Desktop Application Security in C#

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software
•        Constraints and the market
•        The dark side
• Categorization of bugs
•        The Seven Pernicious Kingdoms
•        Common Weakness Enumeration (CWE)
•        CWE Top 25 Most Dangerous Software Errors

Input validation

• Input validation principles
•        Blacklists and whitelists
•        Data validation techniques
•        What to validate – the attack surface
•        Where to validate – defense in depth
•        How to validate – validation vs transformations
•        Output sanitization
•        Encoding challenges
•        Validation with regex
• Injection
•        Injection principles
•        Injection attacks
•        Code injection
•                OS command injection
•                        Lab – Command injection
•                        OS command injection best practices
•                        Avoiding command injection with the right APIs
•                        Lab – Command injection best practices
•                        Case study – Command injection via ping
•                Script injection
•        General protection best practices
• Integer handling problems
•        Representing signed numbers
•        Integer visualization
•        Integer overflow
•        Lab – Integer overflow
•        Signed / unsigned confusion
•        Case study – The Stockholm Stock Exchange
•        Lab – Signed / unsigned confusion
•        Integer truncation
•        Best practices
•                Upcasting
•                Precondition testing
•                Postcondition testing
•                Using big integer libraries
•                Integer handling in C#
•                Lab – Checked arithmetics
• Files and streams
•        Path traversal
•        Path traversal-related examples
•        Lab – Path traversal
•        Additional challenges in Windows
•        Path traversal best practices
• Unsafe reflection
•        Reflection without validation
•        Lab – Unsafe reflection
• Unsafe native code
•        Native code dependence
•        Lab – Unsafe native code
•        Best practices for dealing with native code

DAY 2

Security features

• Authentication
•        Authentication basics
•        Multi-factor authentication
•        Authentication weaknesses – spoofing
•        Case study – PayPal 2FA bypass
•        User interface best practices
•        Password management
•                Inbound password management
•                        Storing account passwords
•                        Password in transit
•                        Lab – Is just hashing passwords enough?
•                        Dictionary attacks and brute forcing
•                        Salting
•                        Adaptive hash functions for password storage
•                        Password policy
•                                NIST authenticator requirements for memorized secrets
•                                Password length
•                                Password hardening
•                                Using passphrases
•                                Lab – Applying a password policy
•                        Case study – The Ashley Madison data breach
•                                The dictionary attack
•                                The ultimate crack
•                                Exploitation and the lessons learned
•                        Password database migration
•                Outbound password management
•                        Hard coded passwords
•                        Best practices
•                        Lab – Hardcoded password
•                        Protecting sensitive information in memory
•                                Challenges in protecting memory
•                                Storing sensitive data in memory
•                                Sensitive data in memory
• Authorization
•        Access control basics
• Information exposure
•        Exposure through extracted data and aggregation
•        Case study – Strava data exposure
•        System information leakage
•                Leaking system information
•        Information exposure best practices
• .NET platform security
•        Code Access Security
•                Code Access Security and Evidence
•                Application Domains and Permissions
•                The Stack Walk
•                Lab – Code Access Security
•        The transparency model
•                Lab – The transparency model
•        Role-based security
•                Principal and identity
•                Role-based permissions
•                Impersonation
•                Lab – Role-based security
•        Protecting .NET code and applications
•                Code signing
• UI security
•        UI security principles
•        Sensitive information in the user interface
•        Lab – Extracting password from the UI
•        Misinterpretation of UI features or actions
•        Insufficient UI feedback
•        Relying on hidden or disabled UI element
•        Insufficient anti-automation

Time and state

• Race conditions
•        Race condition in object data members
•                Lab – Singleton member fields
•        File race condition
•                Time of check to time of usage – TOCTTOU
•                Insecure temporary file
•        Database race conditions
•        Avoiding race conditions in C#

Errors

• Error and exception handling principles
• Error handling
•        Returning a misleading status code
•        Information exposure through error reporting
• Exception handling
•        In the catch block. And now what?
•        Catching NullReferenceException
•        Empty catch block
•        Catching and throwing SystemExceptions
•        Lab – Exception handling mess

DAY 3

Cryptography for developers

• Cryptography basics
• Crypto APIs in C#
• Elementary algorithms
•        Random number generation
•                Pseudo random number generators (PRNGs)
•                Cryptographically strong PRNGs
•                Weak and strong PRNGs
•                Using random numbers in C#
•                Case study – Equifax credit account freeze
•                Lab – Using random numbers in C#
•        Hashing
•                Hashing basics
•                Common hashing mistakes
•                Hashing in C#
•                Lab – Hashing in C#
• Confidentiality protection
•        Symmetric encryption
•                Block ciphers
•                Modes of operation
•                Modes of operation and IV – best practices
•                Symmetric encryption in C#
•                Symmetric encryption in C# with streams
•                ProtectedMemory and ProtectedData
•                Lab – Symmetric encryption in C#
•                Asymmetric encryption
•                        The RSA algorithm
•                                Using RSA – best practices
•                                RSA in C#
•                                Lab – Using RSA in C#
•                        Elliptic Curve Cryptography
•                                The ECC algorithm
•                                Using ECC – best practices
•                        Combining symmetric and asymmetric algorithms
• Integrity protection
•        Message Authentication Code (MAC)
•                Calculating HMAC in C#
•                Lab – Calculating MAC in C#
•        Digital signature
•                Digital signature with RSA
•                Digital signature with ECC
•                Digital signature in C#
•                Lab – Digital signature in C#
• Public Key Infrastructure (PKI)
•        Some further key management challenges
•        Certificates
•                Chain of trust
•                Certificate management – best practices

Common software security weaknesses

• Code quality
•        Data handling
•                Initialization and cleanup
•                        Class initialization cycles
•                        Lab – Initialization cycles
•                Unreleased resource
•        Object oriented programming pitfalls
•                Accessibility modifiers
•                        Are accessibility modifiers a security feature?
•                        Accessibility modifiers – best practices
•                Inheritance and overriding
•                Mutability
•                        Lab – Mutable object
•                        Readonly collections
• Denial of service
•        Denial of Service
•        Resource exhaustion
•        Cash overflow
•        Flooding
•        Algorithm complexity issues
•                Regular expression denial of service (ReDoS)
•                        Lab – Regular expression denial of service (ReDoS)
•                        Dealing with ReDoS
•                Hashtable collision
•                        How hashtables work?
•                        Hash collision in case of hashtables
•                        Hashtable collision in C#

Using vulnerable components

• Vulnerability management
•        Patch management
•        Vulnerability databases
•        Lab – Finding vulnerabilities in third-party components

Wrap up

• Secure coding principles
•        Principles of robust programming by Matt Bishop
•        Secure design principles of Saltzer and Schröder
• And now what?
•        Software security sources and further reading
•        NET and C# resources