Roman Canlas - ASP.NET Core 5 Secure Coding Cookbook

Practical recipes for tackling vulnerabilities in your ASP.NET web applications

Roman Canlas

BIRMINGHAMMUMBAI

Copyright 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Aaron Lazar

Publishing Product Manager: Richa Tripathi

Senior Editor: Ruvika Rao

Content Development Editor: Vaishali Ramkumar

Technical Editor: Karan Solanki

Copy Editor: Safis Editing

Project Coordinator: Deeksha Thakkar

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Nilesh Mohite

First published: June 2021

Production reference: 2130721

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-156-7

www.packt.com

To the reader, I hope I have piqued your interest in writing secure code and you'll learn as much as I have in writing this book.

Roman Canlas

When tackling the topic of security, we should ask ourselves why we make technology and tools in the first place. Do we create for security or for a specific application? Afterall, there is a reason why we call software applications. We are applying purposes to our software. For this wisdom, we look to a woman who knew a lot about software, hardware, and big boats:

"A ship in port is safe, but that's not what ships are built for."

- Grace Hopper

Similarly, your application is built for a reason. But, as Grace implies, security must be achieved, even if it isn't our primary purpose.

In ASP.NET Core 5 Secure Coding Cookbook, author Roman Canlas has set a precedent by writing a book with a title that you have to think about for a few seconds, before you can fully grok its purpose. Much like the title, you'll find yourself pondering and contemplating over the content of this book, finding new ways to apply this wisdom. You'll find practical solutions and detailed explanations, from security coding fundamentals, to fixing issues in injection, authentication, exposed data, and more.

One of the backbones of ASP.NET Core 5 is to provide an application development framework that champions and enables secure coding. It is no accident that Microsoft has provided these tools.

"Security is... our top priority - if we don't solve these security problems, then people will hold back."

- Bill Gates

As Bill Gates once said, there is nothing more important than security. If your code isn't secure, then, as a developer, you will not build a robust application; it will be limited. Likewise, your users will also hold back and will be hesitant to how they might use and trust your application. It's critical that the framework allows secure coding capabilities, and it's equally important that you take this book to heart and implement these patterns, processes, and practices.

Take this book with you in your career, and then refer back to these recipes as often as you can. Just like chefs should review their recipes before they cook their culinary creations, you also should review these recipes before you serve your customers with a masterpiece of your own.

Ed Price Senior Program Manager of Architectural Publishing Microsoft, Azure Architecture Center ()Co-Author of 5 Books, including The Azure Cloud Native Architecture Mapbook and ASP.NET Core 5 for Beginners (both from Packt)

Roman Canlas is a senior application security engineer working at a Fortune 500 company where he successfully established its global application security program from the ground up. His years of experience as a developer have led to him being an expert in secure code reviews and static application security testing, focusing on web technologies.

Roman holds multiple certifications: the GIAC Web Application Penetration Tester (GWAPT), ISC2's Certified Secure Software Lifecycle Professional (CSSLP), and EC-Council's Certified Application Security Engineer in .NET (CASE.NET).

Roman also has a master's degree in information systems and a bachelor's in computer science.

To Doug, Tim, and Chuck, thanks for believing in me and supporting my personal endeavor. To Richa, for believing in the book's topic and giving me the opportunity to write for Packt. To Vaishali, Ruvika, Karan, Nithya, Deeksha, and the rest of the Packt team, I thank you all for your tireless efforts. To Allan Mangune and Hemant Shah, both great technical reviewers, I am grateful for your comments and feedback.

Hemant Shah is a strong advocate of shift left in the industry. His software developer training and background allow him to speak the developer's language in managing AppSec programs and helps the development team understand the value and impact of delivering secure software. He is a cloud and application security professional with a bachelor's degree in information technology with around 15 years of experience in designing, troubleshooting, and securing large-scale applications with sound exposure to OWASP. Secure coding reviews, risk assessment procedures, authentication technologies, policy formation, threat modeling, and design reviews are the key areas he is focused on.

Allan SP Mangune is a certified public accountant and holds a post-graduate degree of Master of Science in computer information systems from the University of Phoenix. He has been writing software since 2000 and practicing secure coding since he gained, in 2008, his Certified Ethical Hacker v5 credential. He has helped clients with their digital transformation journey and digital security. He has delivered Agile project management workshops to large organizations for more than a decade. He is a certified ScrumMaster and holds a Prince2 Agile Foundation certificate. For 10 years, he was awarded Microsoft MVP for ASP.NET and Development Technologies. He used to be a Microsoft Certified Trainer. He builds his own drones during his free time.