
Securing .NET Applications

Guiding Principles for Surviving a Cyber Attack

(Author)

Book | Softcover
380 pages
2020 | 1st ed.
Apress (Publisher)
978-1-4842-3666-6 (ISBN)
CHF 49,40 incl. VAT
  • This title will unfortunately not be published
Use the best practices taught in this book to defend your application against future attack patterns. You also will learn about other equally critical means of securing your application, including validation logic, threat modeling, authentication, authorization, and much more.
This book covers the role that .NET developers play when it comes to security. You will learn about cryptography, but that is not the only tool at your disposal. After reading this book you will come away feeling empowered and confident when it comes to taking charge of the application security issues that are in your control.


What You'll Learn

Understand the key concepts of software-based security in the context of application development

See how to structure a distributed application inside and outside of the firewall

Explore and recognize common attack vectors

Gain a thorough understanding of validations

Work through various examples of software security with a sense of humor

Embrace the power you have as a developer

Know the risks in order to ensure that development efforts work to mitigate the risks



Who This Book Is For
.NET developers, especially those who are developing applications that are visible on the Internet

Nick Harrison is a software developer with Vertical Alliance Group, a consultancy in Columbia, South Carolina, USA. He has more than 20 years of experience developing software, starting with Unix system programming and ultimately progressing to .NET. He has expertise in full life cycle development, from initial inception through post-deployment support and has worked on many projects, including a full-featured loan origination system for a prominent mortgage lender and rapid prototypes for small startups. Nick has strategic experience resolving problems identified with data access logic and other performance bottlenecks. He is often found presenting at user group meetings and is the author of many articles and books on a wide range of technical topics, including MVC, T4, Roslyn, Software Metrics, Design Patterns, Web Design, and more.

Chapter 1: Secure Computing in an Insecure World

This chapter introduces the concept of software-based security and places it in the context of the application developer.

Survey of Various Dangers

Understanding the Risks

No Such Thing as "Secure": Our Goal is Defensible

Security is Everyone's Concern, Especially the Developer




Chapter 2: Overview of Common Attack Vectors

In this chapter we will discuss some of the top attack patterns that frequently plague web applications.

Parameter Manipulation

Various Injections

Sensitive Data Exposure

(Other vectors)




Chapter 3: Security Principles

In this chapter we will give an overview of various guiding principles for secure programming. This chapter will include references to other chapters where these concepts are discussed in greater depth or real-world examples are showcased.

Fail Securely

Positive Security Model (White list)

Negative Security Model (Black list)

Minimize Attack Surface

Separation of Duties

Avoid Security Through Obscurity

Keep Security Simple

Don't Trust Services

Defense in Depth

Least Privilege

Establish Secure Defaults



Chapter 4: Validations in Practice

Blessed are the Paranoid for they Validate

In this chapter we will explore all things validation.

Don't Trust Users

Don't Trust Input Parameters from unknown sources

Don't Trust Input Files you didn't write

Don't trust data even from your own database

Overview of the Standard Validators

Validators are SQL Firewall Rules



Chapter 5: Application Topography for Security

Blessed are the Lonely for they Separate

In this chapter we discuss how to structure a distributed application, paying attention to what goes inside and outside of the firewall.

A Distributed Application Creates a Larger Attack Surface

Separate the Database from the Application Server

Properly Handling Connection Strings

What Should Stay Outside the Firewall

What Should Stay Inside the Firewall

How Do Servers Communicate?




Chapter 6: Mitigating Risk by Minimizing Privilege

Blessed are the Cautious for they Follow the Principle of Least Privilege

In this chapter we will introduce and explore the Principle of Least Privilege. We will see how this applies to the database specifically as well as to network resources in general.

The Database has all the Keys to the Kingdom

Separate Key Sensitive Data to a Separate Database

Isolate Key Sensitive Data in the Same Database with Separate Logins

Separate Transaction Data from Reporting Data

Understanding Access Control Lists



Chapter 7: Cryptography in Practice

Blessed are the Cryptic for Even Stolen Data is Secure

In this chapter we will discuss cryptography from an application perspective. We will review the common algorithms used, how they are executed, and we will discuss some best practices for using cryptography.

Cryptography Can Be a Self-Imposed Denial of Service if Used Wrong

Symmetric Cryptography

Asymmetric Cryptography

Digital Signatures

Hashing




Chapter 8: Authentication and Authorization

In this chapter we will discuss all things related to Authentication and Authorization. This may be split into two chapters; not sure yet.

Password complexity policies

Password resets

2 Factor Authentication

Idle Timeouts

Logging Out

Authorization Matrix

Access Control Lists

Protected Resources

Static Resources

Reauthorization

JWT (JSON Web Tokens)



Chapter 9: Securing Web Services

In this chapter we will discuss web services, the roles they play in modern web applications and how to properly secure them.



Chapter 10: Threat Modeling

In this chapter we will step through the Microsoft Threat Modeling Process. We will discuss the importance of modeling, review the individual steps, and discuss ways to incorporate this into your development lifecycle.

Identify Security Objectives

Survey the Application

Decompose the Application

Identify Threats

STRIDE

DREAD




Chapter 11: Best Practices

This will be a wrap-up chapter that reiterates all the best practices identified throughout the book. Best practices will be grouped by chapter, giving the reader a quick link back to where the best practice was introduced so they can quickly get more context.

Publication date (per publisher) 2.11.2020
Additional info XX, 380 p.
Place of publication Berkley
Language English
Dimensions 155 x 235 mm
Subject area Computer Science / Networks / Security / Firewall
Mathematics / Computer Science / Programming Languages / Tools
Mathematics / Computer Science / Software Development
Keywords authentication and authorization • Computer Security • Defense in Depth • Fail Securely • .NET Security • Preventing a data breach • Prevent SQL Injection • Software attack patterns • Software Authentication • Software Security • Software Topography • web service security
ISBN-10 1-4842-3666-1 / 1484236661
ISBN-13 978-1-4842-3666-6 / 9781484236666
Condition New