DEV312 Building Secure Web Applications: Defenses And Countermeasures

Jeff Prosise
Co-founder
Wintellect (www.wintellect.com)
Holistic Approach To Security

Network: Port blocking, Filtering, Encryption
  Threats: Spoofed packets, etc.
Host: Updates, Internet Information Server hardening, ACLs, CAS, Logging, Least privilege, Account management
  Threats: Buffer overflows, illicit paths, etc.
Application: Validation, Hashing, Encryption, Secrets management, Cookie management, Session management, Error handling
  Threats: SQL injection, XSS, input tampering, etc.

Defend the network
Defend the host
Defend the application
Defending The Network

Harden firewalls
- Stay current with patches and updates
- Block unused ports and protocols
- Use filtering to reject illicit requests

Harden routers and switches
- Stay current with patches and updates
- Use ingress/egress filtering to reject spoofed packets
- Screen ICMP traffic from the internal network
- Screen directed broadcast requests from the internal network
- Reject trace routing requests

Encrypt sensitive communications

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT18.asp
Defending The Host

Stay current with service packs and updates

Harden Internet Information Server 5 by running IISLockdown
- Disables FTP, SMTP, and NNTP
- Removes key script mappings such as .idq, .htr, and .printer
- Removes IISSamples, IISHelp, Scripts, and other virtual directories
- ACLs system tools and Web content directories to limit access
- Disables WebDAV
- Installs URLScan

Harden Internet Information Server 5 and 6 by installing URLScan
- Logs failed requests
- Limits request sizes to mitigate DoS attacks
- Masks content headers revealing IIS type and version number
- Blocks requests with potentially injurious characters (e.g., dots in path names)
- Canonicalizes and verifies path names to thwart directory traversal attacks
- Disables specified verbs (e.g., "DEBUG")

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh16.asp
Defending The Host

Harden the Web server's TCP/IP stack
http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTHardTCP.asp

Run ASP.NET using the principle of least privilege
- Avoid running as SYSTEM
- Consider running with partial trust

Limit the size of file uploads

    <configuration>
      <system.web>
        <!-- Limit request length to 128K (default = 4 MB) -->
        <httpRuntime maxRequestLength="128" />
      </system.web>
    </configuration>
Defending The Host

Disable unused shares and services
- Delete nonessential shares and restrict access to others
- Disable nonessential services and protocols (e.g., SMB and NetBIOS)
- Remove or secure Remote Data Services (RDS)

Harden user accounts
- Disable the Guest account
- Use strong passwords on all accounts
- Rename the administrator account
- Disallow null sessions (anonymous logons)
- Restrict remote logons to only those who need it

Be aggressive about logging and auditing
- Log failed logon attempts
- Log failed actions anywhere in the system
- Secure IIS log files with NTFS permissions
- Audit access to Metabase.bin
Defending The Host

Use ACLs to limit access to critical resources
- Restrict access to the %systemroot%\System32 directory
- Restrict access to %systemroot%\Microsoft.NET\Framework
- Restrict write access to %systemroot%\System32\Logfiles
- Restrict write access to Web content directories
- Restrict access to registry keys where secrets are stored

See http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh19.asp?frame=true#c19618429_025 for information on NTFS permissions required by ASP.NET
Defending The Application

- Never trust user input (validate!)
- Access databases securely
- Store secrets securely
- Avoid vulnerabilities in forms authentication
- Secure ASP.NET session state
- Anticipate errors and handle them appropriately

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp
Validating Input

- Filter potentially injurious characters and strings
- HTML-encode all input echoed to a Web page
- Avoid using file names as input if possible
- Use "safe" character encodings

    <globalization requestEncoding="ISO-8859-1" responseEncoding="ISO-8859-1" />
Tools For Validating Input

Tool: Description
- Regex: Class in the System.Text.RegularExpressions namespace that wraps the .NET Framework's regular expression engine
- Validation controls: Set of six controls that validate input on both client and server: RequiredFieldValidator, RegularExpressionValidator, RangeValidator, etc.
- HttpUtility.HtmlEncode: HTML-encodes input, converting potentially dangerous characters such as "<" into harmless escape sequences
- Request.MapPath: Resolves path names and optionally checks for path names that violate application boundaries
- ASP.NET 1.1 request validation: Feature of ASP.NET 1.1 that automatically rejects requests containing certain characters and character sequences (e.g., "<script")

Input Validation
Accessing Data Securely

- Use stored procedures or parameterized commands
- Never use sa to access Web databases
- Store connection strings securely
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
- Apply administrative protections to SQL Server

http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT18.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT19.asp
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
Dynamic SQL Commands

    // DANGER! User input used to generate database query
    string sql = String.Format ("select count (*) " +
        "from users where username=\'{0}\' and cast " +
        "(password as varbinary)=cast (\'{1}\' as " +
        "varbinary)", username, password);
    SqlCommand command = new SqlCommand (sql, connection);
    int count = (int) command.ExecuteScalar ();

Vulnerable to SQL injection attacks
Parameterized Commands

    // BETTER: Input passed to parameterized command
    SqlCommand command = new SqlCommand ("select count (*) from users where " +
        "username=@username and cast (password as " +
        "varbinary)=cast (@password as varbinary)", connection);
    command.Parameters.Add ("@username", SqlDbType.VarChar).Value = username;
    command.Parameters.Add ("@password", SqlDbType.VarChar).Value = password;
    int count = (int) command.ExecuteScalar ();

Less vulnerable to SQL injection attacks
Stored Procedures

    // BEST: Input passed to stored procedure
    SqlCommand command = new SqlCommand ("proc_IsUserValid", connection);
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add ("@username", SqlDbType.VarChar).Value = username;
    command.Parameters.Add ("@password", SqlDbType.VarChar).Value = password;
    command.Parameters.Add ("@return", SqlDbType.Int).Direction = ParameterDirection.ReturnValue;
    int count = (int) command.ExecuteScalar ();

Less vulnerable to SQL injection attacks
Added security via EXECUTE permission
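The deck's stored-procedure snippet leaves two things implicit: the parameters carry no length, and the RETURN value of the procedure is read through ExecuteScalar rather than through the @return parameter. The following is an added example, not code from the presentation, of the same call written the way a production data layer would make it. It assumes the hypothetical proc_IsUserValid ends with a RETURN of the matching row count, and it is written for .NET Framework 2.0 or later (string.IsNullOrEmpty, using blocks).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the presentation). Calls the deck's hypothetical
// proc_IsUserValid with typed, sized parameters and reads the procedure's
// RETURN value via the @return parameter after execution completes.
public static class UserValidation
{
    // Upper bounds on what the application accepts; the parameter sizes
    // below enforce them on the way to SQL Server regardless of form input.
    private const int MaxUserNameLength = 32;
    private const int MaxPasswordLength = 64;

    public static bool IsUserValid(string connectionString, string username, string password)
    {
        // Constrain input before it goes anywhere near the database.
        if (string.IsNullOrEmpty(username) || username.Length > MaxUserNameLength) return false;
        if (string.IsNullOrEmpty(password) || password.Length > MaxPasswordLength) return false;

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand("proc_IsUserValid", connection))
        {
            command.CommandType = CommandType.StoredProcedure;

            // Typed, sized parameters: the values are never concatenated into SQL text,
            // so quote characters in them are data, not syntax.
            command.Parameters.Add("@username", SqlDbType.VarChar, MaxUserNameLength).Value = username;
            command.Parameters.Add("@password", SqlDbType.VarChar, MaxPasswordLength).Value = password;

            // ReturnValue parameters receive the procedure's RETURN statement.
            SqlParameter ret = command.Parameters.Add("@return", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;

            connection.Open();
            command.ExecuteNonQuery();

            // Only populated once the command has finished executing.
            int count = (int)ret.Value;
            return count == 1;
        }
    }
}
```

Combined with the EXECUTE-only account described on the next slides, the Web application's login can run nothing on the server except this one procedure, and the length checks mean an oversized value is rejected in the application rather than truncated by the driver.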
The sa Account

For administration only; never use it to access a database programmatically
Instead, use one or more accounts that have limited database permissions
- For queries, use SELECT-only account
- Better yet, use stored procs and grant account EXECUTE permission for the stored procs
Reduces an attacker's ability to execute harmful commands
Creating A Limited Account

    USE Login
    GO

    -- Add account named webuser to Login database
    EXEC sp_addlogin 'webuser', 'm1x2y3z4p5t6l7k8', 'Login'

    -- Grant webuser access to the database
    EXEC sp_grantdbaccess 'webuser'

    -- Limit webuser to calling proc_IsUserValid
    GRANT EXECUTE ON proc_IsUserValid TO webuser
Secure Data Access
Storing Data Securely

Sensitive data stored persistently should be encrypted or hashed
- Credit card numbers
- Login passwords, etc.
For maximum security, connection strings should also be encrypted
Encryption is easy
- System.Security.Cryptography classes
- Windows Data Protection API (DPAPI)
Securing decryption keys is not

Data Protection API (DPAPI)

Present in Windows 2000 and higher
Provides strong encryption, automatic key generation, and secure key storage
- Triple-DES encryption
- PKCS #5 key generation
Two "stores"
- User store
- Machine store
Operating system manages keys
Great tool for ASP.NET programmers!
Building A DPAPI Library

The .NET Framework Class Library 1.x doesn't wrap DPAPI
See "How to Create a DPAPI Library" for instructions on creating your own
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp
- Managed wrapper around DPAPI
- Handles interop and marshaling for you
- Features DataProtector class with simple methods named Encrypt and Decrypt
- Supports machine store and user stores
Encrypting Connection Strings

Web.config:

    <configuration>
      <appSettings>
        <add key="ConnectionString" value="AQNCMnd8BFdERjHoAwE/Cl+sBAAAA..." />
      </appSettings>
    </configuration>

Page:

    DataProtector dp = new DataProtector (DataProtector.Store.USE_MACHINE_STORE);
    string val = ConfigurationSettings.AppSettings ["ConnectionString"];
    byte[] data = Convert.FromBase64String (val);
    string connect = Encoding.ASCII.GetString (dp.Decrypt (data, null));
Encrypting And ACLing Connection Strings

Registry (HKLM\SOFTWARE\MyWebApp), ACL:
- Admins: Full
- SYSTEM: Full
- ASP.NET: Read

Page:

    DataProtector dp = new DataProtector (DataProtector.Store.USE_MACHINE_STORE);
    RegistryKey key = Registry.LocalMachine.OpenSubKey ("SOFTWARE\\MyWebApp");
    string val = (string) key.GetValue ("ConnectionString");
    byte[] data = Convert.FromBase64String (val);
    string connect = Encoding.ASCII.GetString (dp.Decrypt (data, null));

Encrypting Connection Strings
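The deck's DataProtector class is a hand-built wrapper because the 1.x Framework had none. Later Framework versions ship a managed DPAPI wrapper, System.Security.Cryptography.ProtectedData (in System.Security.dll, .NET Framework 2.0 and later). The block below is an added example, not the presentation's code, showing both halves of the registry scheme above: an administrator-run Store that encrypts under the machine store, and the run-time Load that the page calls with only Read access to the key. The key path HKLM\SOFTWARE\MyWebApp and the value name ConnectionString follow the slide; the ACL itself is applied outside this code.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;
using Microsoft.Win32;

// Added example (not from the presentation). Uses the Framework's own
// ProtectedData wrapper in place of the deck's DataProtector class.
public static class ConnectionStringProtector
{
    private const string KeyPath = @"SOFTWARE\MyWebApp";     // from the slide
    private const string ValueName = "ConnectionString";      // from the slide

    // Run once by an administrator on the Web server. Machine scope means any
    // process on this machine (subject to the registry key's ACL) can decrypt,
    // while a copy of the ciphertext is useless on any other machine.
    public static void Store(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, null, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);

        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            key.SetValue(ValueName, Convert.ToBase64String(cipher));
        }
    }

    // Called by the page or data layer at run time; needs only Read on the key.
    public static string Load()
    {
        string encoded;
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null)
                throw new InvalidOperationException("Registry key not found: " + KeyPath);
            encoded = key.GetValue(ValueName) as string;
        }
        if (encoded == null)
            throw new InvalidOperationException("Value not found: " + ValueName);

        byte[] cipher = Convert.FromBase64String(encoded);
        byte[] plain = ProtectedData.Unprotect(cipher, null, DataProtectionScope.LocalMachine);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            // Keep the plaintext in memory no longer than needed.
            Array.Clear(plain, 0, plain.Length);
        }
    }
}
```

The second argument to Protect and Unprotect is optional entropy; passing null mirrors the deck's Decrypt (data, null) call. Supplying a fixed application-specific entropy value there would additionally prevent another application on the same machine from decrypting the value even if the ACL were misconfigured.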
Windows Authentication

Microsoft SQL Server supports two types of authentication
- Authentication using SQL Server logins
- Authentication using Windows identities
Windows authentication reduces threat surface area by eliminating user names and passwords from connection strings

    server=localhost;database=pubs;Trusted_Connection=yes
Forms Authentication

- Protect login credentials with SSL/TLS
- Don't store passwords; store password hashes
- Don't rely on forms authentication to protect resources not owned by ASP.NET
- Limit authentication cookie lifetimes to minimize windows for replay attacks
- Assume authentication cookies are spoofed or stolen when performing sensitive operations

http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp
Protecting Logins

Place login forms in directories protected by SSL/TLS to guard against eavesdropping

    <authentication mode="Forms">
      <forms loginUrl="https://.../LoginPage.aspx" />
    </authentication>

Encrypted connection (the https:// loginUrl)
Storing Login Passwords

Format: Comments
- Plaintext passwords: Exposes entire application if database is compromised
- Encrypted passwords: Better than plaintext, but still vulnerable if decryption key is compromised
- 1-way password hashes: Better than encrypted passwords, but still vulnerable to dictionary attacks
- Salted password hashes: Less vulnerable to dictionary attacks

Don't store plaintext passwords
Store encrypted passwords or password hashes for added security
Password Hashes

    string hash = FormsAuthentication.HashPasswordForStoringInConfigFile (password, "SHA1");

FormsAuthentication.HashPasswordForStoringInConfigFile makes hashing easy
- SHA-1 hashes
- MD5 hashes
Generating Salted Hashes

    string CreateSaltedPasswordHash (string password)
    {
        // Generate random salt string
        RNGCryptoServiceProvider csp = new RNGCryptoServiceProvider ();
        byte[] saltBytes = new byte[16];
        csp.GetNonZeroBytes (saltBytes);
        // 16 salt bytes Base64-encode to exactly 24 characters, which
        // ValidatePassword relies on to split the salt from the hash
        string saltString = Convert.ToBase64String (saltBytes);

        // Append the salt string to the password
        string saltedPassword = password + saltString;

        // Hash the salted password
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile (saltedPassword, "SHA1");

        // Append the salt to the hash
        string saltedHash = hash + saltString;
        return saltedHash;
    }
Validating Salted Hashes

    bool ValidatePassword (string password, string saltedHash)
    {
        // Extract hash and salt string (the salt is the trailing 24 characters)
        string saltString = saltedHash.Substring (saltedHash.Length - 24);
        string hash1 = saltedHash.Substring (0, saltedHash.Length - 24);

        // Append the salt string to the password
        string saltedPassword = password + saltString;

        // Hash the salted password
        string hash2 = FormsAuthentication.HashPasswordForStoringInConfigFile (saltedPassword, "SHA1");

        // Compare the hashes
        return (hash1.CompareTo (hash2) == 0);
    }
Authentication Cookies

Defense: Comments
- Restrict cookies to SSL: Prevents cookie theft (strongest defense)
- Limit cookie lifetime: Mitigates replay attacks by limiting attack window
- Disable sliding renewal: Mitigates replay attacks by limiting attack window

Forms authentication cookies are encrypted and validated by default
- Prevents reading and alteration
- Doesn't prevent theft and replay
Preventative measures are required to defend against unauthorized access
Auth Cookie Lifetime

Temporary authentication cookies
- Lifetime limited (by default) to 30 minutes
- Controlled by <forms> timeout attribute
- Subject to sliding renewal in ASP.NET 1.0
- Sliding renewal disabled by default in 1.1
- Controlled by <forms> slidingExpiration attribute
Persistent authentication cookies
- Default lifetime = 50 years!
- Longer lifetime = Greater vulnerability to replay attacks
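The three cookie defenses from the table (SSL only, short lifetime, no sliding renewal) all map to attributes of the <forms> element. The fragment below is an added configuration example, not from the presentation; the login URL is a placeholder, and requireSSL and protection are ASP.NET 1.1 attributes assumed here rather than named on the slides.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout: shorter than the 30-minute default
           slidingExpiration="false": a cookie expires at a fixed time, not idle time
           requireSSL="true": the cookie carries the Secure flag, so the browser
             never sends it over plain HTTP
           protection="All": encrypt and validate (the default, stated explicitly) -->
      <forms loginUrl="https://www.example.com/LoginPage.aspx"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true"
             protection="All" />
    </authentication>
  </system.web>
</configuration>
```

Note that requireSSL only governs the ticket cookie; the login page itself still has to live under https as the Protecting Logins slide shows, otherwise the credentials travel in the clear before the cookie exists.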
Limiting The Lifetimes Of Persistent Authentication Cookies

    if (Authenticate (name, password)) {
        string url = FormsAuthentication.GetRedirectUrl (name, true);
        FormsAuthentication.SetAuthCookie (name, true);
        HttpCookie cookie = Response.Cookies [FormsAuthentication.FormsCookieName];
        // Set the cookie to expire 7 days from now
        cookie.Expires = DateTime.Now.AddDays (7);
        Response.Redirect (url);
    }
Securing Session State

- Limit session time-outs as much as possible
- Avoid using cookieless session state if possible
- Disable ASP.NET state service if you're not using it
- Close port 42424 in firewall if using state service
- Encrypt connection string if using SQL Server
- Close ports 1433 and 1434 if using SQL Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

Session State

- Optionally use SSL/TLS to protect session ID cookies
- Optionally use SSL/TLS or IPSec to secure the connection to the database server
- Don't store potentially injurious data (such as credit card numbers) in session state

http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT18.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT19.asp
Error Handling

- Anticipate errors and handle them sensibly
- Use <customErrors> to display custom error pages
- Beware mode="off" and debug="true"
- Don't reveal too much information in error pages
- Log unhandled exceptions
- Be aggressive about logging failures
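The "beware" bullet is easiest to see as the two settings side by side. The fragment below is an added configuration example, not from the presentation; Error.aspx is a placeholder page name.

```xml
<!-- WEAK: the ASP.NET error page, including stack trace, source file and
     line numbers, is sent to every remote client -->
<system.web>
  <customErrors mode="Off" />
  <compilation debug="true" />
</system.web>

<!-- BETTER: remote clients get a generic page; full details stay on localhost
     for the developer, and debug symbols are not compiled into the site -->
<system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx" />
  <compilation debug="false" />
</system.web>
```

With mode="RemoteOnly" the detailed page is still shown when browsing from the server itself, so the diagnostic value is kept while the Application_Error handler on the next slide records the same exception for everyone else.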
Logging Unhandled Exceptions

Global.asax:

    void Application_Error (Object sender, EventArgs e)
    {
        // Formulate message to write to event log
        string msg = "Error accessing " + Request.Path + "\n" +
            Server.GetLastError ().ToString ();

        // Write the message to Windows event log
        EventLog log = new EventLog ();
        log.Source = "My ASP.NET Application";
        log.WriteEntry (msg, EventLogEntryType.Error);
    }
Why Is This Code Insecure?

    <html>
      <body>
        <form runat="server">
          <asp:TextBox ID="Input" runat="server" />
          <asp:Button Text="Click Me" OnClick="OnSubmit" runat="server" />
          <asp:Label ID="Output" runat="server" />
        </form>
      </body>
    </html>

    <script language="C#" runat="server">
    void OnSubmit (Object sender, EventArgs e)
    {
        Output.Text = "Hello, " + Input.Text;
    }
    </script>

Input is echoed to page without HTML encoding
Input is neither validated nor constrained; user can type anything!
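Here is the same page with both problems from the slide fixed, using the tools from the Tools For Validating Input table: a RequiredFieldValidator plus a RegularExpressionValidator constrain the input to a whitelist on the client and the server, and HttpUtility.HtmlEncode encodes it before it is echoed. This is an added example, not the presentation's code; the whitelist pattern and the MaxLength of 32 are choices for this example.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web" %>
<script runat="server">
void OnSubmit (Object sender, EventArgs e)
{
    // Validators run on the server too, so this holds even if client
    // script is disabled or the request was crafted without the browser
    if (!Page.IsValid) return;

    // Encode before echoing: "<" becomes "&lt;", so input is shown as text,
    // never interpreted as markup
    Output.Text = "Hello, " + HttpUtility.HtmlEncode (Input.Text);
}
</script>
<html>
  <body>
    <form runat="server">
      <asp:TextBox ID="Input" MaxLength="32" runat="server" />
      <!-- RegularExpressionValidator passes empty input, so require a value separately -->
      <asp:RequiredFieldValidator ControlToValidate="Input"
           ErrorMessage="Name is required" runat="server" />
      <!-- Whitelist: a letter followed by up to 31 letters, apostrophes, spaces or hyphens -->
      <asp:RegularExpressionValidator ControlToValidate="Input"
           ValidationExpression="^[A-Za-z][A-Za-z' -]{0,31}$"
           ErrorMessage="Letters, apostrophes, spaces and hyphens only" runat="server" />
      <asp:Button Text="Click Me" OnClick="OnSubmit" runat="server" />
      <asp:Label ID="Output" runat="server" />
    </form>
  </body>
</html>
```

The two measures are independent: the whitelist limits what reaches the server, and the encoding makes the output safe even for a field whose whitelist has to admit characters like "<" or "&".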
Microsoft Products And Services For Lifelong Learning
www.microsoft.com/learning

Assessments: www.microsoft.com/assessment

Courses
- 2310: Developing Microsoft ASP .NET Web Applications Using Visual Studio .NET
- 2640: Upgrading Web Development Skills from ASP to Microsoft ASP .NET
- 1905: Building XML-Based Web Applications
- 2311: Advanced ASP.NET (scheduled release July 04)

Books
- Designing ASP .NET Applications, ISBN: 0-7356-1348-6
- Programming Microsoft ASP .NET, ISBN: 0-7356-1903-4
- Microsoft ASP .NET Coding Strategies with the Microsoft ASP .NET Team, ISBN: 0-7356-1900-X
- Developing Microsoft ASP.NET Server Controls and Components, ISBN: 0-7356-1582-9
- Building Secure Microsoft ASP .NET Applications, ISBN: 0-7356-1890-9
- Building Microsoft ASP .NET Applications for Mobile Devices (Second Edition), ISBN: 0-7356-1914-X
- MCAD/MCSD Self-Paced Training Kit: Developing Web Applications with Microsoft Visual Basic .NET and Microsoft Visual C# .NET (Second Edition), ISBN 0-7356-1927-1