I spoke to The San Francisco .NET Developers User Group last week on the topic of Practical Web Application Security with ASP.NET / MVC. Following are some of the links from my talk. For additional links, please see my earlier talk: Resources – talk @ 10th Annual SecureIT conference
- Home/MVC/Overview/Chapter 7. Security
- Security Extensibility in ASP.NET 4 (This whitepaper covers the major ways in which security features in ASP.NET 4 can be customized, including: encryption options and functionality in the <machineKey> element, interoperability of ASP.NET 4 forms authentication tickets with ASP.NET 2.0, configuration options to relax automatic security checks on inbound URLs, pluggable request validation, and pluggable encoding for HTML elements, HTML attributes, HTTP headers, and URLs)
- WebGoat @ OWASP
- Preventing Open Redirection Attacks (C#)
- Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper
- Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute
- Security Compliance as an Engineering Discipline
- Asp .Net MVC Security Review Checklist
The code from the talk can be downloaded from here. Also, Jerry Hoff's ASP.NET port of WebGoat is available here (jerryhoff/WebGoat.NET).