Getting started with writing secure ASP.NET MVC Code

Over the last few years, I have become very focused on writing secure code.  One of the main driving forces for this is the number of security assessments my application has undergone over the last few years as well as the plethora of information now easily accessible.  So where does one start with writing secure code?  More than likely you already have already started.  But this is a question every developer needs to ask themselves and figure out how to keep up with the latest and greatest.

OWASP

Unless you have been living under a rock for the past decade, then you should already know who OWASP is.  But since some still don’t know, OWASP stands for “Open Web Application Security Project”.

https://www.owasp.org

Note:   you cannot access the OWASP website over HTTP.  First lesson about securing your web applications.  Use HTTPS all the time!

Every year OWASP puts out a Top 10 list.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Troy Hunt

Troy Hunt is awesome! Who is he? Quoting from his web site, Troy Hunt is a “Software Architect and Microsoft MVP”. He writes about security concepts and process improvements for software delivery.

Visit his site (www.troyhunt.com) and follow him on Twitter

I stumbled upon his book in early 2012. I am still amazed at how much information is in this book and the time and dedication he put into it. His book covers the Top 10 OWASP Issues for ASP.NET Web Applications. This awesome book is located here:

http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

Read it! It is a quick read and will enlighten you to so many topics on security. The book was written for ASP.NET Web Forms; however, it can easily be adopted to ASP.NET MVC. Some of my future topics will cover this.

If you are a member of Pluralsight, you can watch his videos at:

http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks

Fiddler 2

I love Telerik! Almost as much as my wife and kids. That said, I was nervous when they took over Fiddler. Not anymore. It is still free and they continue to improve it. What is important about Fiddler? Well if you read Troy Hunt’s book or watched his video, then you know how easy it is to test aspects of your application and security using Fiddler. For those of you who do not know about Fiddler, it is a free web debugging proxy which logs all HTTP traffic between your local machine and web application. You can use it to debug traffic on a PC, Max or Linux. You can check cookies, headers and cache directives. You can use it to tamper with client requests and server responses to see how your application is working. Plus many more great features…

You can find fiddler at http://fiddler2.com/.

Code Analysis in Visual Studio

Use it!!! All the time. Make it part of your process when checking in your code. It is very simple to do. The hardest part is making it a solid, consistent habit!

Use SSL

If you have a web application, use SSL. But unfortunately it is not that easy. You also have to make sure your server is configured properly. There HTTPS protocols that are not secure and allow “Man in the middle” attach or can easily be decrypted. To avoid that, you have to configure your server properly and keep up with the latest. Hard to do when you are a developer and should be something your system admins in production handle for you. More on this topic in a later blog…

Great Resources:

https://www.ssllabs.com/

Conclusion

Hope this info is helpful.   More security article to follow very soon!!!