Hands On Hardened Web Service Development using ASP.NET (1 of 2 days)

Presented at AppSec USA 2017, Sept. 20, 2017, 9 a.m. (480 minutes)

Class Summary: This hands-on, two (2) day class will help students learn how to write hardened ASP.NET based web services. Day one (1) will start off with the very basics of C# and Visual Studio and slowly progress through a variety of topics as they pertain to web service hardening. On day two (2), students will dive into standard web service security, and end with trainees writing their own secure service for a fictional project. Individuals who meet the requirements and write a working hardened web service are entered into a prize drawing.

Syllabus:

1. Day One (1) - Fundamentals
   a. Visual Studio - Quick Rundown
      i. IDE Basics
      ii. C# Hello World
   b. Basics of Object Oriented Programming
   c. Useful 3rd Party Libraries
      i. JSON.NET (Newtonsoft.Json)
      ii. PushSharp
      iii. BouncyCastle
   d. Basic Web Service writing
      i. Bindings
      ii. Database design (quick tutorial)
      iii. SOAP Services
      iv. RESTful Services
   e. Basic Service Security
      i. Response Encapsulation
      ii. Input validation and Sanitizing
      iii. XXE, SQLi, and 'XSS' mitigation
   f. Transport Security
      i. SSL
      ii. Binding Parameters
   g. Message Security
      i. Credential Types
      ii. Encryption
      iii. Certificates
2. Day Two (2) - Intermediate Service Security
   a. Replay Attacks
   b. Cross Site Request Forgery
   c. WS-Security (SOAP Services)
   d. Signature Based Security (RESTful Services)
   e. Performance and usability vs Security
   f. Afternoon Hardened Web Service Development

Experience: This would be the first class I've taught on a national scale. I've taught people individually on both coding and penetration testing. I served as an adjunct teacher while in high school and in college.

Presenters:

  • Kelly Correll - Security Consultant - NTT Security
    I work as a security consultant in NTT Security's Threat Services group. As part of my duties, I perform penetration assessments and social engineering assessments. I also own my own business developing business applications using ASP.NET based technologies. When I'm not working, I enjoy coding, gaming, and tinkering with technology of all sorts. I also have the following certifications: Offensive Security Certified Professional (OSCP), Microsoft Certified Systems Engineer (MCSE)
