The following links have been provided to assist ASP.NET developers in coding applications securely.
Ben Sudbury's Presentation on Web Application Security
This presentation covers a number of key vulnerabilities that are often overlooked when developing web applications. There is an explanation of some of the more common exploits and how you can protect against these exploits. There are specific examples that use features in Visual Studio 2005 to overcome some of the vulnerabilities.
http://www.ico.com.au/static/Webappsecurity/intro.htm
The Open Web Application Security Project (OWASP) Top Ten Vulnerabilities.
This is a list of the most common and most important vulnerabilities to consider when developing web applications. It is referenced by many large organisations and security standards and is an excellent starting point for understanding vulnerabilities and coding against them.
http://www.owasp.org/documentation/topten.html
Microsoft Threat Modelling Tool
This tool is a fantastic way to model your system's use cases in an easy Visio-style environment. Once you have modelled the application, the tool matches your architecture against a range of known threats and gives guidance on how to remove any vulnerabilities that your code might have in relation to those threats.
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
Asp.Net 2.0 Security Practices
Part of the Patterns and Practices initiative by Microsoft (an excellent resource in itself), this document outlines the main issues that you need to be concerned with when coding in ASP.NET 2.0. It is focused specifically on ASP.NET 2.0 and is hence more practical in its nature.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp
FxCop
This is a utility that scans through your .net code looking for defects in the areas of:
- Library design
- Localization
- Naming conventions
- Performance
- Security
It can pick up some of the major problems in code but it is not a panacea.
http://www.gotdotnet.com/team/fxcop/
Australian Computer Emergency Response Team
A valuable alerting service for learning about newly disclosed security vulnerabilities early. It is not limited to any particular technology, but it is important for guarding against vulnerabilities that were unknown when your application was written. The 2005 Australian Computer Crime and Security Survey is also available here.
http://www.auscert.org.au/
Securing your ASP.Net Application
Threats and Techniques for avoiding them in Asp.Net
http://www.c-sharpcorner.com/Code/2004/Sept/securewebappl.asp
Web Application Security Consortium
More resources for understanding attack types and developing countermeasures. They have a list of Classes of Attack that attempts to categorise all types of Web Application Threats.
http://www.webappsec.org/
How do buffer overflow attacks work?
An excellent resource with interactive demos that helps explain how buffer overflow attacks work and how to guard against them. Safe managed .NET code is protected against this class of attack by the runtime's array bounds checking (code in unsafe blocks, or that calls native libraries through P/Invoke or COM interop, does not get that protection), but it is still a good resource for the high-level programmer to understand exactly what a buffer overflow attack is.
http://nsfsecurity.pr.erau.edu/bom/index.html
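As an added illustration of the point above (this is example code written for this page, not material from the linked site), the following C program simulates what the demos show. A 16-byte "frame" is constructed inline, holding an 8-byte input buffer followed by 8 bytes that stand in for the saved return address; the frame layout and the constructed attacker input are assumptions made for the demonstration. An unchecked copy lets input longer than the buffer run into the adjacent bytes, which is exactly the write a real overflow uses to hijack control flow; the bounds-checked copy refuses the oversized input, which is the check the .NET runtime performs automatically on every array access.

```c
#include <string.h>
#include <stdio.h>

/* Simulated stack frame: an 8-byte input buffer immediately followed by
   8 bytes that play the role of the saved return address. Keeping both
   inside one array means every write below stays within one C object. */
#define BUF_SIZE   8
#define FRAME_SIZE 16
#define RET_MARKER "RETADDR"   /* 7 chars + NUL fills the 8-byte slot */

/* Vulnerable: copies len bytes with no check against BUF_SIZE.
   Returns the number of bytes written past the buffer (0 if none). */
size_t unchecked_copy(char frame[FRAME_SIZE], const char *input, size_t len) {
    if (len > FRAME_SIZE)           /* keep the simulation itself in bounds */
        len = FRAME_SIZE;
    memcpy(frame, input, len);      /* no comparison against BUF_SIZE */
    return len > BUF_SIZE ? len - BUF_SIZE : 0;
}

/* Hardened: rejects input that does not fit, returning -1, and never
   touches the bytes after the buffer. This is the check a managed
   runtime makes for you and throws IndexOutOfRangeException on. */
int checked_copy(char frame[FRAME_SIZE], const char *input, size_t len) {
    if (len > BUF_SIZE)
        return -1;
    memcpy(frame, input, len);
    return 0;
}

/* Returns 1 if the simulated saved return address is still intact. */
int return_address_intact(const char frame[FRAME_SIZE]) {
    return memcmp(frame + BUF_SIZE, RET_MARKER, sizeof RET_MARKER) == 0;
}

/* Builds a fresh frame with an empty buffer and the marker in place. */
void init_frame(char frame[FRAME_SIZE]) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, RET_MARKER, sizeof RET_MARKER);
}

/* Runs both copies against a constructed 12-byte "attacker" input and
   reports whether each one clobbered the saved return address. */
int demo(void) {
    const char attacker_input[] = "AAAAAAAAXXXX";  /* constructed: 12 bytes */
    char frame[FRAME_SIZE];
    int clobbered_by_unchecked, clobbered_by_checked;

    init_frame(frame);
    unchecked_copy(frame, attacker_input, strlen(attacker_input));
    clobbered_by_unchecked = !return_address_intact(frame);

    init_frame(frame);
    checked_copy(frame, attacker_input, strlen(attacker_input));
    clobbered_by_checked = !return_address_intact(frame);

    printf("unchecked copy overwrote saved return address: %s\n",
           clobbered_by_unchecked ? "yes" : "no");
    printf("checked copy overwrote saved return address:   %s\n",
           clobbered_by_checked ? "yes" : "no");
    return clobbered_by_unchecked && !clobbered_by_checked;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

Run it and the unchecked copy reports that the four surplus bytes landed on the simulated return address, while the checked copy leaves it untouched. In a real process those surplus bytes would be chosen to point execution at attacker-supplied code, which is why the length check (or a runtime that performs it for you) is the whole defence.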
Howto: Perform a Security code review for Managed Code
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000027.asp