Developing secure .NET applications

TABLE OF CONTENTS    .NET Security Basics    .NET Security Features and Mechanisms    .NET Threats and Vulnerabilities    .NET and Web Services    .NET Security Tools    .NET Security Code Samples    Other Useful Resources

.NET Security Basics

[Return to Table of Contents]

• Secure SDLC: Integrating security into your software development life cycle: The first step for boosting application security is integrating security into the SDLC. This detailed tip includes thorough instructions for adopting security measures into your development process.



• Application security with ASP.NET: Web application security is easier once you understand how to utilize the security features built in to ASP.NET. This article explains how to find and use those features.



• Is .NET less vulnerable to security hacks?: Expert Caleb Sima explains how to prevent two common exploits, cross-site scripting (XSS) and SQL injection in .NET applications.



• Comparing Java and .NET security: Lessons learned and missed (PDF): This detailed paper outlines the security features of both .NET and Java and where improvements can be made.



• No clear winner in .NET/J2EE security race
: Both platforms have the same kind of security model, this article explains. However, there are a few differences software developers should be aware of.


• ASP.NET Web Application Security: Thorough, organized site with tips on .NET basics, authentication, authorization and more.



• ASP.NET Web application and Windows authentication –- a case study: The article explains how to secure user permissions using, specifically, "Integrated Windows Authentication."



• Security practices: ASP.NET 2.0 security practices at a glance: This white paper from the Microsoft Developer Network (MSDN) explains how to implement code access security, authorization, validate input and more.

.NET Security Features & Mechanisms

[Return to Table of Contents]

• Discover the power of .NET's code access security: This article details how to secure user privileges and protect important data using .NET's Link Demand and Strong Name features.



• User management and login security controls in ASP.NET: Dan Cornell explains how to use ASP.NET 2.0's built-in Forms Authentication function to secure user management in Microsoft Acess, Microsoft SQL Server, and Oracle.



• Forms Authentication differences in ASP.NET 2.0: What built-in security features does .NET 2.0 have? Dan Cornell explains.



• Limiting user access in ASP.NET: Strong authorization features are included in the ASP.NET 2.0 platform. This Expert Response explains how to use authorization to control user access and protect Admin, Client and Customer directories.



• Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: Lengthy instructions from MSDN for building security features into your .NET applications.



• How To: Secure an ASP.NET application by using Windows security: Instructions for creating a .NET Web application with robust authentication and authorization.



• Securing a .NET application on the Oracle database: Includes proxy authentication, Windows authentication and even a section on preventing SQL injection.



• Encryption and .NET application security: Many cryptographic features are already built into the .NET platform. Dan Cornell discusses these and other encryption options in this Expert Response.



• .NET encryption simplified: Detailed information on encryption capabilities, including numerous code samples.

.NET Threats and Vulnerabilities

[Return to Table of Contents]

• Threat modeling Web applications: From MSDN, an intensive tutorial on threat modeling and how to apply it to your Web applications.



• Threat modeling enhanced with misuse cases: Proper threat modeling, especially when boosted with misuse cases, can prevent many common and serious application exploits such as SQL injection, brute force attacks and sniffing attacks.



• Secure Coding Practices for Microsoft .NET Applications, 2003 (PDF) : This white paper by Amit Klein addresses common ASP.NET security vulnerabilities such as parameter tampering and SQL injection and offers coding solutions for them.



• Guarding against XSS in ASP.NET: Preventing cross-site scripting attacks in .NET applications is similar to XSS prevention on other platforms. However, there are security features in .NET that boost security against this exploit.



• SQL injection: Developers fight back: Anurag Agarwal provides 10 steps for preventing this common application security attack. Input validation is explored in further detail, and code samples are included.


OWASP resources
Here is a list of tutorials from the Open Web Application Security Project, commonly known as OWASP. Each of these chapters is from the OWASP Guide to Building Secure Web Applications and Web Services.

• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 9: Authentication



• Chapter 10: Authorization



• Chapter 12: Data Validation



• Chapter 13: Interpreter Injection



• Chapter 17: Buffer Overflows

.NET and Web Services

[Return to Table of Contents]

• Why are Web services more vulnerable than other Web apps?: Web application security must be modified to fit the unique needs of Web services. Rami Jaamour explains what these differences are and what extra security steps should be taken.


The importance of WS-Security: Expert Rami Jaamour explains what the Web Services Security standard is and how the measures it recommends surpass mere SSL for more secure apps.

How does WS-Security relate to other WS- standards?: Detailed explanation of the WS-Security standard and other Web Services standards from OASIS.


• Building a universal Web services ID



• Using role-based security with Web Services Enhancements 2.0



• A developer's roadmap to using WS-Security



• Certificate validation callbacks in Indigo



• Attacking Web services: The next generation of vulnerable enterprise apps (PDF)

.NET Security Tools

[Return to Table of Contents]

• Compuware updates ASP.NET security tool


• Get automated security testing for .NET applications


• Generate token for public key in text format


• Digital signature generation


• Developmentor security utilities


• Parasoft .TEST


• Session Viewer


• Token Dump Component


• Visual Input Security


• Professional validation and more


• Samoa: Formal tools for securing Web services

.NET Security Code Samples

[Return to Table of Contents]

• VBCode.com security downloads


• StrongNameIdentityPermission


• Secondary Login from C#


• User Right Enumerator


• IdentitySink Remoting Channel Sink


• Publisher Policy


• Exploring Security WSE 3.0 Hands-on Labs


• Windows Federated Identity Resource Kit

Other Useful Resources

[Return to Table of Contents]

Expert advice on .NET security Do you have a question about .NET security that you're having trouble getting answered? .NET security expert Dan Cornell can help. Read advice he has given or submit your own questions.

• .NET Reference Guide .NET Application Security


• .NET Security Blog


• ASP.NET 2.0 Security Wiki Test Drive (Wiki)


• ASP.NET discussion forum


• Digital Black Belt Developer Security Webcast Series


• Security articles by Michael Howard


• DNZone security articles


• Building Secure Microsoft ASP.NET Applications (Book)


• Hacking the Code: ASP.NET Web Application Security (Book)


• Using Advanced Microsoft .NET Application Security Techniques (Online course)