.NET, C#, and ASP.NET Secure Development

A practical course for developers who ship .NET and ASP.NET applications and want strong, repeatable security. The agenda covers threat-aware design, secure coding patterns in C#, hardened authentication and authorization, data protection, and safe delivery practices. Examples focus on ASP.NET Core MVC, Web API, minimal APIs, and common hosting setups.

What will you learn?

You will design and implement security controls across the stack, from input handling and identity to transport and storage. You will apply ASP.NET Core features and C# patterns that prevent common vulnerabilities and support auditing and compliance. By the end, you can review, fix, and ship applications with a consistent security baseline.

  • Apply secure coding patterns in C# for validation, encoding, and error handling
  • Implement robust auth with ASP.NET Core Identity, OAuth2 or OIDC, cookies, and JWT
  • Protect data in transit and at rest using TLS, Data Protection, and secrets management
  • Harden APIs and apps with secure headers, CORS, rate limiting, logging, and testing

Requirements:

  • Comfortable with C# and ASP.NET Core basics
  • Ability to run a local ASP.NET Core project
  • Git and a modern IDE available

Course Outline*:

*We know each team has their own needs and specifications. That is why we can modify the training outline per need.

Module 1: Threat modeling and secure development lifecycle

  • Common attack paths for ASP.NET apps and APIs and how to map them
  • Secure defaults: principle of least privilege, fail safe, and defense in depth
  • Supply chain basics: packages, signing, and dependency health
  • Building a lightweight security checklist for each release

Module 2: Secure coding patterns in C#

  • Input validation and canonicalization: model binding, FluentValidation, data annotations
  • Output encoding to prevent XSS: Razor, Tag Helpers, HtmlEncoder
  • SQL injection prevention with EF Core parameterization and safe raw SQL
  • Safe error handling: exception boundaries, user messages, and logging without secrets

Module 3: Authentication and authorization in ASP.NET Core

  • ASP.NET Core Identity, external providers, and password hygiene
  • OAuth2 and OpenID Connect flows, tokens, refresh, and lifetimes
  • Cookie and JWT hardening: SameSite, secure flags, audience and issuer checks
  • Claims, roles, and policy-based authorization with custom requirements

Module 4: Session, state, and API surface hardening

  • Anti-forgery protections, CORS policies, and rate limiting middleware
  • Secure headers middleware: CSP, X-Content-Type-Options, Referrer-Policy
  • File uploads and serialization safety: size limits, content checks, and safe deserializers
  • Minimal APIs and Web API conventions: model validation and versioning

Module 5: Protecting secrets and data at rest

  • .NET Data Protection API: key management, rotation, and key storage
  • Secrets management: user secrets, environment variables, and external stores
  • Encryption at rest with Key Vault or DPAPI and hashing with PBKDF2 or Argon2
  • Auditable configuration patterns per environment without leaking PII

Module 6: Transport and platform hardening

  • HTTPS, HSTS, TLS versions and cipher considerations
  • Reverse proxy and hosting: Kestrel, IIS, Nginx configuration highlights
  • Identity platforms: Azure AD or Entra, managed identities, and service-to-service auth
  • Background jobs and workers: resilient retries and protected configuration

Module 7: Observability and incident readiness

  • Structured logging with redaction: Serilog or ILogger scopes and correlation IDs
  • Metrics, health checks, and basic anomaly signals for security-relevant events
  • Centralized auditing: who did what and when, with minimal noise
  • Backup, restore, and key recovery implications for encrypted data

Module 8: Verification and continuous assurance

  • Unit and integration tests for security behaviors: auth, authorization, and filters
  • Automated checks: SAST, dependency scanning, container image scanning
  • Build and deploy gates: required headers, TLS, and vulnerability thresholds
  • Playbooks for triage and safe rollback during incidents

Hands-on learning with expert instructors at your location for organizations.

3.072€*

  • Level: intermediate
  • Duration: 14 hours (2 days)
  • Training customized to your needs
  • Immersive hands-on experience in a dedicated setting

*Price can range depending on number of participants, change of outline, location etc.

Master new skills guided by experienced instructors from anywhere.

3.395€*

  • Level: intermediate
  • Duration: 14 hours (2 days)
  • Training customized to your needs
  • Reduced training costs

*Price can range depending on number of participants, change of outline, location etc.