Chapter 11. Security

In the previous chapter, we looked at some of the most widely applied principles of software design and design patterns, and at how they are implemented in, or can be used with, the .NET Framework.

In this chapter, we're going to study security issues and recommendations, that is, the measures to take in order to build and deploy secure applications. We'll also look at how these security problems affect .NET applications.

Our starting point will be the OWASP (Open Web Application Security Project) proposal. OWASP is a security initiative that periodically publishes the latest on cyber security in terms of the types of possible flaws, along with information about the best methods to deal with threats, prevention measures, and so on.

We'll focus our analysis on the definitions of, and prevention measures for, the top 10 security threats published by the OWASP organization, their implications for the developer, and, where applicable, how these measures can be implemented in .NET Framework solutions.

In this chapter, we will cover the following topics:

  • The OWASP initiative
  • The OWASP top 10
  • Injection
  • Broken authentication and session management
  • Cross-Site Scripting
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function-level access control
  • Cross-site request forgery
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

The OWASP initiative

The official definition of the OWASP is as follows:

"The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."

Essentially, OWASP can be thought of as a global set of guides and proposals about security, centralized and published by OWASP.org, a nonprofit organization focused on improving the security of software by making security visible, so that organizations and individuals have a starting point that provides practical and impartial information about security issues.

Its official web page can be found at https://www.owasp.org/index.php/Main_Page, and it offers guidelines on application security tools and standards, as well as books, controls and libraries, research on several security topics, worldwide conferences, mailing lists, and a long list of other resources.

The official OWASP site describes the organization as an entity that is:

"free from commercial pressures", which, in their own words, allows them to "provide unbiased, practical, cost-effective information about application security".
