
Securing .Net Web Applications

  • Tuition: USD $2,595 (GSA: $2,262.47)
  • Reviews: 4.5 out of 5 stars (4064 Ratings)
  • Course Code: TT8320-N
  • Duration: 4 days
  • Available Formats: Classroom, Virtual

Securing .Net Web Applications is a lab-intensive, hands-on .Net security training course, essential for experienced enterprise developers who need to produce secure .Net-based web applications. In addition to teaching basic programming skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle.

  • In this course, students thoroughly examine best practices for defensively coding .Net web applications, including XML processing and web services. Students will repeatedly attack and then defend various assets associated with a fully-functional web application. This hands-on approach drives home the mechanics of how to secure .Net web applications in the most practical of terms.

Skills Gained

  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Be able to test web applications with various attack techniques to determine the existence of and effectiveness of layered defenses
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the vulnerabilities associated with authentication and authorization
  • Be able to detect, attack, and implement defenses for authentication and authorization functionality and services
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Be able to detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the concepts and terminology behind defensive, secure coding
  • Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
  • Perform both static code reviews and dynamic application testing to uncover vulnerabilities in web applications
  • Design and develop strong, robust authentication and authorization implementations within the context of .NET
  • Understand the fundamentals of XML Digital Signature and XML Encryption as well as how they are used within the web services arena
  • Be able to detect, attack, and implement defenses for XML-based services and functionality
  • Understand techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure

Who Can Benefit

This is an intermediate-level .Net secure programming course, designed for developers who wish to get up and running on developing well-defended software applications. This course may be customized to suit your team’s unique objectives.

  • Familiarity with C# is required and real world programming experience is highly recommended. Ideally students should have approximately 6 months to a year of .Net application development practical experience.

Course Details



  • Misconception #1
  • Security: The Complete Picture
  • TJX: Anatomy of a Disaster?
  • So What is the Point?
  • 2012 Attacks Continued to Evolve
  • Causes of Data Breaches
  • Heartland – Slipping Past PCI Compliance
  • What's the Point?
  • Verizon’s 2012 Data Breach Report
  • 360M Down to 4M in 2010???
  • US Secret Service Continued to Battle
  • Verizon’s 2013 Data Breach Report
  • The Numbers are Abstract, but…
  • Are You Concerned Yet?
  • Verizon AppSec Recommendations

Security Concepts

  • Terminology and Players
  • Assets, Threats, and Attacks
  • WASC

Defensive Coding Principles

  • Security Is a Lifecycle Issue
  • Bolted on Versus Baked
  • Minimize Attack Surface Area
  • Examples of Minimization
  • Defense in Depth
  • Manage Resources
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted
  • Fix Security Defects Correctly
  • Learning From Vulnerabilities


  • Recent, Relevant Incidents
  • Finding Security Defects In Web Applications

Top Security Vulnerabilities

Unvalidated Input

  • OWASP/WASC Coverage
  • Unvalidated Input: Description
  • Buffer Overflows
  • Format String Attacks
  • Null Byte Injection Attacks
  • Integer Arithmetic Vulnerabilities
  • Unvalidated Input: From the Web
  • Hidden Values in HTTP Communications
  • Unvalidated Input: Symptoms and Detection
  • Detection Through Fuzz Testing
  • Unvalidated Input: Fixes
  • Identifying Trust Boundaries
  • Designing An Appropriate Response
  • Testing Defenses And Responses

Overview of Regular Expressions

  • Description with working example

Broken Access Control

  • OWASP/WASC Coverage
  • Access Control Issues
  • Broken Access Control: Description
  • Excessive Privileges
  • Insufficient Flow Control/Forceful Browsing
  • Primary Concerns in URL/Resource Access
  • Unprotected URL/Resource Access: Fixes
  • Protecting Sessions
  • Addressing Client-Side Caching of Content
  • Authorization Security Overview
  • .Net authorization security overview
  • Defending Special Privileges Such As Administrative Functions
  • Application Authorization Best Practices

Broken Authentication And Session Management

  • OWASP/WASC Coverage
  • Quality of Authentication Credentials
  • Multi-Layered Defenses Of Authentication Services
  • Password Management Strategies
  • Password Handling With Hashing
  • Mitigating Password Caching
  • Testing Defenses And Responses For Weaknesses
  • Alternative Authentication Mechanisms
  • Best Practices For Session Management
  • Defending Session Hijacking Attacks

Cross Site Scripting (XSS) Flaws

  • OWASP/WASC Coverage
  • XSS Mechanisms
  • Character Encoding Complications
  • Blacklisting
  • Whitelisting
  • HTML/XML Entity Encoding
  • Trust Boundary Definition
  • Implementing An Effective Layered Defense
  • Designing An Appropriate Response

Injection Flaws

  • OWASP/WASC Coverage
  • SQL Injection Continues to be Prevalent
  • Injection Flaws: Description
  • Injection Flaws: Symptoms and Detection
  • SQL Injection Examples
  • SQL Injection Attacks Evolve
  • Attackers have a Variety of Tools
  • SQL Injection: Drill Down on Stored Procedures
  • SQL Injection: Drill Down on ORM
  • Minimize SQL Injection Vulnerabilities
  • Minimizing Injection Flaws
  • Command Injection Vulnerabilities
  • LDAP Injection Vulnerabilities
  • Server-Side Include (SSI) Vulnerabilities

Error Handling And Information Leakage

  • OWASP/WASC Coverage
  • Four Dimensions of Designing Error Responses
  • Error Response Best Practices
  • Error, Auditing, And Logging Content Management
  • Error, Auditing, And Logging Service Management
  • Best Practices For Supporting Web Attack Forensics
  • Information Leaks
  • Data Loss Prevention (DLP)
  • Solving DLP Challenges
  • DLP: What and Where
  • DLP: Best Practices

Insecure Data Handling

  • OWASP/WASC Coverage
  • Sony and Related Exploits
  • Protecting Data can Mitigate Impact of Exploit
  • Data Handling Concerns
  • Unexpected Data Repositories
  • In-Memory Data Handling
  • Secure Pipes
  • Transport-Level Security
  • SSL
  • Recent Failures in SSL Framework
  • BEAST Attacks on SSL

Insecure Management of Configuration

  • OWASP/WASC Coverage
  • System hardening
  • Server configuration “Gotchas!”
  • Hardening software installation

Direct Object Access

  • OWASP/WASC Coverage
  • Dynamic Loading Mechanisms
  • Race Conditions
  • Direct Object References

Spoofing and Redirects

  • OWASP/WASC Coverage
  • Spoofing: Description
  • Name Resolution Vulnerabilities
  • Targeted Spoofing Attacks Against RSA
  • Attacks are Constant and Changing
  • Spoofing: Fixes
  • Cross Site Request Forgeries (CSRF)
  • How To Get Victim To Select URL?
  • CSRF Defenses are Entirely Server-Side
  • CSRF Defenses are Evolving
  • Redirects and Forwards
  • Safe Redirects and Forwards

Understanding What’s Important

  • Prioritizing Your Efforts
  • Common Vulnerabilities and Exposures
  • OWASP Top Ten
  • Caveats and Context
  • OWASP Top Ten for 2013
  • How Many Principles Can be Violated?
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Monster Mitigations
  • Defense In Depth - Layered Defense
  • Defense in Depth – An Example
  • Defense in Depth – Damage Control
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
  • .Net Issues and Best Practices

Defending XML Processing

Defending XML

  • Understanding common attacks and how to defend
  • Operating in safe mode
  • Using standards-based security
  • XML-aware security infrastructure

Defending Web Services

  • Security exposures
  • Transport-level security
  • Message-level security
  • WS-Security
  • Attacks and defenses

Defending Ajax

  • Ajax Security Exposures
  • Attack Surface Changes
  • Injection Threats And Concerns
  • Bridging and Potential Problems
  • Managing Bridges
  • Effective Defenses And Practices

When does class start/end?

Classes begin promptly at 9:00 am, and typically end at 5:00 pm.

Does the course schedule include a Lunchbreak?

Lunch is normally an hour long and begins at noon. Coffee, tea, hot chocolate and juice are available all day in the kitchen. Fruit, muffins and bagels are served each morning. There are numerous restaurants near each of our centers, and some popular ones are indicated on the Area Map in the Student Welcome Handbooks - these can be picked up in the lobby or requested from one of our ExitCertified staff.

How can someone reach me during class?

If someone should need to contact you while you are in class, please have them call the center telephone number and leave a message with the receptionist.

What languages are used to deliver training?

Most courses are conducted in English, unless otherwise specified. Some courses will have the word "FRENCH" marked in red beside the scheduled date(s) indicating the language of instruction.

What does GTR stand for?

GTR stands for Guaranteed to Run; if you see a course with this status, it means this event is confirmed to run. View our GTR page to see our full list of Guaranteed to Run courses.

Does ExitCertified deliver group training?

Yes, we provide training for groups, individuals and private on sites. View our group training page for more information.

Thank you for training on AWS development. Course was good and encouraging but labs need to be improved and provide more information and ask students to do more work than provide solutions.

Very good material, the instructor was clear explaining the topics, and the labs were easy to follow.

Labs and the study materials provided for Architecting on AWS course are very easy to understand and explain all the topics required to pass the Associate certification.

This was an effective way to provide a ton of information in a short time period.

The technical data in the AWS Solutions Architect course was very thorough.

3 options available

  • Aug 30, 2021 - Sep 2, 2021 (4 days)
    10:00 AM - 6:00 PM EDT
    SAVE on this course - Promo Code: SUMMER500
  • Oct 12, 2021 - Oct 15, 2021 (4 days)
    10:00 AM - 6:00 PM EDT
  • Nov 30, 2021 - Dec 3, 2021 (4 days)
    10:00 AM - 6:00 PM EDT
Contact Us 1-800-803-3948