OWASP Top 10, C# Secure Coding Follow Up Training

• Learn client-side vulnerabilities and secure coding practices
• Learn to use various security features of the .NET development environment
• Have a practical understanding of cryptography

• Client-side security
• .NET security architecture and services
• Practical cryptography

Client-side security

• JavaScript security
• Same Origin Policy
• Simple requests
• Preflight requests
• Clickjacking
  • Clickjacking
  • Exercise – IFrame, Where is My Car?
  • Protection against Clickjacking
  • Anti frame-busting – dismissing protection scripts
  • Protection against busting frame busting
• AJAX security
  • XSS in AJAX
  • Script injection attack in AJAX
  • Exercise – XSS in AJAX
  • XSS protection in AJAX
  • Exercise CSRF in AJAX – JavaScript hijacking
  • CSRF protection in AJAX

.NET security architecture and services

• .NET architecture
• Code Access Security (optional)
  • Full and partial trust
  • Evidence classes
  • Permissions
  • Code access permission classes
  • Deriving permissions from evidence
  • Defining custom permissions
  • .NET runtime permission checking
  • The Stack Walk
  • Effects of Assert()
  • Class and method-level declarative permission
  • Imperative (programmatic) permission checking
  • Exercise – sandboxing .NET code
  • Using transparency attributes
  • Allow partially trusted callers
  • Exercise – using transparency attributes

Practical cryptography

• Rule #1 of implementing cryptography
• Cryptosystems
  • Elements of a cryptosystem
  • .NET cryptographic architecture
• Symmetric-key cryptography
  • Providing confidentiality with symmetric cryptography
  • Symmetric encryption algorithms
  • Modes of operation
  • Encrypting and decrypting (symmetric)
• Other cryptographic algorithms
  • Hash or message digest
  • Hash algorithms
  • SHAttered
  • Hashing
  • Message Authentication Code (MAC)
  • Providing integrity and authenticity with a symmetric key
  • Random number generation
    • Random numbers and cryptography
    • Cryptographically-strong PRNGs
    • Weak PRNGs in .NET
    • Strong PRNGS in .NET
    • Hardware-based TRNGs
• Asymmetric (public-key) cryptography
  • Providing confidentiality with public-key encryption
  • Rule of thumb – possession of private key
  • The RSA algorithm
    • Introduction to RSA algorithm
    • Encrypting with RSA
    • Combining symmetric and asymmetric algorithms
    • Digital signing with RSA
    • Asymmetric algorithms in .NET
    • Exercise Sign
    • Exercise – using .NET cryptographic classes
• Public Key Infrastructure (PKI)
  • Man-in-the-Middle (MitM) attack
  • Digital certificates against MitM attack
  • Certificate Authorities in Public Key Infrastructure
  • X.509 digital certificate