How to Remediate Security Vulnerabilities in ASP.NET Applications

Common Security Flaws in ASP.NET Web Applications

Your company might find itself in a situation where a security firm has identified security vulnerabilities in your ASP.NET application and now you need to get those issues resolved quickly.

The good news is that many vulnerabilities can be fixed with minimal code changes. The three most common vulnerabilities that we come across are Broken Access Control, SQL Injection, and Unpatched Libraries:

Broken Access Control

Broken Access Control occurs most frequently in apps built on a SPA architecture. It can manifest in several ways, but the most common we see is an API that accepts a user identifier and returns data to any caller presenting a valid token. The flaw is that the API never checks that the requested data belongs to the owner of that token, so a logged-in user can read another user's data simply by changing the identifier in the request.
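The pattern described above, shown as an added ASP.NET Core example (this is illustrative code written for this article, not code from any real application): the first controller trusts `[Authorize]` alone, so any authenticated caller can fetch any order by id; the second takes the caller's identity from the token's claims and refuses to return a record the caller does not own. The `Order` record and `IOrderRepository` interface are hypothetical, and the `NameIdentifier` claim is assumed to carry the user id that the token issuer populates.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain types shared by both versions of the endpoint.
public record Order(int Id, string OwnerId, decimal Total);

public interface IOrderRepository
{
    Task<Order?> FindAsync(int orderId);
}

// VULNERABLE: [Authorize] proves the caller has *a* valid token, nothing more.
// Any logged-in user can enumerate order ids and read other users' orders.
[ApiController]
[Route("api/orders")]
[Authorize]
public class VulnerableOrdersController : ControllerBase
{
    private readonly IOrderRepository _orders;
    public VulnerableOrdersController(IOrderRepository orders) => _orders = orders;

    [HttpGet("{orderId:int}")]
    public async Task<IActionResult> Get(int orderId)
    {
        var order = await _orders.FindAsync(orderId);
        // Ownership is never compared against the caller.
        return order is null ? NotFound() : Ok(order);
    }
}

// FIXED: the caller's id comes from the token, never from the request,
// and the record's owner must match it before anything is returned.
[ApiController]
[Route("api/orders")]
[Authorize]
public class OrdersController : ControllerBase
{
    private readonly IOrderRepository _orders;
    public OrdersController(IOrderRepository orders) => _orders = orders;

    [HttpGet("{orderId:int}")]
    public async Task<IActionResult> Get(int orderId)
    {
        // Subject of the authenticated principal (assumed to be the user id).
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(callerId))
            return Unauthorized();

        var order = await _orders.FindAsync(orderId);
        if (order is null)
            return NotFound();

        // Ownership check. Returning 404 rather than 403 for someone else's
        // order also avoids confirming to the caller that the id exists.
        if (order.OwnerId != callerId)
            return NotFound();

        return Ok(order);
    }
}
```

The same check belongs on every endpoint that takes a record id, including updates and deletes; centralising it in a repository method such as `FindForOwnerAsync(orderId, callerId)` keeps it from being forgotten on the next endpoint.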

SQL Injection

SQL Injection is becoming less common as web application developers move towards tools designed to prevent it. ORMs such as Entity Framework are built so that the happy path is safe, and a developer has to go out of their way to write code that is vulnerable to SQL injection. It can (and does) still happen, of course. The fix is to use parameterized queries in whatever SQL library you are using and never concatenate user input into SQL text. We commonly use Dapper, a library that makes parameterization a natural part of working with SQL queries.
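An added example, written for this article rather than taken from any project, of the before-and-after that this paragraph describes using Dapper: the unsafe method splices the caller's value into the SQL text, the fixed method passes it as a parameter, and a third method shows the one case parameters cannot cover (a dynamic `ORDER BY`), which is handled with an allow-list instead. The `Customers` table and `Customer` record are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Threading.Tasks;
using Dapper;

public record Customer(int Id, string Email, string Name);

public class CustomerQueries
{
    private readonly IDbConnection _db;
    public CustomerQueries(IDbConnection db) => _db = db;

    // VULNERABLE: the email is concatenated into the SQL text, so a single
    // quote in the input ends the string literal and the rest of the input
    // is interpreted as SQL rather than as data.
    public Task<Customer?> FindByEmailUnsafe(string email)
    {
        var sql = "SELECT Id, Email, Name FROM Customers WHERE Email = '" + email + "'";
        return _db.QuerySingleOrDefaultAsync<Customer?>(sql);
    }

    // FIXED: the SQL text is constant and the value travels as a parameter.
    // Dapper turns the anonymous object into a DbParameter named @Email.
    public Task<Customer?> FindByEmail(string email)
    {
        const string sql = "SELECT Id, Email, Name FROM Customers WHERE Email = @Email";
        return _db.QuerySingleOrDefaultAsync<Customer?>(sql, new { Email = email });
    }

    // Identifiers (column names, sort order) cannot be parameterized, so
    // they must be restricted to a fixed set that the code controls.
    private static readonly HashSet<string> SortableColumns =
        new(StringComparer.Ordinal) { "Id", "Email", "Name" };

    public Task<IEnumerable<Customer>> ListSorted(string sortColumn)
    {
        if (!SortableColumns.Contains(sortColumn))
            throw new ArgumentException($"'{sortColumn}' is not a sortable column.", nameof(sortColumn));

        // sortColumn is now one of three literals defined above, never raw input.
        var sql = $"SELECT Id, Email, Name FROM Customers ORDER BY {sortColumn}";
        return _db.QueryAsync<Customer>(sql);
    }
}
```

When remediating, search the codebase for string concatenation or interpolation (`+`, `$"..."`, `string.Format`) that feeds `Query`, `Execute`, `FromSqlRaw` or `SqlCommand.CommandText`; each hit is either a value that should become a parameter or an identifier that needs an allow-list like the one above.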

Unpatched and Outdated Components

This is rapidly developing into one of the biggest concerns for maintainers of software. New software vulnerabilities are appearing every day and it is important to keep libraries patched and up to date so that they are not exploited.

There are a number of tools on the web for finding out which of your libraries are vulnerable, but the best way to avoid this problem is to be proactive and update libraries on a consistent schedule. Updating more often does increase the exposure to supply chain attacks, however, so it must be balanced against the risk of running outdated components.

Techniques that Developers use in Security Remediation

Security Remediation, simply put, is the process of refactoring code so that it performs the same function while simultaneously removing vulnerabilities.

Developers use a number of techniques when doing security remediation:

  • Write unit tests and integration tests before refactoring the code, so that you can prove functionality has not regressed during the remediation process.
  • Where it makes sense, write tests for the vulnerabilities that assert the vulnerabilities have been fixed.
  • Functionality tests should be green (passing) before refactoring, and vulnerability tests should be red (failing).
  • Fit the remediation into the software using patterns already used in the codebase.
  • Use static analysis tools to analyze the existing code.
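As an added example of the "red before, green after" vulnerability test described above (written for this article, not taken from any project): an xUnit integration test that drives the application through `WebApplicationFactory` and asserts that a logged-in user cannot read another user's order. It assumes the application exposes `GET /api/orders/{id}`, identifies the caller by the `NameIdentifier` claim, has a `public partial class Program { }` so the test project can reference its entry point, references the `Microsoft.AspNetCore.Mvc.Testing` package, and seeds order 1 as belonging to user "alice" in the test database. The `TestAuthHandler` replaces the real token validation so that the test can act as any user by setting a header; the constructor signature shown is the .NET 6/7 one (on .NET 8 the `ISystemClock` parameter is dropped).

```csharp
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Xunit;

// Test-only authentication scheme: the X-Test-User header becomes the caller's
// NameIdentifier claim. It is registered only inside the test host below.
public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string Scheme = "Test";
    public const string UserHeader = "X-Test-User";

    public TestAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue(UserHeader, out var user))
            return Task.FromResult(AuthenticateResult.NoResult()); // anonymous -> 401 from [Authorize]

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, user.ToString()) }, Scheme);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

public class OrderAccessControlTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;

    public OrderAccessControlTests(WebApplicationFactory<Program> factory)
    {
        // Make the test scheme the default so [Authorize] uses it instead of the real one.
        _factory = factory.WithWebHostBuilder(builder =>
            builder.ConfigureServices(services =>
                services.AddAuthentication(TestAuthHandler.Scheme)
                    .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(TestAuthHandler.Scheme, _ => { })));
    }

    private HttpClient ClientFor(string userId)
    {
        var client = _factory.CreateClient();
        client.DefaultRequestHeaders.Add(TestAuthHandler.UserHeader, userId);
        return client;
    }

    [Fact]
    public async Task Anonymous_request_is_rejected()
    {
        var response = await _factory.CreateClient().GetAsync("/api/orders/1");
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }

    [Fact]
    public async Task Owner_can_read_own_order()
    {
        // Functionality test: green before and after the remediation.
        var response = await ClientFor("alice").GetAsync("/api/orders/1");
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }

    [Fact]
    public async Task Other_user_cannot_read_someone_elses_order()
    {
        // Vulnerability test: red before the fix (200 with alice's order),
        // green once the endpoint checks ownership and answers 404.
        var response = await ClientFor("mallory").GetAsync("/api/orders/1");
        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
    }
}
```

Keeping the vulnerability test in the suite after the fix turns a one-off remediation into a regression guard: if a later endpoint is added without the ownership check, a copy of the third test against that route will fail in CI before the code ships.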

ASP.NET Security Remediation: What are the Costs?

Security remediation is a difficult and time-consuming process, but it may not be as expensive as you think. A typical remediation costs in the range of around $5,000 to $20,000, but there are some ways to save money:

  • Reach out to a smaller firm of security-minded developers; they can often work out a better deal with you than a huge consulting outfit.
  • Find a developer experienced in and aware of security-related concerns.
  • Make sure the developer you hire has an environment where they can hit the ground running.
