From Guidance Share

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo

Contents 1 Summary 2 What's New in 2.0 3 SQL Injection 4 Cross-Site Scripting 5 Input and Data Validation 6 Code Access Security 7 Exception Management 8 Impersonation 9 Sensitive Data 10 Cryptography 11 Unsafe Code 12 Potentially Dangerous Unmanaged APIs 13 Auditing and Logging 14 Multi-Threading 15 Related Items

Summary

Use security inspection questions for performing code inspections. Questions put you in the right state of mind when analyzing the code. The questions are organized by categories that are both actionable and tend to contain security issues. You can also chunk up your security inspection by the categories for iterative or incremental approaches.

What's New in 2.0

• Does the code take advantage of the improvements to SecurityException?
• Does the code use DPAPI to protect sensitive data in memory?
• Does the code use EncryptedXML to store sensitive data on disk?
• Does the code ensure that SecureStrings are not passed unnecessarily as regular strings?

SQL Injection

• Is the application susceptible to SQL injection?
• Does the code use parameterized stored procedures?
• Does the code attempt to filter input?

Cross-Site Scripting

• Does the code echo user input or URL parameters back to a Web page?
• Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?

Input and Data Validation

• Does the code validate data from all sources?
• Does the code use a centralized approach to input and data validation?
• Does the code rely on client-side validation?
• Is the code susceptible to canonicalization attacks?
• Is the code susceptible to SQL injection?
• Is the code susceptible to cross-site scripting?

Code Access Security

• Does the code use link demands or assert calls?
• Does the code use AllowPartiallyTrustedCallersAttribute?
• Does the code use potentially dangerous permissions?
• Does the code give dependencies too much trust?

Exception Management

• Is there proper and consistent error checking?
• Do error messages give away too much information?
• Does the application prevent sensitive exception details from being returned to the client?
• Does the application handle errors and exception conditions in the code?

Impersonation

• Does the application use hard-coded impersonation credentials?
• Does the application clean up properly when it uses impersonation?

Sensitive Data

• Does the code store secrets?
• Is sensitive data stored in predictable locations?

Cryptography

• Does the code use custom cryptographic algorithms?
• Does the code use the correct algorithm and an adequate key size?
• How does the code manage and store encryption keys?
• Does the code generate random numbers for cryptographic purposes?

Unsafe Code

• Is the code susceptible to buffer overruns?
• Is the code susceptible to integer overflows?
• Is the code susceptible to format string problems?
• Is the code susceptible to array out of bound errors?

Potentially Dangerous Unmanaged APIs

• Does the code call potentially dangerous unmanaged APIs?

Auditing and Logging

• Does the application log sensitive data?

Multi-Threading

• Is the code subject to race conditions?
• Does the code impersonate?
• Does the code contain static class constructors?
• Does the code synchronize Dispose methods?

Related Items

• Cheat Sheet: .NET Framework 2.0 Security Inspection Questions