
Securing ASP.NET Web Apps

for .NET developers (mostly applicable on other platforms too)
About EBSCO

Began in 1944 as a small subscription agency


EBSCO Industries, Inc. is in many industries today
EBSCO Information Services (EIS)
Business Systems Engineering
7 development teams

Committed to Lean and CD

Robb Schiefer
8 years of service
Solutions Architect
Who is responsible for security?
Everyone, but management has to drive

Target CEO Gregg Steinhafel resigns following last year's


Officials with the Maricopa County Community College District (MCCCD) voted
to fire Miguel Corzo, the director of the district's information-technology
department, in July 2014.
The Texas State Comptroller's office fired an undisclosed number of
information security executives.
The governor of Utah fired the head of the state's Department of Technology
Services (DTS), Stephen Fletcher.

http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html#slide10
How?

Make security a priority


Test for security
Require regular peer reviews
Perform security scans

It's not as hard as you think!


Top Web Vulnerabilities

Source: Acunetix Web Application Vulnerability Report 2015


Average # of Open Vulnerabilities

Source: WhiteHat 2015 Stats Report


OWASP: The Open Web Application Security Project

Established in 2001
Open community with Wiki-based site
Incredible resource for security information
https://www.owasp.org/index.php/Category:OWASP_.NET_Project

OWASP is an open community dedicated to enabling organizations to conceive,
develop, acquire, operate, and maintain applications that can be trusted.
OWASP .NET Cheatsheet

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
Troy Hunt (Microsoft MVP), contributor - http://www.troyhunt.com/
Topics
.NET Framework Guidance
ASP.NET Webforms Guidance
ASP.NET MVC Guidance
XAML Guidance
Windows Forms Guidance
WCF Guidance
Install/Updates

Install server updates/patches


Get the latest .NET updates
Migrate to later ASP.NET versions
Update Nuget packages periodically
Take advantage of security improvements in later versions
DEMO: Default ASP.NET Site Security
http://defaultaspnetsite.azurewebsites.net/
https://asafaweb.com/Scan?Url=defaultaspnetsite.azurewebsites.net
DEMO: ConfCore Site Security
http://confcore.azurewebsites.net/
https://asafaweb.com/Scan?Url=confcore.azurewebsites.net
Security atrophy

Enable tracing
Release debug build
Leave ELMAH log enabled
Disable custom errors
Cross-site Scripting (XSS)

XSS = Moving from a data context to a code context.


http://localhost:1771/Presenters?message=test<script>alert('XSS');</script>
http://localhost:1771/Presenters?message=test<script>prompt('Please enter your Social Security Number:', 'XXX-XX-XXXX');</script>
Validate your inputs against a character white list
ASP.NET 4 and earlier: use Request Validation
ASP.NET Core: avoid Html.Raw() unless it is applied to validated input
Encoding also applies to text emitted into JavaScript
Other solutions as well (HTTP modules, etc.)
Transport Layer Security (TLS/SSL)

TLS/SSL is required for any secure site.


This isn't a silver bullet.
Check the OWASP Transport Layer Protection Cheat Sheet for many rules
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
You are not qualified to write some code
Encryption algorithms
Encryption is incredibly complex, and few people in the world are qualified to write it
Leave it to professionals

Authentication code
Authentication or membership code may seem easy, but you won't cover all the bases
Leave it to professionals
Example - Salted Password Hashing
Example - Cross Site Request Forgery
Data Hacks - Validation & Leakage
Validate Model Data

Just because you don't put a field in the UI doesn't mean the user can't change it
You must validate the data that comes from a user
$("#Biography").after('<input name="UserVotes" value="100"/>')
MVC provides the UpdateModel method on the Controller class
Sequential or Guessable Identifiers

Users are smart and will push beyond the limitations of your UI
Sequential or guessable identifiers are an invitation
Block unintended usage by validating user access
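The over-posting trick shown above (injecting a hidden UserVotes input) and the guessable-id problem, as an added C# example that is not from the talk: a vulnerable ASP.NET MVC 5 action beside a hardened one. The Presenter entity, IPresenterRepository and the action names are constructed for illustration.

```csharp
using System.Web.Mvc;

// Constructed entity (example only): UserVotes must never be set by the profile owner.
public class Presenter
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Biography { get; set; }
    public int UserVotes { get; set; }
}

// Hypothetical persistence interface, stands in for whatever data layer the app uses.
public interface IPresenterRepository { Presenter Find(int id); void Save(Presenter p); }

public class PresentersController : Controller
{
    private readonly IPresenterRepository _repo;
    public PresentersController(IPresenterRepository repo) { _repo = repo; }

    // BEFORE: UpdateModel binds every posted field, so an injected
    // <input name="UserVotes" value="100"/> lands in the entity, and any logged-in
    // user can edit any id they can guess because ownership is never checked.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(int id)
    {
        var presenter = _repo.Find(id);
        UpdateModel(presenter);
        _repo.Save(presenter);
        return RedirectToAction("Details", new { id });
    }

    // AFTER: check that the record belongs to the caller, then bind only the
    // properties the form is allowed to change; the binder ignores everything else.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var presenter = _repo.Find(id);
        if (presenter == null || presenter.OwnerUserName != User.Identity.Name)
            return new HttpStatusCodeResult(403); // a 404 would also avoid confirming the id exists

        // Include list: UserVotes and OwnerUserName cannot be over-posted.
        if (!TryUpdateModel(presenter, includeProperties: new[] { "Biography" }))
            return View(presenter); // redisplay with validation errors

        _repo.Save(presenter);
        return RedirectToAction("Details", new { id });
    }
}
```

A dedicated edit view model containing only Biography achieves the same binding restriction without an include list.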
Published SetParameters Files

WebDeploy Parameterization files should never be published


Set their Build property to None in MVC 5 or earlier
Likely not a problem in ASP.NET/MVC Core
App Security Analysis Products/Services

ASafaWeb
https://asafaweb.com/

Acunetix
http://www.acunetix.com/vulnerability-scanner/

Cigital SecureAssist
https://www.cigital.com/services/secure-development/secureassist/
Questions?

Feel free to reach out after the conference to ask more questions or provide
feedback. Thank you!

Robb Schiefer, Solutions Architect at EBSCO Industries, Inc.


@chief7
dotnetcatch.com
bhmdot.net
