Description Day 1 (Wednesday, 5th March 2025)
Day one of the workshop shows how authentication, authorization and security requirements can be implemented using ASP.NET Core and DevOps with different identity providers. Some of the different approaches when implementing these in SPAs, or ASP.NET Core Razor/MVC will be explained, as well as the different OpenID Connect/OAuth flows which should be used or can be used for these types of solutions.
Application Security Overview
The module gives an overview of application security architecture and explains some of the topics from a top-level perspective. The different areas of applications security will be explained as well as best practice for multi factor authentication.
OpenID Connect, OAuth2 flows
This module explains the best practices for implementing OAuth and OpenID Connect in a software. The recommended flows and how they work will be highlighted and the attendees show gain a clear knowledge of when to use which flow for which application type.
DevOps Security
In the DevOps Security part, the focus is on possible attack vectors in the development process and how these can be mitigated in general and detected in relation to the source code using static security testing.
Protecting the session, client
Learn how your session can be attacked even if your authentication flow is perfect. Team up with your browser and learn about important security headers. In the exercises, you will demonstrate multiple attacks on an application and learn how to mitigate them.
API Authorization
This module looks at implementing authorization for APIs, exploring the different ways to secure the APIs, for example cookies, self-contained access tokens or reference tokens and introspection.
Securing SPA applications
Securing single page applications is hard. This is no common recommended best practice for securing SPA applications. This module shows the current recommendations for implementing security in SPAs and things like the backend for frontend architecture (BFF) will be explained.
Description Day 2 (Wednesday, 6th March 2025)
The second day of the workshop looks at how security architecture requirements can be planned and designed using ASP.NET Core and Azure DevOps/github with different identity providers. Some of the different approaches when designing these in cloud solutions, high security architectures will be explained as well as the different OpenID Connect/OAuth flows which should be used or can be used for these types of solutions.
App Architecture security Overview
The module gives an overview of application security architecture and explains some of the topics from a top-level perspective. Things like development security, infrastructure security, governance will be explained and well as how to plan and define requirements for security.
OpenID Connect, OAuth2 flows (Recap)
This module is a recap of the application security module and explains the best practices for OAuth and OpenID Connect. The recommended flows and how they work will be highlighted and the attendees should gain a clear knowledge of when to use which flow for which application type.
App Security architecture
This module explores architecture requirements for application security. The module makes use of application architecture best practices like for example quality attributes and explains what makes a good security context diagram, what type of requirements should be visible in a good diagram.
Choose the correct identity provider, authentication platform
Choosing the right identity provider for your software solution is not easy. This module explains some of the advantages and disadvantages of the different identity provider products and should give you the knowledge to choose the right identity provider for your solution authentication and authorization.
DevOps security Advanced
This module provides an overview of GitHub features with a focus on security features and goes into detail in the context of DevOps security. In particular, in the area of GitHub actions.
Authorization architecture
This module starts by explaining the technical implementation of current best practices when implementing authorization in ASP.NET Core applications. The module then looks at designing and planning application authorization architecture in software solutions.
https://www.isolutions.ch/en/lp/application-security-workshop