[Ultimate Guide] For Every Developer Code Security

Ultimate security guide for developers


This article basically covers .NET security Tips for every developer.

An early days I practiced to write code that require review mainly on security wise - eventually it was an extra work in team to sit and verify the quality and impact of the project.

This was quite long process later on I googled to find -What is the best way to write code in C#, security best practices, secure code library, standard best practice for C# and security concepts etc.

Yes - google did help me on the topic searched. 

And the topics I share here are Industry Standard - Proven - Certified 

These are the main reasons pulled out all tips make it available for you to grab.

Who is the best Developer or Programmer?

Everyone can write code and develop application-agree? but what makes them stand out is how secure is your code, how well you know concepts.


Here you go with glimpse of .Net Framework security Guidelines


The .NET Framework

The .NET Framework is Microsoft's principal platform for enterprise development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.

The .NET Framework is kept up-to-date by Microsoft with the Windows Update Service.

Developers need not to run separate updates to the Framework. 

The .NET Framework guide line covers 3 major topics

General Tips
Data Access 
Encryption
 
 
General Tips

Lock down the config file.

1.Remove all aspects of configuration that are not in use.

2. Encrypt sensitive parts of the web.config using aspnet_regiis -pe (command line help).

3. For Click Once applications the .Net Framework should be upgraded to use version 4.6.2 to ensure TLS 1.1/1.2 support.


  
Data Access 
 Lock down the config file.

1. Use Parameterized SQL commands for all data access, without exception.

2. Do not use SqlCommand with a string parameter made up of a concatenated SQL String.

3. Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.

Enums are still vulnerable to unexpected values because .NET only validates a successful cast to the underlying data type, integer by default. Enum.IsDefined can validate whether the input value is valid within the list of defined constants.

4. Apply the principle of least privilege when setting up the Database User in your database of choice. 

The database user should only be able to access items that make sense for the use case.

5. Use of the Entity Framework is a very effective SQL injection prevention mechanism. 

Remember that building your own ad hoc queries in Entity Framework is just as susceptible to SQLi as a plain SQL query.

6. When using SQL Server, prefer integrated authentication over SQL authentication.

7. Use Always Encrypted where possible for sensitive data (SQL Server 2016 and SQL Azure).


Encryption
1.  Never try to write your encryption - hacked easily 

2.  Use the Windows Data Protection API (DPAPI) for secure local storage of sensitive data.

3.  Use a strong hash algorithm.

 In .NET (both Framework and Core) the strongest hashing algorithm for general hashing requirements is System.Security.Cryptography.SHA512

In the .NET framework the strongest algorithm for password hashing is PBKDF2, 

In .NET Core the strongest algorithm for password hashing is PBKDF2, 
which has several significant advantages over Rfc2898DeriveBytes.
 

4.  Make sure your application or protocol can easily support a future change of cryptographic algorithms.


5.  Use Nuget to keep all of your packages up to date. Watch the updates on your development setup, and plan updates to your applications accordingly


Until here the very basic guidelines given of .NET Framework, it is never too late to learn extras about ASP.NET MVC secure code writing skills

Here is glimpse tips for ASP.NET Web Form application - detailed information will be available in another article.

  • Always use https
  • Implement custom errors
  • Make sure tracing is turned off
  • Remove version header
  • Remove http header in server
  • What to do on Http validation?
  • What to do on Form Authentication?


Summary

So to arrive here, you have seen three aspects of writing secure code tips and resources links. And moving forward ASP.NET Web Forms and ASP.NET MVC Framework to Dos and Don't Dos will be elaborated in depth. 

As a developer - before write code reminding to write a secure code is the best way to go ahead.