This month we happen to line up the day before the Microsoft Web Platform roadshow hits town (more info here - mswebday.net). As such we have our own webby topic ready for you and are delighted to have John Staveley coming up from Leeds who will be taking over both sessions with his master class on:
.NET MVC Website Security
The number and frequency of attacks on websites in the news is increasing steadily and effects can be devastating. However for each company that you hear about there are many more who cover up or are unaware of breaches on their sites. Thus what you hear about in the news represents just the tip of the iceburg. This primer session on security focusses on the major risks and the practical steps you can take now in your software development to protect an ASP.Net Mvc website from the major threats in the web today and will include code you can take away and implement in your own sites. Each type of attack will be introduced in a technology agnostic way, then highlighted with some case studies using major breaches as examples, then finally countermeasures which you can use will be proposed for each risk. The attacks I will be looking at are:
- SQL Injection
- Session hijacking
- Password hacking
- Weak account management
- XSS
- Insecure direct object references
- Misconfiguration
- Sensitive data exposure
- Missing Function Level Access Control
- CSRF
- Unvalidated redirects and forwards
- Form overposting
- DDOS
- Social Engineering
A sample code project is included as part of the talk which helps mitigate against all of these threats and more.