The number and frequency of attacks on websites reported in the news is increasing steadily, and the effects can be devastating. Yet for each company you hear about there are many more that cover up breaches on their sites or are unaware of them, so what reaches the news is just the tip of the iceberg. This primer session on security focuses on the major risks and the practical steps you can take now in your software development to protect an ASP.NET MVC website from the major threats on the web today, and it includes code you can take away and implement in your own sites. Each type of attack is introduced in a technology-agnostic way, then illustrated with case studies drawn from major breaches, and finally countermeasures you can use are proposed for each risk. The attacks I will be looking at are:
• SQL Injection
• Session hijacking
• Password hacking
• Weak account management
• Insecure direct object references
• Sensitive data exposure
• Missing Function Level Access Control
• Unvalidated redirects and forwards
A sample code project, which helps mitigate all of these threats and more, is included as part of the talk.
This talk has already been presented at DotNetNotts, Derby.Net, LeedsSharp and NEBytes and has had great feedback from the developers who have seen it.