
Secure Web Application Development and Testing with .NET 8 and C#

Duration: 3 days

Course Code: IV-DC-009

About the Course

This hands-on course equips web developers, software engineers, testers, and architects with the skills to build secure, resilient applications using ASP.NET Core 8 and C#. You will learn modern IT security principles, explore server- and client-side protection techniques, and master cryptographic practices in .NET.


Through real-world labs, you’ll mitigate OWASP top ten threats, implement secure authentication and authorization, defend against XSS and CSRF, secure sensitive data, and harden XML processing. By the end, you’ll be ready to design and maintain applications that stand strong against today’s evolving security threats.


Target Audience

Web developers, software engineers, testers, and architects using .NET Core or C#.


Course Objectives

  1. Understand core concepts of IT security and how they apply to modern web development.

  2. Dive into the security risks and protection mechanisms on the server side in ASP.NET Core 8.

  3. Understand how to protect the browser and the user side from attacks.

  4. Gain hands-on understanding of cryptographic primitives and how to use them securely in .NET.

  5. Learn how XML can be a source of vulnerabilities and how to mitigate them.


Course Outline


Module 1: Principles of IT Security and Secure Coding


  • Definitions: Security, Threats, Vulnerabilities, Exploits

  • CIA Triad: Confidentiality, Integrity, Availability

  • OWASP Top 10 Overview

  • Secure Software Development Lifecycle (SSDLC)

  • Defense-in-Depth

  • Importance of Least Privilege and Zero Trust

  • Introduction to Secure Coding Principles

  • Common developer pitfalls and misconceptions


Lab: Identify insecure code patterns in C# and correct them using secure coding practices.


Module 2: Web Application Security in .NET 8


  • Authentication vs Authorization

  • Identity and Access Management with ASP.NET Core Identity

  • Secure Configuration and Secret Management in .NET 8

  • Input Validation and Output Encoding (XSS/SQLi)

  • Cross-Site Request Forgery (CSRF) and Anti-Forgery Tokens

  • Secure Session and Cookie Handling

  • Role-based and Claim-based Access Control

  • Rate Limiting, Throttling, and Account Lockout


Lab: Secure a .NET 8 Razor Pages/MVC app against OWASP Top 10 threats.


Module 3: Client-side Security


  • JavaScript Injection and DOM-based XSS

  • Secure use of localStorage, sessionStorage, and cookies

  • Content Security Policy (CSP)

  • Cross-Origin Resource Sharing (CORS) Best Practices

  • Clickjacking and X-Frame-Options

  • Client-side input validation and sanitization

  • Security implications of frameworks like Angular/React


Lab: Implement CSP and mitigate XSS in a Blazor WebAssembly front-end.


Module 4: Practical Cryptography for Developers


  • Cryptographic Terminology: symmetric/asymmetric encryption, hashing, HMACs

  • Secure password storage using PBKDF2, bcrypt, or Argon2

  • Encryption with AES in .NET

  • Digital Signatures with RSA and ECDSA

  • Using Data Protection API in .NET

  • Securely generating and storing keys

  • Common crypto misuse: ECB mode, hardcoded keys, broken random


Lab: Encrypt/decrypt sensitive data using AES-GCM; store hashed passwords securely.


Module 5: XML Security


  • XML External Entity (XXE) Attacks

  • XPath Injection

  • XML Signature Wrapping

  • Secure XML Parsing in .NET

  • Disabling DTD processing and entity resolution


Lab: Exploit and fix XXE in an XML-based Web API.
