Security Programming in .Net

security image taken from zend.com

These are few tips how to add security programming in  .net app on code level.

Asp.net Version Disclosure

<system.web>
<httpRuntime  enableVersionHeader="false" />
</system.web>

Set Cookie to HttpOnly

<system.web>
<httpCookies httpOnlyCookies="true"/>
</system.web>

Set Custom Error

<system.web>
<customErrors mode="On" defaultRedirect="~/Controller/ErrorPage"></customErrors>
</system.web>

Custom Error Disabled

<system.web>
<customErrors mode="RemoteOnly">
</system.web>

Leaving Tracing Enabled in Web-Based Applications

<system.web> 
<trace enabled="false" localOnly="true">
</system.web>

Disabled Debugging

<system.web> 
<compilation debug="false">
</system.web>

Disabled Cookieless Session States

<system.web> 
<sessionState cookieless="UseCookies"> 
</system.web>

Input Validation :  A set of controls that verify the properties of all input data matches what is expected by the application including types, lengths, ranges, acceptable character sets and does not include known hazardous characters.

If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs and accounting for the utilization of that data throughout the application . Examples of common hazardous characters include: < > ” ‘ % ( ) & + \ \’ \”

Output Encoding

1. Encode all characters unless they are known to be safe for the intended interpreter
2. Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP
3. Sanitize all output of un-trusted data to operating system commands

Error Handling and Logging

1. Do not disclose sensitive information in error responses, including system details, session identifiers or account information
2. Use error handlers that do not display debugging or stack trace information
3. Implement generic error messages and use custom error pages

Database Security

1. Use strongly typed parameterized queries
2. Utilize input validation and output encoding and be sure to address meta characters. If these fail, do not run the database command
3. Ensure that variables are strongly typed

HTML Entity Encode: The process of replacing certain ASCII characters with their HTML entity equivalents. For example, encoding would replace the less than character “<” with the HTML equivalent “<“. HTML entities are ‘inert’ in most interpreters, especially browsers, which can mitigate certain client side attacks.

Prevent ClickJacking
More Info:

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet

Hopefully these few tips can be apply to improve security in  programming especially in .net

Here also few post regarding programming that you might interested