Securing ASP.NET and ASP.NET Core Applications

Authors: Matt Milner, Matt Tester, Roland Guijt, Erik Dahl, Matt Honeycutt, David Berry, Nertil Poci

Security is an integral part of any Web-based application. Understanding ASP.NET security will help in building secure Web applications. ASP.NET Core enables developers to easily...

Learn how to identify common attack scenarios and prevent insider threats to applications and data.

The courses included in this path are designed to take you from security principles such as the Principle of Least Access, Malignant User Input, and Separation of Responsibilities through advanced subjects such as protecting applications from XML External Entities, preventing applications from exposing sensitive data, and defending against cross-site injection attacks.

By the end of this path, you will possess the tools and knowledge required to protect your data and website from external and internal threats.

Prerequisites

This path is intended for .NET developers who have at least intermediate programming experience in ASP.NET and C#.

Intermediate

Continue learning about the fundamentals of securing web applications built with both ASP.NET and ASP.NET Core, with topics such as:

  1. Configuring browser features and HTTP headers to secure an ASP.NET or ASP.NET Core application or service.
  2. Configuring ASP.NET and ASP.NET Core applications and services to properly handle and report errors.
  3. Analyzing threats to your login process and recommending strategies to mitigate each threat.

Implementing HTTPS in ASP.NET and ASP.NET Core

by Matt Milner

Jan 25, 2020 / 47m

Description

If you are a .NET web developer, you already know how powerful ASP.NET is for building web applications. In this course, Implementing HTTPS in ASP.NET and ASP.NET Core, you will learn how to secure the functionality in your web application by using HTTPS. First, you will see how HTTPS works and the related protocols. Next, you will discover the advantages of requiring HTTPS for website users. Finally, you will learn how to use HSTS to further protect your website. At the end of this course, you will be able to ensure that all requests to your application are secured over HTTPS, protecting your company and user data in transit.

Table of contents
  1. Course Overview
  2. Understanding HTTPS in ASP.NET
  3. Using and Requiring HTTPS in ASP.NET and ASP.NET Core Websites
  4. Configuring HSTS for ASP.NET and ASP.NET Core Websites

Securing Application Secrets in ASP.NET Core

by Matt Tester

Dec 6, 2019 / 51m

Description

Losing control of production passwords, API keys, and other secrets can be extremely costly to any business. In this course, Securing Application Secrets in ASP.NET Core, you will learn how to keep secrets safe from development through to production. First, you will discover the principles behind keeping application secrets protected and the common anti-patterns to avoid. Next, you will learn how to use Secret Manager to establish a secure practice during development. Finally, you will explore how to protect secrets in production using a Key Vault service. When you're finished with this course, you will have the skills and knowledge needed to secure application secrets in your ASP.NET applications.

Table of contents
  1. Course Overview
  2. Understanding Application Secrets
  3. Safely Store Secrets in Development
  4. Protecting Production Secrets with a Key Vault

Configuring Security Headers in ASP.NET and ASP.NET Core Applications

by Roland Guijt

Sep 30, 2019 / 51m

Description

You've heard about attacks like Cross Site Scripting (XSS) and click-jacking. This course, Configuring Security Headers in ASP.NET and ASP.NET Core Applications, will give you the skills needed to mitigate these kinds of attacks by turning on browser features in your ASP.NET (Core) application such as Content Security Policy (CSP), Referrer Policy, and Feature Policy. By the end of this course you'll not only know how to make these configurations, you'll understand how these attacks work.

Table of contents
  1. Course Overview
  2. How Security Headers Help Protect Your Application
  3. Controlling the Browser to Protect Against Cross Site Scripting (XSS) and Click-Jacking Attacks
  4. Reducing the Attack Surface with X-Content-Type-Options, Subresource Integrity, and by Withholding Version Information

Securely Handling Errors and Logging Security Events in ASP.NET and ASP.NET Core

by Erik Dahl

Dec 11, 2019 / 1h 2m

Description

Improper error handling and incomplete logging can have a crippling effect on the security of your ASP.NET and ASP.NET Core applications. In this course, Securely Handling Errors and Logging Security Events in ASP.NET and ASP.NET Core, you will gain the ability to shield and log errors gracefully, as well as to log security events effectively. First, you will learn global exception handling and logging. Next, you will discover both what constitutes a security event and what information is important to log with it. Finally, you will explore how to analyze and explore the log entries you've created. When you're finished with this course, you will have the skills and knowledge needed to handle errors securely and log security events in your own ASP.NET and ASP.NET Core applications.

Table of contents
  1. Course Overview
  2. Setting up Secure Logging in ASP.NET Applications
  3. Logging Security Events in ASP.NET Applications

ASP.NET Core and ASP.NET Input Validation

by Roland Guijt

Mar 27, 2020 / 45m

Description

Learn how to implement data validation in your ASP.NET and ASP.NET Core apps. In this course, ASP.NET Core and ASP.NET Input Validation, you will learn both the principles of validation and the ability to apply it to your applications. First, you will learn how to apply the built-in ASP.NET (Core) validations. Next, you will discover how to write your own validations both with server-side and client-side logic. Finally, you will explore how to create custom validations. When you are finished with this course, you will be able to validate user input with confidence.

Table of contents
  1. Course Overview
  2. Applying Server- and Client-side Validation
  3. Creating Custom Validations

Defeating Injection Attacks in ASP.NET and ASP.NET Core

by Matt Honeycutt

Jan 21, 2020 / 26m

Description

Web applications, including the one you just created, are under constant attack by bad actors. In this course, Defeating Injection Attacks in ASP.NET and ASP.NET Core, you will gain the ability to defend against common injection attacks in ASP.NET applications. First, you will learn about SQL injection attacks and how to thwart them. Next, you will discover how injection attacks can be applied to NoSQL, and how to properly defend against such attacks. Finally, you will see examples of process injection attacks, and how to prevent them. When you're finished with this course, you will have the skills and knowledge needed to defeat injection attacks and build secure ASP.NET applications.

Table of contents
  1. Course Overview
  2. Defeating Injection Attacks

Cross Site Scripting (XSS) Prevention for ASP.NET Core and ASP.NET Applications

by Roland Guijt

Apr 24, 2020 / 25m

Description

Cross Site Scripting (XSS) is very dangerous. Attackers gain access to browser features and can steal sensitive information or coerce users into doing unintended actions. In this course, Cross Site Scripting (XSS) Prevention for ASP.NET Core and ASP.NET Applications, you'll learn what XSS is, why it is dangerous, and how to mitigate it. First, you'll explore the nature of the attacks. Next, you'll discover how to mitigate them using encoding techniques and more. Finally, you'll learn how to implement these in all your applications. When you're finished with this course, you'll have the skills and knowledge to secure your applications against this dreaded attack.

Table of contents
  1. Course Overview
  2. Understanding and Mitigating XSS

Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core

by David Berry

Apr 7, 2020 / 28m

Description

When we think of attacks on websites and applications, we often think about things like SQL Injection, Cross Site Request Forgery, or attacks on our authentication layer. However, there are other avenues of attack into our applications, and these can occur any time our application has to read in XML, JSON, or binary data and deserialize it. This course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core, covers three such attacks: the XML External Entities (XXE) attack, the XML bomb or Billion Laughs attack, and the Insecure Deserialization family of attacks. Two of these, XML External Entities and Insecure Deserialization, are important enough that they were each placed on the OWASP Top 10 list for 2017. When you are finished with this course, you will know what each of these attacks seeks to do, how they work, and most importantly, how to defend your .NET applications against them.

Table of contents
  1. Course Overview
  2. XML and Deserialization Based Attacks

Cross Site Request Forgery (CSRF) Prevention for ASP.NET Core and ASP.NET Applications

by Roland Guijt

Apr 10, 2020 / 22m

Description

Cross Site Request Forgery (CSRF) is an attack technique in which users are lured into performing actions on websites without noticing. In this course, Cross Site Request Forgery (CSRF) Prevention for ASP.NET Core and ASP.NET Applications, you'll learn how CSRF is executed, why it is dangerous, and how to mitigate it. First, you'll explore the nature of the attacks. Next, you'll discover how to mitigate them using the newest as well as older techniques. Finally, you'll learn how to implement these in all your applications. When you're finished with this course, you'll have the skills and knowledge to secure your applications against this dreaded attack.

Table of contents
  1. Course Overview
  2. Understanding and Mitigating CSRF

Advanced

In this section, you will learn more advanced techniques for securing your websites.

Some of the more advanced topics covered in this group are:

  1. Configuring code analysis to scan an ASP.NET or ASP.NET Core application for security vulnerabilities.
  2. Scanning applications for outdated or vulnerable libraries, and why this matters.
  3. Using the Same Origin Policy and configuring Cross-Origin Resource Sharing (CORS) for secure browser access to APIs.

Using Security Analysis Tools to Protect ASP.NET and ASP.NET Core Applications

by Erik Dahl

May 19, 2020 / 1h 20m

Description

Scanning your custom web application code for common vulnerabilities, and scanning the packages that your applications reference, can improve the security of your ASP.NET (Core and Framework) web applications. In this course, Using Security Analysis Tools to Protect ASP.NET and ASP.NET Core Applications, you will gain the ability to add these types of scans to both your development setup and your automated build pipelines. First, you will learn about static code analysis and how to get a security-focused static code analyzer to scan your application code. Next, you will discover package vulnerability scanning, which analyzes the packages your application relies on against a database of known vulnerabilities. Finally, you will explore how to incorporate both of these types of scan into automated build pipelines. When you're finished with this course, you will have the security-scanning skills and knowledge needed to improve the overall security of your ASP.NET and ASP.NET Core web applications.

Table of contents
  1. Course Overview
  2. Applying Static Code Analysis (SCA)
  3. Detecting Vulnerable Libraries
  4. Adding SCA and Vulnerable Library Detection to Build Pipelines

Configuring CORS in ASP.NET and ASP.NET Core

by Nertil Poci

Dec 13, 2019 / 50m

Description

In this modern application era, applications that have the client and the server on the same origin are becoming less and less common. APIs are accessed from multiple clients hosted on different origins. In this course, Configuring CORS in ASP.NET and ASP.NET Core, you will learn how to set up CORS for your APIs so that only approved client applications can access them. First, you will learn how browsers implement CORS. Next, you will discover how to configure your ASP.NET applications to allow CORS requests from origins that you trust. Finally, you will explore the different CORS request types and configuration options that help you secure and optimize requests coming in from other origins. By the end of this course, you will be able to identify CORS requests and configure CORS for your ASP.NET and ASP.NET Core applications.

Table of contents
  1. Course Overview
  2. Configuring CORS in ASP.NET Core Applications
  3. Configuring CORS in ASP.NET Applications