OWASP Mitigations for .NET

This course is included in our On-demand training solution.


The Open Web Application Security Project (OWASP) is an initiative to track and report on the most prevalent and most dangerous web application exploits. This course follows a ‘Defense-In-Depth’ strategy of assessing each layer of your .NET web application and applying the OWASP Top 10 principles to mitigate these threats. This course is one of a series in the SkillSoft learning path that covers the OWASP Top 10.

Target Audience

Developers wanting to learn about the OWASP Top 10 and how to mitigate against them in .NET.



Expected Duration

180 min.

Course Objectives

Course Introduction

Error Message Security

  • recognize how error message handling can be exploited and how to deal with this

Config File Encryption

  • recognize how to encrypt relevant sections of the .NET configuration files

NuGet Packages Security

  • recognize how to handle security when using NuGet packages

Symmetric Encryption in .NET

  • describe when and how to use encryption in .NET

Asymmetric Encryption in .NET

  • recognize how asymmetric encryption works in .NET

Command Injection Mitigation

  • describe how to mitigate against command injection at the base .NET Framework level

SQL Server Injection Mitigation

  • describe SQL Injection and how to mitigate against it

Trusted versus SQL Authentication

  • identify the SQL Server authentication models

Insecure Direct Object Reference Mitigation

  • identify mitigations to Insecure Direct Object Reference at the database level

Password Hashing

  • describe password hashing and its application

Releasing Resources to Avoid Pool Exhaustion

  • describe how inadequately releasing types can lead to Denial of Service

CORS Preflight Scrutiny

  • describe CORS Preflight requests and how to secure them in ASP.NET Web API

Authorization in Web API

  • recognize where and how to implement authorization in ASP.NET Web API

Authorization in WCF

  • recognize where and how to implement authorization in WCF

.NET Web Authentication Types

  • identify the authentication types in web-hosted .NET projects and configure them in IIS and in configuration files

Insecure Web.config Setting Mitigation

  • recognize the impacts of various web.config file settings

SSL and Transport Security

  • describe SSL/HTTPS security

Web Parameter Tampering Mitigation

  • describe how to mitigate web parameter tampering in ASP.NET MVC and JavaScript

Content Spoofing Mitigation

  • describe JavaScript behaviors that can lead to security breaches and how to mitigate against them

Output Encoding

  • describe how to appropriately encode output into a page to avoid script injection, XSS, and other exploits

ASP.NET & ASP.NET MVC Validation

  • recognize how the built-in validation capabilities in ASP.NET and ASP.NET MVC protect against attacks

Session State in ASP.NET MVC

  • describe how session state works in ASP.NET and ASP.NET MVC

Password Policies

  • implement password policies in ASP.NET and ASP.NET MVC

Multi-factor Authentication

  • describe multi-factor authentication and how it can be implemented in ASP.NET MVC

Appropriate Password Management

  • list appropriate approaches to capturing, storing, validating, and resetting user passwords

HttpOnly Cookie Flag

  • describe the HttpOnly Cookie Flag and how to apply it in ASP.NET and ASP.NET MVC

Microsoft Anti-cross Site Scripting Library

  • use the Microsoft Anti-cross Site Scripting Library

Authorization in ASP.NET MVC Controllers

  • implement authorization in ASP.NET MVC

Authenticating with External Logins in ASP.NET MVC

  • allow your users to authenticate against external login providers like Microsoft, Twitter, Facebook and Google

Exercise: Mitigate Security