Extended web application security in C#

Day 1

• Cyber security basics
•        What is security?
•        Threat and risk
•        Cyber security threat types – the CIA triad
•        Consequences of insecure software
• The OWASP Top Ten 2021
•        The OWASP Top 10 2021
•        A01 – Broken Access Control
•                Access Control Basics
•                Confused deputy
•                File upload
•                Open redirects and forwards
•        A02 – Cryptographic Failures
•                Information exposure
•                Cryptography for developers

Day 2

• The OWASP Top Ten 2021
•        A03 - Injection
•                Input validation
•                Injection
•                SQL Injection
•                SQL Injection best practices
•                Parameter manipulation
•                Code injection
•                Script injection
•                Dangerous file inclusion
•                HTML injection - Cross-site scripting (XSS)

Day 3

• A04 - Insecure Design
•        The STRIDE model of threats
•        Secure design principles of Saltzer and Schroeder
•        Client-side security
• A05 - Security Misconfiguration
•        Configuration principles
•        Server misconfiguration
•        ASP.NET and IIS configuration best practices
•        Cookie security
•        XML entities
• A06 - Vulnerable and Outdated Components
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Vulnerability management
• A07 - Identification and Authentication Failures
•        Authentication
•        Session management

Day 4

• A07 – Identification and Authentication Failures (continued)
•        Password management
• A08 - Software and Data Integrity Failures
•        Integrity protection
•        Subresource integrity
•        Insecure deserialization
• A09 - Security Logging and Monitoring Failures
•        Logging and monitoring principles
•        Insufficient logging
•        Case study - Plaintext passwords at Facebook
•        Logging best practices
•        Monitoring best practices
• A10 - Server-Side Request Forgery (SSRF)
•        Server-side Request Forgery (SSRF)
•        Case study - SSRF and the Capital One breach
• Web application security beyond the Top Ten
•        Denial of service
• Wrap Up
•        Secure coding principles
•        And now what?