Cloud Application Security in C# for Azure

Cloud Application Security in C# for AzureCASEC-CAZCYCydrillCY-CASEC-CAZ1.0<ul> <li>Getting familiar with essential cyber security concepts</li><li>Understand cloud security specialties</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of C#</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>Learn to deal with cloud infrastructure security</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in C#</li><li>Input validation approaches and principles</li><li>Understanding how cryptography can support application security</li><li>Learning how to use cryptographic APIs correctly in C#</li><li></li></ul>General C# and Web developmentC# developers working on Web applications and Azure<ul> <li>Cyber security basics</li><li>The OWASP Top Ten</li><li>Cloud infrastructure security</li><li>API security</li><li>JSON security</li><li>XML security</li><li>Denial of service</li><li>Cryptography for developers</li><li>Wrap up</li></ul>DAY 1 Cyber security basics <ul> <li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software <ul> <li>Constraints and the market</li><li>The dark side</li></ul></li><li>Cloud security basics <ul> <li>Cloud infrastructure basics</li><li>Cloud architectures and security</li><li>The Cloud Cube Model</li><li>Attack surface in the cloud</li></ul></li><li>Cloud data security <ul> <li>Data confidentiality and integrity in the cloud</li><li>Data privacy in the cloud</li><li>Compliance considerations</li></ul></li><li>Cloud deployment security <ul> <li>Hardening cloud deployments</li><li>Security of jump boxes</li><li>Serverless computing and security</li></ul></li><li>Cloud security standards and best practices <ul> <li>SOC compliance</li><li>CSA controls</li><li>Other standards</li></ul></li></ul>The OWASP Top Ten <ul> <li>OWASP Top 10 – 2017</li><li>A1 - Injection <ul> <li>Injection principles</li><li>Injection attacks</li><li>SQL injection <ul> <li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>NoSQL injection <ul> <li>NoSQL injection specialties</li><li>NoSQL injection in MongoDB</li><li>NoSQL injection in CosmosDB</li></ul></li><li>SQL injection best practices <ul> <li>Input validation</li><li>Parameterized queries</li><li>Lab – Using prepared statements</li><li>Additional considerations</li><li>Case study – Hacking Fortnite accounts</li><li>SQL injection protection and ORM</li></ul></li><li>Parameter manipulation <ul> <li>CRLF injection <ul> <li>Log forging</li><li>Log forging – best practices</li><li>HTTP response splitting</li><li>Header checking in ASP.NET</li></ul></li><li>HTTP parameter manipulation <ul> <li>HTTP parameter pollution</li><li>Variable shadowing</li><li>Value shadowing</li></ul></li></ul></li><li>Code injection <ul> <li>OS command injection <ul> <li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices</li><li>Case study – Command injection via ping</li></ul></li></ul></li><li>Script injection</li><li>Dangerous file inclusion</li></ul></li></ul>DAY 2 The OWASP Top Ten <ul> <li>A2 - Broken Authentication <ul> <li>Authentication <ul> <li>Authentication basics</li><li>Multi-factor authentication</li><li>Multi-factor authentication best practices</li><li>Authentication weaknesses - spoofing</li><li>Spoofing on the Web</li><li>Case study – PayPal 2FA bypass</li><li>User interface best practices</li></ul></li></ul></li><li>Single sign-on (SSO) <ul> <li>Single sign-on concept</li><li>OAuth2 <ul> <li>OAuth2 basics</li><li>OAuth2 in practice</li><li>Best practices</li><li>Configuration best practices</li><li>Case study – Stealing SSO tokens from Epic Games accounts</li></ul></li><li>SAML <ul> <li>SAML basics</li><li>SAML profiles</li><li>SAML security</li></ul></li></ul></li><li>Password management <ul> <li>Inbound password management <ul> <li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Lab – Using adaptive hash functions in C#</li><li>Password policy</li><li>NIST authenticator requirements for memorized secrets</li><li>Password hardening</li><li>Using passphrases</li><li>Password change</li><li>Password recovery issues</li><li>Password recovery best practices</li><li>Lab – Password reset weakness</li><li>Case study – The Ashley Madison data breach</li><li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li><li>Password database migration</li><li>(Mis)handling null passwords</li></ul></li><li>Outbound password management <ul> <li>Hard coded passwords</li><li>Best practices</li><li>Lab – Hardcoded password</li><li>Protecting sensitive information in memory</li><li>Challenges in protecting memory</li><li>Storing sensitive data in memory</li><li>Lab – Using secret-handling classes in C#</li></ul></li></ul></li><li>Session management <ul> <li>Session management essentials</li><li>Why do we protect session IDs – Session hijacking</li><li>Session fixation</li><li>Session invalidation</li><li>Session ID best practices</li><li>Cross-site Request Forgery (CSRF) <ul> <li>Lab – Cross-site Request Forgery</li><li>CSRF best practices</li><li>CSRF defense in depth</li><li>Lab – CSRF protection with tokens</li></ul></li><li>Cookie security <ul> <li>Cookie security best practices</li><li>Cookie attributes</li></ul></li></ul></li><li>A3 - Sensitive Data Exposure <ul> <li>Information exposure</li><li>Exposure through extracted data and aggregation</li><li>Case study – Strava data exposure</li><li>System information leakage <ul> <li>Leaking system information</li></ul></li><li>Information exposure best practices</li></ul></li><li>A4 - XML External Entities (XXE) <ul> <li>DTD and the entities</li><li>Entity expansion</li><li>External Entity Attack (XXE) <ul> <li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Preventing XXE</li><li>Lab – Prohibiting DTD</li></ul></li></ul></li></ul>DAY 3 The OWASP Top Ten <ul> <li>A5 - Broken Access Control <ul> <li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy <ul> <li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Case study – Authorization bypass on Facebook</li><li>Authorization bypass through user-controlled keys</li><li>Lab – Horizontal authorization</li></ul></li><li>File upload <ul> <li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li></ul></li></ul></li><li>A7 - Cross-site Scripting (XSS) <ul> <li>Cross-site scripting basics</li><li>Cross-site scripting types <ul> <li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li></ul></li><li>XSS protection best practices <ul> <li>Protection principles - escaping</li><li>XSS protection APIs</li><li>Request validation in ASP.NET</li><li>Further XSS protection techniques</li><li>Lab – XSS fix / stored</li><li>Lab – XSS fix / reflected</li><li>Additional protection layers</li><li>Client-side protection principles</li></ul></li></ul></li><li>A8 - Insecure Deserialization <ul> <li>Serialization and deserialization challenges</li><li>Integrity – deserializing untrusted streams</li><li>Integrity – deserialization best practices</li><li>Property Oriented Programming (POP) <ul> <li>Creating payload</li><li>Summary – POP best practices</li><li>Lab – Creating a POP payload</li><li>Lab – Using the POP payload</li></ul></li></ul></li><li>A9 - Using Components with Known Vulnerabilities <ul> <li>Using vulnerable components</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li><li>Vulnerability management <ul> <li>Patch management</li><li>Vulnerability management</li><li>Bug bounty programs</li><li>Vulnerability databases</li><li>Vulnerability rating – CVSS</li><li>Lab – Finding vulnerabilities in third-party components</li><li>DevOps, the build process and CI / CD</li><li>Dependency checking in C#</li><li>Lab – Detecting vulnerable components</li></ul></li></ul></li><li>A10 - Insufficient Logging & Monitoring <ul> <li>Logging and monitoring principles</li><li>Insufficient logging</li><li>Case study – Plaintext passwords at Facebook</li><li>Logging best practices</li><li>Monitoring best practices</li></ul></li></ul>Web application security beyond the Top Ten <ul> <li>Client-side security</li><li>Same Origin Policy</li><li>Tabnabbing</li><li>Lab – Reverse tabnabbing</li><li>Frame sandboxing <ul> <li>Cross-Frame Scripting (XFS) attack</li><li>Lab - Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking</li></ul></li></ul>DAY 4 Cloud infrastructure security <ul> <li>Container security <ul> <li>Container security concerns</li><li>Containerization, virtualization, and security</li><li>Attack surface of container technologies</li><li>Container security tools</li><li>Docker security <ul> <li>Docker and security</li><li>Docker security features</li><li>Common Docker security mistakes</li><li>Docker security best practices</li><li>Hardening Docker</li><li>Lab – Static analysis of Docker image</li></ul></li><li>Kubernetes security <ul> <li>The Kubernetes architecture and security</li><li>Common Kubernetes security mistakes</li><li>Securing Kubernetes hosts</li><li>Best practices for Kubernetes access control</li><li>Building secure Kubernetes images</li><li>Secure deployment of Kubernetes containers</li><li>Protecting Kubernetes deployments at runtime</li><li>Lab – Scanning a Kubernetes image for vulnerabilities</li></ul></li></ul></li><li>Azure security <ul> <li>Security considerations for Azure <ul> <li>Azure and security</li><li>Azure security features</li><li>The Azure shared responsibility model</li><li>Azure cloud compliance</li><li>Azure hardening</li><li>Security tools for Azure</li></ul></li><li>Identity and access management (IAM) <ul> <li>Identity and access management in Azure</li><li>Azure Active Directory</li><li>Multi-factor authentication with Azure</li><li>Azure RBAC</li><li>Azure Active Directory Federation Services</li><li>Azure Shared Access Signatures (SAS)</li></ul></li><li>Data security <ul> <li>Data security in Azure</li><li>Storing cryptographic keys in Azure</li><li>Protecting data in transit</li><li>Protecting data at rest</li></ul></li><li>Detection and monitoring <ul> <li>Utilizing Azure monitoring for security</li><li>The Azure Application Gateway WAF</li><li>The Azure Security Center</li></ul></li></ul></li></ul>API security <ul> <li>Input validation <ul> <li>Input validation principles</li><li>Blacklists and whitelists</li><li>Data validation techniques</li><li>Lab – Input validation</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>When to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Unicode challenges</li><li>Lab – Encoding challenges</li><li>Validation with regex</li></ul></li><li>Integer handling problems <ul> <li>Representing signed numbers</li><li>Integer visualization</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion</li><li>Case study – The Stockholm Stock Exchange</li><li>Lab – Signed / unsigned confusion</li><li>Integer truncation</li><li>Best practices <ul> <li>Upcasting</li><li>Precondition testing</li><li>Postcondition testing</li><li>Using big integer libraries</li><li>Integer handling in C#</li><li>Lab – Checked arithmetics</li></ul></li></ul></li></ul>JSON security <ul> <li>JSON validation</li><li>JSON injection</li><li>Dangers of JSONP</li><li>JSON/JavaScript hijacking</li><li>Best practices</li><li>Case study – ReactJS vulnerability in HackerOne</li></ul>DAY 5 API security <ul> <li>Input validation <ul> <li>Files and streams <ul> <li>Path traversal</li><li>Lab – Path traversal</li><li>Path traversal-related examples</li><li>Additional challenges in Windows</li><li>Virtual resources</li><li>Path traversal best practices</li><li>Lab – Path canonicalization</li></ul></li><li>Unsafe reflection <ul> <li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li></ul></li></ul>XML security <ul> <li>XML validation</li><li>XML injection <ul> <li>XPath injection</li><li>Blind XPath injection</li></ul></li></ul>Denial of service <ul> <li>Denial of Service</li><li>Flooding</li><li>Resource exhaustion</li><li>Sustained client engagement</li><li>Denial of service problems in C#</li><li>Infinite loop</li><li>Economic Denial of Sustainability (EDoS)</li><li>Algorithm complexity issues <ul> <li>Regular expression denial of service (ReDoS) <ul> <li>Lab – ReDoS in C#</li><li>Dealing with ReDoS</li><li>Hash table collision <ul> <li>How do hash tables work?</li><li>Hash collision in case of hash tables</li></ul></li></ul></li></ul></li></ul>Cryptography for developers <ul> <li>Cryptography basics</li><li>Crypto APIs in C#</li><li>Elementary algorithms <ul> <li>Hashing <ul> <li>Hashing basics</li><li>Hashing in C#</li><li>Lab – Hashing in C#</li></ul></li></ul></li><li>Confidentiality protection <ul> <li>Symmetric encryption <ul> <li>Block ciphers</li><li>Modes of operation</li><li>Modes of operation and IV – best practices</li><li>Symmetric encryption in C#</li><li>Symmetric encryption in C# with streams</li><li>ProtectedData and ProtectedMemory</li><li>Lab – Symmetric encryption in in C#</li></ul></li><li>Asymmetric encryption</li><li>Combining symmetric and asymmetric algorithms</li></ul></li><li>Integrity protection <ul> <li>Message Authentication Code (MAC) <ul> <li>Calculating HMAC in C#</li><li>Lab – Calculating MAC in C#</li></ul></li><li>Digital signature <ul> <li>Lab – Digital signature with ECDSA in C#</li></ul></li></ul></li><li>Public Key Infrastructure (PKI) <ul> <li>Some further key management challenges</li><li>Certificates <ul> <li>Certificate management – best practices</li></ul></li></ul></li><li>Transport security <ul> <li>Transport security weaknesses</li><li>The TLS protocol <ul> <li>TLS basics</li><li>TLS features (changes in v1.3)</li><li>The handshake in a nutshell (v1.3)</li><li>TLS best practices</li><li>TLS authentication best practices</li><li>HTTP Strict Transport Security (HSTS)</li><li>Lab – Setting HSTS in C#</li></ul></li></ul></li></ul>Wrap up <ul> <li>Secure coding principles <ul> <li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schröder</li></ul></li><li>And now what? <ul> <li>Software security sources and further reading</li><li>.NET and C# resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts - Understand cloud security specialties - Understanding Web application security issues - Detailed analysis of the OWASP Top Ten elements - Putting Web application security in the context of C# - Going beyond the low hanging fruits - Managing vulnerabilities in third party components - Learn to deal with cloud infrastructure security - Identify vulnerabilities and their consequences - Learn the security best practices in C# - Input validation approaches and principles - Understanding how cryptography can support application security - Learning how to use cryptographic APIs correctly in C# -General C# and Web developmentC# developers working on Web applications and Azure- Cyber security basics - The OWASP Top Ten - Cloud infrastructure security - API security - JSON security - XML security - Denial of service - Cryptography for developers - Wrap upDAY 1 Cyber security basics - What is security? - Threat and risk - Cyber security threat types - Consequences of insecure software - Constraints and the market - The dark side - Cloud security basics - Cloud infrastructure basics - Cloud architectures and security - The Cloud Cube Model - Attack surface in the cloud - Cloud data security - Data confidentiality and integrity in the cloud - Data privacy in the cloud - Compliance considerations - Cloud deployment security - Hardening cloud deployments - Security of jump boxes - Serverless computing and security - Cloud security standards and best practices - SOC compliance - CSA controls - Other standards The OWASP Top Ten - OWASP Top 10 – 2017 - A1 - Injection - Injection principles - Injection attacks - SQL injection - SQL injection basics - Lab – SQL injection - Attack techniques - Content-based blind SQL injection - Time-based blind SQL injection - NoSQL injection - NoSQL injection specialties - NoSQL injection in MongoDB - NoSQL injection in CosmosDB - SQL injection best practices - Input validation - Parameterized queries - Lab – Using prepared statements - Additional considerations - Case study – Hacking Fortnite accounts - SQL injection protection and ORM - Parameter manipulation - CRLF injection - Log forging - Log forging – best practices - HTTP response splitting - Header checking in ASP.NET - HTTP parameter manipulation - HTTP parameter pollution - Variable shadowing - Value shadowing - Code injection - OS command injection - Lab – Command injection - OS command injection best practices - Avoiding command injection with the right APIs - Lab – Command injection best practices - Case study – Command injection via ping - Script injection - Dangerous file inclusion DAY 2 The OWASP Top Ten - A2 - Broken Authentication - Authentication - Authentication basics - Multi-factor authentication - Multi-factor authentication best practices - Authentication weaknesses - spoofing - Spoofing on the Web - Case study – PayPal 2FA bypass - User interface best practices - Single sign-on (SSO) - Single sign-on concept - OAuth2 - OAuth2 basics - OAuth2 in practice - Best practices - Configuration best practices - Case study – Stealing SSO tokens from Epic Games accounts - SAML - SAML basics - SAML profiles - SAML security - Password management - Inbound password management - Storing account passwords - Password in transit - Lab – Is just hashing passwords enough? - Dictionary attacks and brute forcing - Salting - Adaptive hash functions for password storage - Lab – Using adaptive hash functions in C# - Password policy - NIST authenticator requirements for memorized secrets - Password hardening - Using passphrases - Password change - Password recovery issues - Password recovery best practices - Lab – Password reset weakness - Case study – The Ashley Madison data breach - The dictionary attack - The ultimate crack - Exploitation and the lessons learned - Password database migration - (Mis)handling null passwords - Outbound password management - Hard coded passwords - Best practices - Lab – Hardcoded password - Protecting sensitive information in memory - Challenges in protecting memory - Storing sensitive data in memory - Lab – Using secret-handling classes in C# - Session management - Session management essentials - Why do we protect session IDs – Session hijacking - Session fixation - Session invalidation - Session ID best practices - Cross-site Request Forgery (CSRF) - Lab – Cross-site Request Forgery - CSRF best practices - CSRF defense in depth - Lab – CSRF protection with tokens - Cookie security - Cookie security best practices - Cookie attributes - A3 - Sensitive Data Exposure - Information exposure - Exposure through extracted data and aggregation - Case study – Strava data exposure - System information leakage - Leaking system information - Information exposure best practices - A4 - XML External Entities (XXE) - DTD and the entities - Entity expansion - External Entity Attack (XXE) - File inclusion with external entities - Server-Side Request Forgery with external entities - Lab – External entity attack - Case study – XXE vulnerability in SAP Store - Preventing XXE - Lab – Prohibiting DTD DAY 3 The OWASP Top Ten - A5 - Broken Access Control - Access control basics - Failure to restrict URL access - Confused deputy - Insecure direct object reference (IDOR) - Lab – Insecure Direct Object Reference - Case study – Authorization bypass on Facebook - Authorization bypass through user-controlled keys - Lab – Horizontal authorization - File upload - Unrestricted file upload - Good practices - Lab – Unrestricted file upload - A7 - Cross-site Scripting (XSS) - Cross-site scripting basics - Cross-site scripting types - Persistent cross-site scripting - Reflected cross-site scripting - Client-side (DOM-based) cross-site scripting - Lab – Stored XSS - Lab – Reflected XSS - Case study – XSS in Fortnite accounts - XSS protection best practices - Protection principles - escaping - XSS protection APIs - Request validation in ASP.NET - Further XSS protection techniques - Lab – XSS fix / stored - Lab – XSS fix / reflected - Additional protection layers - Client-side protection principles - A8 - Insecure Deserialization - Serialization and deserialization challenges - Integrity – deserializing untrusted streams - Integrity – deserialization best practices - Property Oriented Programming (POP) - Creating payload - Summary – POP best practices - Lab – Creating a POP payload - Lab – Using the POP payload - A9 - Using Components with Known Vulnerabilities - Using vulnerable components - Assessing the environment - Hardening - Untrusted functionality import - Importing JavaScript - Lab – Importing JavaScript - Case study – The British Airways data breach - Vulnerability management - Patch management - Vulnerability management - Bug bounty programs - Vulnerability databases - Vulnerability rating – CVSS - Lab – Finding vulnerabilities in third-party components - DevOps, the build process and CI / CD - Dependency checking in C# - Lab – Detecting vulnerable components - A10 - Insufficient Logging & Monitoring - Logging and monitoring principles - Insufficient logging - Case study – Plaintext passwords at Facebook - Logging best practices - Monitoring best practices Web application security beyond the Top Ten - Client-side security - Same Origin Policy - Tabnabbing - Lab – Reverse tabnabbing - Frame sandboxing - Cross-Frame Scripting (XFS) attack - Lab - Clickjacking - Clickjacking beyond hijacking a click - Clickjacking protection best practices - Lab – Using CSP to prevent clickjacking DAY 4 Cloud infrastructure security - Container security - Container security concerns - Containerization, virtualization, and security - Attack surface of container technologies - Container security tools - Docker security - Docker and security - Docker security features - Common Docker security mistakes - Docker security best practices - Hardening Docker - Lab – Static analysis of Docker image - Kubernetes security - The Kubernetes architecture and security - Common Kubernetes security mistakes - Securing Kubernetes hosts - Best practices for Kubernetes access control - Building secure Kubernetes images - Secure deployment of Kubernetes containers - Protecting Kubernetes deployments at runtime - Lab – Scanning a Kubernetes image for vulnerabilities - Azure security - Security considerations for Azure - Azure and security - Azure security features - The Azure shared responsibility model - Azure cloud compliance - Azure hardening - Security tools for Azure - Identity and access management (IAM) - Identity and access management in Azure - Azure Active Directory - Multi-factor authentication with Azure - Azure RBAC - Azure Active Directory Federation Services - Azure Shared Access Signatures (SAS) - Data security - Data security in Azure - Storing cryptographic keys in Azure - Protecting data in transit - Protecting data at rest - Detection and monitoring - Utilizing Azure monitoring for security - The Azure Application Gateway WAF - The Azure Security Center API security - Input validation - Input validation principles - Blacklists and whitelists - Data validation techniques - Lab – Input validation - What to validate – the attack surface - Where to validate – defense in depth - When to validate – validation vs transformations - Output sanitization - Encoding challenges - Unicode challenges - Lab – Encoding challenges - Validation with regex - Integer handling problems - Representing signed numbers - Integer visualization - Integer overflow - Lab – Integer overflow - Signed / unsigned confusion - Case study – The Stockholm Stock Exchange - Lab – Signed / unsigned confusion - Integer truncation - Best practices - Upcasting - Precondition testing - Postcondition testing - Using big integer libraries - Integer handling in C# - Lab – Checked arithmetics JSON security - JSON validation - JSON injection - Dangers of JSONP - JSON/JavaScript hijacking - Best practices - Case study – ReactJS vulnerability in HackerOne DAY 5 API security - Input validation - Files and streams - Path traversal - Lab – Path traversal - Path traversal-related examples - Additional challenges in Windows - Virtual resources - Path traversal best practices - Lab – Path canonicalization - Unsafe reflection - Reflection without validation - Lab – Unsafe reflection XML security - XML validation - XML injection - XPath injection - Blind XPath injection Denial of service - Denial of Service - Flooding - Resource exhaustion - Sustained client engagement - Denial of service problems in C# - Infinite loop - Economic Denial of Sustainability (EDoS) - Algorithm complexity issues - Regular expression denial of service (ReDoS) - Lab – ReDoS in C# - Dealing with ReDoS - Hash table collision - How do hash tables work? - Hash collision in case of hash tables Cryptography for developers - Cryptography basics - Crypto APIs in C# - Elementary algorithms - Hashing - Hashing basics - Hashing in C# - Lab – Hashing in C# - Confidentiality protection - Symmetric encryption - Block ciphers - Modes of operation - Modes of operation and IV – best practices - Symmetric encryption in C# - Symmetric encryption in C# with streams - ProtectedData and ProtectedMemory - Lab – Symmetric encryption in in C# - Asymmetric encryption - Combining symmetric and asymmetric algorithms - Integrity protection - Message Authentication Code (MAC) - Calculating HMAC in C# - Lab – Calculating MAC in C# - Digital signature - Lab – Digital signature with ECDSA in C# - Public Key Infrastructure (PKI) - Some further key management challenges - Certificates - Certificate management – best practices - Transport security - Transport security weaknesses - The TLS protocol - TLS basics - TLS features (changes in v1.3) - The handshake in a nutshell (v1.3) - TLS best practices - TLS authentication best practices - HTTP Strict Transport Security (HSTS) - Lab – Setting HSTS in C# Wrap up - Secure coding principles - Principles of robust programming by Matt Bishop - Secure design principles of Saltzer and Schröder - And now what? - Software security sources and further reading - .NET and C# resources5 Tage3750.003750.003750.003750.003750.003750.003750.003750.003750.003750.003750.00