Many developers are faced with the task of writing secure web applications with ASP.NET. This article describes the single most important thing to focus on. In short, input validation is the part that requires the greatest care and effort when implementing security in an ASP.NET application.
Input validation is a crucial part of any secure web application. Good input validation prevents SQL injection and Cross-Site Scripting attacks. SQL injection attacks are extremely dangerous and are often looked for by malicious attackers. Cross-Site Scripting vulnerabilities are extremely common and are among the most embarrassing. Input validation helps prevent these two types of attacks, which rank #1 and #2 on the OWASP Top 10 list respectively. The importance of input validation is clear, and it is a good idea to treat all user input as potentially malicious; but there are other vital parts of a secure application, so why single out input validation?
The reason input validation requires extra dedication is that it is different for every application. Therefore, there is no standardized library or built-in functionality that can be used as the input validation subsystem. Of course, regular expression functionality greatly simplifies implementing input validation, but it does not provide a plug-and-play component. The input validation subsystem has to be designed and implemented from scratch specifically for the given application. The quality of the input validation routines will play a significant role in determining the overall security level of the application.
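As an added example, not code from the original article: an allow-list validator written for one hypothetical application's own fields, with the accepted values still passed to parameterised SQL and HTML-encoded on output. The field names, regex patterns, and the Users table and Username column are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
public static class InputValidator
{
    // One allow-list rule per field; anchors and length bounds are part of the rule (assumed fields).
    private static readonly Dictionary<string, Regex> Rules = new Dictionary<string, Regex>
    {
        { "username", new Regex(@"^[A-Za-z0-9_]{3,20}$") },
        { "comment",  new Regex(@"^[\s\S]{1,500}$") }, // free text: length bound only, encoded on output
    };

    // True only if the value matches the rule for that field; unknown fields and nulls fail closed.
    public static bool TryValidate(string field, string value, out string clean)
    {
        clean = null;
        Regex rule;
        if (value == null || !Rules.TryGetValue(field, out rule)) return false;
        if (!rule.IsMatch(value)) return false;
        clean = value;
        return true;
    }
}

public static class UserRepository
{
    // Validation complements parameterised SQL: the accepted value travels as a parameter, not SQL text.
    public static int CountByUsername(SqlConnection conn, string rawUsername)
    {
        string username;
        if (!InputValidator.TryValidate("username", rawUsername, out username))
            throw new ArgumentException("Rejected username");
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Username = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", username);
            return (int)cmd.ExecuteScalar();
        }
    }

    // A validated comment is still HTML-encoded when rendered, so stored text is never treated as markup.
    public static string RenderComment(string rawComment)
    {
        string comment;
        return InputValidator.TryValidate("comment", rawComment, out comment)
            ? HttpUtility.HtmlEncode(comment) : string.Empty;
    }
}
```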
Other important security subsystems include session management, authentication, authorization, communication security, encryption, error handling, and logging. Unlike input validation, these other subsystems can typically be implemented by using functionality built into ASP.NET. The reason is that these subsystems have similar requirements in most applications and therefore lend themselves well to a standardized approach implemented by the framework. Encryption is the clearest example, since it is much better to use platform APIs than to implement your own cryptography. Other subsystems, like session management and authorization, are best handled by ASP.NET as well.
Input validation is the security component to invest the most time and effort in, because it has to be custom-built for your application. The rewards of good input validation are resilience to dangerous attacks and a high level of information assurance.