Cross Site Scripting (XSS) Attack
    • SQL Injection Attacks
    • HTML Tags Used in XSS Attack
  •  Defensive Techniques against XSS Attacks
    • XSS Attack Defensive Techniques
    • Need for Securing Validation Controls
    • Securing RequiredField Validation Control
    • Securing Range Validation Control
    • Specifying the Correct Data Type in Range Validator
    • Securing Comparison Validation Control
    • Securing RegularExpression Validation Control
    • Securing Custom Validation Control
    • Integrating Security for Multiple Validation Controls
  •  Defensive Techniques against SQL Injection Attacks
    • SQL Injection Attack Defensive Techniques
    • Using Parameterized Queries
    • Using Parameterized Stored Procedures
    • Using Escape Routines to Handle Special Input Characters
    • Database Specific Escaping: Oracle Escaping
    • Using a Least-Privileged Database Account
    • Constraining Input
  •  Output Encoding
    • ASP.NET Controls with Encoding Support
    • Encoding Unsafe Output using HtmlEncode
    • Encoding Unsafe Output using UrlEncode
    • Anti-XSS Library
    • Encoding Output using Anti-XSS Library
  •  Sandboxing
    • Sandboxing Software: Sandboxie
    • Sandboxing Software: BufferZone Pro
    • Sandboxing API in .NET Framework
    • Creating Sandbox for Partial Trust Code
  •  Best Practices
    • Microsoft Code Analysis Tool .NET (CAT.NET)
Module 04: .NET Authorization and Authentication
  •  Introduction to Authentication and Authorization
    • Common Threats with User Authentication and Authorization
    • Authentication and Authorization in .NET Web Application Security
    • Security Relationship between IIS and ASP.NET
  •  Authentication
    • ASP.NET Authentication
    • ASP.NET Authentication Modes
    • Security Settings Matrix between IIS and ASP.NET
    • Forms Authentication
    • Passport Authentication
      • Implementing Passport Authentication
    • Custom Authentication
      • Implementing Custom Authentication Scheme
    • Windows Authentication
    • Selecting an Appropriate Authentication Method
    • Determining an Authentication Method
    • Enterprise Services Authentication
    • SQL Server Authentication
  •  Authorization
    • Identities, Principals, and Roles
    • ASP.NET Authorization
    • URL Authorization
    • File Authorization
    • What is Impersonation?
      • Impersonation Options
    • Delegation
    • Code-based Authorization
      • Declarative Authorization
      • Imperative Authorization
      • Explicit Authorization
    • Authorization using ASP.NET Roles
    • Enterprise Services Authorization
    • SQL Server Authorization
  •  Authentication and Authorization Vulnerabilities
    • Securing Forms Authentication Tickets
    • Securing Hash Generation using SHA1
    • Securing Encryption using AES
    • Securing Forms Authentication Cookies using SSL
    • Securing Forms Authentication Credentials
    • Preventing Session Hijacking using Cookieless Authentication
    • Securing Authentication Token Using Sliding Expiration
    • Avoiding Forms Authentication Cookies from Persisting Using DisplayRememberMe Property
    • Avoiding Forms Authentication Cookies from Persisting Using RedirectFromLoginPage Method
    • Avoiding Form Authentication Cookies from Persisting Using SetAuthCookie Method
    • Avoiding Form Authentication Cookies from Persisting Using GetRedirectUrl Method
    • Avoiding Form Authentication Cookies from Persisting Using FormsAuthenticationTicket Constructor
    • Securing Passwords with minRequiredPasswordLength
    • Securing Passwords with minRequiredNonalphanumericCharacters
    • Securing Passwords with passwordStrengthRegularExpression
    • Restricting Number of Failed Logon Attempts
    • Securing Application by Using Absolute URLs for Navigation
    • Securing Applications from Authorization Bypass Attacks
    • Creating Separate Folder for Secure Pages in Application
    • Validating Passwords on CreateUserWizard Control using Regular Expressions
  •  Authentication and Authorization Best Practices
    • Application Categories Considerations: Authentication-Forms
    • Application Categories Considerations: Authorization
    • Guidelines for Secure Authentication and Authorization Coding
    • Secure Development Checklists: Authentication
    • Secure Development Checklists: Authorization
    • Secure Development Checklists: User-Server Authentication
  •  Secure Communication
    • Storing Secrets
    • Options for Storing Secrets in ASP.NET
Module 05: Secure Session and State Management
  •  Session Management
    • Basic Security Principles for Session Management Tokens
    • Common Threats to Session Management
  •  Session Management Techniques in ASP.NET
    • ASP.NET Session Management Techniques
    • Client-Side State Management
      • Client-Side State Management Using Cookies
      • Client-Side State Management Using Hidden Fields
      • Client-Side State Management Using View State
      • Client-Side State Management Using Control State
      • Client-Side State Management Using Query Strings
    • Server-Side State Management
      • Server-Side State Management Using Application Object
      • Server-Side State Management Using Session Object
      • Server-Side State Management Using Profile Properties
  •  Session Attacks and Its Defensive Techniques
    • Session Hijacking
      • Securing ASP.NET Application from Session Hijacking
      • Implementing SSL to Encrypt Cookies
      • Setting a Limited Time Period for Expiration
      • Avoid using Cookieless Sessions
      • Avoid using UseUri Cookieless Sessions
      • Avoid Specifying Cookie Modes to AutoDetect
      • Avoid Specifying Cookie Modes to UseDeviceProfile
      • Enabling regenerateExpiredSessionID for Cookieless Sessions
      • Resetting the Session when User Logs Out
    • Token Prediction Attack
      • Generating Lengthy Session Keys to Prevent Guessing
    • Session Replay Attack
      • Defensive Techniques for Session Replay Attack
    • Session Fixation
    • Session Fixation Attack
      • Securing ASP.NET Application from Session Fixation Attack
    • Cross-Site Script Attack
      • Preventing Cross-Site Scripting Attack using URL Rewriting
      • Preventing Session Cookies from Client-Side Scripts Attacks
    • Cross-Site Request Forgery Attack
      • Implementing the Session Token to Mitigate CSRF Attacks
      • Defensive Techniques for Cross Site Request Forgery Attack
  •  Securing Cookie Based Session Management
    • Cookie-Based Session Management
    • Persistent Cookies Information Leakage
    • Avoid Setting the Expire Attribute to Ensure Cookie Security
    • Ensuring Cookie Security using the Secure Attribute
    • Ensuring Cookie Security using the HttpOnly Attribute
    • Ensuring Cookie Security using the Domain Attribute
    • Ensuring Cookie Security using Path Attribute
  •  ViewState Security
    • Common Threats on ViewState
      • ViewState Data Tampering Attack
      • ViewState oneClick Attacks
    • Securing ViewState
      • Securing ViewState with Hashing
      • Securing ViewState with Encryption
      • Securing ViewState by Assigning User-Specific Key
  •  Guidelines for Secure Session Management
Module 06: .NET Cryptography
  •  Introduction to Cryptography
    • Cryptographic Attacks
    • What Should You Do to Keep the .NET Application Away from Cryptographic Attacks?
    • Cryptography
    • Functions of Cryptography
    • Common Threats on Functions of Cryptography and Their Mitigation Techniques
    • Types of Cryptographic Attacks in .NET
    • .NET Cryptography Namespaces
    • .NET Cryptographic Class Hierarchy
  •  Symmetric Encryption
    • SymmetricAlgorithm Class
    • Members of the SymmetricAlgorithm Class
    • Programming Symmetric Data Encryption and Decryption in .NET
    • Securing Information with Strong Symmetric Encryption Algorithm
    • Cipher Function
      • Cipher Modes
      • Vulnerability in Using ECB Cipher Mode
    • Padding
      • Problem with Zeros Padding
    • Symmetric Encryption Keys
      • Securing Symmetric Encryption Keys from Brute Force Attacks
      • Resisting Cryptanalysis Attack Using Large Block Size
      • Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvider
    • Storing Secret Keys and Storing Options
      • Protecting Secret Keys with Access Control Lists (ACLs)
      • Protecting Secret Keys with DPAPI
    • Self Protection for Cryptographic Application
    • Encrypting Data in the Stream using CryptoStream Class
  •  Asymmetric Encryption
    • AsymmetricAlgorithm Class
    • Members of the AsymmetricAlgorithm Class
    • Programming Asymmetric Data Encryption and Decryption in .NET
    • Asymmetric Encryption Algorithm Key Security
    • Securing Asymmetric Encryption using Large Key Size
    • Storing Private Keys Securely
    • Problem with Exchanging Public Keys
    • Exchanging Public Keys Securely
    • Asymmetric Data Padding
    • Protecting Communications with SSL
  •  Hashing
    • Hashing Algorithms Class Hierarchy in .NET
    • Hashing in .NET
    • Members of the HashAlgorithm Class
    • Programming Hashing for Memory Data
    • Programming Hashing for Streamed Data
    • Imposing Limits on Message Size for Hash Code Security
    • Setting Proper Hash Code Length for Hash Code Security
    • Message Sizes and Hash Code Lengths Supported by the .NET Framework Hashing Algorithms
    • Securing Hashing Using Keyed Hashing Algorithms
  •  Digital Signatures
    • Attacker's Target Area on Digital Signatures
    • Security Features of Digital Signatures
    • .NET Framework Digital Signature Algorithms
  •  Digital Certificates
    • .NET Support for Digital Certificates
    • Programming Digital Signatures using Digital Certificates
  •  XML Signatures
    • Need for Securing XML Files
    • Securing XML Files using Digital Signatures
    • Programming a Digital Signature for a Sample XML File
Module 07: .NET Error Handling, Auditing, and Logging
  •  Error Handling
    • Parameters to be Considered while Designing Secure Error Messages!
    • What is an Error?
    • What are Exceptions/Runtime Errors?
    • Need of Error/Exception Handling
    • Secure Exception Handling
  •  Exception Handling in ASP.NET
    • Handling Exceptions in an Application
    • Class-Level Exception Handling
    • Class-Level Exception Handling Vulnerabilities
      • Generic Exception Throwing Vulnerability
      • Generic Exception Catching Vulnerability
      • Vulnerability in Printing StackTrace
      • Vulnerability in Exception.ToString() Method
      • Vulnerability in Swallowing Exceptions
      • Cleanup Code Vulnerability
      • Vulnerability in Re-Throwing Exception
      • Rules of Thumb for Good Exception Management
    • Page-Level Exception Handling
    • Application-Level Exception Handling
      • Handling Exception with Application_Error Event Handler
      • Handling Exception with ASP.NET Error Page Redirection Mechanism
      • Managing Unhandled Errors
      • Exposing Detailed Error Messages
      • Sensitive Information Leakage Vulnerability in Custom Error Message
      • Unobserved Exception Vulnerability
  •  Exception Handling Best Practices
    • Best Practices for Coding Exceptions Safely
    • Do’s and Don’ts in Exception Handling
    • Guidelines for Proper Exception Handling
    • Error Handling Security Checklists
  •  Auditing and Logging
    • What is Logging and Auditing?
    • Need of Secure Logging and Auditing
    • Common Threats to Logging and Auditing
    • What Should be Logged?
    • What Should NOT be Logged?
    • Where to Perform Event Logging?
    • Performing Log Throttling in ASP.NET Health Monitoring System
    • Windows Event Log
      • Preventing Windows Event Log from Denial of Service Attack
      • Securing Windows Event log
      • Preventing Rogue Administrators from Tampering with Windows Event Logs
    • Centralizing Logging and Configuring its Security
    • Tracing in .NET
      • Writing Trace Output to Windows Event Log Using EventLogTraceListener
  •  Auditing and Logging Best Practices
    • Tracing Security Concerns and Recommendations
    • Secure Auditing and Logging Best Practices: Protecting Log Records
    • Secure Auditing and Logging Best Practices: Fixing the Logs
    • Auditing and Logging Security Checklists
  •  .NET Logging Tools
    • Apache Foundation’s log4net
    • SmartInspect
    • NLog
    • Logview4net
    • .NET Logging Tools
Module 08: .NET Secure File Handling
  •  File Handling
    • System.IO Namespace Classes
  •  Attacks on File and Its Defensive Techniques
    • Path Traversal Attack
      • Protecting Against Path Traversal Attack
      • Possible Methods to Prevent Path Traversal
    • Canonicalization
      • Canonicalization Attack
      • Protecting the Applications against Canonicalization Attacks
  •  Securing Files
    • Securing the Static Files
    • Adding Role Checks to File Access
    • Securing File I/O from Untrusted File Input
    • Securing File I/O with Absolute Path
    • Constrain File I/O by Configuring Code Access Security Policy
    • Securing User-Specified Files with FileIOPermission
    • Virtual Path Mapping Using MapPath
    • Preventing Cross-Application Mapping Using MapPath
    • Validating File Names using GetFullPath
    • Securing User Uploaded Files
  •  File Extension Handling
    • Active Server Pages (ASP) Directory Listing
    • Creating Directory Listing
  •  Isolated Storage
    • Isolated Storage - Get Store/ Open Store
    • Isolated Storage Root Location Storage Files
    • Isolated Storage Example
  •  File Access Control Lists (ACLs)
    • File ACLs
    • Required .NET Access Control Lists (ACLs)
  •  Checklist for Securely Accessing Files
Module 09: .NET Configuration Management and Secure Code Review
  •  Configuration Management
    • ASP.NET Configuration Files
    • ASP.NET Configuration File Model
    • ASP.NET Configuration File Locations
    • Configuration Management Threats
  •  Machine Configuration File
    • Machine Configuration File: Machine.config
    • Machine.config Vulnerability
  •  Application Configuration Files
    • Application Configuration File: Web.config
      • Web.config Vulnerabilities: Default Error Message
      • Web.config Vulnerabilities: Leaving Tracing Enabled in Web-Based Applications
      • Web.config Vulnerabilities: Leaving Debugging Enabled
      • Web.config Vulnerabilities: Cookies Accessible through Client-Side Script
      • Web.config Vulnerabilities: Enabled Cookieless Session State
      • Web.config Vulnerabilities: Enabled Cookieless Authentication
      • Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies
      • Web.config Vulnerabilities: Using Sliding Expiration
      • Web.config Vulnerabilities: Using Non-Unique Authentication Cookie
      • Web.config Vulnerabilities: Using Hardcoded Credential
      • Web.config Vulnerabilities: Securing List-based Controls using EnableEventValidation
      • Web.config Vulnerabilities: Securing Passwords using Password Format
      • Web.config Vulnerabilities: Changing Default Values of Membership Settings
      • Web.config Vulnerabilities: Securing Against XSS Attack Vulnerabilities
      • Web.config Vulnerabilities: Securing Against DoS Attack Vulnerabilities
      • Web.config Vulnerabilities: Preventing View State from Tampering
      • Web.config Vulnerabilities: Securing View State with SDL-approved Cryptographic Algorithms
      • Web.config Vulnerabilities: Securing View State with Strong Validation Key
      • Web.config Vulnerabilities: Securing View State using Encryption
      • Web.config Vulnerabilities: Selecting Right Algorithm for View State Encryption
      • Web.config Vulnerabilities: Deploying Application with Strong Decryption Key
      • Web.config Vulnerabilities: Ignoring Validation Errors
    • Application Configuration Files: App.exe.config
      • App.exe.config Vulnerabilities
  •  Code Access Security Configuration Files
    • Enterprise Policy Configuration File: enterprisesec.config
    • Machine and User Policy Configuration File: security.config
    • ASP.NET Policy Configuration Files
    • .NET Framework Configuration Tool: Mscorcfg.msc
      • Mscorcfg.msc Features
    • Code Access Security Policy Tool: Caspol.exe
  •  Configuration Management Best Practices
  •  Secure Code Review
    • Why Secure Code Review?
    • Security Code Review Approach
      • Step 1: Identify Security Code Review Objectives
      • Step 2: Perform Preliminary Scan
      • Step 3: Review Code for Security Issues
      • Step 4: Review for Security Issues Unique to the Architecture
  •  Static Code Analysis Tools
    • Parasoft dotTEST
    • Microsoft FxCop
    • StyleCop
    • NDepend
    • ReSharper

Exam Info

  • Number of Questions: 50
  • Passing Score: 70%
  • Test Duration: 2 Hours
  • Test Format: Multiple Choice
  • Test Delivery: EC-Council Exam Center
  • Exam Prefix: 312-93

Certification

The ECSP .Net 312-93 exam will be conducted on the last day of training. Students need to pass the online exam to receive the ECSP certification.

For more details, class schedules, or enquiries, mail info@meclosys.com.