Overview

This comprehensive three-day course empowers developers with the skills to secure C# and ASP.NET web applications against common vulnerabilities and advanced cyber threats. Participants will explore core IT security principles, secure coding practices, and .NET-specific security measures. Key topics include SQL injection, cross-site scripting (XSS), authentication flaws, and insecure deserialization, with a focus on how they affect ASP.NET applications.

The course also delves into the .NET framework’s security architecture, emerging issues, and cryptographic techniques. Through hands-on exercises, participants will gain practical experience in applying secure coding practices to real-world scenarios.

Read more +

Prerequisites

  • General C# development knowledge.
  • Familiarity with web application concepts is beneficial but not mandatory.

Target Audience

  • C# developers building or maintaining web applications.
  • Software engineers seeking to enhance their knowledge of secure coding.
  • IT professionals responsible for application security in .NET-based systems.
Read more +

Learning Outcomes

By the end of this course, participants will be able to:

  • Identify and mitigate common web vulnerabilities affecting .NET applications, including OWASP Top Ten issues.
  • Apply secure coding practices in C# to prevent injection attacks, XSS, and insecure deserialization.
  • Utilise the security features of the .NET framework to enhance application security.
  • Strengthen authentication, session management, and access control in ASP.NET applications.
  • Conduct vulnerability assessments using tools like static code analysis and penetration testing frameworks.
  • Apply secure coding principles and follow key guidelines from industry standards such as OWASP and SEI CERT.
Read more +

Course Outline

Day 1: Introduction to IT security and secure coding

  • Fundamentals of IT security and risk management.
  • Understanding security flaws and their exploitation in cybercrime.
  • Overview of OWASP Top Ten vulnerabilities and secure coding principles.
  • Injections:
    • SQL Injection: Attack methods, blind SQL injection, and prevention using parameterized queries.
    • Command Injection: Detection, prevention techniques, and hands-on exercises.
    • XML Injection: Addressing and mitigating injection risks.
  • Cross-Site Scripting (XSS): Persistent, reflected, and DOM-based XSS attacks with prevention strategies and exercises.

Day 2: Advanced web vulnerabilities and secure coding

  • Authentication and Session Management:
    • Best practices for secure authentication.
    • Common vulnerabilities in session handling, including cookies and JWT tokens.
    • Exercises on securing authentication and sessions.
  • Business Logic Vulnerabilities:
  • Identifying and preventing issues like privilege escalation and payment manipulation.
  • Practical exercises on mitigating business logic flaws.
  • Securing forms and session tokens against CSRF attacks.
  • Prevention techniques with ASP.NET.
  • Addressing path traversal and insecure file upload vulnerabilities.
  • Exercises on secure coding practices.
  • Understanding and mitigating race conditions in multi-threaded environments.
  • Cross-Site Request Forgery (CSRF):
  • File and Path Vulnerabilities:
  • Race Conditions:

Day 3: .NET security and advanced topics

  • .NET Security Architecture:
    • Core security features, including role-based access control and secure error handling.
    • Serialization and deserialization vulnerabilities and their mitigation.
  • Practical Cryptography:
  • Symmetric and asymmetric encryption techniques.
  • Cryptographic APIs in .NET and best practices for key management.
  • In-depth analysis of new vulnerabilities such as insecure deserialization and cookie injection.
  • Tools and techniques for static code analysis, penetration testing, and vulnerability management.
  • Exercises using tools like OWASP ZAP and SQLMap.
  • Applying robust programming principles from Saltzer and Schroeder.
  • Recommended resources and further reading for secure coding practices.
  • Emerging Threats:
  • Security Testing and Vulnerability Management:
  • Principles of Secure Coding:

Exams and Assessments

  • Multiple-choice exam (60 questions, 50% pass mark).
  • The APMG Proctor-U exam is taken online after course completion.
  • Delegates receive individual access to the APMG candidate portal (available two weeks post-exam).
Read more +

Scademy

In partnership with our Secure Coding partner Scademy.

Click here to view all our Scademy courses.

ELCAS Enhanced Learning Credits Administration Service

 

 

 

 

 

QA is an approved training provider for ELCAS, proud to support service leavers in their transition into the tech industry. Learn more about Elcas approved training here.  

NCSC Assured Training

Continuous Professional Development (CPD)

CPD points can be claimed for NCSC assured training courses at the rate of 1 point per hour of training for NCSC assured training courses (up to a maximum of 15 points).

Why choose QA

Dates & Locations

Cyber Security learning paths

Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.

= Required
= Certification
AI Security
Application Security
Cyber Blue Team
Cybersecurity Maturity Model Certification (CMMC)
Cloud Security
Continuity & Resilience
DFIR Digital Forensics & Incident Response
Industrial Controls & OT Security
Information Security Management
NIST Pathway
Offensive Security
Privacy Professional
Reverse Engineer
Secure Coding
Security Auditor
Security Architect
Security Risk
Security Tech Generalist
Vulnerability Assessment & Penetration Testing
Security Tech Generalist