views:

101

answers:

3

I am on a project that involves processing financial information, and so I need to write secure ASP.NET pages using C# 2008 (HTTPS etc.).

Can anyone recommend any tutorials that can help me understand more about writing secure ASP.NET apps?

Thanks

A: 

Here is a good place to start:

The Anti Cross Site Scripting library from Microsoft:

http://channel9.msdn.com/posts/Jossie/Anti-XSS-Library-v31-Find-Fix-and-Verify-Errors/

Also, I'd assume you are going to use Verisign. Here is a good link from Microsoft:

http://support.microsoft.com/kb/293817

Edit: I should also add one thing to note. Don't have any Internet-facing data that is sensitive. If you don't need it, don't collect or store it on the server that is exposed to the Internet.

Fiddler is a great way to try to spoof data in your own application to see if there is a security hole. There are video tutorials on how to do this on the download site: http://www.fiddler2.com/fiddler2/

Here are some more tutorials on security from Microsoft including crypto: http://msdn.microsoft.com/en-us/library/ms978512.aspx

Another good overview on security: http://davidhayden.com/blog/dave/archive/2005/10/23/2527.aspx

One last good link, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: http://msdn.microsoft.com/en-us/library/aa302387.aspx

Also, a stackoverflow question that is related: http://stackoverflow.com/questions/923154/what-measures-should-i-take-to-secure-my-multi-tier-asp-net-application

Cj Anderson
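The two kinds of hole the answer above points at (untrusted input echoed into the page, which the Anti-XSS library's encoders address, and form or query values that a proxy such as Fiddler lets the user edit before they reach the server) are shown below as an added example in Python; it is not part of the original answer. The request dicts, the CATALOGUE price list and the function names are constructed for illustration. In ASP.NET the encoding call is HttpUtility.HtmlEncode from System.Web (or AntiXss.HtmlEncode from the Anti-XSS library); the server-side lookup would be a database read.

```python
"""Added example (not from the original answer): a vulnerable handler beside
its fixed form for each of two holes a proxy like Fiddler will surface.

The `request` dicts stand in for the query string / form fields of one HTTP
request; everything in them is under the client's control.
"""
from decimal import Decimal, InvalidOperation
from html import escape

# Constructed server-side price list; a real app reads this from the database.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("120.00")}


def greeting_vulnerable(request: dict) -> str:
    """Reflected XSS: the 'name' parameter is dropped straight into markup."""
    return "<p>Hello, " + request.get("name", "") + "</p>"


def greeting_fixed(request: dict) -> str:
    """Same page, but the untrusted value is HTML-encoded before it lands in
    markup. quote=True also encodes quotes so the result is safe inside an
    attribute value, not only inside element text."""
    return "<p>Hello, " + escape(request.get("name", ""), quote=True) + "</p>"


def checkout_vulnerable(request: dict) -> Decimal:
    """Charges whatever 'unit_price' the browser sent back in a hidden field.
    Editing that field in Fiddler changes the amount billed."""
    return Decimal(request["unit_price"]) * int(request["qty"])


def checkout_fixed(request: dict) -> Decimal:
    """Ignores any client-supplied price: the server re-derives the amount
    from its own catalogue, and rejects anything it cannot validate."""
    sku = request.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    try:
        qty = int(request.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # 'unit_price' in the request, tampered or not, is never read.
    return CATALOGUE[sku] * qty


if __name__ == "__main__":
    # Constructed requests as a tampering proxy would submit them.
    xss = {"name": "<script>alert(1)</script>"}
    tampered = {"sku": "SKU-200", "qty": "2", "unit_price": "0.01"}
    print(greeting_vulnerable(xss))
    print(greeting_fixed(xss))
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("fixed charges:     ", checkout_fixed(tampered))
```

The fixed checkout treats every field as hostile: the SKU must exist, the quantity must parse and fall in a sane range, and the price is recomputed from the server's own record, so editing the hidden field in Fiddler no longer changes what is billed.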
A: 

Hi,

If you are interested in using an SSL certificate to secure your site and its pages, keep in mind SSL is a technology that is in place at the Transport layer, meaning it is independent of what programming framework or language you are using. SSL certificates are installed either via IIS or the MMC certificates snap-in on the server/PC.

There are a few steps involved in using an SSL cert with IIS:

  1. Generate a Certificate Request in IIS
  2. Submit the Cert request to a trusted Certificate Authority (3rd party vendor such as Verisign, DigiCert, Thawte, etc.)
  3. Install Certificate provided by vendor on server and apply it to your website

For testing, you can use makecert.exe to generate self-signed certificates. These will work in your browser for testing your app, but should never be used in production. Here's a good stackoverflow answer that suits your needs:

http://stackoverflow.com/questions/496658/using-makecert-for-development-ssl

Once you go into production, you'll need a cert from a real Certificate Authority. Once you choose a vendor, they will have specific instructions on how to generate the certificate. I recently used DigiCert and was happy with them.

In addition to implementing an SSL certificate, you of course need to make your actual website/application secure using authentication, roles, etc.

Here's a good primer on the ASP.NET security features:

http://msdn.microsoft.com/en-us/library/aa302388.aspx

KP
+2  A: 

There's a whole book on this topic, Dominick Baier's Developing More-Secure Microsoft ASP.NET 2.0 Applications. It is outstanding, and has a ton of features and techniques that you won't find anywhere else, at least not without a lot of digging. I've used this book for web security design on two projects, and I highly recommend it.

EDIT TO ADD: Second recommendation, Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World. While much of the code in this book is about unmanaged code, the sections on understanding good security development practices, threat modeling, etc., really tell you what you need to be thinking about as you design and evaluate your web site's security issues.

Cylon Cat