securing asp.net web applications
TRANSCRIPT
![Page 1: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/1.jpg)
Securing ASP.NET Web Apps for .NET developers (mostly applicable on other platforms too)
![Page 2: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/2.jpg)
About EBSCO
Began in 1944 as a small subscription agency
EBSCO Industries, Inc. is in many industries today
EBSCO Information Services (EIS)
Business Systems Engineering
7 development teams
Committed to Lean and CD
Robb Schiefer
8 years of service
Solutions Architect
![Page 3: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/3.jpg)
Who is responsible for security?
![Page 4: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/4.jpg)
Everyone, but management has to drive
Target CEO Gregg Steinhafel resigns following last year's …
Officials with the Maricopa County Community College District (MCCCD) voted to fire Miguel Corzo, the director of the district's information-technology department, in July 2014.
The Texas State Comptroller’s office fired an undisclosed number of information security executives.
The governor of Utah fired the head of the state’s Department of Technology Services (DTS), Stephen Fletcher…
http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html#slide10
![Page 5: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/5.jpg)
How?
Make security a priority
Test for security
Require regular peer reviews
Perform security scans
It’s not as hard as you think!
![Page 6: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/6.jpg)
![Page 7: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/7.jpg)
Top Web Vulnerabilities
Source: Acunetix Web Application Vulnerability Report 2015
![Page 8: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/8.jpg)
Average # of Open Vulnerabilities
Source: WhiteHat 2015 Stats Report
![Page 9: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/9.jpg)
OWASP: The Open Web Application Security Project
Established in 2001
Open community with Wiki-based site
Incredible resource for security information
https://www.owasp.org/index.php/Category:OWASP_.NET_Project
OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and
maintain applications that can be trusted.
![Page 10: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/10.jpg)
OWASP .NET Cheatsheet
https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
Troy Hunt (Microsoft MVP), contributor - http://www.troyhunt.com/
Topics
.NET Framework Guidance
ASP.NET Webforms Guidance
ASP.NET MVC Guidance
XAML Guidance
Windows Forms Guidance
WCF Guidance
![Page 11: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/11.jpg)
Install/Updates
Install server updates/patches
Get the latest .NET updates
Migrate to later ASP.NET versions
Update Nuget packages periodically
Take advantage of security improvements in later versions
![Page 12: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/12.jpg)
DEMO: Default ASP.NET Site Security http://defaultaspnetsite.azurewebsites.net/
https://asafaweb.com/Scan?Url=defaultaspnetsite.azurewebsites.net
![Page 13: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/13.jpg)
DEMO: ConfCore Site Security http://confcore.azurewebsites.net/
https://asafaweb.com/Scan?Url=confcore.azurewebsites.net
![Page 14: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/14.jpg)
Security atrophy
Enable tracing
Release debug build
Leave ELMAH log enabled
Disable custom errors
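The four settings on this slide all live in web.config and tend to creep back in over time, so they are worth checking automatically. The following is an added example, not code from the talk: a small C# program that parses a web.config (a constructed sample is embedded, with every setting in its risky state) and reports each atrophy condition. The ELMAH `<elmah><security allowRemoteAccess>` element is the one ELMAH's own documentation uses; everything else is standard `<system.web>` configuration.

```csharp
// Added example (not from the slides): flag production-unsafe web.config settings.
using System;
using System.Collections.Generic;
using System.Xml.Linq;

public static class AtrophyCheck
{
    // Constructed web.config with every setting from the slide in its risky state.
    public const string ConstructedWebConfig = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <compilation debug=""true"" targetFramework=""4.5"" />
    <trace enabled=""true"" localOnly=""false"" />
    <customErrors mode=""Off"" />
  </system.web>
  <elmah>
    <security allowRemoteAccess=""1"" />
  </elmah>
</configuration>";

    public static IList<string> Findings(string webConfigXml)
    {
        var doc = XDocument.Parse(webConfigXml);
        var findings = new List<string>();
        XElement sysWeb = doc.Root?.Element("system.web");

        // Release debug build: <compilation debug="true"/> ships debug symbols and disables timeouts/caching.
        if (Is(Attr(sysWeb?.Element("compilation"), "debug"), "true"))
            findings.Add("compilation debug=\"true\": debug build deployed; set debug=\"false\" for release");

        // Enable tracing: trace.axd exposes request/session data unless localOnly (default true) is kept.
        XElement trace = sysWeb?.Element("trace");
        if (Is(Attr(trace, "enabled"), "true") && !Is(Attr(trace, "localOnly") ?? "true", "true"))
            findings.Add("trace enabled and localOnly=\"false\": /trace.axd readable by remote clients");

        // Disable custom errors: mode="Off" returns stack traces and source snippets to every user.
        if (Is(Attr(sysWeb?.Element("customErrors"), "mode"), "Off"))
            findings.Add("customErrors mode=\"Off\": error details shown to users; use \"On\" or \"RemoteOnly\"");

        // Leave ELMAH log enabled: allowRemoteAccess lets anyone browse elmah.axd with full request details.
        string remote = Attr(doc.Root?.Element("elmah")?.Element("security"), "allowRemoteAccess");
        if (Is(remote, "1") || Is(remote, "true") || Is(remote, "yes"))
            findings.Add("elmah allowRemoteAccess on: error log readable remotely; set to 0 or restrict with <location>");

        return findings;
    }

    private static string Attr(XElement e, string name) => e?.Attribute(name)?.Value;

    private static bool Is(string value, string expected) =>
        value != null && value.Equals(expected, StringComparison.OrdinalIgnoreCase);

    public static void Main()
    {
        foreach (string f in Findings(ConstructedWebConfig))
            Console.WriteLine(f);
    }
}
```

Run against the constructed sample the program reports all four conditions; run against a clean release web.config it reports none. A check like this fits naturally into the peer-review or CD pipeline steps the deck recommends earlier, so a debug build or re-enabled trace never reaches production unnoticed.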
![Page 15: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/15.jpg)
Cross-site Scripting (XSS)
XSS = Moving from a data context to a code context.
http://localhost:1771/Presenters?message=test<script>alert('XSS');</script>
http://localhost:1771/Presenters?message=test<script>prompt('Please enter
your Social Security Number:', 'XXX-XX-XXXX');</script>
Validate your inputs against a character white list
ASP.NET 4 and earlier: use Request Validation
ASP.NET Core: avoid Html.Raw() unless it is applied to validated input
The same encoding discipline applies to text emitted into JavaScript
Other solutions exist as well (HTTP modules, etc.)
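The two controls the slide names, a white list on input and encoding on output, look like this in code. This is an added example, not code from the talk or from the demo site: it takes the same `message` payload used above as a constructed input, rejects it with a white-list check, and shows the difference between emitting it raw (what `Html.Raw()` does) and HTML- or JavaScript-encoding it. The encoders are `System.Text.Encodings.Web.HtmlEncoder` and `JavaScriptEncoder`, the ones ASP.NET Core's Razor uses for `@message`; on ASP.NET 4 and earlier `HttpUtility.HtmlEncode` plays the same role.

```csharp
// Added example (not from the slides): white-list validation plus context-specific output encoding.
using System;
using System.Text.Encodings.Web;        // HtmlEncoder, JavaScriptEncoder (System.Text.Encodings.Web)
using System.Text.RegularExpressions;

public static class MessageRendering
{
    // Constructed input: the payload the slide sends in ?message=
    public const string ConstructedPayload = "test<script>alert('XSS');</script>";

    // White list: letters, digits, space and a few punctuation marks, bounded length.
    private static readonly Regex Allowed = new Regex(@"^[A-Za-z0-9 .,!?'-]{0,200}$");

    // Input side: reject anything outside the white list before it is stored or echoed.
    public static bool IsValidMessage(string message) =>
        message != null && Allowed.IsMatch(message);

    // Vulnerable: data is dropped straight into markup, moving it from a data context to a code context.
    // This is what @Html.Raw(message) produces in a view.
    public static string RenderRaw(string message) => "<p>" + message + "</p>";

    // Safe for an HTML element context: '<', '>', quotes and '&' become entities, so the browser
    // renders the tags as text instead of executing them. Razor's @message does this automatically.
    public static string RenderEncoded(string message) =>
        "<p>" + HtmlEncoder.Default.Encode(message) + "</p>";

    // Safe for a JavaScript string context: HTML encoding is the wrong encoder here,
    // so a separate encoder escapes quotes, backslashes and '<'/'>' for a JS literal.
    public static string RenderForJs(string message) =>
        "var message = \"" + JavaScriptEncoder.Default.Encode(message) + "\";";

    public static void Main()
    {
        Console.WriteLine(IsValidMessage(ConstructedPayload));   // False: '<' and '>' are not on the white list
        Console.WriteLine(IsValidMessage("Hello, presenters!")); // True
        Console.WriteLine(RenderRaw(ConstructedPayload));        // tags survive intact; the script would run
        Console.WriteLine(RenderEncoded(ConstructedPayload));    // tags rendered as text
        Console.WriteLine(RenderForJs(ConstructedPayload));      // safe inside a JS string literal
    }
}
```

Use both layers: the white list stops bad data at the boundary, and output encoding protects the cases the white list missed or data that arrived by another route (database imports, other services). Pick the encoder by the context the data lands in, HTML element, attribute or JavaScript, not by where it came from.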
![Page 16: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/16.jpg)
Transport Layer Security (TLS/SSL)
TLS/SSL is required for any secure site.
This isn’t a silver bullet.
Check the OWASP Transport Layer Protection Cheat Sheet for many rules
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
![Page 17: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/17.jpg)
You are not qualified to write some code
Encryption algorithms
Encryption is incredibly complex, and few people in the world are qualified to write it
Leave it to professionals
Authentication code
Authentication or membership code may seem easy, but you won’t cover all the bases
Leave it to professionals
Example - Salted Password Hashing
Example - Cross Site Request Forgery
![Page 18: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/18.jpg)
Data Hacks - Validation & Leakage
![Page 19: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/19.jpg)
![Page 20: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/20.jpg)
Validate Model Data
Just because you don’t put a field in the UI doesn’t mean the user can’t change it
You must validate the data that comes from a user
$("#Biography").after('<input name="UserVotes" value="100"/>')
MVC provides the UpdateModel method on the Controller class
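The jQuery line above adds a hidden `UserVotes` input to the form; if the controller binds the whole posted form onto the entity, that value is saved. The following is an added example, not the demo site's code, showing an MVC 5 controller that does exactly that next to one that passes an include list to `TryUpdateModel`, the include-list overload of the `UpdateModel` method the slide refers to. The `Presenter` class and `IPresenterRepository` interface are assumed stand-ins for the real model and data layer.

```csharp
// Added example (not from the slides): over-posting versus an explicit include list in MVC 5.
using System.Web.Mvc;

public class Presenter
{
    public int Id { get; set; }
    public string Biography { get; set; }
    public int UserVotes { get; set; }   // never meant to be set by the presenter editing their profile
}

// Assumed data-access abstraction so the controller is self-contained.
public interface IPresenterRepository
{
    Presenter Find(int id);
    void Save(Presenter presenter);
}

public class PresentersController : Controller
{
    private readonly IPresenterRepository _repo;

    public PresentersController(IPresenterRepository repo) { _repo = repo; }

    // Vulnerable: binds every posted field by name, so the injected UserVotes=100 from the slide
    // is written to the entity even though the form never rendered that field.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(int id)
    {
        Presenter presenter = _repo.Find(id);
        if (presenter == null) return HttpNotFound();
        UpdateModel(presenter);
        _repo.Save(presenter);
        return RedirectToAction("Details", new { id });
    }

    // Safer: only the properties the form is meant to edit are bound; extra posted fields are ignored.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        Presenter presenter = _repo.Find(id);
        if (presenter == null) return HttpNotFound();
        if (!TryUpdateModel(presenter, includeProperties: new[] { "Biography" }))
            return View(presenter);      // validation errors go back to the form
        _repo.Save(presenter);
        return RedirectToAction("Details", new { id });
    }
}
```

An include list is the minimal fix; the more robust pattern is a dedicated edit view model that only has the editable properties, so there is nothing extra to bind in the first place. ASP.NET Core offers the same control through `TryUpdateModelAsync` with property expressions, and the `[Bind]` attribute on action parameters works in both.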
![Page 21: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/21.jpg)
Sequential or Guessable Identifiers
Users are smart and will push beyond the limitations of your UI
Sequential or guessable identifiers are an invitation
Block unintended usage by validating user access
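Validating user access on every lookup is what stops the "change the number in the URL" walk this slide warns about. The block below is an added example, not the demo site's code: an MVC 5 controller whose unsafe action returns any record whose id exists, beside one that checks the record belongs to the caller and answers with a 404 either way. The `Submission` model and `ISubmissionRepository` are assumed stand-ins; ownership is tied to `User.Identity.Name` for simplicity.

```csharp
// Added example (not from the slides): ownership check on a record fetched by a guessable id.
using System;
using System.Web.Mvc;

public class Submission
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Body { get; set; }
}

// Assumed data-access abstraction.
public interface ISubmissionRepository
{
    Submission Find(int id);
}

public class SubmissionsController : Controller
{
    private readonly ISubmissionRepository _repo;

    public SubmissionsController(ISubmissionRepository repo) { _repo = repo; }

    // Pure function so the rule is unit-testable apart from the controller:
    // a record is visible only to the user who owns it.
    public static bool IsOwner(Submission s, string userName) =>
        s != null && userName != null &&
        string.Equals(s.OwnerUserName, userName, StringComparison.Ordinal);

    // Vulnerable: [Authorize] proves the caller is *someone*, not that /Submissions/DetailsUnsafe/42 is theirs.
    [Authorize]
    public ActionResult DetailsUnsafe(int id)
    {
        Submission s = _repo.Find(id);
        return s == null ? (ActionResult)HttpNotFound() : View(s);
    }

    // Safer: the ownership check runs on every lookup, and a foreign id is indistinguishable
    // from a missing one, so the response does not confirm which ids exist.
    [Authorize]
    public ActionResult Details(int id)
    {
        Submission s = _repo.Find(id);
        if (!IsOwner(s, User.Identity.Name))
            return HttpNotFound();
        return View(s);
    }
}
```

Switching to GUID identifiers makes guessing impractical but is not a substitute for the check: an id can still leak through logs, referrers or sharing, and the ownership test is what holds up when it does. Put the scoping in the data access layer (a query filtered by the current user) when you can, so no action can forget it.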
![Page 22: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/22.jpg)
Published SetParameters Files
WebDeploy Parameterization files should never be published
Set their Build property to “None” in MVC 5 or earlier
Likely not a problem in ASP.NET/MVC Core
![Page 23: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/23.jpg)
App Security Analysis Products/Services
ASafaWeb https://asafaweb.com/
Acunetix http://www.acunetix.com/vulnerability-scanner/
Cigital SecureAssist https://www.cigital.com/services/secure-development/secureassist/
![Page 24: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/24.jpg)
Questions?
Feel free to reach out after the conference to ask more questions or provide feedback. Thank you!
Robb Schiefer, Solutions Architect at EBSCO Industries, Inc.
@chief7
dotnetcatch.com
bhmdot.net
![Page 25: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/25.jpg)
![Page 26: Securing ASP.NET web applications](https://reader030.vdocuments.us/reader030/viewer/2022020203/589ee2ef1a28abe5498c0986/html5/thumbnails/26.jpg)