ASP.Net Developers Checklist – Security Checklist

In this article we are going to discus some of the Security Related Checklist for ASP.Net Developers. I have four main areas to discus about the security related issues

1. Input Validation and Authentication Checklist
2. Web Services Security Checklist
3. Data Access Security Checklist
4. Client Script Maintainability Checklist

Scope : Input Validation and Authentication Checklist for ASP.Net Applications

1. Use client side validation.
2. Every input must be validated before it is processed by the application.
3. User inputs must be encoded using HTMLEncode and URLEncode to prevent Cross Site Scripting (XSS)
4. If an array is used to pass input to an unmanaged API, check that the managed wrapper verifies that the array capacity is not exceeded to avoid Buffer overflow attack.
5. Values passed as the parameters of unmanaged API must be validated to avoid Buffer overflow attack.
6. Regular expressions must be used for validating the input.
7. Classes must not directly expose fields. Use properties instead.
8. Use only “get accessor” while defining a property, if the property is read only.
9. Authentication information must not be stored on the client.
10. If using cookies, expiry values must be set for all cookies.
11. Hidden fields must not be used for passing security credentials.
12. Avoid hard coding.
13. Only use Secure Sockets Layer (SSL) for pages that require it.
14. Cryptography. If your application only needs to ensure that information is not tampered with during transit, you can use keyed hashing. Although larger key sizes provide greater encryption strength, performance is slower relative to smaller key sizes.
15. Whenever a critical function is being called or a database operation is being performed, user must be re-authenticated.
16. All the database user id and password inside the application parameter is required to be encoded.

Scope : Web Services Security Checklist

1. Check whether web service does not expose restricted operations or data.
2. Check whether callers are authorized.
3. Check that all publicly exposed web methods validate their input parameters before using or passing them to database or component.
4. Use the OneWay attribute on Web methods or remote object methods if you do not need a response.

Scope : Data Access Security Checklist

1. Use Stored Procedures for data access over inline query.
2. Use DataReader for fast and efficient data binding
3. Use ExecuteNonQuery for commands that do not return data
4. Use ExecuteScalar to return single values.
5. Prefer basic types to reduce serialization costs.

Scope : Client Script Maintainability Checklist

1. Adding JavaScript in the body tag of the document should be avoided. The scripts don’t get cached and adds to the page weight. Moreover it is not good for maintainability if we mix HTML and scripting
2. Inline JavaScript should be avoided
3. Use Namespace to avoid functions and variables to be overwritten by the one written by other developers
4. Give unique Ids to DOM elements
5. Always access the DOM elements with there Id
6. If you require a certain version of JavaScript then specify the version as part of the language attribute in the script tag.
7. To avoid confusion always end single JavaScript statements with a semi-colon
8. Use double quotes (") for HTML attributes and single quotes (’) for JavaScript string literals

Conclusion

By following the above mentioned checklist we can make sure that the ASP.Net application created is robust, maintainable and secure. Apart from these items you can also check the ASP.Net Performance Improvement Tips that i will be posting as next article. Happy Programming

Related Posts

1. Checklist/Guidelines for ASP.Net Developers
2. ASP.Net Performance Improvement Tips
3. Handling ASP.Net Controls in JavaScript
4. Search Engine Friendly URL (URL Mapping) in ASP.Net 2.0
5. ASP.Net Tutorial: Wizard Control

Tags: asp.net, asp.net developer checklist, asp.net security checklist, Developer Checklist