Are we really secure developing applications in ASP.NET MVC?
Almost all applications are vulnerable to attack. According to Gartner, applications and data – not infrastructure – are the focus of modern cyber attacks. And attacks are on the rise. In 2015, companies saw an average of 160 successful cyber attacks per week, more than three times the 2010 average of 50 per week.
Insecure software is undermining financial, healthcare, defense, energy, and other critical infrastructure applications. As digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. Companies can no longer afford to tolerate relatively simple security risks like injection, broken authentication and session management, cross-site scripting, or insecure direct object references.
Current frameworks to develop web apps are insecure by default
One of the principal reasons behind this is the lack of secure software engineering in web application development. The most common security approach in the software development industry is based on best practices that developers must be aware of and apply manually. In other words, we are not using a security by design approach: security relies mainly on people (developers) rather than being automatic.
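To make the "best practices applied manually" point concrete, here is an added example (not code from the original post or from Hdiv) in the ADO.NET style an ASP.NET MVC application might use. The `AlbumSearch` class, the `Albums` table and the connection string are assumptions for illustration. The two search methods are functionally identical for benign input, which is exactly why the insecure one survives code review when nobody remembers the rule.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Class, table and column names
// are assumed for illustration.
public class AlbumSearch
{
    private readonly string _connectionString;

    public AlbumSearch(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Insecure pattern: the search term is concatenated into the SQL text, so
    // the structure of the query depends on user input (OWASP A1, injection).
    // Nothing in the framework flags this; it compiles and works for normal input.
    public IList<string> FindTitlesUnsafe(string title)
    {
        string sql = "SELECT Title FROM Albums WHERE Title = '" + title + "'";
        return Run(new SqlCommand(sql));
    }

    // Best practice the developer must remember on every single query: pass the
    // value as a typed parameter so the database never parses it as SQL.
    public IList<string> FindTitles(string title)
    {
        var cmd = new SqlCommand("SELECT Title FROM Albums WHERE Title = @title");
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 160).Value = title;
        return Run(cmd);
    }

    // The 'using' blocks are the connection-management idiom the post alludes to
    // later: the connection is closed (returned to the pool) even on exception,
    // without the developer having to call Close() by hand.
    private IList<string> Run(SqlCommand cmd)
    {
        var titles = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        {
            cmd.Connection = conn;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    titles.Add(reader.GetString(0));
                }
            }
        }
        return titles;
    }
}
```

The defensive takeaway is that the safe and unsafe variants look alike, behave alike in testing, and differ only in a detail the compiler does not check. That is the gap a security-by-design layer tries to close: either the framework makes the parameterized form the only form, or a runtime check catches the other one.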
So why not make application security visible?
The Open Web Application Security Project (OWASP) is a worldwide, nonprofit organization focused on improving the security of software. It functions as an online community that creates freely available articles, methodologies, documentation, tools, and technologies. The OWASP Top Ten is a widely used awareness document that is published and updated regularly. It lists the 10 most critical web application security risks, providing a description with examples and guidance for avoiding each threat. Project members include a variety of security experts from around the world who share their expertise to produce this list. More information is available on the OWASP website.
Companies should adopt this awareness document within their organization and start the process of ensuring that their applications are protected against these flaws.
Are ASP.NET MVC apps vulnerable to OWASP Top 10?
At Hdiv Security we decided to extend the Microsoft Music Store application to make people aware of the existing situation. Development frameworks remain insecure by default and if the features and functionality of applications continue to be more important to software developers than security, applications will remain insecure by default.
Based on the OWASP Top 10, we have created a new section in the Music Store application with examples for each type of risk.
How can we secure our ASP.NET MVC apps?
As we have seen, there is a very large number of web risks that developers must mitigate manually. Taking into account the statistics available on cybersecurity incidents, the best-practice-based approach does not work in practice. So, even though it should be adopted in all situations, this approach alone is clearly not sufficient.
So what can we do?
Let’s take an example to explain an alternative approach. When many of us started our professional careers, a common issue in production systems was database connections not being managed properly by developers. They had to open and close connections manually using the database driver. Sometimes they forgot, but fortunately, thanks to the automatic connection management offered by Microsoft, this issue has almost disappeared.
So, what about solving security issues by delegating security to the architecture, following a security by design approach?
This is the approach that we have adopted within Hdiv through the integration of security best practices into the .NET library. In other words, even though developers may not follow the recommended best practices, Hdiv automatically implements a very large group of checks, avoiding many of the most common web risks by default. In the following table we can see the security level offered by Hdiv.
(*) Because CSRF prevention in ASP.NET MVC is not automatic and depends on developers applying it, we consider that ASP.NET MVC does not cover this risk and is insecure by default.
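The footnote above is easiest to see in code. The following is an added example for ASP.NET MVC 5 (not code from the original post, and not Hdiv's implementation); the `AccountController`, its actions, and the `FilterConfig` location are assumed for illustration. The first half shows why CSRF protection counts as developer-dependent: the framework ships the building blocks, but each state-changing action only gets the check if someone remembers the attribute. The second half shows the "delegate security to the architecture" idea from the previous section as a plain MVC global filter, so one forgotten attribute no longer reopens the hole.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

namespace MusicStore.Controllers // assumed namespace for illustration
{
    public class AccountController : Controller
    {
        // INSECURE BY DEFAULT: nothing in the framework checks that this POST came
        // from a form this application rendered. The request is processed as long
        // as the browser sends the user's authentication cookie.
        [HttpPost]
        public ActionResult ChangeEmailUnprotected(string newEmail)
        {
            // ... update the current user's e-mail address ...
            return RedirectToAction("Index", "Home");
        }

        // PROTECTED: the filter checks that the hidden __RequestVerificationToken
        // form field matches the anti-forgery cookie. The view must emit the token:
        //
        //   @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
        //   {
        //       @Html.AntiForgeryToken()
        //       @Html.TextBox("newEmail")
        //       <input type="submit" value="Save" />
        //   }
        //
        // Leaving the attribute off any one action silently removes the check,
        // which is what the footnote means by "depends on developers".
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult ChangeEmail(string newEmail)
        {
            // ... update the current user's e-mail address ...
            return RedirectToAction("Index", "Home");
        }
    }
}

namespace MusicStore.Security // assumed namespace for illustration
{
    // Illustrative security-by-design variant (assumption, not Hdiv's code):
    // validate the anti-forgery token on every request that can change state,
    // application-wide, so the check no longer depends on per-action discipline.
    public class ValidateAntiForgeryTokenOnUnsafeMethods : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            string method = filterContext.HttpContext.Request.HttpMethod;

            // Safe methods must not change state; they carry no token and are skipped.
            if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            {
                return;
            }

            // Throws HttpAntiForgeryException when the token is missing or does
            // not match the cookie, so the action never runs.
            AntiForgery.Validate();
        }
    }

    // Registered once, e.g. from App_Start/FilterConfig.cs (assumed location),
    // by calling RegisterGlobalFilters(GlobalFilters.Filters) at startup.
    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethods());
        }
    }
}
```

With the global filter in place, forms still need `@Html.AntiForgeryToken()` in the view, but a developer who forgets it now gets a failing request in testing rather than a silently exposed endpoint in production. That inversion, from "insecure unless you remember" to "broken until you do it right", is the practical difference between the two approaches the post contrasts. Any non-form POST endpoints (for example, JSON called from script) would need the token supplied in a header or body field and validated accordingly, or an explicit exemption; the filter makes that decision visible instead of implicit.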
Note that Hdiv does not change the original programming model offered by .NET; it works in the background without any Hdiv-dependent code within the application.