Certified C# and Web application security

• General C# development knowledge.
• Familiarity with web application concepts is beneficial but not mandatory.

Target Audience

• C# developers building or maintaining web applications.
• Software engineers seeking to enhance their knowledge of secure coding.
• IT professionals responsible for application security in .NET-based systems.

By the end of this course, participants will be able to:

• Identify and mitigate common web vulnerabilities affecting .NET applications, including OWASP Top Ten issues.
• Apply secure coding practices in C# to prevent injection attacks, XSS, and insecure deserialization.
• Utilise the security features of the .NET framework to enhance application security.
• Strengthen authentication, session management, and access control in ASP.NET applications.
• Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
• Apply secure coding principles and follow key guidelines from industry standards such as OWASP and SEI CERT.

Day 1: Introduction to IT security and secure coding

• Fundamentals of IT security and risk management.
• Understanding security flaws and their exploitation in cybercrime.
• Overview of OWASP Top Ten vulnerabilities and secure coding principles.
• Injections:
  • SQL Injection: Attack methods, blind SQL injection, and prevention using parameterized queries.
  • Command Injection: Detection, prevention techniques, and hands-on exercises.
  • XML Injection: Addressing and mitigating injection risks.
• Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.

Day 2: Advanced web vulnerabilities and secure coding

• Authentication and Session Management:
  • Best practices for secure authentication.
  • Common vulnerabilities in session handling, including cookies and JWT tokens.
  • Exercises on securing authentication and sessions.
• Business Logic Vulnerabilities:
• Identifying and preventing issues like privilege escalation and payment manipulation.
• Practical exercises on mitigating business logic flaws.
• Securing forms and session tokens against CSRF attacks.
• Prevention techniques with ASP.NET.
• Addressing path traversal and insecure file upload vulnerabilities.
• Exercises on secure coding practices.
• Understanding and mitigating race conditions in multi-threaded environments.
• Cross-Site Request Forgery (CSRF):
• File and Path Vulnerabilities:
• Race Conditions:

Day 3: .NET security and advanced topics

• .NET Security Architecture:
  • Core security features, including role-based access control and secure error handling.
  • Serialization and deserialization vulnerabilities and their mitigation.
• Practical Cryptography:
• Symmetric and asymmetric encryption techniques.
• Cryptographic APIs in .NET and best practices for key management.
• In-depth analysis of new vulnerabilities such as insecure deserialization and cookie injection.
• Tools and techniques for static code analysis, penetration testing, and vulnerability management.
• Exercises using tools like OWASP ZAP and SQLMap.
• Applying robust programming principles from Saltzer and Schroeder.
• Recommended resources and further reading for secure coding practices.
• Emerging Threats:
• Security Testing and Vulnerability Management:
• Principles of Secure Coding:

Exams and Assessments

• Multiple-choice exam (60 questions, 50% pass mark).
• The APMG Proctor-U exam is taken online after course completion.
• Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).