Security Recap and Helpful Resources

Table 7.1 recaps the threats and solutions to some common web security issues.

Table 7.1: ASP.NET Security

Threat | Solutions
--- | ---
Complacency | Educate yourself. Assume your applications will be hacked. Remember that it's important to protect user data.
Cross-Site Scripting (XSS) | HTML-encode all content. Encode attributes. Remember JavaScript encoding. Use AntiXSS if possible.
Cross-Site Request Forgery (CSRF) | Token verification. Idempotent GETs. HttpReferrer validation.
Over-Posting | Use the Bind attribute to explicitly whitelist or blacklist fields.
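As an added illustration (not code from the book), the following MVC 3 controller applies three of the recap's solutions at once: an idempotent GET, a POST guarded by the anti-forgery token, and a Bind whitelist that stops over-posting of a privileged field. The UserProfile model and the in-memory store are constructed for this example.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Constructed model: IsAdmin must never be settable from a browser form.
public class UserProfile
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public class ProfileController : Controller
{
    // In-memory stand-in for a database (constructed for the example).
    private static readonly Dictionary<int, UserProfile> Store =
        new Dictionary<int, UserProfile>
        {
            { 1, new UserProfile { Id = 1, Name = "Ann", Email = "ann@example.com" } }
        };

    // Idempotent GET: rendering the form changes no server state, so a
    // forged GET gains nothing. Razor's @Model.Name in the view is
    // HTML-encoded by default in MVC 3, covering the XSS row of the table.
    [HttpGet]
    public ActionResult Edit(int id)
    {
        return View(Store[id]);
    }

    // State changes only on POST, and only when the token emitted by
    // @Html.AntiForgeryToken() in the form matches the anti-forgery cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(
        // Whitelist: the model binder ignores a posted "IsAdmin=true" field.
        [Bind(Include = "Id,Name,Email")] UserProfile posted)
    {
        if (!ModelState.IsValid)
            return View(posted);

        UserProfile stored = Store[posted.Id];
        stored.Name = posted.Name;
        stored.Email = posted.Email;   // IsAdmin is deliberately not copied
        return RedirectToAction("Edit", new { id = stored.Id });
    }
}
```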

ASP.NET MVC gives you the tools you need to keep your website secure, but it's up to you to apply them wisely. True security is an ongoing effort that requires that you monitor and adapt to an evolving threat. It's your responsibility, but you're not alone. Plenty of great resources are available both in the Microsoft web development sphere and in the Internet security world at large. Table 7.2 shows a list of resources to get you started.

Table 7.2: Security Resources

Resource | URL
--- | ---
Microsoft Security Developer Center | http://msdn.microsoft.com/en-us/security/default.aspx
Book: Beginning ASP.NET Security (Barry Dorrans) | http://www.wrox.com/WileyCDA/WroxTitle/Beginning-ASP-NET-Security.productCd-0470743654.html
Microsoft Code Analysis Tool .NET (CAT.NET) | http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
AntiXSS | http://antixss.codeplex.com/ ...
