Summary: It's Up to You

We started the chapter off this way, and it's appropriate to end it this way: ASP.NET MVC gives you a lot of control and removes a lot of the abstraction that some developers considered an obstacle. With greater freedom comes greater power, and with greater power comes greater responsibility.

Microsoft is committed to helping you “fall into the pit of success” — meaning that the ASP.NET MVC team wants the right thing to be apparent and simple to develop. Not everyone's mind works the same way, however, and there will undoubtedly be times when the ASP.NET MVC team made a decision with the framework that might not be congruent with the way you've typically done things. The good news is that when this happens, you have a way to implement it your own way—which is the whole point of ASP.NET MVC.

There's no silver bullet with security—you need to consider it throughout your development process and in all components of your application. Bullet-proof database security can be circumvented if your application allows SQL injection attacks; strict user management falls apart if attackers can trick users into giving away their passwords by exploiting vulnerabilities like open redirection attacks. Computer security experts recommend that you respond to a wide attack surface with a strategy known as defense in depth. This term, derived from military strategy, relies on layered safeguards so that even if one security area is breached, the entire system is not compromised.
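As an added illustration of the two failure modes named above (example code, not from the book): a login action that blindly follows a `returnUrl` next to one guarded with `Url.IsLocalUrl` (available in ASP.NET MVC 3 and later), and a user lookup that passes its input as a query parameter rather than concatenating it into SQL. The controller, action, connection-string and table names are assumed.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Mvc;
using System.Web.Security;

// Added example; AccountController, the "AppDb" connection string and the Users table are assumed names.
public class AccountController : Controller
{
    // BEFORE: an open redirect. Whatever returnUrl the request carries is followed, so a
    // crafted login link can bounce an authenticated user to a site of someone else's choosing.
    [HttpPost]
    public ActionResult LoginUnsafe(string username, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(username, password))
            return View();
        FormsAuthentication.SetAuthCookie(username, false);
        return Redirect(returnUrl);
    }

    // AFTER: only a local (same-application) URL is honoured; anything else falls back to Home.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(username, password))
            return View();
        FormsAuthentication.SetAuthCookie(username, false);
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Second layer (defense in depth): the data-access code takes its input as a parameter,
    // so quotes or SQL keywords inside the username are treated as data, never as SQL text.
    private static bool UserExists(string username)
    {
        var cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", username);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```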

Security issues in web applications invariably come down to very simple issues on the developer's part: bad assumptions, misinformation, and lack of education. In this chapter, we did our best to tell you about the enemy out there. The best way to keep yourself protected is to know your enemy and know yourself. Get educated and get ready for battle.
