
Web Security Development Techniques

Course code: UWSEC
Duration: 3 days


Security: A Many-Pronged Word

Security is a word with many meanings, depending on how you look at it. For some people, security means that others cannot read the data you send or store. For others, it means knowing who is using your system and determining which actions they may perform with it. Sometimes it means ensuring that data cannot be altered in transit. Here we look at all these different meanings of security and discuss 10 rules you should always adhere to.

  • Non-disclosure
  • Authentication
  • Authorization
  • Data-tampering
  • Security Testing is Different
  • Applying STRIDE
  • The Ten Immutable Laws of Security

Privacy

How do you keep prying eyes away from your data? Encrypting data ensures that only the intended receiver can understand it. So how does this work? We will look at symmetric keys versus asymmetric ones. We will also look at the most widely used encryption algorithms, explain what role certificates play, and describe how TLS and HTTPS work.

  • What is Encryption?
  • Understanding Symmetric Keys
  • And what about Asymmetric Keys
  • Hybrid Encryption
  • Hashing
  • Properly store Passwords with Hashing and Salts
  • What are Digital Signatures?
  • Certificates, SSL, TLS and HTTPS
  • LAB: Encryption

OWASP Web Security Headers

OWASP lists a number of security-related HTTP response headers that give you some control over how the browser handles your content. In this chapter we will discuss two of these headers.

  • Understanding HTTP headers and their role in security
  • Setting headers in IIS and ASP.NET Core
  • HTTP Strict Transport Security header
  • HSTS options

Understanding Claims-Based Security

What is a given user allowed to do in your application? This most likely depends on the role that user has in your organisation. Such roles can be represented with claims. In this chapter you will get a better understanding of why claims are better than roles, and of how claims are transmitted securely as tokens.

  • Representing the User
  • Introducing Claims Based Security
  • Understanding Tokens
  • Using Claims in .NET
  • LAB: Authenticating a Website with Claims

Modern Web Authentication and Authorization

In the modern web we all want to share things. But how do you safely allow one website to access resources from another website? With OpenID Connect you can delegate authentication to an identity provider (such as Facebook, Entra ID, Identity Server and others).

  • The Internet and a Way of Sharing
  • Introducing OAuth and OpenID Connect
  • OAuth Fundamentals: Authorization Code Grant, PKCE and Client Credential Grant
  • Implementing OpenID Connect Web Sign-in with Entra ID

Protecting a Web-API with OpenID Connect and Entra ID

Modern web sites and mobile apps often consume REST services. You can use OpenID Connect to authenticate users, after which you can use claims to authorize access to resources stored in a web API.

  • Protecting a Web API's resources
  • Adding permissions to the server side
  • Requesting permissions at the client side
  • Using the Microsoft Authentication Library (MSAL)
  • User consent
  • LAB: Getting an access token and passing it to the server

Web Security Threats and Defences

To better protect yourself against attacks, you should first learn what kind of attacks are common. Once you understand these attacks we can look at defending against them.

  • OWASP - Top 10 security issues
  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery
  • Extra: Denial of Service

Finding Vulnerabilities

The best defence is a good offence. In this hands-on module, you are going to put on your black hat and try to exploit as many vulnerabilities as you can in a web application made just for that.

  • Introducing the OWASP Juice Shop
  • LAB: Finding vulnerabilities in a webshop

Cyber security is becoming an increasingly important topic for organizations. The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Imagine your organization making the news, not because of some new world-changing product, but because of a data leak containing all your customers' data, including personal information and credit card details! As a modern web developer, mastering these skills is important because you cannot afford not to!

This course takes you through the different security threats and defences and teaches you hands-on how to apply them in ASP.NET Core. Among other things, you will learn how to authenticate with OpenID Connect and Entra ID, protect your API with OAuth2, and secure your company data with proper encryption techniques. This course provides in-depth, hands-on experience securing your web-based applications.

This course is meant for developers who have experience with ASP.NET Core and want to make the world a safer place through applied security best practices.

© 2024 U2U All rights reserved.