Black Hat Windows Security 2003

Note: if the class is overfilled, you will be contacted.


Windows 2003 Training
February 24-25 2003
Seattle Sheraton Hotel & Towers

All course materials, lunch and two coffee breaks will be provided.
You must provide your own laptop.
A Certificate of Completion will be offered to students completing the course.

Course Length: 1 day

Cost: US $600
NOTE: this is a one day course offered on Tuesday, Feb 25 only.


One Day Course
Tues, Feb 25
Writing Secure Code
Michael Howard, Microsoft
What to bring:
Before attending this course, students must have development experience with Visual Basic, C, C++, or Java.


This one-day, instructor-led seminar introduces developers to the knowledge and skills required to identify and mitigate security threats. The seminar is divided into three sessions:

Session I: "Writing Secure Code" will highlight common techniques that hackers use to compromise software systems. In addition, the audience will learn strategies and a series of best practices that can mitigate these threats. Threats covered will include buffer overruns, cross-site scripting, SQL injection, canonicalization issues, cryptography hacking, COM safe for script issues, and denial of service attacks.

Session II: "Security and the .NET Framework" will cover the security features of the Microsoft .NET Framework. Topics will include .NET Framework security features, implementing code access and role-based security, cryptography, and securing Microsoft ASP.NET and XML Web services. For advanced learners who are already familiar with these concepts, the first part of the session may be skipped or covered at an accelerated pace. For this audience, the session will focus on “Advanced Topics: Tips for Writing Secure .NET Code,” which covers best practices for writing secure .NET code.

Session III: "Developing Secure Applications with .NET Enterprise Servers" will cover the security features available with the .NET Enterprise Servers. This session provides a high-level overview of security concepts and Microsoft product features from which managers, network administrators, developers, and architects can benefit. This session is designed to be customized for specific audiences, and trainers should be aware of the background of the audience and their interest in specific products and solutions before delivering this session.

The target audience consists of developers and architects of varying degrees of aptitude and experience who use different programming languages and platforms. To a lesser extent, business decision makers and project managers will also benefit from the seminar.

Main Audiences

  • Software Architect. Experienced architects and designers of software applications typically design and troubleshoot a wide range of application types.
  • Professional Microsoft Visual Basic® Developer. These developers typically build applications based on Microsoft Win32® and occasionally business-tier COM components by using Microsoft Visual Basic 6.0, and are also either interested in or currently working with Microsoft Visual Basic .NET.
  • Professional C++ Developers. These developers build a wide range of applications, including Win32-based applications, Web applications, mobile devices, COM components, and other highly productive and efficient software applications. They are also either interested in or currently working with C#.

Secondary Audiences

Business Decision Makers and Program Managers. These audiences do not have the technical background to fully understand all of the content covered in the clinic. However, they are interested in learning enough to make intelligent decisions regarding schedules and resources.

At Course Completion
After completing this course, students will be able to:

  • Implement threat modeling to analyze software vulnerabilities.
  • Recognize the threats of buffer overruns and how to avoid them.
  • Recognize the threats of canonicalization and how to avoid them.
  • Recognize the threats of SQL injection and how to avoid them.
  • Recognize the threats of cross-site scripting and how to avoid them.
  • Recognize the threats of denial of service (DoS) attacks and how to avoid them.
  • Describe the intricacies and benefits of access control lists (ACLs).
  • Describe the complexities of storing secret information.
  • Execute code with least privilege.
  • Create secure Web sites.
  • Implement code access security in the .NET Framework.
  • Describe role-based security in the .NET Framework.
  • Determine security policy settings in the .NET Framework.
  • Encrypt and decrypt data with classes in the System.Security.Cryptography namespace.
  • Secure ASP.NET applications and XML Web services.
  • Implement best practices for writing secure .NET code.
  • Describe current security technologies and standards.
  • Specify the security technologies used in the .NET Enterprise Servers.
  • Secure software solutions built by using the .NET Enterprise Servers.




Michael Howard is a security program manager on the Microsoft Windows XP team, focusing on secure design, programming, and testing techniques. He works with hundreds of people both inside and outside the company each year to help them secure their applications. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 from Microsoft Press. Prior to working on Windows XP, Michael worked on next-generation Web server technologies and IIS. He has worked on Microsoft Windows NT® security since 1992.
