Audit support (separate audit logs, managing debug logs)
Intrusion detection, correct reactions
Protecting the admin interface
D. Framework/language specifics
Secure coding in .NET/C#
Developed by Riccardo ten Cate
Security features of .NET and what kind of protection they serve
C# language security (is C# a secure language?)
Numeric overflow, automatic conversions
Authentication, membership, provider model
Login controls, session management
Role based authorization
Cryptography in .NET
How to use a key vault
How to test entropy of secure random solutions
JS frameworks [optional]
Local storage/session storage
Web messaging, web sockets
E. Security testing and audit [optional]
Practicing is part of many of the above blocks. We start off with basic hacking challenges, but the real exercises are about fixing vulnerable code, and tasks in which attendees assess code and an application on their own. We mostly offer cloud-based facilities to run the exercise environments, so no local installation is needed.
Hands-ons with vulnerable apps
For most of the courses there are intentionally vulnerable applications which we use to demonstrate and learn specific vulnerabilities and how to fix them.
In some cases we use public "damn vulnerable" applications, in some cases we prepared our own applications to practice with.
DIY sonarqube code checking
We assume that developers should be capable of running basic automated security tests against their own code, and of tuning the SCA tools to produce a reasonable ratio of false positives to valuable findings.
Normally we teach how to use security plugins of Sonarqube.
We provide sample code to test, though the best experience is achieved when developers run the security SCA against their own code.
See also the extra, on-demand block 'Assisted code-review lab' below for practicing on your own code.
DIY ASVS self-audit
OWASP ASVS is the current standard for assessing the security quality and design flaws of a (web) application, and it's the developers who know the answers to the ASVS audit questions. So we take developers on a short journey in assessing the security properties of their applications.
Check out the trainers' bios in the Trainers section