Developing Secure .Net Applications

Event Date and Time: 
Oct 20 2010 - 8:30am - 12:30pm

Presentation Now Available

See slides (PDF 3.9 MB).

Registration

Free. Space is limited to 190. Registration is required.

Intended Audience

This seminar is for .NET Developers, System Designers and Application Testers.

Abstract of Seminar Contents

Participants will learn how to build security into applications that they design, build, and test. The session will cover the Security Development Lifecycle and approaches for determining security requirements. The main part of the session will focus on showing participants how to avoid the OWASP Top 10 Application Security Risks. Participants will learn about tools and practices for testing for these risks in source code.

Speaker's Bio:

Bryan Sullivan is a Senior Security Program Manager on the Microsoft Security Development Lifecycle (SDL) team. He is responsible for addressing web and managed-code security issues in the SDL, not only by adding new SDL requirements to address new vulnerabilities, but also by changing the way the SDL itself is applied for rapid, agile development environments. Bryan is a frequent speaker at security industry events, including Black Hat, RSA Conference, Microsoft TechEd, and BlueHat. He is the author of the book Ajax Security (Addison-Wesley, 2007) and writes the Security Briefs column for MSDN Magazine.

Contact Information

Bryan Sullivan - bryansul@microsoft.com

Agenda

Introduction (8:30 – 8:35)

Intro to SDL (8:35 – 8:50)
  a. What is the SDL?
  b. Effectiveness of the SDL

Secure coding practices for ASP.NET and the OWASP Top 10 - Part 1 (8:50 – 9:50)
  a. Injection attacks
    i. Explanation & demonstration: SQL injection
    ii. Mitigation
  b. Cross-site scripting
    i. Explanation & demonstration
    ii. Mitigation
    iii. Advanced XSS technique: view state poisoning
  c. Cross-site Request Forgery
    i. Explanation & demonstration
    ii. Mitigation
    iii. CSRF in Rich Internet Applications (Silverlight, Flash, Ajax)

Break (9:50 – 10:05)

Secure coding practices for ASP.NET and the OWASP Top 10 - Part 2 (10:05 – 11:05)
  d. Open Redirects
    i. Explanation & demonstration - Same-origin policy
    ii. Mitigation - Safe redirect whitelisting
  e. Insecure Use of Cryptography
    i. SDL Cryptographic standards
    ii. Crypto agility in .NET
  f. Additional web.config security issues
    i. Web.config security overview
    ii. Custom errors disabled
    iii. Tracing/debugging enabled
    iv. Cookieless session state & cookieless authentication (session fixation)
    v. Failure to require SSL for authentication cookies
    vi. Sliding expiration
    vii. Non-unique authentication cookies
    viii. Hardcoded credentials
    ix. EnableEventValidation
    x. PasswordFormat
    xi. Minimum password length and complexity rules
    xii. Max request length

SDL Tools Demonstrations (11:05 – 12:20)
  a. SDL Threat Modeling Tool
  b. CAT.NET
  c. SDL Regex Fuzzer
  d. Web Application Configuration Analyzer (WACA)
  e. SDL Process Templates

Q&A (12:20 – 12:30)

For more information:

Contact Thomas Bynum, Carl Harris, Ron Seymour, or Fran Muskopf
IPMA Professional Development Committee Co-Chairs

Location

Saint Martin's Worthington Center
United States