There's no denying the importance of incorporating security at the application level. While some issues are similar across platforms, .NET developers face their own challenges. The resources here will help you understand the basics of .NET application security. In addition, you'll learn about tools to help you secure your code, sample code for you to use and resources to get even more information if you need it.
Are there other topics you'd like to see learning guides on? Send me an e-mail and let me know what they are. -- Michelle Davidson, Editor.
| TABLE OF CONTENTS
.NET Security Basics
.NET Security Features and Mechanisms
.NET Threats and Vulnerabilities
.NET and Web Services
.NET Security Tools
.NET Security Code Samples
Other Useful Resources
|.NET Security Basics|
- Secure SDLC: Integrating security into your software development life cycle: The first step for boosting application security is integrating security into the SDLC. This detailed tip includes thorough instructions for adopting security measures into your development process.
- Application security with ASP.NET: Web application security is easier once you understand how to utilize the security features built in to ASP.NET. This article explains how to find and use those features.
- Is .NET less vulnerable to security hacks?: Expert Caleb Sima explains how to prevent two common exploits, cross-site scripting (XSS) and SQL injection in .NET applications.
- Comparing Java and .NET security: Lessons learned and missed (PDF): This detailed paper outlines the security features of both .NET and Java and where improvements can be made.
- No clear winner in .NET/J2EE security race : Both platforms have the same kind of security model, this article explains. However, there are a few differences software developers should be aware of.
- ASP.NET Web Application Security: Thorough, organized site with tips on .NET basics, authentication, authorization and more.
- ASP.NET Web application and Windows authentication –- a case study: The article explains how to secure user permissions using, specifically, "Integrated Windows Authentication."
- Security practices: ASP.NET 2.0 security practices at a glance: This white paper from the Microsoft Developer Network (MSDN) explains how to implement code access security, authorization, validate input and more.
|.NET Security Features & Mechanisms|
- Discover the power of .NET's code access security: This article details how to secure user privileges and protect important data using .NET's Link Demand and Strong Name features.
- User management and login security controls in ASP.NET: Dan Cornell explains how to use ASP.NET 2.0's built-in Forms Authentication function to secure user management in Microsoft Acess, Microsoft SQL Server, and Oracle.
- Forms Authentication differences in ASP.NET 2.0: What built-in security features does .NET 2.0 have? Dan Cornell explains.
- Limiting user access in ASP.NET: Strong authorization features are included in the ASP.NET 2.0 platform. This Expert Response explains how to use authorization to control user access and protect Admin, Client and Customer directories.
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: Lengthy instructions from MSDN for building security features into your .NET applications.
- How To: Secure an ASP.NET application by using Windows security: Instructions for creating a .NET Web application with robust authentication and authorization.
- Securing a .NET application on the Oracle database: Includes proxy authentication, Windows authentication and even a section on preventing SQL injection.
- Encryption and .NET application security: Many cryptographic features are already built into the .NET platform. Dan Cornell discusses these and other encryption options in this Expert Response.
- .NET encryption simplified: Detailed information on encryption capabilities, including numerous code samples.
|.NET Threats and Vulnerabilities|
- Threat modeling Web applications: From MSDN, an intensive tutorial on threat modeling and how to apply it to your Web applications.
- Threat modeling enhanced with misuse cases: Proper threat modeling, especially when boosted with misuse cases, can prevent many common and serious application exploits such as SQL injection, brute force attacks and sniffing attacks.
- Secure Coding Practices for Microsoft .NET Applications, 2003 (PDF) : This white paper by Amit Klein addresses common ASP.NET security vulnerabilities such as parameter tampering and SQL injection and offers coding solutions for them.
- Guarding against XSS in ASP.NET: Preventing cross-site scripting attacks in .NET applications is similar to XSS prevention on other platforms. However, there are security features in .NET that boost security against this exploit.
- SQL injection: Developers fight back: Anurag Agarwal provides 10 steps for preventing this common application security attack. Input validation is explored in further detail, and code samples are included.
Here is a list of tutorials from the Open Web Application Security Project, commonly known as OWASP. Each of these chapters is from the OWASP Guide to Building Secure Web Applications and Web Services.
|.NET and Web Services|
- Why are Web services more vulnerable than other Web apps?: Web application security must be modified to fit the unique needs of Web services. Rami Jaamour explains what these differences are and what extra security steps should be taken.
- Building a universal Web services ID
- Using role-based security with Web Services Enhancements 2.0
- A developer's roadmap to using WS-Security
- Certificate validation callbacks in Indigo
- Attacking Web services: The next generation of vulnerable enterprise apps (PDF)
The importance of WS-Security: Expert Rami Jaamour explains what the Web Services Security standard is and how the measures it recommends surpass mere SSL for more secure apps.
How does WS-Security relate to other WS- standards?: Detailed explanation of the WS-Security standard and other Web Services standards from OASIS.
|.NET Security Tools|
- Compuware updates ASP.NET security tool
- Get automated security testing for .NET applications
- Generate token for public key in text format
- Digital signature generation
- Developmentor security utilities
- Parasoft .TEST
- Session Viewer
- Token Dump Component
- Visual Input Security
- Professional validation and more
- Samoa: Formal tools for securing Web services
|.NET Security Code Samples|
- VBCode.com security downloads
- Secondary Login from C#
- User Right Enumerator
- IdentitySink Remoting Channel Sink
- Publisher Policy
- Exploring Security WSE 3.0 Hands-on Labs
- Windows Federated Identity Resource Kit
|Other Useful Resources|
|Expert advice on .NET security
Do you have a question about .NET security that you're having trouble getting answered? .NET security expert Dan Cornell can help. Read advice he has given or submit your own questions.
- .NET Reference Guide .NET Application Security
- .NET Security Blog
- ASP.NET 2.0 Security Wiki Test Drive (Wiki)
- ASP.NET discussion forum
- Digital Black Belt Developer Security Webcast Series
- Security articles by Michael Howard
- DNZone security articles
- Building Secure Microsoft ASP.NET Applications (Book)
- Hacking the Code: ASP.NET Web Application Security (Book)
- Using Advanced Microsoft .NET Application Security Techniques (Online course)
Dig Deeper on Building security into the SDLC (Software development life cycle)