MVC 4.0, Part 07 of 11: Security Concepts

LearnNow Online
Updated Aug 22, 2018

Course description

In this course you’ll explore a wide range of security threats and a variety of features in MVC that help you protect against them. We’ll start with a discussion of critical security concepts, then look at some of the differences between Web Forms and MVC applications from a security perspective. Then you’ll learn various techniques you can use to protect the integrity of application data, including how you can encrypt configuration file sections, use SSL for various security purposes, and hash passwords for storage. I’ll finish up the course by looking at various serious threats that MVC applications face, and explore some of the options available for protecting against them.

Each LearnNowOnline training course is made up of Modules (typically an hour in length). Within each module there are Topics (typically 15-30 minutes each) and Subtopics (typically 2-5 minutes each). There is a Post Exam for each Module that must be passed with a score of 70% or higher to successfully and fully complete the course.


Prerequisites

This course assumes that you are familiar and experienced with Microsoft’s .NET Framework and ASP.NET development tools. You should be familiar with Web development and understand how HTTP and HTML work to produce Web pages for the user. You should have experience writing applications with ASP.NET 4.0 or later Web Forms, be familiar with how ASP.NET processes page requests, and have strong experience with .NET Framework 4.0 or later programming. You should have experience with Visual Studio 2012 for building Web application projects. Experience with building database applications using these tools will be helpful, although not strictly necessary.


Meet the expert

Don Kiely

Don Kiely is a featured instructor on many of our SQL Server and Visual Studio courses. He is a nationally recognized author, instructor, and consultant specializing in Microsoft technologies. Don has many years of teaching experience, is the author or co-author of several programming books, and has spoken at many industry conferences and user groups. In addition, Don is a consultant for a variety of companies that develop distributed applications for public and private organizations.

Video Runtime

153 Minutes

Time to complete

422 Minutes

Course Outline

Security

MVC Security Concepts (22:16)

  • Introduction (00:48)
  • Critical Security Concepts (08:52)
  • Web Forms vs. MVC (02:45)
  • OWASP (02:01)
  • The OWASP Top 10 List (07:19)
  • Summary (00:29)

Encrypting Configuration Files (17:57)

  • Introduction (00:41)
  • Encrypting Configuration (01:30)
  • Protected Configuration Providers (01:20)
  • Demo: machine.config (01:39)
  • Demo: Encrypt Connection Strings (04:51)
  • Demo: Encryption Code (04:16)
  • Demo: Encrypt External Files (02:42)
  • Summary (00:55)

Secure Communication (29:10)

  • Introduction (00:43)
  • Secure Communication with SSL (06:57)
  • SSL in MVC (01:51)
  • Demo: Using SSL (04:45)
  • Demo: SSL Port (03:39)
  • Demo: Require SSL (02:43)
  • Demo: Require SSL Index (04:44)
  • Demo: Certificates (03:32)
  • Summary (00:10)

Hashing Passwords (16:23)

  • Introduction (00:07)
  • Hashing Passwords for Storage (03:59)
  • Demo: Hashing Passwords (05:00)
  • Demo: Salted Hash (03:08)
  • Demo: Salted Hash Code (03:45)
  • Summary (00:23)

Security Threats

Cross Site Scripting (16:47)

  • Introduction (00:45)
  • Cross-Site Scripting (XSS) (02:29)
  • Preventing XSS Attacks (09:17)
  • Anti-XSS Library (03:35)
  • Summary (00:39)

SQL Injection (17:59)

  • Introduction (00:48)
  • SQL Injection (00:29)
  • Demo: SQL Injection (07:01)
  • Preventing SQL Injection (08:49)
  • Summary (00:51)

Cross Site Request Forgeries (32:50)

  • Introduction (00:57)
  • Cross-Site Request Forgeries (05:58)
  • Demo: CSRF (03:59)
  • Demo: CSRF Example (03:34)
  • Demo: Transfer Headers (05:19)
  • Preventing CSRF Attacks (05:22)
  • Demo: Anti-Forgery Token (06:40)
  • Summary (00:58)