Principles of Secure Coding

Who I am, what I aim to do, and what I think of best practices.

A quick look at the tools we're going to use and a map of the course.

Some definitions of "security", and some clarity on the pain of insecurity.

Who you are, what you can do, and how this goes wrong.

Untangling some security terms from each other and from their common usage.

We'll look at a nuts and bolts example of how serialization can cause problems.

We'll understand how and why the nature of the Internet is fundamentally insecure.

Understanding the bad guys both outside the walls and in.

We'll wrap up the section and review what we talked about.

What it is we're talking about when we say "the security of version control".

Why secrets do not belong in version control, and what we mean by that.

A story about what goes wrong when secrets end up in version control.

Working with secrets managers, and what doing that correctly requires.

How we can avoid secrets and the pain of working with them altogether.

We'll demo a secrets manager and talk about how to manage secrets in Production.

We'll close out the section with a discussion of Tom Scott's legendary YouTube short, "The (Fictional) Day Google Forgot to Check Passwords".

We'll wrap up the section and review what we talked about.

We'll talk about the nature of server-side code and how it can go wrong.

We'll talk about the risks associated with the very common practice of code reflection.

We'll look at some C#-specific solutions to reducing the copies of your sensitive data floating around.

We'll look at the ins and outs of read-only structs and reflect on the other uses of the readonly keyword.

Why SecureString isn't, and what happens to best practices.

Why you're not good enough (and neither am I) to write your own encryption.

One more look at the problems associated with serialization and an approach to deal with them.

What Microsoft says about secure coding.

A look at the role that containers and VMs can play in secure coding.

We'll wrap up the section and review what we talked about.

We'll talk about choosing in security, and another horror story from poor security.

We'll look at a common source of data breaches, and what practices can prevent it.

An in depth look at what we're talking about with hashing and salt.

A look at Microsoft's cloud encryption solution for databases, Transparent Data Encryption.

We'll look at connecting to an Azure Key Vault to manage our secrets.

A discussion of Social Security Numbers and their meaning in security.

How sensitive data gets into logs, and why it happens.

A nuts and bolts example of getting a piece of sensitive data into the logs, and how to keep it out.

We'll wrap up the section and review what we talked about.

An overview of OWASP and what the Top Ten means from year to year.

What happens when users get outside of their intended permissions.

What happens when we fail to protect our data.

What happens when users can execute code we did not intend.

What happens when our system is designed wrongly from the start, in security terms.

What happens when you haven't configured your applications and systems for secure operation.

When updating that package is too much trouble, so you end up with a security breach.

When the basis of your authentication is inadequate evidence that a user is who they say they are.

What happens when our application trusts stuff it shouldn't.

When we don't know what's going on with our system, or can't.

When an internal server is tricked into making a request on the behalf of an attacker.

Working with OWASP's automated scanning tool, ZAP.

Why getting help from security experts can be painful, but is worth it.

We'll wrap up the section and review what we talked about.

We'll wrap up the course and take one last stab at getting some security principles into your bones.

We'll review a few of the big concepts covered in the course and see how much you remember.