web application security

I have built a few websites, but have not been so conscious of security. I would want to be security conscious now in the next web applications I will develop.

I would want to buy the best books on web application security. I am using VB.NET.

Asked by Anthony Matovu, Business Analyst, MTN Uganda.
Giovanni Heward commented:
You'll want to adopt the concept of least privilege and defense in depth. Ensure a firewall is blocking all ports except those absolutely necessary (80/TCP, 443/TCP). For the required ports that remain, consider using an application firewall. Place a Web Application Firewall in front of the webserver to inspect requests, such as ModSecurity with the OWASP ModSecurity Core Rule Set (CRS). This product is capable of "virtual patching", that is, intercepting malicious requests and modifying them to be inert in transit.

Best Practices: Use of Web Application Firewalls

In addition, you'll want to harden your server OS, web server, and web application code. For web applications see the OWASP Top 10 Vulnerabilities and Securing Web Application Technologies [SWAT] Checklists.

Developer Awareness Training Modules [Videos]

Highly Recommended: http://software-security.sans.org/course/secure-coding-net-developing-defensible-applications

A1-Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

To harden your OS, see:

Twenty Critical Security Controls for Effective Cyber Defense

Going Beyond Just Anti-Virus Scanning
    How your AV scanners can fail you
    Application whitelisting
    Script and executable signing
    Controlling USB devices
    DEP, ASLR, and SEHOP
    Benevolent Microsoft rootkit: EMET
    Restoring to a pristine OS image
    Virtual Desktop Infrastructure (VDI)

OS Hardening with security templates
    INF vs. XML security templates
    How to edit and apply templates
    Security configuration and analysis
    Security configuration wizard
    Auditing with templates

Hardening with Group Policy
    Group Policy Objects (GPOs)
    Third-party GPO enhancements
    Pushing out PowerShell scripts
    GPO remote command execution
    GPO troubleshooting tools
    Custom ADM/ADMX templates

Enforcing Critical Controls for applications
    Protected Mode Sandboxes
    Metro AppContainer Sandboxes
    Hardening Internet Explorer
    Hardening Google Chrome
    Hardening Adobe Reader
    Hardening Java
    Hardening Microsoft Office

Compromise of Administrative Powers
    Hackers and malware LOVE administrative users
    Partially limiting pass-the-hash attacks and token abuse
    How to get users out of the administrators group
    Secretly limiting the power of administrative users
    Limiting privileges, logon rights and permissions
    User Account Control (making it less annoying)
    Kerberos armoring and eliminating NTLM
    Picture password on touch tablets
    Windows Credential Manager vs. KeePass

Active Directory Permissions and Delegation
    Active Directory permissions
    Active Directory auditing
    Delegating authority at the OU level
    Domains are not security boundaries
    Logging attribute content changes

Updating Vulnerable Software
    Everything must be patched every week
    Patching off-site tablets and laptops
    Identifying rogue devices (BYOD Hell)
    WSUS shortcomings
    WSUS third-party enhancements
    Windows App Store (Metro)
    The future: continuous updates

Why Have a PKI?
    Strong authentication and encryption
    Passwords are dead
    Smart cards, IPSec, wireless, SSL, S/MIME, etc.
    Mobile and BYOD computers
    Code and document signing

How to Install the Windows PKI
    Root vs. subordinate certification authorities
    Should you be your own root CA?
    Custom certificate templates
    Controlling certificate enrollment

How to Manage Your PKI
    Group policy deployment of certificates
    Group policy PKI settings
    How to revoke certificates
    Automatic private key backup
    Credential roaming of keys
    Delegation of authority

Deploying Smart Cards
    Everything you need is built-in
    TPM virtual smart cards
    Smart card enrollment station
    Group policy deployment
    Smart cards on a limited budget

BitLocker Drive Encryption and Secure Boot
    UEFI Secure Boot
    TPM boot integrity checking
    Cold boot and 1394 port attacks
    USB device encryption
    Mounting encrypted VHD files
    BitLocker emergency recovery
    BitLocker network unlock of the PIN

Why IPSec?
    IPSec is NOT just for VPNs!
    More secure than SSL
    User/computer authentication
    Transparent to users
    No user training required
    NIC hardware acceleration
    Compatible with NAT

Creating IPSec Policies
    Require vs. prefer encryption
    Share permissions on TCP ports
    IDS/IPS compatibility options
    IPSec-based encrypted VLANs
    Group Policy management
    Scripting for BYOD stand-alones

Windows Firewall
    Group Policy management
    Metro app and service awareness
    Roaming and VPN compatibility
    Deep IPSec integration
    NETSH and PowerShell scripting

Securing Wireless Networks
    Wi-Fi Protected Access (WPA2)
    Pre-shared key weaknesses
    DoS attack vulnerabilities
    Rogue access point detection
    BYOD and network bridging
    Wireless best practices

RADIUS for Wireless and Ethernet
    Certificate authentication and PKI
    How to use smart cards
    EAP vs. PEAP
    802.1X for Ethernet switches
    Account lockout DoS attacks
    Group Policy configuration of clients

Dangerous Server Protocols
    Eliminate SSL, only use TLS
    Requiring strong ciphers and keys
    RDP man in the middle attacks
    SMBv3 native encryption
    SMB downgrade attacks
    NTLM, NTLMv2 and Kerberos
    Kerberos armoring
    Hardening the protocol stack
    What about IPv6?

Server Hardening
    Server Manager and PowerShell
    Server Core/Minimal/Full
    Security templates and Group Policy
    Preparing for incidents: pre-forensics
    Service account security
    Scheduling tasks remotely and safely

Internet-Exposed Member Servers
    Not every server can be a stand-alone
    Active Directory for the DMZ or the cloud
    Cross-forest trusts and Selective Authentication
    Read-only domain controllers (RODC)
    Firewall design for DMZ or cloud member servers

Dynamic Access Control (DAC)
    Claims-based access control and auditing
    DAC does not require Windows 8
    DAC conditional expressions
    DAC and complying with regulations
    Automatic file classification infrastructure
    User and device identity restrictions
    Auditing without managing SACLs
    Central access policy deployment

Microsoft Baseline Security Analyzer
Microsoft Web Application Configuration Analyzer

The Web Application Security Consortium (WASC) has a list of web application security scanners.
The Open Web Application Security Project (OWASP) Phoenix has a list of various web application testing tools.

I've had good results with NTOSpider.

Here's a sample diagram depicting my recommended approach, as it pertains to the DMZ.

Recommended Topology (DMZ)
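One way to put the A1, A3, A4/A7 and A10 items from the list above into code, in the asker's language, as an added example that is not from the thread, from OWASP or from any ASP.NET sample; the connection-string name "AppDb", the Orders table and its columns, and the lblGreeting control are all assumed:

```vbnet
' Added example (not from the thread or OWASP): defensive VB.NET code-behind for an
' ASP.NET Web Forms page. Assumed: connection string "AppDb", Orders(OrderId, Total, OwnerUserName), Literal lblGreeting.
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web
Partial Public Class OrderPage
    Inherits System.Web.UI.Page

    ' A1 Injection: id and user name travel as parameters, never spliced into the SQL
    ' text, so whatever they contain is treated as data, not syntax. A4/A7: the WHERE
    ' clause also requires that the logged-on user owns the row, so editing ?id= cannot expose another user's order.
    Private Function LoadOrder(orderId As Integer) As SqlDataReader
        Dim conn As New SqlConnection( _
            ConfigurationManager.ConnectionStrings("AppDb").ConnectionString)
        Dim cmd As New SqlCommand("SELECT OrderId, Total FROM Orders " & _
            "WHERE OrderId = @id AND OwnerUserName = @user", conn)
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = User.Identity.Name
        conn.Open()
        Return cmd.ExecuteReader(CommandBehavior.CloseConnection)
    End Function

    ' A10 Unvalidated redirects (call this from whichever handler issues the redirect):
    ' accept only a site-relative path; absolute and protocol-relative forms (//host, /\host) fall back to the home page.
    Private Function SafeReturnUrl(candidate As String) As String
        If Not String.IsNullOrEmpty(candidate) _
           AndAlso candidate.StartsWith("/") _
           AndAlso Not candidate.StartsWith("//") _
           AndAlso Not candidate.StartsWith("/\") _
           AndAlso Uri.IsWellFormedUriString(candidate, UriKind.Relative) Then
            Return candidate
        End If
        Return "~/Default.aspx"
    End Function

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim id As Integer
        If Not Integer.TryParse(Request.QueryString("id"), id) Then
            Throw New HttpException(400, "Invalid order id")   ' non-numeric id never reaches SQL
        End If
        Using rdr = LoadOrder(id)
            If Not rdr.Read() Then Throw New HttpException(404, "Order not found")
        End Using
        ' A3 XSS: HTML-encode untrusted text before it becomes part of the page.
        lblGreeting.Text = HttpUtility.HtmlEncode(User.Identity.Name)
    End Sub
End Class
```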
Paul Jackson, Software Engineer, commented:
A few links to some books on Amazon on ASP.NET security:

A very good entry-point book:

Beginning ASP.Net Security

A little bit more advanced and in-depth:

Pro ASP.Net Web API Security

Another good in-depth book:

ASP.Net Security
Samir Bhogayta, Freelancer and IT Consultant, commented:

You have to upload your site with only the .dll file. It is created at the time you publish your project, producing only one dll file for your whole project. It compiles all your code pages into one dll, and you just upload the design pages to the website.
Paul Jackson, Software Engineer, commented:
That answer has nothing to do with web application security, that only protects your application code if the server it is hosted on is compromised.
Web application security is more to do with the security of the data when transmitting information over the internet/intranet and protecting the site from hackers.
Giovanni Heward commented:
@Modalot - My personal suggestion is #4 (split points), distributed as:
ID: 39714443 - 325 points (accepted as primary-- for future search results)
ID: 39714198 - 125 points
ID: 39716470 - 50 points
