Desktop Application Security in C# (DASEC-C#) – Outline

Detailed Course Outline

DAY 1

Cyber security basics

  • What is security?
  • Threat and risk
  • Cyber security threat types
  • Consequences of insecure software
    • Constraints and the market
    • The dark side
  • Categorization of bugs
    • The Seven Pernicious Kingdoms
    • Common Weakness Enumeration (CWE)
    • CWE Top 25 Most Dangerous Software Errors

Input validation

  • Input validation principles
    • Blacklists and whitelists
    • Data validation techniques
    • What to validate – the attack surface
    • Where to validate – defense in depth
    • How to validate – validation vs transformations
    • Output sanitization
    • Encoding challenges
    • Validation with regex
  • Injection
    • Injection principles
    • Injection attacks
    • Code injection
      • OS command injection
        • Lab – Command injection
        • OS command injection best practices
        • Avoiding command injection with the right APIs
        • Lab – Command injection best practices
        • Case study – Command injection via ping
      • Script injection
    • General protection best practices
  • Integer handling problems
    • Representing signed numbers
    • Integer visualization
    • Integer overflow
    • Lab – Integer overflow
    • Signed / unsigned confusion
    • Case study – The Stockholm Stock Exchange
    • Lab – Signed / unsigned confusion
    • Integer truncation
    • Best practices
      • Upcasting
      • Precondition testing
      • Postcondition testing
      • Using big integer libraries
      • Integer handling in C#
      • Lab – Checked arithmetics
  • Files and streams
    • Path traversal
    • Path traversal-related examples
    • Lab – Path traversal
    • Additional challenges in Windows
    • Path traversal best practices
  • Unsafe reflection
    • Reflection without validation
    • Lab – Unsafe reflection
  • Unsafe native code
    • Native code dependence
    • Lab – Unsafe native code
    • Best practices for dealing with native code

DAY 2

Security features

  • Authentication
    • Authentication basics
    • Multi-factor authentication
    • Authentication weaknesses – spoofing
    • Case study – PayPal 2FA bypass
    • User interface best practices
    • Password management
      • Inbound password management
        • Storing account passwords
        • Password in transit
        • Lab – Is just hashing passwords enough?
        • Dictionary attacks and brute forcing
        • Salting
        • Adaptive hash functions for password storage
        • Password policy
          • NIST authenticator requirements for memorized secrets
          • Password length
          • Password hardening
          • Using passphrases
          • Lab – Applying a password policy
        • Case study – The Ashley Madison data breach
          • The dictionary attack
          • The ultimate crack
          • Exploitation and the lessons learned
        • Password database migration
      • Outbound password management
        • Hard coded passwords
        • Best practices
        • Lab – Hardcoded password
        • Protecting sensitive information in memory
          • Challenges in protecting memory
          • Storing sensitive data in memory
          • Sensitive data in memory
  • Authorization
    • Access control basics
  • Information exposure
    • Exposure through extracted data and aggregation
    • Case study – Strava data exposure
    • System information leakage
      • Leaking system information
    • Information exposure best practices
  • .NET platform security
    • Code Access Security
      • Code Access Security and Evidence
      • Application Domains and Permissions
      • The Stack Walk
      • Lab – Code Access Security
    • The transparency model
      • Lab – The transparency model
    • Role-based security
      • Principal and identity
      • Role-based permissions
      • Impersonation
      • Lab – Role-based security
    • Protecting .NET code and applications
      • Code signing
  • UI security
    • UI security principles
    • Sensitive information in the user interface
    • Lab – Extracting password from the UI
    • Misinterpretation of UI features or actions
    • Insufficient UI feedback
    • Relying on hidden or disabled UI element
    • Insufficient anti-automation

Time and state

  • Race conditions
    • Race condition in object data members
      • Lab – Singleton member fields
    • File race condition
      • Time of check to time of usage – TOCTTOU
      • Insecure temporary file
    • Database race conditions
    • Avoiding race conditions in C#

Errors

  • Error and exception handling principles
  • Error handling
    • Returning a misleading status code
    • Information exposure through error reporting
  • Exception handling
    • In the catch block. And now what?
    • Catching NullReferenceException
    • Empty catch block
    • Catching and throwing SystemExceptions
    • Lab – Exception handling mess

DAY 3

Cryptography for developers

  • Cryptography basics
  • Crypto APIs in C#
  • Elementary algorithms
    • Random number generation
      • Pseudo random number generators (PRNGs)
      • Cryptographically strong PRNGs
      • Weak and strong PRNGs
      • Using random numbers in C#
      • Case study – Equifax credit account freeze
      • Lab – Using random numbers in C#
    • Hashing
      • Hashing basics
      • Common hashing mistakes
      • Hashing in C#
      • Lab – Hashing in C#
  • Confidentiality protection
    • Symmetric encryption
      • Block ciphers
      • Modes of operation
      • Modes of operation and IV – best practices
      • Symmetric encryption in C#
      • Symmetric encryption in C# with streams
      • ProtectedMemory and ProtectedData
      • Lab – Symmetric encryption in C#
      • Asymmetric encryption
        • The RSA algorithm
          • Using RSA – best practices
          • RSA in C#
          • Lab – Using RSA in C#
        • Elliptic Curve Cryptography
          • The ECC algorithm
          • Using ECC – best practices
        • Combining symmetric and asymmetric algorithms
  • Integrity protection
    • Message Authentication Code (MAC)
      • Calculating HMAC in C#
      • Lab – Calculating MAC in C#
    • Digital signature
      • Digital signature with RSA
      • Digital signature with ECC
      • Digital signature in C#
      • Lab – Digital signature in C#
  • Public Key Infrastructure (PKI)
    • Some further key management challenges
    • Certificates
      • Chain of trust
      • Certificate management – best practices

Common software security weaknesses

  • Code quality
    • Data handling
      • Initialization and cleanup
        • Class initialization cycles
        • Lab – Initialization cycles
      • Unreleased resource
    • Object oriented programming pitfalls
      • Accessibility modifiers
        • Are accessibility modifiers a security feature?
        • Accessibility modifiers – best practices
      • Inheritance and overriding
      • Mutability
        • Lab – Mutable object
        • Readonly collections
  • Denial of service
    • Denial of Service
    • Resource exhaustion
    • Cash overflow
    • Flooding
    • Algorithm complexity issues
      • Regular expression denial of service (ReDoS)
        • Lab – Regular expression denial of service (ReDoS)
        • Dealing with ReDoS
      • Hashtable collision
        • How hashtables work?
        • Hash collision in case of hashtables
        • Hashtable collision in C#

Using vulnerable components

  • Vulnerability management
    • Patch management
    • Vulnerability databases
    • Lab – Finding vulnerabilities in third-party components

Wrap up

  • Secure coding principles
    • Principles of robust programming by Matt Bishop
    • Secure design principles of Saltzer and Schröder
  • And now what?
    • Software security sources and further reading
    • .NET and C# resources