Classroom course
Duration: 15 hours
Training: Megatraining covers all of a company's IT training needs, at both user and technical level. Your needs are our solutions: Because our...
Price: Consult the training centre
SYLLABUS AND CONTENTS
Developing Security-Enhanced Web Applications
Course 2300—Three days—Instructor-led
Introduction
This three-day instructor-led course provides students with the knowledge and skills that are needed to build Web applications by using security-enhanced coding techniques. Students will learn how to identify Web application security vulnerabilities and understand the trade-offs between functionality and performance when choosing the appropriate security mechanisms for their Web applications. Throughout this course, students will get hands-on experience in creating security-enhanced Web applications.
Audience
This course is intended for students who are responsible for the design and development of Web applications. These students typically have three to five years of experience in developing or designing distributed Web applications. Actual job role titles vary throughout the technology industry, and they may include, but are not limited to:
• Web Developer: The Web developer is responsible for developing the logic, coding, testing, and debugging of Web applications and Web application software.
• Solutions Architect: The Solutions Architect is responsible for the design of the technical architecture of Web applications and Web-based software applications.
At Course Completion
After completing this course, students will be able to:
• Define the basic principles of, and motivations for, Web security.
• Perform a threat analysis of Web-accessible assets.
• Use knowledge of authentication, Security Identifiers (SIDs), Access Control Lists (ACLs), impersonation, and the concept of running with least privilege to help ensure access to only those system resources that are necessary to accomplish normal request processing.
• Help protect file system data by using the features in Microsoft® Windows® 2000.
• Use the Microsoft SQL Server™ Security model and Microsoft ADO.NET to help protect a Web application against SQL Server injection attacks.
• Use one of the CryptoService classes of the System.Security.Cryptography namespace to transform a block of data into ciphertext.
• Help protect the portion of a Web application that requires private communications by using Secure Sockets Layer (SSL).
• Use general security coding best practices to help ensure a security-enhanced Web application.
• Use the Microsoft .NET Framework to build security-enhanced Web applications.
• Employ a structured approach to testing for Web application security.
• Use a systematic approach and knowledge of security best practices to help protect an existing Web application.
Prerequisites
Before attending this course, students must have:
• Familiarity with n-tier application architecture.
• Experience in developing or designing distributed Web applications.
• Experience with one or both of the following programming languages:
  • Microsoft C#
  • Microsoft Visual Basic® .NET
• Experience in writing server-side and client-side scripts by using one or both of the following scripting languages:
  • Active Server Pages (ASP)
  • Microsoft ASP.NET
• Familiarity with all of the following Microsoft products and technologies is recommended:
  • SQL Server 2000
  • Microsoft Internet Information Services (IIS)
In addition, it is recommended, but not required, that students have completed:
• Course 2310—Developing Web Applications Using Microsoft Visual Studio .NET
• Course 1017—Developing Web Applications Using Microsoft Visual InterDev®
Microsoft Certified Professional Exams
There are no Microsoft Certified Professional exams associated with this course.
Student Materials
The student kit includes a comprehensive workbook and other necessary materials for this class.
Course Outline
Module 1: Introduction to Web Security
• Why Build Security-Enhanced Web Applications?
• Using the STRIDE Model to Determine Threats
• Implementing Security: An Overview
Module 2: Planning for Web Application Security
• A Design Process for Building Security-Enhanced Web Applications
Module 3: Validating User Input
• User Input
• Types of User Input Attacks
• Performing Validation
• Revealing as Little Information as Possible to the User
Module 4: Internet Information Services Authentication
• Introduction to Web Client Authentication
• Configuring Access Permission for a Web Server
• Selecting a Security-Enhanced Client Authentication Method
• Running Services As an Authenticated User
Module 5: Securing Web Pages
• ASP Forms-Based Authentication
• .NET Code Access and Role-Based Security
• Overview of ASP.NET Authentication Methods
• Working with Windows-Based Authentication in ASP.NET security
• Working with ASP.NET Forms-Based Authentication
Module 6: Securing File System Data
• Overview of Securing Files
• Windows Access Control
• Creating ACLs Programmatically
• Helping to Protect ASP.NET Web Application Files
Module 7: Securing Microsoft SQL Server
• SQL Server Connections and Security
• SQL Server Role-Based Security
• Securing SQL Server Communication
• Preventing SQL Injection Attacks
Module 8: Helping to Protect Communication Privacy and Data Integrity
• Introduction to Cryptography
• Working with Digital Certificates
• Management
• Using Secure Sockets Layer/Transport Layer Security Protocols
• Using Internet Protocol Security
Module 9: Encrypting, Hashing, and Signing Data
• Encryption and Digital Signing Libraries
• Using CAPICOM
• Using System.Security.Cryptography Namespace to Hash Data
• Using System.Security.Cryptography Namespace to Encrypt and Sign Data
Module 10: Testing Web Applications for Security
• Testing Security in a Web Application
• Creating a Security Test Plan
• Performing Security Testing