Open Source Security
By Don Kiely
There is a ton of information floating around about computer, network, software, and Internet security. Even with the security features built in to the .NET Framework and ASP.NET, building secure applications is just too darn hard. Unfortunately, I m not going to solve that problem in this short article but what I will do is tell you about a resource that can provide invaluable information and tools for developing secure Web applications, including ASP.NET apps.
The Open Web Application Security Project (OWASP) is a global community with a mission to make application security visible, so that people and organizations can make informed decisions about application security risks. I ve written in asp.netNOW before about their Top 10 list of the most critical Web application security flaws. Not only is it a list of the flaws, but it is backed by plenty of information about how to avoid the flaws and the risks associated with them. Every Web developer should be familiar with the list and how to avoid security problems in their development tools and technologies of choice. One key takeaway: if you are trusting ANY user input in even the smallest way, you re probably at risk for a few of the flaws. And I bet that most developers would be surprised at the range of things that could be considered user input it s not just what a user types into a text box!
OWASP has many dozens of projects going all the time, of which the Top 10 is just one example. They loosely fall into Tools and Documentation project categories, and there are several worth perusing as an ASP.NET developer. The Top 10 is a great place to start, giving you a feel for the breadth and depth of information OWASP makes available. One interesting, but still young, project is the .NET Project, which focuses on providing information and tools to help .NET developers develop secure applications. The main page for the project is, as I write this in early May 2008, a jumble of links to some useful information. There is some nice information about the dangers of running full trust ASP.NET applications a personal favorite topic of mine, since I ve written so much in asp.netNOW about it and how to develop partial trust applications. This is a great way to stay current on developing secure .NET applications particularly Web applications using ASP.NET.
The Tiger Project is a Windows application you can use to automate testing of various ASP.NET security issues, as well as help you build and send HTTP requests, analyze the responses, and receive notifications of problems. It s an interesting alternative to some of the features of Fiddler.
Many other projects are more general (about Web security using any platform or tools), so it s worthwhile to peruse the Web site and learn new things.
Most, if not all, of the content at http://www.owasp.org is on a wiki, so any member can contribute. There is a very active, passionate community for some of the projects, and there are various mailing lists to support the work. I recommend the free OWASP-dotnet list, although lately there have been a lot of organizational e-mails among the beef.
All the materials are free and available to anyone under an open source license. You also can join the group as a way to make a financial contribution, ranging from $100 for individuals up to thousands for large organizations. Membership brings additional benefits, such as a commercial license for the materials and editing rights on the wiki.
OWASP is a good organization with lots of community support that is trying to make our development lives better. Take a look, take what you need, and contribute what you can!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:firstname.lastname@example.org and read his blog at http://www.sqljunkies.com/weblog/donkiely/.