We successfully completed the Secure Code Development Training planned for the employees of Öde Al.
The training was delivered online and lasted twelve hours in total.
The topics were covered in detail and with hands-on exercises, following content prepared according to the participants' needs and requests.
Developing Secure Code
Introduction To Defensive Programming
- Anatomy of an Attack
- Risks and Rewards
- Building Security from the Ground Up
- Defense in Depth
- Never Trust Input
- Fail Gracefully
- Watch for Attacks
- Use Least Privilege
- Firewalls and Cryptography Are Not a Panacea
- Security Should Be Your Default State
- Code Defensively
- The OWASP Top Ten
- Moving Forward
- Checklists
.NET Security Best Practices (Writing Secure .NET Code)
- Layer-Based Coding Techniques (Where to Handle Input Validation? etc.)
Asp.Net Security Best Practices
- How the Web Works
- Examining HTTP
- Requesting a Resource
- Responding to a Request
- Sniffing HTTP Requests and Responses
- Understanding HTML Forms
- Examining How ASP.NET Works
- Understanding How ASP.NET Events Work
- Examining the ASP.NET Pipeline
- Writing HTTP Modules
Safely Accepting User Input
- Defining Input
- Dealing with Input Safely
- Echoing User Input Safely
- Mitigating Against XSS
- The Microsoft Anti-XSS Library
- The Security Run-time Engine
- Constraining Input
- Protecting Cookies
- Validating Form Input
- Validation Controls
- Standard ASP.NET Validation Controls
- A Checklist for Handling Input
Using Query Strings, Form Fields, Events, and Browser Information
- Using the Right Input Type
- Query Strings
- Form Fields
- Request Forgery and How to Avoid It
- Mitigating Against CSRF
- Protecting ASP.NET Events
- Avoiding Mistakes with Browser Information
- A Checklist for Query Strings, Forms, Events, and Browser Information
Controlling Information
- Controlling ViewState
- Validating ViewState
- Encrypting ViewState
- Protecting Against ViewState One-Click Attacks
- Removing ViewState from the Client Page
- Disabling Browser Caching
- Error Handling and Logging
- Improving Your Error Handling
- Watching for Special Exceptions
- Logging Errors and Monitoring Your Application
- Using the Windows Event Log
- Using Email to Log Events
- Using ASP.NET Tracing
- Using Performance Counters
- Using WMI Events
- Another Alternative: Logging Frameworks
- Limiting Search Engines
- Controlling Robots with a Metatag
- Controlling Robots with robots.txt
- Protecting Passwords in Config Files
- A Checklist for Query Strings, Forms, Events, and
Authorization and Authentication
- Discovering Your Own Identity
- Adding Authentication in ASP.NET
- Using Forms Authentication
- Configuring Forms Authentication
- Using SQL as a Membership Store
- Creating Users
- Examining How Users Are Stored
- Configuring the Membership Settings
- Creating Users Programmatically
- Supporting Password Changes and Resets
- Windows Authentication
- Configuring IIS for Windows Authentication
- Impersonation with Windows Authentication
- Authorization in ASP.NET
- Examining <allow> and <deny>
- Role-Based Authorization
- Configuring Roles with Forms-Based Authentication
- Using the Configuration Tools to Manage Roles
- Managing Roles Programmatically
- Managing Role Members Programmatically
- Roles with Windows Authentication
- Limiting Access to Files and Folders
- Checking Users and Roles Programmatically
- Securing Object References
- A Checklist for Authentication and Authorization
Hashing and Encryption
- Protecting Integrity with Hashing
- Choosing a Hashing Algorithm
- Protecting Passwords with Hashing
- Salting Passwords
- Generating Secure Random Numbers
- Encrypting Data
- Understanding Symmetric Encryption
- Protecting Data with Symmetric Encryption
- Sharing Secrets with Asymmetric Encryption
- Using Asymmetric Encryption without Certificates
- Using Certificates for Asymmetric Encryption
- Getting a Certificate
- Using the Windows DPAPI
- A Checklist for Encryption
Securely Accessing Databases
- Writing Bad Code: Demonstrating SQL Injection
- Fixing the Vulnerability
- More Security for SQL Server
- Connecting Without Passwords
- SQL Permissions
- Adding a User to a Database
- Managing SQL Permissions
- Groups and Roles
- Least Privilege Accounts
- Using Views
- SQL Express User Instances
- Drawbacks of the VS Built-in Web Server
- Dynamic SQL Stored Procedures
- Using SQL Encryption
- Encrypting by Pass Phrase
- SQL Symmetric Encryption
- SQL Asymmetric Encryption
- Calculating Hashes and HMACs in SQL
- A Checklist for Securely Accessing Databases
Using the File System
- Accessing Existing Files Safely
- Making Static Files Secure
- Checking That Your Application Can Access Files
- Making a File Downloadable and Setting Its Name
- Adding Further Checks to File Access
- Adding Role Checks
- Anti-Leeching Checks
- Accessing Files on a Remote System
- Creating Files Safely
- Handling User Uploads
- Using the File Upload Control
- A Checklist for Securely Accessing Files
Securing XML
- Validating XML
- Well-Formed XML
- Valid XML
- XML Parsers
- Querying XML
- Avoiding XPath Injection
- Securing XML Documents
- Encrypting XML Documents
- Using a Symmetric Encryption Key with XML
- Using an Asymmetric Key Pair to Encrypt and Decrypt XML
- Using an X509 Certificate to Encrypt and Decrypt XML
- Signing XML Documents
- A Checklist for XML
Windows Communication Foundation Security
- Creating and Consuming WCF Services
- Security and Privacy with WCF
- Transport Security
- Message Security
- Mixed Mode
- Selecting the Security Mode
- Choosing the Client Credentials
- Adding Security to an Internet Service
- Signing Messages with WCF
- Logging and Auditing in WCF
- Validating Parameters Using Inspectors
- Using Message Inspectors
- Throwing Errors in WCF
- A Checklist for Securing WCF
Understanding Code Access Security
- Using ASP.NET Trust Levels
- Demanding Minimum CAS Permissions
- Asking and Checking for CAS Permissions
- Testing Your Application Under a New Trust Level
- Using the Global Assembly Cache to Run Code Under Full Trust
- .NET 4 Changes for Trust and ASP.NET
- A Checklist for Code not Under Full Trust
Securing Internet Information Server (IIS)
- Installing and Configuring IIS7
- IIS Role Services
- Removing Global Features for an Individual Web Site
- Creating and Configuring Application Pools
- Configuring Trust Levels in IIS
- Locking Trust Levels
- Creating Custom Trust Levels
- Filtering Requests
- Filtering Double-Encoded Requests
- Filtering Requests with Non-ASCII Characters
- Filtering Requests Based on File Extension
- Filtering Requests Based on Request Size
- Filtering Requests Based on HTTP Verbs
- Filtering Requests Based on URL Sequences
- Filtering Requests Based on Request Segments
- Filtering Requests Based on a Request Header
- Status Codes Returned to Denied Requests
- Using Log Parser to Mine IIS Log Files
- Using Certificates
- Requesting an SSL Certificate
- Configuring a Site to Use HTTPS
- Setting up a Test Certifi cation Authority
- A Checklist for Securing Internet Information Server (IIS)
Security Testing
- Performing a Security Code Review
- A Designer's Security Checklist
- A Developer's Security Checklist
- A Tester's Security Checklist