Lifelong learning for working professionals
Desktop application security in C#

Desktop application security in C#

Course Summary

Your application written in C# works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -232? Because that’s what the bad guys will do – and the list is far from complete.

Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hand on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences and best practices are our blood, sweat and tears.

All this is put in the context of C#, and extended by core programming issues, discussing security pitfalls of the C# language and .NET framework.

So that you are prepared for the forces of the dark side.So that nothing unexpected happens.

Nothing.

Delivered onsite for three days, 9-17.00Delivered online for five days, Monday – Friday 9-13.00

  • Understanding Web application security issues
  • Detailed analysis of the OWASP Top Ten elements
  • Going beyond the low hanging fruits
  • Explain approaches in handling security challenges in code
  • Identity security vulnerabilities and their consequences
  • Learn the best practices in how to avoid these mistakes

C# developers working on desktop applications.

General C# development.

Day 1

Security basics

  • What is security?
  • Threat and risk
  • Types of threats against computer systems
  • Consequences of insecure software
  • Constraints and the market
  • Bugs, vulnerabilities and exploits

Categorization of bugs

  • Seven pernicious kingdoms
  • Common Weakness Enumeration (CWE)
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Vulnerabilities in the environment and the dependencies

Input validation

Input validation principles

  • Blacklists and whitelists
  • Validation with regex
  • What to validate – the attack surface
  • When to validate – validation vs transformations
  • Where to validate – defense in depth

Injection

  • Injection principles
  • Injection attacks
  • CRLF injection
    * Log forging
    – Lab – Log forging
    * Log forging – best practices
  • Code injection
    * Command injection
    – Lab – Command injection
    – Command injection best practices
    – Lab – Command injection best practices
    – Case study – Command injection
    * Script injection
  • Injection best practices
    * Input validation
    * Output sanitization
    – Encoding and escaping the output
    – Encoding challenges

Integer handling

  • Representing signed numbers
  • Integer visualization
  • Integer problems
    * Integer overflow
    – Lab – Integer overflow
  • Signed / unsigned confusion
    – Lab – Signed / unsigned confusion
  • Integer truncation
  • Best practices
    * Upcasting
    * Precondition testing
    * Postcondition testing
    * Using big integer libraries
    * Integer handling in C#
    – Lab – Checked arithmetics
  • Other numeric problems
    * Division by zero

Data structures

  • Data structure sentinels
  • Containers
    * Container error
    * Associative containers
    * Iterators

Files and streams

  • Path traversal
  • Path traversal-related examples
  • Additional challenges in Windows
  • Path traversal best practices
    * Lab – Path traversal
  • Virtual resources

Unsafe reflection

  • Reflection without validation
    * Lab – Unsafe reflection

Unsafe native code

  • Native code dependence
    * Lab – Unsafe native code

Some other input validation problems

– Using vulnerable components
– Assessing the environment
– Hardening
– Importing functionality from untrusted sources

Vulnerability management

  • Patch management
  • Vulnerability databases and scanning tools
  • Vulnerability rating – CVSS
    * Lab – Finding vulnerabilities of used components
  • The build process and CI / CD
  • Dependency checking in Cake

Day 2


Security features

Authentication

  • Authentication basics
  • Authentication weaknesses
  • Case study – PayPal two factor authentication bypass
  • User interface best practices
  • Password management
    * Inbound password management
    – Storing account passwords
    – Plaintext passwords at Facebook
    – Lab – Why just hashing passwords is not enough?
    – Dictionary attacks and brute forcing
    – Salting
    – Adaptive hash functions for password storage
    – Password in transit
    – Password policy
    – Weak and strong passwords
    – Using passphrases
    – Lab – Applying a password policy
    – The Ashley Madison data breach
    – The dictionary attack
    – The ultimate attack
    – Exploitation of the results and the lessons learnt* Outbound password management
    – Hard coded passwords
    – Lab – Hardcoded password
    – Password in configuration file
    – Protecting sensitive information in memory
    – Challenges in protecting memory
    – Storing sensitive data in memory
    – Lab – Storing sensitive data in memory with SecureString

Authorization

  • Access control basics
  • Missing or improper authorization
  • Access control in databases
    * Lab – Database access control
  • Privileges and permissions
    * Permission manipulation
    * Incorrect use of privileged APIs
    * Permission best practices
    – Principle of least privilege
    – Principle of separation of privileges
    – Permission granting
    – Privilege dropping
    – Handling of insufficient privileges

.NET platform security

  • Code Access Security
    * Evidences
    * Permissions
    * The Stack Walk
    – Lab – Code Access Security
  • The transparency model
    * Best practices
    – Lab – Experimenting with the transparency model
  • Role-based security
    * Principal and identity
    * Role-based permissions
    * Impersonation
    – Lab – Role-based security
  • Protecting .NET code and applications
    * Code signing

Information exposure

  • Exposure through extracted data and aggregation
  • System information leakage
    * Leaking system information
    * Relying on accessibility modifiers
    – Lab – Inappropriate protection by accessibility modifier
  • Information exposure best practices

UI security

  • UI security principles
  • Sensitive information in the user interface
    * Lab – Extracting password from the UI
  • Misinterpretation of UI features or actions
  • Insufficient UI feedback
  • Relying on hidden or disabled UI element
    * Lab – Hidden or disabled UI element
  • Insufficient anti-automation

Day 3

 

Common software security weaknesses

Time and state

  • Thread management best practices
    * Thread management best practices in C#
  • Race conditions
    * Race condition in object data members
    – Lab – Singleton member fields
    * File race condition
    – Time-of-check-to-time-of-usage (TOCTTOU)
    – Lab – TOCTTOU
    – Insecure temporary file
    * Database race conditions
    * Avoiding race conditions in C#
  • Mutual exclusion and locking
    * Deadlocks
    – Lab – Locking
  • Synchronization and thread safety
    * Synchronization and thread safety in C#

Errors

  • Error and exception handling principles
  • Error handling
    * Returning a misleading status code
    * Information exposure through error reporting
  • Exception handling
    * In the catch block. And now what?
    * Empty catch block
    * Best practices for catch blocks
    * Overly broad throws
    * Catching NULL pointer exceptions
    * Exception handling in C#
    – Lab – Exception handling mess

Code quality

  • Data
    * Arrays and ToString()
    * Initialization and cleanup
    – Uninitialized variable
    – Class initialization cycles
    – Lab – Initialization cycles
    * Unreleased resource
  • Object oriented programming pitfalls
    * Accessibility modifiers
    * Inheritance and overriding
    * Implementing Equals()
    * Mutability
    – Readonly collections
    – Lab – Mutable object
    * Cloning
    – Cloning sensitive classes – object hijacking
    – Object hijacking – best practices
    * Serialization

Denial of service

  • Denial of Service
  • Resource exhaustion
  • Cash overflow
  • Flooding
  • Sustained client engagement
  • Denial of service problems in C#
  • Infinite loop
    * Lab – Resource exhausting
  • Amplification
    * Network amplification
    * Amplification in databases
    * Other amplification examples
  • Algorithm complexity issues
    * Regular expression denial of service (ReDoS)
    – Lab – ReDos
    * Hashtable collision
    – How hashtables work?
    – Hash collision in case of hashtables
    – Hashtable collision in C#

Wrap up

Secure coding principles

  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
  • Some more principles

And now what?

  • Further sources and readings
  • .NET and C# resources
  • Further labs and challenges to do

 

Course Overview

32 900 kr

3 dagar

Can’t find a (suitable) date, but are interested in the course? Send in an expression of interest and we will do what we can to find a suitable opportunity.

Register interest

Customized Courses

The course can be adapted from several perspectives:

  • Content and focus area
  • Extent and scope
  • Delivery approach

In interaction with the course leader, we ensure that the course meets your needs.

Contact us

Stockholm

  • Tegnérlunden 3
    111 61 Stockholm
  • +46 8 587 116 10

Göteborg

  • Kungsportsavenyen 37
    411 36 Göteborg
  • +46 31 313 94 20

Skicka intresseanmälan för utbildningen

Send an expression of interest for the training