Apologies that this post is fairly nonsensical. I've put my raw NZ TechEd 2011 notes up here for my reference. I'd like to think that I'll refine them over time, but that probably won't be the case.
TechEd Online
OWASP Top 10 (Open Web Application Security Project)
SQL Injection
Allowing untrusted user input to reach the database in the statement text rather than in the parameters.
Look for: exec sp_executesql
Parameterise queries with SqlParameter, or use sp_executesql with parameters (@ParamName).
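An added example (not from the TechEd session or these notes) of the two shapes the note contrasts: the same lookup with the input spliced into the statement text, and with the input carried as a SqlParameter. The connection string and the Documents table are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class DocumentSearch
{
    // Placeholder connection string, not from the notes.
    private const string ConnectionString =
        "Server=(local);Database=DocsDemo;Integrated Security=true";

    // VULNERABLE: the untrusted title becomes part of the statement text, so a value
    // containing a quote character changes the query itself rather than the data it matches.
    public static List<string> TitlesMatchingUnsafe(string title)
    {
        string sql = "SELECT Title FROM Documents WHERE Title = '" + title + "'";
        return Run(new SqlCommand(sql));
    }

    // FIXED: the statement text is constant; the title travels as a typed SqlParameter.
    // SQL Server receives this as
    //   exec sp_executesql N'SELECT Title FROM Documents WHERE Title = @Title',
    //                      N'@Title nvarchar(200)', @Title = N'...'
    // which is the shape to look for in a profiler trace.
    public static List<string> TitlesMatching(string title)
    {
        var cmd = new SqlCommand("SELECT Title FROM Documents WHERE Title = @Title");
        cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title;
        return Run(cmd);
    }

    // Shared execution: open the connection, run the command, read the first column.
    private static List<string> Run(SqlCommand cmd)
    {
        var titles = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (cmd)
        {
            cmd.Connection = conn;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    titles.Add(reader.GetString(0));
            }
        }
        return titles;
    }
}
```

The same rule holds inside T-SQL that builds dynamic statements: pass the value through sp_executesql's parameter list (`EXEC sp_executesql N'SELECT ... WHERE Title = @Title', N'@Title nvarchar(200)', @Title = @Input`) rather than concatenating it into the string.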
Cross Site Scripting
Allowing untrusted user input to reach the web page.
Defence in depth: block bad data on the way in to your server, and escape on the way out on to your page.
AntiXss.HtmlEncode()
Encoding depends on the output context: HTML context, JavaScript context, URL context, HTML attribute context.
Encoding must be done close to the view.
ASP.NET: use HttpUtility or AntiXSS HtmlEncode and HtmlAttributeEncode. Consider the Security Runtime Engine as a safety net.
MVC: use Razor views; @value encodes.
WebForms: encode using <%: value %> rather than <%= value %>.
SharePoint: SPHttpUtility
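An added example (mine, not the session's) showing why the note lists four contexts: the same untrusted string needs a different encoder depending on where in the page it lands. It uses only System.Web.HttpUtility methods that exist in .NET 4; the sample input and the page fragments are constructed.

```csharp
using System;
using System.Web;

public static class OutputEncoding
{
    // HTML body context:  <p>Hello, {0}</p>
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // HTML attribute context:  <input value="{0}">  (quotes must be escaped, not just < and >)
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted);
    }

    // JavaScript string context:  var name = '{0}';  (HtmlEncode is the wrong tool here)
    public static string ForJavaScript(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    // URL query-string context:  <a href="/search?q={0}">
    public static string ForUrl(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted);
    }

    // Builds each fragment "close to the view", i.e. at the point of output, never on input.
    public static string RenderGreeting(string untrustedName)
    {
        return
            "<p>Hello, " + ForHtml(untrustedName) + "</p>\n" +
            "<input name=\"who\" value=\"" + ForHtmlAttribute(untrustedName) + "\">\n" +
            "<script>var who = '" + ForJavaScript(untrustedName) + "';</script>\n" +
            "<a href=\"/search?q=" + ForUrl(untrustedName) + "\">search</a>";
    }

    public static void Main()
    {
        // Constructed input containing a tag, a quote and an apostrophe.
        string sample = "<b>O'Neil\" & co</b>";
        Console.WriteLine(RenderGreeting(sample));
    }
}
```

Razor's `@value` and WebForms' `<%: value %>` call the HTML encoder for you, which covers the first context only; attribute, script and URL positions still need the matching encoder.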
Auth & Session Management
Don't roll your own; the ASP.NET SessionID and FormsAuth cookies are pretty good.
Enforce logout on the server side: expire the session on the server rather than just removing the client cookie.
Set the 'httponly' and 'secure' flags on cookies.
SharePoint: SPHttpUtility
Prevent user name and password brute force: temporarily suspend the account after 5 failed attempts.
Logging and alerts to system admins; look at the logging messages.
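An added example (not from the session) of the two points above that need code rather than configuration: a logout that invalidates the session on the server before touching the browser, and a lockout counter for the five-failed-attempts rule. The 15-minute lockout period and the in-memory store are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Logout.aspx code-behind: invalidate on the server first, then clear the browser's cookies.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Abandon();               // server-side session state is discarded
        FormsAuthentication.SignOut();   // clears the forms-auth ticket cookie

        // Also expire the session cookie so the old SessionID is not presented again.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(sessionCookie);
        FormsAuthentication.RedirectToLoginPage();
    }
}

// The cookie flags are set site-wide in web.config (XML, shown here as a comment):
// <system.web>
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   <authentication mode="Forms">
//     <forms requireSSL="true" slidingExpiration="false" />
//   </authentication>
// </system.web>

// Lockout policy for "suspend the account after 5 failed attempts". The store is per-process
// memory for the example; a deployment keeps the counters with the account record.
public class LoginLockout
{
    private const int MaxFailures = 5;
    private static readonly TimeSpan LockoutPeriod = TimeSpan.FromMinutes(15); // assumed duration

    private class Entry { public int Failures; public DateTime LockedUntil; }

    private readonly ConcurrentDictionary<string, Entry> _state =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    // Check this before verifying the password, so a locked account is refused outright.
    public bool IsLocked(string userName, DateTime now)
    {
        Entry e;
        return _state.TryGetValue(userName, out e) && e.LockedUntil > now;
    }

    public void RecordFailure(string userName, DateTime now)
    {
        Entry e = _state.GetOrAdd(userName, _ => new Entry());
        lock (e)
        {
            e.Failures++;
            if (e.Failures >= MaxFailures)
            {
                e.LockedUntil = now + LockoutPeriod;
                e.Failures = 0;
                // This is the event to log and alert the system admins on.
            }
        }
    }

    public void RecordSuccess(string userName)
    {
        Entry removed;
        _state.TryRemove(userName, out removed);
    }
}
```

Session.Abandon() alone does not stop the browser re-sending the same ASP.NET_SessionId value, which ASP.NET will accept as a new empty session, so the cookie is expired explicitly as well.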
Insecure Direct Object References
Users should only be able to access some of the content, e.g. http://example.com/docs.aspx?docid=7
Defend: ASP.NET location/authorization tags in web.config; User.IsInRole("Admin")
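An added example (not from the notes) for the docid=7 case: a path-level authorization rule in web.config cannot tell document 7 from document 8, so the page has to compare the record's owner with the authenticated user (or an Admin role) on every request. The Document type, DocumentStore and the BodyLiteral control are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical record and data access; the record carries its owner so it can be checked.
public class Document
{
    public int Id;
    public string OwnerName;
    public string Body;
}

public static class DocumentStore
{
    public static Document Load(int id) { /* hypothetical data access */ return null; }
}

// docs.aspx code-behind. BodyLiteral is an <asp:Literal> in the markup.
public partial class Docs : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int docId;
        if (!int.TryParse(Request.QueryString["docid"], out docId))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        Document doc = DocumentStore.Load(docId);
        bool isOwner = doc != null &&
            string.Equals(doc.OwnerName, User.Identity.Name, StringComparison.OrdinalIgnoreCase);

        // Same response for "missing" and "not yours", so valid ids cannot be enumerated by status code.
        if (doc == null || !(isOwner || User.IsInRole("Admin")))
        {
            Response.StatusCode = 404;
            Response.End();
            return;
        }

        BodyLiteral.Text = HttpUtility.HtmlEncode(doc.Body); // still encode on the way out
    }
}

// web.config gates whole paths, which is the right tool for an admin area but not for records:
// <location path="admin">
//   <system.web>
//     <authorization>
//       <allow roles="Admin" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
// </location>
```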
Cross Site Request Forgery
The attacker's data is posted by the user.
Use a CSRF token: information the attacker doesn't know, in a hidden form field, so that they can't assemble the same post data.
Defend:
ASP.NET: set ViewStateUserKey in OnInit in the base page; it is used in addition to the MAC key to hash the ViewState.
MVC: add HtmlHelper.AntiForgeryToken to every form and the [ValidateAntiForgeryToken] attribute on each action method.
SharePoint: use the FormDigest field on every request and call ValidateFormDigest to check it is set correctly.
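An added example (mine, not the session's) of the WebForms and MVC defences side by side: a base page that binds the ViewState MAC to the current session, and a controller action that rejects posts without a valid anti-forgery token. AccountController and ChangeEmail are hypothetical names.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// WebForms: every page in the site derives from this instead of Page.
public class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be set before ViewState is loaded, hence OnInit. The key is mixed into the
        // ViewState MAC, so a form assembled outside this user's session fails validation.
        // Requires EnableViewStateMac (the default) to stay on.
        if (Session != null)
            ViewStateUserKey = Session.SessionID;
    }
}

// MVC: the token is emitted by the view and checked by the attribute.
public class AccountController : Controller
{
    // The view for this action wraps its fields in
    //   @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... }
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // Refuses any POST whose hidden __RequestVerificationToken field does not match
    // the __RequestVerificationToken cookie, before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // update the address for User.Identity.Name here (omitted)
        return RedirectToAction("Index", "Home");
    }
}

// SharePoint equivalent: a <SharePoint:FormDigest /> control on the page and, in the handler,
//   if (!SPUtility.ValidateFormDigest()) throw new UnauthorizedAccessException();
```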
Security Misconfiguration
Windows Update: keep everything up to date.
Close unused ports; uninstall or disable unused software.
Run the Best Practice Analyser.
Encrypt sensitive info in your web.config: aspnet_regiis -pef
Failure to Restrict URL access
Put the admin site within the private network.
Transport Layer Protection
Use SSL / TLS for: login, password change, signup, credit card.
Don't include HTTP resources in HTTPS pages.
Turn off SSLv2 and weak ciphers (system admin).
Unvalidated redirects
Ensure that any redirects or transfers only go to white-listed domains.
Check that RedirectUrl handling on login pages doesn't allow other URLs.
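An added example (not from the session) of the login-page check above: the ReturnUrl is parsed as a URI rather than string-matched, relative paths are limited to a single leading slash, and absolute URLs must be http(s) to a host on the allow-list. The host list is constructed.

```csharp
using System;
using System.Web;

public static class SafeRedirect
{
    // Constructed allow-list; replace with the site's own hosts.
    private static readonly string[] AllowedHosts = { "example.com", "www.example.com" };

    public static bool IsAllowed(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;

        Uri target;
        if (!Uri.TryCreate(returnUrl, UriKind.RelativeOrAbsolute, out target)) return false;

        if (!target.IsAbsoluteUri)
        {
            // Site-relative path only: exactly one leading '/'. Browsers treat "//host"
            // and "/\host" as scheme-relative, which would leave the site.
            return returnUrl.StartsWith("/", StringComparison.Ordinal)
                && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                && !returnUrl.StartsWith("/\\", StringComparison.Ordinal);
        }

        // Absolute URL: http(s) only, and the host must match the list exactly
        // (an EndsWith check would accept "example.com.attacker.invalid").
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps) return false;
        return Array.Exists(AllowedHosts,
            h => string.Equals(h, target.Host, StringComparison.OrdinalIgnoreCase));
    }

    // Login page usage: fall back to a fixed location when ReturnUrl fails the check.
    public static string ResolveReturnUrl(HttpRequest request)
    {
        string returnUrl = request.QueryString["ReturnUrl"];
        return IsAllowed(returnUrl) ? returnUrl : "/";
    }
}
```

In MVC 3 the relative-path part of this is what `Url.IsLocalUrl(returnUrl)` checks; the absolute-host allow-list is only needed if the site legitimately redirects to other hosts.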
File Uploads
Send the following HTTP headers:
Content-Disposition: attachment
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Content-Type: [mime-type]
Set Content-Security-Policy server headers, Strict-Transport-Security and X-Frame-Options.
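An added example (mine, not the session's) covering both lists above: a download handler that sends the four per-file headers using the server-side stored MIME type and a sanitised file name, and a Global.asax hook that adds the site-wide headers to every response. The file lookup and the policy values are placeholders.

```csharp
using System;
using System.IO;
using System.Web;

// Download.ashx: serves a stored upload back to the browser as a file, never rendered as a page.
public class DownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Hypothetical lookup: bytes, stored MIME type and original name come from the
        // server-side record, not from anything the client sends with this request.
        byte[] bytes = new byte[0];
        string storedMimeType = "application/pdf";
        string originalName = "report.pdf";

        // Strip any path and quote characters before the name goes into a header.
        string safeName = Path.GetFileName(originalName).Replace("\"", "");

        HttpResponse response = context.Response;
        response.Clear();
        response.ContentType = storedMimeType;                       // Content-Type: [mime-type]
        response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + safeName + "\"");            // download, not inline render
        response.AppendHeader("X-Download-Options", "noopen");       // IE: save only, no "Open"
        response.AppendHeader("X-Content-Type-Options", "nosniff");  // don't guess another type
        response.BinaryWrite(bytes);
    }
}

// Global.asax code-behind: site-wide headers on every response.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;
        response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
        response.AppendHeader("Content-Security-Policy", "default-src 'self'"); // placeholder policy
        // Browsers only honour HSTS on an HTTPS response, so don't send it over plain HTTP.
        if (Context.Request.IsSecureConnection)
            response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
    }
}
```

The Content-Disposition and nosniff pair is what stops an uploaded HTML or SVG file from executing in the site's origin when a user opens it; the stored MIME type matters for the same reason, since trusting the uploader's declared type would undo the check.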