What are the best practices for writing a secure application?

Question

What are the best practices for writing a secure application?

David Thielen 3,211

Hi all;

I've read a ton of articles that we need to write applications that are secure. That it's critical to write defensively from the start and implement all best practice secure suggestions.

What I can't find is the list of suggestions. I know about SQL injection attacks. But what else? (And the few articles I've found on this are dated 2010 or thereabouts.)

Very specifically for an ASP.NET Core 6 + Blazor server side application that will run on Azure web services. And will access an Azure SQL Database via Entity Frameworks (so no injection attack worries).

What do I need to do, and not do, to make the app as secure as possible?

thanks - dave

Accepted answer

1 additional answer

Your answer

Answer 1

Hi @David Thielen

ASP.NET Core security topics:

ASP.NET Core enables developers to configure and manage security. The following list provides links to security topics:

These security features allow you to build robust and secure ASP.NET Core apps. For Blazor application, you can refer to ASP.NET Core Blazor authentication and authorization.

To Security in Azure App Service, you can protect your App Service app via the following sections:

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,

Dillion

David Thielen 3,211 Reputation points

2023-02-14T19:29:20.57+00:00

Thanks for the reply. As I look at all this, I realize that while there's a lot of complaints about the poor state of security in most apps, and legitimately so, getting this right requires such a large body of knowledge, it's understandable that many programming teams say screw it and blow off the whole thing.

Thank you for the link ASP.NET Core Blazor authentication and authorization as that provides what looks like a pretty good synopsis of the basics to follow. That plus the basics I already know should give me enough to be relatively secure without devoting the next 6 months of my life to security.

One final question - is there a web article listing how to use Azure Active Directory in a Blazor app for A&A?

thanks - dave

Answer 2

AgaveJoe 30,126

Security is a vast subject. If you are referring to typically security vulnerabilities found in web applications then see the OWASP foundation. The OWASP Foundation tracks vulnerabilities, provides mitigation suggestions, and provides vulnerability testing tools.

OWASP Top Ten

There are also coding best practices associated with the language or framework you're targeting.

ASP.NET Core Best Practices

ASP.NET Core Blazor performance best practices

David Thielen 3,211 Reputation points

2023-02-09T21:19:12.7633333+00:00

Hi;

Thanks for the links. The best practices ones look really useful although no security items in them. But good suggestions for optimum performance.

The OWASP is good from a general point of view, but it doesn't get in to the specifics that much. For example, diving in it says don't allow directory listings. Good advice. The thing is, hosting an app service on Azure that's already disallowed. In fact, I don't think there's a way to override that on Azure. So not relevant.

And take the case of auto-logout being set to too long a time. Good suggestion. But an Azure app service best practices would list exactly how to set this. And I'm guessing again, that the default for this is something very safe like 5 minutes or less.

So hoping Microsoft has a very straightforward detailed best practices for best security practices for an ASP.NET Core app running on Azure.

thanks - dave

Share via

What are the best practices for writing a secure application?

1 additional answer

Your answer