
Developing Secure .NET Applications - Mitigating the OWASP Top 10 Security Vulnerabilities

  • Price £1,995.00
  • Duration 4 day(s)
All major credit cards accepted


This course provides the skills and techniques needed to identify security risks in ASP.NET web applications and to mitigate those risks by writing secure code. The course aligns to the OWASP Top 10 most critical web application security risks and takes students through the exploitation of vulnerable code so that they experience each risk first hand. It then discusses mitigations in depth and gives students the opportunity to fix the vulnerabilities they have just exploited.

Assumed Knowledge

Delegates should already have experience of using the C# or Visual Basic .NET programming languages, which can be gained by attending one of our C# or Visual Basic .NET programming language courses. Delegates should be proficient in developing ASP.NET web applications with Visual Studio. They should have prior experience of delivering real-world web sites, although that experience need not be extensive. Delegates should understand the basics of building either Web Forms or MVC applications and have an understanding of general web technologies such as HTTP. Delegates should also already have experience of data access and data binding using APIs such as LINQ, ADO.NET and/or the Entity Framework, which can be gained by attending one of our C# or Visual Basic .NET programming language courses.

Course Content

Module 1: Introduction to Web Security

Who’s being hacked and who’s doing the hacking?

The prevalence of website vulnerabilities

Key web application security concepts

Module 2: OWASP

Injection

Exploiting SQL injection in a vulnerable website

Whitelist validation

Creating parameterised queries

ORMs and stored procedures

Database permissions and the principle of least privilege

Module 3: OWASP

Cross-Site Scripting – XSS

Exploiting XSS in a vulnerable website

ASP.NET request validation

Output encoding for different contexts

Native browser defences

Reflective, persistent and DOM XSS

Module 4: OWASP

Broken Authentication and Session Management

Exploiting broken authentication in a vulnerable website

The ASP.NET membership and role providers

Cookieless sessions

Increasing session security

Account management and password resets

Module 5: OWASP

Insecure Direct Object References

Exploiting direct object references in a vulnerable website

Implementing access controls

Indirect reference maps

Obfuscated identifiers

Module 6: OWASP

Cross-Site Request Forgery – CSRF

Exploiting CSRF in a vulnerable website

Leveraging the synchroniser token pattern

The anti-forgery token in ASP.NET MVC

Native browser defences against CSRF

Module 7: OWASP

Security Misconfiguration

Exploiting security misconfiguration in a vulnerable website

Using the NuGet package manager to keep frameworks up to date

Correctly configuring custom errors, tracing and debugging

Encrypting configuration data

Module 8: OWASP

Insecure Cryptographic Storage

Exploiting cryptographic storage in a vulnerable website

Creating secure salted hashes

Leveraging the ASP.NET membership provider for password storage

Implementing symmetric encryption

Module 9: OWASP

Failure to Restrict URL Access

Exploiting unrestricted URLs in a vulnerable website

Using authorisation and security trimming

Leveraging the role provider

Employing principal permissions on classes and methods

Module 10: OWASP

Insufficient Transport Layer Protection

Exploiting insufficient transport layer security in a vulnerable website

Properly implementing SSL on forms authentication

Secure cookies and HSTS

The dangers of mixed content

Module 11: OWASP

Unvalidated Redirects and Forwards

Exploiting unvalidated redirects in a vulnerable website

Whitelisting URLs

Referrer checking

Module 12: Other risks and tools

Clickjacking and other risks beyond the Top 10

Employing automated tools to detect vulnerabilities

Module 13: Summary

Going beyond technical controls to ensure application security

Implementing people processes in the secure development lifecycle
