Table 7.1 recaps the threats and solutions to some common web security issues.
Threat | Solutions |
Complacency | Educate yourself. Assume your applications will be attacked. Remember that protecting user data is your responsibility. |
Cross-Site Scripting (XSS) | HTML-encode all output. Encode attribute values separately. Use JavaScript encoding for values placed inside script. Use the AntiXSS library. |
Cross-Site Request Forgery (CSRF) | Anti-forgery token verification (Html.AntiForgeryToken paired with ValidateAntiForgeryToken). Keep GETs idempotent so state changes only on POST. Validate the Referer header (Request.UrlReferrer) as a secondary check. |
Over-Posting | Use the Bind attribute's Include list to explicitly whitelist fields. Use Exclude blacklists sparingly. |
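The following controller is an added example, not code from the book, showing the three Table 7.1 mitigations in one ASP.NET MVC 2 controller: anti-forgery tokens on a state-changing POST, a Bind whitelist that keeps an attacker from over-posting a privileged field, and context-specific encoding with the AntiXSS library. The Comment model, the in-memory store, the SecurityDemo namespace and the AntiXSS 4.x Encoder class are assumptions made for the example (earlier AntiXSS releases expose the same methods on the AntiXss class). Referer validation is not shown; the token is the primary CSRF check.

```csharp
// Added example, not code from the book: one ASP.NET MVC 2 controller that applies
// the Table 7.1 mitigations for XSS, CSRF and over-posting. The Comment model,
// the in-memory store and the SecurityDemo namespace are assumptions for the demo.
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library (Encoder class, assumed v4.x)

namespace SecurityDemo
{
    // Hypothetical model. IsApproved is the field an over-posting attack would
    // try to set by adding "IsApproved=true" to the POST body.
    public class Comment
    {
        public int Id { get; set; }
        public string Author { get; set; }
        public string Body { get; set; }
        public bool IsApproved { get; set; }
    }

    public class CommentsController : Controller
    {
        // Stand-in for a repository so the example is self-contained.
        private static readonly Dictionary<int, Comment> Store = new Dictionary<int, Comment>();

        // GET renders the form and changes no state (idempotent GET).
        [HttpGet]
        public ActionResult Create()
        {
            return View(new Comment());
        }

        // CSRF: POST only, and the request must carry the anti-forgery token that
        // Html.AntiForgeryToken() wrote into the form, matched against its cookie.
        // Over-posting: Bind(Include) whitelists the fields the client may set;
        // IsApproved is not in the list, so the model binder ignores it.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create([Bind(Include = "Author,Body")] Comment comment)
        {
            if (string.IsNullOrEmpty(comment.Body))
            {
                ModelState.AddModelError("Body", "A comment body is required.");
                return View(comment);
            }

            comment.IsApproved = false;   // the server decides this, never the request
            lock (Store)
            {
                comment.Id = Store.Count + 1;
                Store[comment.Id] = comment;
            }
            return RedirectToAction("Details", new { id = comment.Id });
        }

        // XSS: user-supplied text is encoded for the context it lands in.
        // The view echoes these pre-encoded values with <%= %>, or the raw model
        // with <%: %>, and never raw model values with <%= %>.
        [HttpGet]
        public ActionResult Details(int id)
        {
            Comment comment;
            lock (Store)
            {
                if (!Store.TryGetValue(id, out comment))
                    throw new HttpException(404, "Comment not found");
            }
            ViewData["AuthorHtml"] = Encoder.HtmlEncode(comment.Author);          // HTML body text
            ViewData["AuthorAttr"] = Encoder.HtmlAttributeEncode(comment.Author); // inside an attribute value
            ViewData["BodyJs"] = Encoder.JavaScriptEncode(comment.Body);          // inside a script literal (emits the quotes)
            return View(comment);
        }
    }
}

/* Matching ASPX view fragments (also added here, not from the book):

   Create.aspx: the form carries the token the POST action validates.
     <% using (Html.BeginForm()) { %>
       <%= Html.AntiForgeryToken() %>
       <%= Html.TextBoxFor(m => m.Author) %>
       <%= Html.TextAreaFor(m => m.Body) %>
       <input type="submit" value="Post" />
     <% } %>

   Details.aspx: each output is encoded for its context.
     <h2 title="<%= ViewData["AuthorAttr"] %>"><%= ViewData["AuthorHtml"] %></h2>
     <p><%: Model.Body %></p>                     <!-- MVC 2 <%: %> HTML-encodes -->
     <script>var body = <%= ViewData["BodyJs"] %>;</script>
*/
```

To check the over-posting defence, submit the Create form with an extra field `IsApproved=true` (for instance with a browser's developer tools) and confirm the stored comment still has IsApproved false; to check the CSRF defence, replay the same POST without the `__RequestVerificationToken` field and confirm the request is rejected.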
ASP.NET MVC gives you the tools you need to keep your website secure, but it's up to you to apply them wisely. True security is an ongoing effort: you have to monitor your application and adapt as threats evolve. It's your responsibility, but you're not alone. Plenty of great resources are available, both in the Microsoft web development sphere and in the Internet security world at large. Table 7.2 lists some resources to get you started.
Resource | URL |
Microsoft Security Developer Center | http://msdn.microsoft.com/en-us/security/default.aspx |
Book: Beginning ASP.NET Security (Barry Dorrans) | http://www.wrox.com/WileyCDA/WroxTitle/Beginning-ASP-NET-Security.productCd-0470743654.html |
Free ebook: OWASP Top 10 for .NET developers (Troy Hunt) | http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html |
Microsoft Code Analysis Tool .NET (CAT.NET) | http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en |
AntiXSS | http://antixss.codeplex.com/ |
Microsoft Information Security Team (makers of AntiXSS and CAT.NET) | http://blogs.msdn.com/securitytools |
Open Web Application Security Project (OWASP) | http://www.owasp.org/ |