Securing .NET Applications

Chapter 1, Secure Computing in an Insecure WorldThis chapter will introduce the concept of software based security and fit it in the context of the application developersSurvey of Various DangersUnderstanding the RisksNo Such Thing as “Secure” Our Goal is DefensibleSecurity is Everyone’s Concern, Especially the DeveloperChapter 2: Overview of Common Attack VectorsIn this chapter we will discuss some of the top attack patterns that frequently plague web applicationParameter Manipulation Various InjectionsSensitive Data Exposure(Other vectors)Chapter 3: Security PrinciplesIn this chapter we will give an overview of various guiding principles for secure programming.   This chapter will include references to other chapters where these concepts are discussed in greater depth of real world examples are showcasedFail SecurelyPositive Security Model (White list)Negative Security Model (Black list)Minimize Attack SurfaceSeparation of DutiesAvoid Security Through ObscurityKeep Security SimpleDon’t Trust ServicesDefense in DepthLeast PrivilegeEstablish Secure Defaults Chapter 4: Validations in PracticeBlessed are the Paranoid for they ValidateIn this chapter we will explore all things validationDon’t Trust UsersDon’t Trust Input Parameters from unknown sourcesDon’t Trust Input Files you didn’t writeDon’t trust data even from your own databaseOverview of the Standard ValidatorsValidators are SQL Firewall Rules Chapter 5: Application Topography for SecurityBlessed are the Lonely for they SeparateIn this chapter we discuss how to structure a distributed application paying attention to what goes inside and outside of the firewallDistributed Application creates a Larger Attack SurfaceSeparate the Database from the Application Server            Properly Handling Connection StringsWhat should stay outside the firewallWhat should stay inside the firewallHow do servers communicateChapter 6:  Mitigating Risk by Minimizing PrivilegeBlessed are the Cautious for they Follow the Principle of Least PrivilegeIn this chapter we will introduce and explore the Principle of Least Privilege.  We will see how this applies to the database specifically as well as to network resources in general.The Database has all the Keys to the KingdomSeparate Key Sensitive Data to a Separate DatabaseIsolate Key Sensitive in the Same Database with Separate LoginsSeparate Transaction Data from Reporting DataUnderstanding Access Control Lists  Chapter 7: Cryptography in PracticeBlessed are the Cryptic for Even Stolen Data is SecureIn this chapter we will discuss cryptography from an application perspective.  We will review the common algorithms used, how they are executed, and we will discuss some best practices for using cryptography.Cryptography can be a Self-Imposed Denial of Service if used wrongSymmetric CryptographyAsymmetric CryptographyDigital SignaturesHashingChapter 8:  Authentication and AuthorizationIn this chapter we will discuss all things related to Authentication and Authorization.  This may be split into 2 chapters not sure yet.Password complexity policiesPassword resets2 Factor AuthenticationIdle TimeoutsLogging OutAuthorization MatrixAccess Control ListsProtected ResourcesStatic ResourcesReauthorizationJWT (JSON Web Tokens) Chapter 9: Securing Web Services In this chapter we will discuss web services, the roles they play in modern web applications and how to properly secure them. Chapter 10 Threat ModelingIn this chapter we will step through the Microsoft Threat Modeling Process.  We will discuss the importance of modeling, review the individual steps, and discuss ways to incorporate this into your development lifecycle Identify Security ObjectivesSurvey the ApplicationDecompose the ApplicationIdentify ThreatsSTRIDEDREADChapter 11 Best Practices This will be a wrap up chapter that will reiterate all the best practices identified though out the book.  Best practices will be grouped by chapter giving the reader a quick link back to where the best practice was introduced so they can quickly get more context.