Let’s take a look at the various security features available for web applications. I’ll be concentrating on their use in ASP.NET Core, but the information should be valid for other frameworks too.
Note: We’ll look at some code for implementing this in a subsequent set of posts.
Authentication and Authorization
We’re talking ASP.NET Core Identity, JWT bearer tokens, OAuth 2.0 and OpenID Connect.
Proper authentication ensures that only legitimate users (and client applications) get in at all, while proper authorisation, enforced with least privilege and role or policy based access checks, ensures an authenticated user can only reach the resources their privileges allow. The two are separate concerns: a valid token proves who the caller is, not what they may do, so every endpoint still needs an authorisation decision, and for JWTs the issuer, audience, lifetime and signature must all be validated, not just the signature.
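The following is an added example (not code from the post, which promises its own in later parts) of what that looks like in a .NET 8 minimal API: JWT bearer validation with issuer, audience, lifetime and signing key all pinned, a deny-by-default fallback policy so nothing is exposed by accident, and a least-privilege policy that needs both a role and a scope. The issuer URL, audience name, claim names, configuration key and the Microsoft.AspNetCore.Authentication.JwtBearer package are assumptions for the example.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed (not from the post): tokens are HMAC-signed with a key held in configuration,
// issued by https://idp.example.com for the audience "orders-api".
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
    builder.Configuration["Jwt:SigningKey"]
        ?? throw new InvalidOperationException("Jwt:SigningKey is not configured")));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.MapInboundClaims = false; // keep the raw JWT claim names ("sub", "roles", "scope")
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Set all of these explicitly; the audience in particular is the one
            // many samples switch off, which lets a token minted for another API in.
            ValidateIssuer = true,
            ValidIssuer = "https://idp.example.com",
            ValidateAudience = true,
            ValidAudience = "orders-api",
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes
            RoleClaimType = "roles",              // must match what the IdP actually emits
            NameClaimType = "sub",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Deny by default: any endpoint without explicit metadata requires an authenticated user.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Least privilege: a role AND a scope, not just "is logged in". OAuth "scope" is usually
    // one space-delimited claim, so RequireClaim("scope", "orders.write") would silently
    // never match; split it instead.
    options.AddPolicy("CanApproveOrders", policy => policy
        .RequireRole("approver")
        .RequireAssertion(ctx => ctx.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains("orders.write")));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/health", () => Results.Ok()).AllowAnonymous();           // explicit opt-out
app.MapGet("/orders/{id:int}", (int id, ClaimsPrincipal user) =>
    Results.Ok(new { id, requestedBy = user.Identity?.Name }));        // covered by FallbackPolicy
app.MapPost("/orders/{id:int}/approve", (int id) => Results.Accepted())
    .RequireAuthorization("CanApproveOrders");

app.Run();
```

A quick check worth doing on any real deployment: call a protected endpoint with a token from the same IdP but a different audience, and with an expired token; both must come back 401.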
OWASP Top 10 (2021) risks mitigated, grouped by the feature each applies to (the features themselves are covered in the sections below):
- Authentication and Authorization: A01 Broken Access Control (improper enforcement of permissions); A07 Identification and Authentication Failures (weak or missing authentication flows)
- Data Protection: A02 Cryptographic Failures (weak or missing encryption of sensitive data at rest)
- HTTPS Enforcement and HSTS: A02 Cryptographic Failures (sensitive data exposure in transit); A05 Security Misconfiguration (missing TLS or insecure defaults)
- Anti-Forgery Tokens: A01 Broken Access Control; A05 Security Misconfiguration; A08 Software and Data Integrity Failures (such as session integrity)
- Input Validation and Model Binding Validation: A03 Injection (SQL, NoSQL and command injection); A04 Insecure Design (lacking validation rules); A05 Security Misconfiguration
- Output Encoding: A03 Injection (XSS); A05 Security Misconfiguration; A06 Vulnerable and Outdated Components
- Security Headers: A03 Injection (CSP reduces XSS); A05 Security Misconfiguration (missing headers); A09 Security Logging and Monitoring Failures (via reporting endpoints)
- Rate limiting and throttling: A07 Identification and Authentication Failures (brute force, credential stuffing); A10 Server-Side Request Forgery (limits abuse); A04 Insecure Design (lack of abuse protection)
- CORS: A05 Security Misconfiguration; A01 Broken Access Control
- Cookie Security: A07 Identification and Authentication Failures; A02 Cryptographic Failures; A01 Broken Access Control
- Dependency Management: A06 Vulnerable and Outdated Components
- Logging and Monitoring: A09 Security Logging and Monitoring Failures
- Secure deployment and configuration: A05 Security Misconfiguration; A02 Cryptographic Failures
ASP.NET Core Data Protection (and the Windows Data Protection API, DPAPI)
This is designed to protect data at rest that the app itself must later read back, such as authentication cookies, anti-forgery and password reset tokens and other short lived secrets, and it provides key management, automatic key rotation and authenticated encryption. Windows DPAPI is a different, OS level API; Data Protection can use it to encrypt its own key ring on disk. The key ring has to be persisted and shared between instances, otherwise every restart or every extra node silently invalidates the cookies and tokens already issued.
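As an added example (not the post's code), here is Data Protection used directly from a console host: the key ring is persisted and named, a time limited protector issues a password reset token, and the two failure modes a practitioner should see rejected (wrong purpose, tampered ciphertext) are exercised. The key directory, application name and purpose strings are constructed for the example; the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages are assumed.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    // Persist the key ring outside the process: without this, keys live in memory or a
    // per-user profile, so every restart or extra instance invalidates all issued tokens.
    .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo")))
    // On Windows add .ProtectKeysWithDpapi() so the persisted keys are themselves encrypted;
    // elsewhere use ProtectKeysWithCertificate() or a cloud key store.
    .SetApplicationName("orders-web")               // isolates this app's keys in a shared store
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));  // automatic rotation; retired keys still decrypt

using var provider = services.BuildServiceProvider();
var dataProtection = provider.GetRequiredService<IDataProtectionProvider>();

// A purpose string binds ciphertext to one use: the same key ring yields different protectors
// for different purposes, so a reset token cannot be replayed as an e-mail confirmation token.
var resetTokens = dataProtection.CreateProtector("PasswordReset.v1").ToTimeLimitedDataProtector();
var confirmTokens = dataProtection.CreateProtector("EmailConfirm.v1");

string token = resetTokens.Protect("user:42", TimeSpan.FromMinutes(15)); // expiry is inside the ciphertext
string payload = resetTokens.Unprotect(token, out DateTimeOffset expiresAt);
Console.WriteLine($"{payload} valid until {expiresAt:u}");

try
{
    confirmTokens.Unprotect(token);
    Console.WriteLine("unexpected: token accepted under the wrong purpose");
}
catch (CryptographicException)
{
    Console.WriteLine("rejected: protected for a different purpose");
}

// Flip one character in the middle of the token: authenticated encryption detects it.
var tampered = token.ToCharArray();
tampered[10] = tampered[10] == 'A' ? 'B' : 'A';
try
{
    resetTokens.Unprotect(new string(tampered));
    Console.WriteLine("unexpected: modified token accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("rejected: ciphertext modified");
}
```

Note the version suffix in the purpose strings: when a token format changes, a new purpose is the cheapest way to make every old token invalid without touching the key ring.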
HTTPS Enforcement and HSTS
HTTPS redirection forces clients onto encrypted transport, and HSTS tells browsers to only ever use HTTPS for the host (optionally including subdomains) for a set period, which prevents SSL stripping and other protocol downgrade attacks on every request after the browser has seen the header (the preload list covers the very first visit too). HSTS should only be sent in non-development environments, and the preload flag is a long term commitment that is hard to undo.
Anti-Forgery Tokens (CSRF Protection)
This prevents cross site request forgery by requiring state changing requests to carry a token that another origin cannot obtain, which proves the request came from a page the app served rather than merely riding on the user's cookies. SameSite cookies reduce the exposure but are not a replacement for the token.
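An added example (not from the post) using the .NET 8 minimal API anti-forgery support: the GET issues the cookie/request token pair, the POST is validated by the middleware before the handler runs, and the one endpoint that legitimately cannot carry a token opts out explicitly instead of validation being switched off globally. The cookie and header names and the route paths are assumptions for the example.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";                   // for fetch/XHR clients that can't post a form field
    options.Cookie.Name = "__Host-csrf";                   // __Host- prefix: browser requires Secure, Path=/, no Domain
    options.Cookie.Path = "/";
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;         // defence in depth; the token is still the control
});

var app = builder.Build();
app.UseAntiforgery();

// GET: render the form with the request token; the matching cookie token is set on this response.
app.MapGet("/profile", (HttpContext context, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    var html = $"""
        <form method="post" action="/profile">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input name="displayName" />
          <button>Save</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// POST: because the endpoint binds form data, the anti-forgery middleware validates the token pair
// first. A missing, expired or mismatched token yields 400 and this handler never executes.
app.MapPost("/profile", ([FromForm] string displayName) => Results.Ok(new { displayName }));

// A webhook has no browser session to protect and carries its own signature check, so it opts
// out here, visibly, rather than the app disabling anti-forgery for everything.
app.MapPost("/webhooks/payments", () => Results.Ok()).DisableAntiforgery();

app.Run();
```

For MVC and Razor Pages the equivalent is the [AutoValidateAntiforgeryToken] filter (or the per-action [ValidateAntiForgeryToken]) together with the form tag helper, which emits the hidden field automatically.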
Input Validation and Model Binding Validation
This stops malformed or malicious input from reaching the business logic: model binding rejects values that don't fit the declared type, and validation attributes enforce length, range, format and allow-list rules on the server regardless of what the client checked. Validation is a filter, not a defence against injection on its own; data that passes still has to reach the database, shell or directory through parameterised APIs.
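The added example below (not the post's code) shows both halves: a request model with DataAnnotations that an [ApiController] validates automatically, returning 400 before the action runs, and the insert done with typed SQL parameters so the validated value still never becomes part of the query text. The table, connection string name and the Microsoft.Data.SqlClient package are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();   // [ApiController] gives automatic 400 ProblemDetails on invalid models
var app = builder.Build();
app.MapControllers();
app.Run();

public sealed class CreateUserRequest
{
    // Allow-list the shape, not just the length: this is the rule the business actually has.
    [Required, StringLength(32, MinimumLength = 3)]
    [RegularExpression("^[A-Za-z0-9_]+$", ErrorMessage = "letters, digits and underscore only")]
    public string Username { get; init; } = "";

    [Required, EmailAddress, StringLength(254)]
    public string Email { get; init; } = "";

    [Range(13, 120)]
    public int Age { get; init; }
}

[ApiController]
[Route("users")]
public sealed class UsersController : ControllerBase
{
    private readonly string _connectionString;

    public UsersController(IConfiguration config) =>
        _connectionString = config.GetConnectionString("Users")
            ?? throw new InvalidOperationException("ConnectionStrings:Users is not configured");

    // Model binding + validation run before this method; an unparseable Age or a username
    // with a quote in it never gets here. Nulls are also impossible thanks to [Required].
    [HttpPost]
    public async Task<IActionResult> Create(CreateUserRequest request, CancellationToken ct)
    {
        // DON'T: $"INSERT INTO Users ... VALUES ('{request.Username}', ...)". Even allow-listed
        // input goes in as a parameter, so the SQL text never depends on user data.
        await using var connection = new SqlConnection(_connectionString);
        await connection.OpenAsync(ct);

        await using var command = new SqlCommand(
            "INSERT INTO Users (Username, Email, Age) VALUES (@username, @email, @age)", connection);
        command.Parameters.Add("@username", SqlDbType.NVarChar, 32).Value = request.Username;
        command.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = request.Email;
        command.Parameters.Add("@age", SqlDbType.Int).Value = request.Age;

        await command.ExecuteNonQueryAsync(ct);
        return Created($"/users/{request.Username}", null);
    }
}
```

Minimal APIs in .NET 8 do not run DataAnnotations automatically; there you either call Validator.TryValidateObject in an endpoint filter or move to a controller as above.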
Output Encoding
This prevents untrusted data from being interpreted as markup or script when it is rendered. Razor views and Tag Helpers HTML encode @ expressions by default, and the System.Text.Encodings.Web encoders cover the other contexts; the usual escape hatch, @Html.Raw(), turns that protection off, and the correct encoder depends on where the value lands (HTML body, attribute, JavaScript or URL).
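As an added example (not from the post), the same hostile values pushed through the four common sinks with the encoder each one needs. The inputs are constructed; the helper names are the example's own. It also covers the case encoding cannot fix, a user supplied href with a javascript: scheme, where the scheme has to be validated before anything is encoded.

```csharp
using System.Text.Encodings.Web;

// Constructed attacker-controlled values, the kind that arrive via a profile form or query string.
const string displayName = "<img src=x onerror=alert(1)>";
const string quoteBreaker = "\" onmouseover=\"alert(1)";
const string hrefFromUser = "javascript:alert(1)";

Console.WriteLine(RenderHtmlText(displayName));   // <p>Hello, &lt;img src=x onerror=alert(1)&gt;</p>
Console.WriteLine(RenderAttribute(quoteBreaker)); // <input value="&quot; onmouseover=&quot;alert(1)">
Console.WriteLine(RenderScriptVar(displayName));  // <script>var name = "\u003Cimg src=x onerror=alert(1)\u003E";</script>
Console.WriteLine(RenderLink(hrefFromUser));      // <a href="#">link</a>
Console.WriteLine(RenderLink("https://example.com/docs"));

// HTML body: this is what Razor's @expression does for you, and what @Html.Raw() skips.
static string RenderHtmlText(string value) =>
    $"<p>Hello, {HtmlEncoder.Default.Encode(value)}</p>";

// Attribute: must be quoted AND encoded; encoding alone does not rescue an unquoted attribute.
static string RenderAttribute(string value) =>
    $"<input value=\"{HtmlEncoder.Default.Encode(value)}\">";

// Inside <script>, HTML encoding is the wrong tool. JavaScriptEncoder turns < into \u003C,
// so the browser can never see a closing </script> inside the string literal.
static string RenderScriptVar(string value) =>
    $"<script>var name = \"{JavaScriptEncoder.Default.Encode(value)}\";</script>";

// URL sink: no encoder makes "javascript:" safe. Parse, allow-list the scheme, then encode.
static string RenderLink(string candidate)
{
    var safeHref = Uri.TryCreate(candidate, UriKind.Absolute, out var uri)
                   && (uri.Scheme == Uri.UriSchemeHttps || uri.Scheme == Uri.UriSchemeHttp)
        ? uri.AbsoluteUri
        : "#";
    return $"<a href=\"{HtmlEncoder.Default.Encode(safeHref)}\">link</a>";
}
```

When a view really does need to emit markup from user content (a rich text editor, say), the answer is a sanitiser that reduces the HTML to an allow-list of tags and attributes, not @Html.Raw() on the original.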
Security Headers
Covers things such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, and mitigates XSS, clickjacking, MIME sniffing and data leakage. ASP.NET Core has built in middleware for HSTS but not for the rest; those are set by a small piece of middleware or at the reverse proxy, and should be verified on real responses rather than assumed.
OWASP provides explicit guidance on the recommended headers through its Secure Headers Project and its HTTP Headers cheat sheet.
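One added example (not the post's code) serves both the HTTPS/HSTS section above and this one, since all of it is response-level middleware in Program.cs: HSTS with a year-long max-age kept out of development, permanent HTTPS redirection, the remaining headers set centrally, and a CSP reporting endpoint that treats the incoming reports as untrusted input. The CSP directives, header values and the /csp-report route are assumptions to adjust per application.

```csharp
var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel => kestrel.AddServerHeader = false); // don't advertise the server

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = false;   // only after every subdomain is HTTPS for good; preload is hard to undo
    // The defaults already exclude localhost and loopback addresses, so a developer's browser
    // never gets pinned to HTTPS for local work.
});
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();              // Strict-Transport-Security only on real hostnames
}
app.UseHttpsRedirection();

// No built-in middleware exists for these; set them once, before anything writes the response.
app.Use(async (context, next) =>
{
    var headers = context.Response.Headers;
    headers["Content-Security-Policy"] =
        "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; " +
        "form-action 'self'; report-uri /csp-report; report-to csp-endpoint";
    headers["Reporting-Endpoints"] = "csp-endpoint=\"/csp-report\"";
    headers["X-Content-Type-Options"] = "nosniff";
    headers["X-Frame-Options"] = "DENY";                 // redundant with frame-ancestors; kept for old browsers
    headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    await next(context);
});

app.MapGet("/", () => Results.Content("<h1>hello</h1>", "text/html"));

// CSP violation reports are attacker-influenced input: read a bounded amount and log it as a field.
app.MapPost("/csp-report", async (HttpContext context, ILogger<Program> log) =>
{
    using var reader = new StreamReader(context.Request.Body);
    var buffer = new char[4096];
    int read = await reader.ReadBlockAsync(buffer, 0, buffer.Length);
    log.LogWarning("CSP violation from {ClientIp}: {Report}",
        context.Connection.RemoteIpAddress, new string(buffer, 0, read));
    return Results.NoContent();
});

app.Run();
```

Roll a new CSP out as Content-Security-Policy-Report-Only first; the report endpoint then tells you what the policy would have blocked before any user sees a broken page.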
Rate limiting and throttling
Rate limiting middleware is built into ASP.NET Core (from .NET 7, in Microsoft.AspNetCore.RateLimiting), but it does nothing until you register it and attach policies to endpoints.
It slows brute force and credential stuffing against login and password reset endpoints, and limits resource exhaustion elsewhere. Keyed limits are only as good as the key: behind a load balancer or proxy the remote IP is the proxy's unless forwarded headers are configured, and an authenticated user identifier is a better key where one exists.
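An added example (not from the post) of the built-in middleware with two different policies: a tight fixed window per client IP on the login endpoint, and a sliding window per user (falling back to IP for anonymous callers) as the global limit, with 429 and a Retry-After header on rejection. The limits, policy name and routes are assumptions; the forwarded headers setup is the part that is easy to forget when the app sits behind a proxy.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Behind a proxy, RemoteIpAddress is the proxy. Restore the client IP from X-Forwarded-For,
// but only trust it from known proxies (constructed address below).
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Add(System.Net.IPAddress.Parse("10.0.0.5"));
});

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Login: 5 attempts per minute per client IP; no queueing, excess is rejected immediately.
    options.AddPolicy("login", httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 5,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0,
            }));

    // Everything else: 100 requests per minute per user, per IP when anonymous.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
        RateLimitPartition.GetSlidingWindowLimiter(
            partitionKey: httpContext.User.Identity?.Name
                          ?? httpContext.Connection.RemoteIpAddress?.ToString()
                          ?? "unknown",
            factory: _ => new SlidingWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                SegmentsPerWindow = 6,
                QueueLimit = 0,
            }));

    options.OnRejected = (context, _) =>
    {
        context.HttpContext.Response.Headers.RetryAfter = "60";
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();

app.UseForwardedHeaders();   // must run before anything that reads RemoteIpAddress
app.UseRateLimiter();

app.MapPost("/login", () => Results.Ok()).RequireRateLimiting("login");
app.MapGet("/orders", () => Results.Ok(Array.Empty<object>()));   // global limiter only

app.Run();
```

A per-IP login limit is a speed bump, not a lock: credential stuffing from a botnet spreads across thousands of addresses, so pair it with a per-account counter and lockout on the authentication side.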
CORS (Cross‑Origin Resource Sharing)
This controls which browser origins may read responses from your APIs, and so prevents a malicious site from making credentialed cross-site calls through the user's browser. CORS is enforced by the browser, not the server: it is no protection against non-browser clients, and it is not a substitute for authentication and authorisation on the API itself.
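An added example (not the post's code) with the two weak configurations shown commented beside a corrected named policy. The SPA origin and route are assumptions.

```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    // Weak, and common in samples: every origin may call the API. Combined with AllowCredentials()
    // ASP.NET Core refuses to start; without credentials it still lets any site read the responses.
    //   options.AddPolicy("weak", p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
    // Also weak: suffix matching, which an origin of https://evilexample.com satisfies.
    //   p.SetIsOriginAllowed(origin => origin.EndsWith("example.com"))

    options.AddPolicy("spa", policy => policy
        .WithOrigins("https://app.example.com")          // exact scheme + host (+ port); no wildcards
        .WithMethods("GET", "POST", "PUT", "DELETE")
        .WithHeaders("Content-Type", "Authorization")
        .AllowCredentials()                              // cookies/Authorization only with a named origin
        .SetPreflightMaxAge(TimeSpan.FromMinutes(10)));  // cache OPTIONS results in the browser
});

var app = builder.Build();

app.UseCors();   // before the endpoints so preflight OPTIONS requests are answered

// CORS decides what a browser may read; authentication and authorization still decide who may call.
app.MapGet("/api/orders", () => Results.Ok(Array.Empty<object>())).RequireCors("spa");

app.Run();
```

Verify it the way a browser would: send a request with Origin: https://evil.example and confirm the response carries no Access-Control-Allow-Origin header at all, rather than a reflected one.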
Cookie Security
Protects session and authentication cookies from theft or misuse: HttpOnly keeps them away from script, Secure keeps them off plain HTTP, SameSite limits cross-site sending, and a short lifetime limits the damage if one does leak anyway.
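An added example (not from the post) of cookie authentication configured with those attributes, plus the cookie policy middleware as a floor for any other cookie the app or a library sets. The cookie name, routes and the constructed user id are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "__Host-auth";     // __Host- prefix: browser requires Secure, Path=/, no Domain
        options.Cookie.Path = "/";
        options.Cookie.HttpOnly = true;          // unreadable from script, so XSS cannot exfiltrate it
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax; // Strict also drops it on top-level links from other sites
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
        // For an API a 401 is the right answer to an unauthenticated call, not a redirect to a login page.
        options.Events.OnRedirectToLogin = context =>
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

// Minimums applied to every cookie the app emits, including ones set by libraries.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();

app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (HttpContext context) =>
{
    // Credential check elided; constructed outcome: user 42 authenticated.
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.NameIdentifier, "42") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await context.SignInAsync(new ClaimsPrincipal(identity)); // cookie payload is Data Protection encrypted
    return Results.Ok();
});
app.MapPost("/logout", async (HttpContext context) =>
{
    await context.SignOutAsync();
    return Results.Ok();
});
app.MapGet("/me", (ClaimsPrincipal user) =>
        Results.Ok(new { id = user.FindFirstValue(ClaimTypes.NameIdentifier) }))
    .RequireAuthorization();

app.Run();
```

Sliding expiration means an active session never ends on its own; if the application needs an absolute session lifetime, store the original sign-in time as a claim and reject the principal in OnValidatePrincipal once it is too old.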
Dependency Management
When using third party dependencies via NuGet, npm etc. we need to ensure libraries are patched and up to date, which means an inventory of what is actually pulled in (transitive packages included), automated vulnerability checks as part of the build, and a process for acting on the findings rather than just reporting them.
Logging and Monitoring
This covers things like Serilog, Application Insights and the built-in ILogger infrastructure.
Used to detect suspicious activity such as repeated authentication failures, access denied responses and validation failures, and to support incident response with enough context (who, what, from where, when) to reconstruct events. Logs must not contain credentials, tokens, session identifiers or other secrets, and user controlled values should be logged as structured fields rather than interpolated into the message text.
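An added example (not the post's code) of two security events done with the built-in logging: failed logins with the username but never the password, and every 401/403 response as a structured record with user, path, client IP and trace id. The event ids, the LoginRequest shape and the constructed credential check are assumptions.

```csharp
using System.Net;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);
builder.Logging.AddJsonConsole();   // structured output a SIEM can ingest without regexes
var app = builder.Build();

// Every denied request becomes a security event with fields, not a sentence.
app.Use(async (context, next) =>
{
    await next(context);
    if (context.Response.StatusCode is StatusCodes.Status401Unauthorized or StatusCodes.Status403Forbidden)
    {
        var log = context.RequestServices.GetRequiredService<ILogger<Program>>();
        log.AccessDenied(context.Response.StatusCode, context.Request.Method, context.Request.Path,
            context.User.FindFirstValue(ClaimTypes.NameIdentifier),
            context.Connection.RemoteIpAddress, context.TraceIdentifier);
    }
});

app.MapPost("/login", (LoginRequest request, HttpContext context, ILogger<Program> log) =>
{
    // Constructed credential check for the example; a real one hashes and compares in constant time.
    bool ok = request.Username == "alice" && request.Password == "correct horse";
    if (!ok)
    {
        // Username and source, never the password; cap the user-controlled field's length.
        log.LoginFailed(Truncate(request.Username, 64), context.Connection.RemoteIpAddress, context.TraceIdentifier);
        return Results.Unauthorized();
    }
    return Results.Ok();
});

app.Run();

static string Truncate(string value, int max) => value.Length <= max ? value : value[..max];

// A class rather than a record: a record's generated ToString() would print the password
// the first time someone logs the request object "for debugging".
public sealed class LoginRequest
{
    public string Username { get; set; } = "";
    public string Password { get; set; } = "";
}

public static partial class SecurityEvents
{
    // LoggerMessage source generator: stable event ids, compile-time checked templates, no string building.
    [LoggerMessage(EventId = 1001, Level = LogLevel.Warning,
        Message = "Login failed for {Username} from {ClientIp} traceId={TraceId}")]
    public static partial void LoginFailed(this ILogger logger, string username, IPAddress? clientIp, string traceId);

    [LoggerMessage(EventId = 1002, Level = LogLevel.Warning,
        Message = "{StatusCode} for {Method} {Path} user={UserId} from {ClientIp} traceId={TraceId}")]
    public static partial void AccessDenied(this ILogger logger, int statusCode, string method, PathString path,
        string? userId, IPAddress? clientIp, string traceId);
}
```

With the fields in place, detection is a query rather than a parser: many event 1001 records for one ClientIp across many usernames is credential stuffing, many for one username from many addresses is a targeted attack, and a burst of 1002 records for one user probing paths is enumeration.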
Secure deployment and configuration
This covers all forms of configuration, including appsettings.json, user secrets, Key Vault and environment separation (development, staging, production).
Here we want to prevent secrets being committed or exposed, keep developer-only behaviour such as detailed error pages out of production, and enforce secure defaults by having the app refuse to start when required configuration is missing or weak.
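An added example (not from the post) of a Program.cs that keeps secrets out of appsettings.json, pulls them from user secrets in development and Azure Key Vault in production, validates the bound options at startup so a missing or short signing key stops the app before it serves a request, and enables detailed errors only in development. The Jwt and KeyVault section names, the 32-character minimum and the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using Azure.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Default layering, lowest to highest: appsettings.json -> appsettings.{Environment}.json ->
// user secrets (Development only) -> environment variables -> command line.
// appsettings.json is committed, so it holds shape and non-secret defaults, never secret values.
// In development:  dotnet user-secrets set "Jwt:SigningKey" "<value>"
if (builder.Environment.IsProduction())
{
    var vaultUri = builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri must be set in production");
    // Managed identity in Azure, developer credentials elsewhere; no vault secret in config.
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
}

// Bind and validate at startup: a missing or weak secret is a failed deployment, not a 500 later.
builder.Services.AddOptions<JwtOptions>()
    .BindConfiguration("Jwt")
    .ValidateDataAnnotations()
    .ValidateOnStart();

var app = builder.Build();

// Secure defaults by environment: stack traces only where a developer is looking.
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/error");
}

app.MapGet("/error", () => Results.Problem("An error occurred."));
app.MapGet("/", (IOptions<JwtOptions> jwt) => Results.Ok(new { issuer = jwt.Value.Issuer }));

app.Run();

public sealed class JwtOptions
{
    [Required, Url]
    public string Issuer { get; set; } = "";

    [Required, MinLength(32)]   // 256 bits minimum for an HMAC-SHA256 key
    public string SigningKey { get; set; } = "";
}
```

The check to run on the pipeline itself: a production build with Jwt:SigningKey removed must fail to start, and a grep of the repository for the production key must find nothing.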