Web Application Security Primer for Web Developers

Course Description

This course is aimed at web developers to help them understand the kinds of threats their web applications will be exposed to. It gives an overview of security best practices along with practical examples of real threats and shows how to write code that mitigates them. The course discusses web applications in general and covers specific techniques for the Microsoft ASP.NET Core stack. It covers back-end, front-end, database and server vulnerabilities, demonstrating real threats and their solutions.
5 Days
Contact us for pricing

Prerequisites

This course assumes familiarity with developing web applications using the ASP.NET stack. The course "Full Stack C# Development" is recommended for all participants.

Introduction

Web Application Security
Types of attacks
Introducing a poorly written web application

Attack Vectors

OWASP Top Ten
Common Weakness Enumeration
Common Vulnerabilities and Exposures

Cross-Site Scripting

OWASP No. 3
What is XSS?
Demonstrate XSS attacks
Resolving XSS attacks

Cross-Site Request Forgery

OWASP No. 10
What is XSRF?
Demonstrate an XSRF vulnerability
Resolving XSRF attacks
C# ASP.NET solution

Injection Attacks

OWASP No. 3
SQL Injection
NoSQL Injection
Parameterised queries
Entity Framework considerations
Some sample attacks along with solutions

File Uploads

OWASP No. 4 & No. 5
File Upload Vulnerabilities
Path traversal attacks

XML External Entity Attack

OWASP No. 5
What is an XXE attack?
An example attack
C# ASP.NET solution

Authentication And Authorization

OWASP No. 7 & No. 2
Password Strength
Encrypting passwords
Minimising access using authorization
Database credentials and read only access unless necessary
3rd party authorization

Server Side Request Forgery

OWASP No. 10
What is SSRF?
Demonstrate an SSRF attack
Resolving SSRF Vulnerabilities

Meet the hackers

Viewing web server logs
The threat landscape
Types of attack
Tools used by hackers
Set up a public server on a well-known IP address and monitor the logs
Understanding the role of network security
Security by design
Security concepts and terminology
The role of AI in Web Application Security

General Principles

Don't share unnecessary information
Use proper exception handling and custom error pages
Patch servers and other libraries
Externalise sensitive information like passwords
Use encryption
Use SSL
Sanitise all information coming from users
Monitor logs
Review code
The Human Factor

Configuring ASP.NET Core server

Proper Exception Handling - Custom Error Pages
Hide Server Information
Use HTTPS And Redirect All Traffic To HTTPS
Configuring IIS For HTTPS
Adding security headers to your pages

Protecting Your Configuration

The importance of externalising configuration
.config files
Environment variables
Command line parameters
Managing secrets
Securing your connection strings

Threat Monitoring

The importance of logging
Application logs
Network logs
Monitoring logs

Some web application techniques

Razor pages
AJAX calls
Connection to databases
Browser Developer Tools
Client-side frameworks - Angular / React
Review the web application

Security Best Practices

Code development practices
Security testing strategies
Code reviews
Runtime protection for application development

Conclusions

Review of threat landscape
Importance of monitoring logs
Security checking tools and penetration testing
