If you're not familiar with the Open Web Application Security Project (OWASP) and you design, develop, or use web applications, then you need to learn about it. Today. The organization works across all web technologies "to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks."
OWASP has a ton of security information, all of it available for free on its website. Although the website's wiki isn't the easiest to navigate (Bing and Google are your friends), there's a lot there to explore. They normally have a lot of projects going on and are pretty much the definitive source of web security information.
I've been aware of OWASP for a few years and have also been an individual member for most of the last two or three years. One of the best projects that they have is the OWASP Top Ten Project, which lists the top ten vulnerabilities for contemporary web applications. If you're at all aware of the latest trends in web security, then nothing on the list will be surprising. The following list is from 2010, as the organization is currently working on, and accepting comments for, the 2013 update:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
This list alone is worth studying, if only to make sure that you're aware of the worst vulnerabilities, so you can make sure that your site doesn't expose them. But OWASP includes plenty of information about each vulnerability, its background, how it affects the security of sites, attack scenarios, and lots of references for addressing the problem.
One nice thing about the list is that it cuts across all web technologies with technology-neutral resources. So it's great for learning about the vulnerabilities that can affect all websites, no matter how they are written. But that's also a problem. Coming to the list as an ASP.NET developer, it can be hard to figure out exactly how the vulnerability applies to the technologies I'm using. The list is an important first step to learn about the vulnerabilities and understand how attacks that take advantage of them work, but it doesn't really give me all the information I need to write secure ASP.NET applications. How is ASP.NET vulnerable to this or that attack? Does ASP.NET have any built-in protections? If so, are they on by default or do I have to activate them, or write code to make them work? What do I need to know to avoid circumventing any protections, either intentionally or accidentally?
Sure, I can Bing or Google all day on ASP.NET and a particular vulnerability or attack, but that's a bit too random.
That's where my fellow Microsoft Developer Security MVP, Troy Hunt, comes into the picture. Troy decided about three years ago to write a series of blog posts called OWASP Top 10 for .NET Developers, and produced posts on each of the items in 2010's Top 10 list. It was an ambitious undertaking that he finished toward the end of 2011.
Troy has turned the series into a free eBook since completing the series of blog posts, and you don't even have to register to receive it. It also looks like there's an excellent Pluralsight course on the subject, which isn't free, but that's understandable; he deserves to make a few bucks from all his hard work. He's a very active blogger with frequent new posts about new takes on security issues, often building on and updating the Top 10 information. One example is a really nice post from the middle of 2012, "Lessons in website security anti-patterns by Tesco," that dug into the topic in great depth. Bruce Schneier even mentioned Troy's post, saying, "Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong."
The OWASP Top 10 and Troy's application of it to ASP.NET are well worth the time to read and study. And if you want to help further OWASP's mission, then please consider becoming either an individual or corporate member.