Robb Schiefer
8 years of service
Solutions Architect
Who is responsible for security?
Everyone, but management has to drive
http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html#slide10
How?
Established in 2001
Open community with Wiki-based site
Incredible resource for security information
https://www.owasp.org/index.php/Category:OWASP_.NET_Project
https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
Troy Hunt (Microsoft MVP), contributor - http://www.troyhunt.com/
Topics
.NET Framework Guidance
ASP.NET Webforms Guidance
ASP.NET MVC Guidance
XAML Guidance
Windows Forms Guidance
WCF Guidance
Install/Updates
Enable tracing
Release debug build
Leave ELMAH log enabled
Disable custom errors
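The four items above are production misconfigurations that the .NET guidance warns about. As an added example (not a slide from this deck), the web.config fragment below shows each weak setting in a comment next to the hardened value. Element names are standard ASP.NET; the elmah section assumes the ELMAH NuGet package is installed, and the "Administrator" role name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: hardened production web.config for an ASP.NET site.
     Each commented "Weak:" line is the setting the deck tells you not to ship. -->
<configuration>
  <configSections>
    <!-- Registered by the ELMAH package; shown so the fragment is complete. -->
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <system.web>
    <!-- Weak: <compilation debug="true" /> ships a debug build: request
         timeouts are ignored and error pages carry far more detail. -->
    <compilation debug="false" targetFramework="4.5" />

    <!-- Weak: <customErrors mode="Off" /> returns the yellow screen of death
         (stack trace, source fragment, framework version) to every visitor.
         RemoteOnly keeps that detail for requests from localhost. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

    <!-- Weak: <trace enabled="true" localOnly="false" /> exposes trace.axd,
         which lists recent requests with their form, cookie and server
         variables. -->
    <trace enabled="false" />
  </system.web>

  <!-- Weak: <security allowRemoteAccess="true" /> publishes elmah.axd, the
       full error log including request details, to anyone on the internet. -->
  <elmah>
    <security allowRemoteAccess="false" />
  </elmah>

  <!-- Defence in depth: even if remote access is later enabled for an admin,
       the handler path itself requires an authenticated role. -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Pairing this with a web.config transform (Web.Release.config) that forces debug="false" and customErrors mode="RemoteOnly" on publish removes the "forgot to flip it back" failure mode that the checklist is really about.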
Cross-site Scripting (XSS)
Authentication code
Authentication or membership code may seem easy, but you won't cover all the
bases
Leave it to professionals
Example - Salted Password Hashing
Example - Cross Site Request Forgery
Data Hacks - Validation & Leakage
Validate Model Data
Just because you don't put a field in the UI doesn't mean the user can't
change it
You must validate the data that comes from a user
$("#Biography").after('<input name="UserVotes" value="100"/>')
MVC provides the UpdateModel method on the Controller class
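The jQuery line above injects a UserVotes field that the form never offered. Whether it is honoured depends entirely on how the controller calls UpdateModel. The following is an added example, not code from the deck: a profile edit action in its over-posting-prone form next to a hardened one. UserProfile, IProfileRepository and the action names are assumed for illustration; UpdateModel and TryUpdateModel are the real System.Web.Mvc.Controller methods.

```csharp
// Added example (not from the deck): over-posting at the UpdateModel call.
using System.Web.Mvc;

public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Biography { get; set; }
    public int UserVotes { get; set; }   // server-managed, never user-editable
    public bool IsAdmin { get; set; }    // server-managed, never user-editable
}

public interface IProfileRepository   // assumed persistence abstraction
{
    UserProfile Get(int id);
    void Save(UserProfile profile);
}

public class ProfileController : Controller
{
    private readonly IProfileRepository _repo;

    public ProfileController(IProfileRepository repo) { _repo = repo; }

    // VULNERABLE: with no include list, the default binder copies every posted
    // field whose name matches a property, so the injected
    // <input name="UserVotes" value="100"/> is written straight to the model.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(int id)
    {
        var profile = _repo.Get(id);
        if (profile == null) return HttpNotFound();

        UpdateModel(profile);
        _repo.Save(profile);
        return RedirectToAction("Details", new { id });
    }

    // HARDENED: an explicit allow-list of bindable properties. UserVotes and
    // IsAdmin are ignored no matter what the request body carries, and the
    // Try* form lets validation failures redisplay the view instead of throwing.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var profile = _repo.Get(id);
        if (profile == null) return HttpNotFound();

        if (!TryUpdateModel(profile, new[] { "DisplayName", "Biography" }))
            return View(profile);

        _repo.Save(profile);
        return RedirectToAction("Details", new { id });
    }
}
```

The equivalent design-level fix is to bind to a dedicated edit view model that simply has no UserVotes or IsAdmin property, then copy the permitted fields onto the entity; either way the rule is the same: the server decides which fields are writable, not the shape of the form.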
Sequential or Guessable Identifiers
Users are smart and will push beyond the limitations of your UI
Sequential or guessable identifiers are an invitation
Block unintended usage by validating user access
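As an added example (not code from the deck), here is the access check the slide is asking for: an order lookup in its guessable-id form and in a form where the caller's identity is part of the lookup. Order, IOrderRepository and the route are assumed for illustration.

```csharp
// Added example (not from the deck): stop trusting the id in the URL alone.
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Total { get; set; }
}

public interface IOrderRepository   // assumed persistence abstraction
{
    Order Get(int id);
}

[Authorize]
public class OrdersController : Controller
{
    private readonly IOrderRepository _orders;

    public OrdersController(IOrderRepository orders) { _orders = orders; }

    // VULNERABLE: any authenticated user who changes /Orders/Details/1042 to
    // 1043 sees someone else's order. A sequential id makes that trivial,
    // but a GUID would only slow it down; the missing piece is the check.
    public ActionResult DetailsUnsafe(int id)
    {
        var order = _orders.Get(id);
        if (order == null) return HttpNotFound();
        return View(order);
    }

    // HARDENED: ownership is verified against the authenticated identity.
    // "Missing" and "not yours" both return 404 so the response does not
    // reveal which ids exist.
    public ActionResult Details(int id)
    {
        var order = _orders.Get(id);
        if (order == null || order.OwnerUserName != User.Identity.Name)
            return HttpNotFound();
        return View(order);
    }
}
```

In practice the ownership predicate belongs in the repository or service query (fetch by id and owner together) so that no controller can forget it; the controller version above is the smallest change that shows the principle.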
Published SetParameters Files
ASafaWeb
https://asafaweb.com/
Acunetix
http://www.acunetix.com/vulnerability-scanner/
Cigital SecureAssist
https://www.cigital.com/services/secure-development/secureassist/
Questions?
Feel free to reach out after the conference to ask more questions or provide
feedback. Thank you!