Developing Secure Web Applications

Prerequisites

Before attending this course, students must have:
  • Familiarity with n-tier application architecture.
  • Experience in developing or designing distributed Web applications.
  • Experience with one or both of the following programming languages:
      • Microsoft C#
      • Microsoft Visual Basic .NET
  • Experience in writing server-side and client-side scripts by using one or both of the following scripting languages:
      • Active Server Pages (ASP)
      • Microsoft ASP.NET
  • Familiarity with all of the following Microsoft products and technologies is recommended:
      • SQL Server 2000
      • Microsoft Internet Information Services (IIS)

Course Outline

Module 1: Introduction to Web Security

This module introduces the terms and concepts of Web security and explains why it is needed.

Module 2: Planning for Web Application Security

This module describes the general process of incorporating security in the Web application planning and design process.

Module 3: Validating User Input

This module explains the methods that can be used to check user input, treating all input as untrusted until it has been validated, and the consequences of not performing those checks.

Module 4: Internet Information Services Authentication

Module 5: Securing Web Pages

This module covers security in the context of Web applications that are built by using the .NET framework.

Module 6: Securing File System Data

This module teaches a Web developer how to help protect file system data that is typically part of a Web application.

Module 7: Securing Microsoft SQL Server

This module teaches students how to help protect Web applications from SQL injection attacks against SQL Server.
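The core technique this module covers, as an added example that is not part of the course materials: a lookup that splices user input into the query text, beside the same lookup written as a parameterized ADO.NET command. The Users table, its columns, and the connection string passed on the command line are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the course). The Users table, its UserId and
// UserName columns, and the connection string are assumptions.
class LoginLookup
{
    // VULNERABLE: the user-supplied name is spliced into the SQL text, so a
    // value such as  x' OR 1=1 --  rewrites the WHERE clause and returns
    // every row instead of one.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT UserId, UserName FROM Users WHERE UserName = '" + userName + "'";
    }

    // HARDENED: the value is bound as a typed parameter and is never parsed
    // as SQL, whatever quotes or comment markers it contains. The command
    // text itself contains no user data.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT UserId, UserName FROM Users WHERE UserName = @UserName", conn);
        cmd.CommandType = CommandType.Text;
        // Declare type and length explicitly so the server does not have to
        // infer them and oversized input is rejected rather than truncated.
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Runs the parameterized lookup on an already-open connection and
    // returns the number of matching rows.
    public static int CountMatches(SqlConnection conn, string userName)
    {
        using (SqlCommand cmd = BuildSafeCommand(conn, userName))
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            int rows = 0;
            while (reader.Read())
            {
                rows++;
            }
            return rows;
        }
    }

    static void Main(string[] args)
    {
        // Constructed malicious input: closes the string literal, appends a
        // tautology, and comments out the trailing quote.
        string hostile = "x' OR 1=1 --";

        Console.WriteLine("Unsafe text sent to SQL Server:");
        Console.WriteLine("  " + BuildUnsafeQuery(hostile));
        Console.WriteLine("Safe text (value travels separately as @UserName):");
        Console.WriteLine("  " + BuildSafeCommand(null, hostile).CommandText);

        // Assumed: a connection string is passed as the first argument when
        // you want to execute the parameterized query against a real server.
        if (args.Length > 0)
        {
            using (SqlConnection conn = new SqlConnection(args[0]))
            {
                conn.Open();
                Console.WriteLine("Rows matched for hostile input: " + CountMatches(conn, hostile));
            }
        }
    }
}
```

Parameterization removes the injection vector, but the module's title is deliberately broader: the account the Web application uses to connect should also be limited by the SQL Server security model to the permissions the query needs, so that a mistake elsewhere cannot be turned into arbitrary command execution on the database server.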

Module 8: Helping to Protect Communication Privacy and Data Integrity

This module teaches the mechanisms that can be used to help ensure the privacy and integrity of Web communication, along with guidelines for their proper use. The guidelines are presented to help students avoid the common implementation mistakes that compromise security and performance.

Module 9: Encrypting, Hashing, and Signing Data

This module explains how to use the cryptographic functionality, supported by Microsoft platforms, to encrypt and sign data.

Module 10: Testing Web Applications for Security

This module provides the skills and knowledge required to properly test a Web implementation for security.

At Course Completion

After completing this course, students will be able to:
  • Define the basic principles of, and motivations for, Web security.
  • Perform a threat analysis of Web-accessible assets.
  • Use knowledge of authentication, Security Identifiers (SIDs), Access Control Lists (ACLs), impersonation, and running with least privilege to help ensure that a request is processed with access only to the system resources it needs.
  • Help protect file system data by using the features in Microsoft Windows 2000.
  • Use the Microsoft SQL Server security model and Microsoft ADO.NET to help protect a Web application against SQL injection attacks.
  • Use one of the CryptoServiceProvider classes of the System.Security.Cryptography namespace to transform a block of data into ciphertext.
  • Help protect the portion of a Web application that requires private communications by using Secure Sockets Layer (SSL).
  • Use general security coding best practices to help ensure a security-enhanced Web application.
  • Use the Microsoft .NET Framework to build security-enhanced Web applications.
  • Employ a structured approach to testing for Web application security.
  • Use a systematic approach and knowledge of security best practices to help protect an existing Web application.