From Guidance Share

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo

Contents 1 Summary 2 What's New in 2.0 3 Auditing and Logging 4 Authentication 5 Authorization 6 Code Access Security 7 Cross-Site Scripting 8 Cryptography 9 Data Access 10 Exception Management 11 Forms Authentication 12 Impersonation 13 Input and Data Validation 14 Sensitive Data 15 SQL Injection 16 Unsafe Code 17 Potentially Dangerous Unmanaged APIs 18 Related Items

Summary

Use security inspection questions for performing code inspections. Questions put you in the right state of mind when analyzing the code. The questions are organized by categories that are both actionable and tend to contain security issues. You can also chunk up your security inspection by the categories for iterative or incremental approaches.

What's New in 2.0

• Does the code ensure that the connection strings configuration section is encrypted?
• Does the code ensure that membership providers use strong passwords?
• Does the code ensure that the roles cookie is encrypted and checked for integrity?
• Does the code ensure that the roles cookie has a limited life time?
• Does the code persist role manager cookies?

Auditing and Logging

• Does the application use health monitoring?
• Does the application log sensitive data?

Authentication

• Does the code enforce strong user management policies?
• Does the code restrict the number of failed login attempts?

Authorization

• How does the code protect access to restricted pages?
• How does the code protect access to page classes?
• Does the code use Server.Transfer?

Code Access Security

• Does the code use link demands or assert calls?
• Does the code use AllowPartiallyTrustedCallersAttribute?
• Does the code use potentially dangerous permissions?
• Does the code give dependencies too much trust?

Cross-Site Scripting

• Does the code echo user input or URL parameters back to a Web page?
• Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?

Cryptography

• Does the code use custom cryptographic algorithms?
• Does the code use the correct algorithm and an adequate key size?
• How does the code manage and store encryption keys?
• Does the code generate random numbers for cryptographic purposes?

Data Access

• Does the application use SQL authentication?
• How does the application store database connection strings?

Exception Management

• Does the code handle errors and exception conditions?
• Does the code use a global error handler?
• Does the code leak sensitive information in exceptions?
• Does the application expose sensitive information in user sessions?
• Does the application fail securely in the event of exceptions?

Forms Authentication

• Does the code use membership?
• Does the code persist forms authentication cookies?
• Does the code reduce ticket life time?
• Does the code use protection="All"?
• Does the code restrict authentication cookies to HTTPS connections?
• Does the code use SHA1 for HMAC generation and AES for encryption?
• Does the code use distinct cookie names and paths?
• Does the code keep personalization cookies separate from authentication cookies?
• Does the code use absolute URLs for navigation?
• How does the code store passwords in databases?
• Does the code partition the Web site into restricted and public access areas?

Impersonation

• Does the application use hard-coded impersonation credentials?
• Does the application clean up properly when it uses impersonation?

Input and Data Validation

• Does the code validate data from all sources?
• Does the code use a centralized approach to input and data validation?
• Does the code rely on client-side validation?
• Does the code accept path or file-based input?
• Does the code validate URLs?
• Does the code use MapPath?

Sensitive Data

• Does the code store secrets?
• Is sensitive data stored in predictable locations?
• Does the code store sensitive data in view state?
• Does the code pass sensitive data across Web pages?

SQL Injection

• Is the application susceptible to SQL injection?
• Does the code use parameterized stored procedures?
• Does the code use parameters in SQL statements?
• Does the code attempt to filter input?

Unsafe Code

• Is the code susceptible to buffer overruns?
• Is the code susceptible to integer overflows?
• Is the code susceptible to format string problems?
• Is the code susceptible to array out of bound errors?

Potentially Dangerous Unmanaged APIs

• Does the code call potentially dangerous unmanaged APIs?

Related Items

• Cheat Sheet: ASP.NET 2.0 Security Inspection Questions