Monday, December 19, 2011

Open Web Application Security Project (OWASP) Top 10 for .Net Dev's Series has been eBooked...

Troy Hunt's Blog - Free eBook: OWASP Top 10 for .NET developers

"Writing this series was an epic adventure in all senses of the word:

Duration – 19 months to complete a blog series, for crying out loud!

Content – approaching 50,000 words, not including all the discussion in comments.

Effort – some of the posts, such as transport layer security, probably approached 100 hours of reading, trailing, experimenting and finally, writing and proofing. This is why there was a four month “hiatus” before that post!

But most of all, it was an epic learning adventure for me. Writing the series forced me to know this content in depth, not just the depth that facilitates casual conversation and allows me to send people off to figure out how to fix their flaws, but the depth to really get to grips with these risks, ensure I could exploit them and then make sure I could fix them again.


So I decided to turn it into an eBook. Oh – and give it away for free. No strings attached. So here it is, 255 pages of .NET web development security goodness. Please share it generously, chuck it on your eBook reader, email it to your mates, quote me, force your developers to print and read every page – whatever – it’s all yours:


Here's a snap of the PDF;


What is s this series all about?

OWASP Top 10 for .NET developers part 1: Injection

There’s a harsh reality web application developers need to face up to; we don’t do security very well. A report from WhiteHat Security last year reported “83% of websites have had a high, critical or urgent issue”. That is, quite simply, a staggeringly high number and it’s only once you start to delve into to depths of web security that you begin to understand just how easy it is to inadvertently produce vulnerable code.

Inevitably a large part of the problem is education. Oftentimes developers are simply either not aware of common security risks at all or they’re familiar with some of the terms but don’t understand the execution and consequently how to secure against them.

Of course none of this should come as a surprise when you consider only 18 percent of IT security budgets are dedicated to web application security yet in 86% of all attacks, a weakness in a web interface was exploited. Clearly there is an imbalance leaving the software layer of web applications vulnerable.

OWASP and the Top 10

Enter OWASP, the Open Web Application Security Project, a non-profit charitable organization established with the express purpose of promoting secure web application design. OWASP has produced some excellent material over the years, not least of which is The Ten Most Critical Web Application Security Risks – or “Top 10” for short - whose users and adopters include a who’s who of big business.

The Top 10 is a fantastic resource for the purpose of identification and awareness of common security risks. However it’s abstracted slightly from the technology stack in that it doesn’t contain a lot of detail about the execution and required countermeasures at an implementation level. Of course this approach is entirely necessary when you consider the extensive range of programming languages potentially covered by the Top 10.

What I’ve been finding when directing .NET developers to the Top 10 is some confusion about how to comply at the coalface of development so I wanted to approach the Top 10 from the angle these people are coming from. Actually, .NET web applications are faring pretty well in the scheme of things. According to the WhiteHat Security Statistics Report released last week, the Microsoft stack had fewer exploits than the likes of PHP, Java and Perl. But it still had numerous compromised sites so there is obviously still work to be done.

Moving on, this is going to be a 10 part process. In each post I’m going to look at the security risk in detail, demonstrate – where possible – how it might be exploited in a .NET web application and then detail the countermeasures at a code level. Throughout these posts I’m going to draw as much information as possible out of the OWASP publication so each example ties back into an open standard.

Here’s what I’m going to cover:

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)

6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards


If you build web sites, services, etc, you might want to give this series and eBook a careful read...


(via Alvin Ashcraft's Morning Dew - Dew Drop – December 19, 2011 (#1,222))

No comments: