Certified Application Security Engineer .NET (CASE)

Module 01: Understanding Application Security, Threats, and Attacks

• What is a Secure Application
• Need for Application Security
• Most Common Application Level Attacks
• Why Applications become Vulnerable to Attacks
• What Constitutes a Comprehensive Application Security?
• Insecure Application: A Software Development Problem
• Software Security Standards, Models, and Frameworks
• BSIMM vs OpenSAMM

Module 02: Security Requirements Gathering

• Importance of Gathering Security Requirements
• Security Requirement Engineering (SRE)
• Abuse Case and Security Use Case Modeling
• Abuser and Security Stories
• Security Quality Requirements Engineering (SQUARE)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Module 03: Secure Application Design and Architecture

• Relative Cost of Fixing Vulnerabilities at Different Phases of SDLC
• Secure Application Design and Architecture
• Goal of Secure Design Process
• Secure Design Actions
• Threat Modeling
• Decompose Application
• Secure Application Architecture

Module 04: Secure Coding Practices for Input Validation

• Input Validation
• Why Input Validation?
• Input Validation Specification
• Input Validation Approaches
• Input Filtering
• Secure Coding Practices for Input Validation: Web Forms
• Secure Coding Practices for Input Validation: ASP.NET Core
• Secure Coding Practices for Input Validation: MVC

Module 05: Secure Coding Practices for Authentication and Authorization

• Authentication and Authorization
• Common Threats on User Authentication and Authorization
• Authentication and Authorization: Web Forms
• Authentication and Authorization: ASP.NET Core
• Authentication and Authorization: MVC
• Authentication and Authorization Defensive Techniques: Web Forms
• Authentication and Authorization Defensive Techniques: ASP.NET Core
• Authentication and Authorization Defensive Techniques: MVC

Module 06: Secure Coding Practices for Cryptography

• Cryptographic
• Ciphers
• Block Cipher Modes
• Symmetric Encryption Keys
• Asymmetric Encryption Keys
• Functions of Cryptography
• Use of Cryptography to Mitigate Common Application Security Threats
• Cryptographic Attacks
• Techniques Attackers Use to Steal Cryptographic Keys
• What should you do to Secure .NET Applications from Cryptographic Attacks?
• .NET Cryptography Namespaces
• .NET Cryptographic Class Hierarchy
• Symmetric Encryption
• Symmetric Encryption: Defensive Coding Techniques
• Asymmetric Encryption
• Asymmetric Encryption: Defensive Coding Techniques
• Hashing
• Digital Signatures
• Digital Certificates
• ASP.NET Core Specific Secure Cryptography Practices

Module 07: Secure Coding Practices for Session Management

• Session Management
• ASP.NET Session Management Techniques
• Defensive Coding Practices against Broken Session Management
• Cookie-based Session Management
• ViewState-based Session Management
• ASP.NET CORE: Secure Session Management Practices

Module 08: Secure Coding Practices for Error Handling

• What are Exceptions/Runtime Errors?
• Need of Secure Error/Exception Handling
• Consequences of Detailed Error Message
• Exposing Detailed Error Messages
• Considerations: Designing Secure Error Messages
• Secure Exception Handling
• Handling Exceptions in an Application
• Defensive Coding practices against Information Disclosure
• Defensive Coding practices against Improper Error Handling
• ASP.NET Core: Secure Error Handling Practices
• Secure Auditing and logging
• Tracing in .NET
• Auditing and Logging Security Checklists

Module 09 Static and Dynamic Application Security Testing (SAST & DAST)

• Static Application Security Testing
• Manual Secure Code Review for Most Common Vulnerabilities
• Code Review: Check List Approach
• SAST Finding
• SAST Report
• Dynamic Application Security Testing
• Automated Application Vulnerability Scanning Tools
• Proxy-based Security Testing Tools
• Choosing Between SAST and DAST

Module 10: Secure Deployment and Maintenance

• Secure Deployment
• Prior Deployment Activity
• Deployment Activities: Ensuring Security at Various Levels
• Ensuring Security at Host Level
• Ensuring Security at Network Level
• Ensuring Security at Application Level
• Web Application Firewall (WAF)
• Ensuing Security at IIS level
• Sites and Virtual Directories
• ISAPI Filters
• Ensuring Security at .NET Level
• Ensuring Security at SQL Server Level
• Security Maintenance and Monitoring