There is a lack of clear, specific guidance on what should and should not be done to write secure applications. This is from the OWASP Top Ten (2021):
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
What is a developer supposed to do with that? That is a semester-long class just to get started.
Which brings us to my pet peeve. When developers ask for guidance, the answer usually is “you need to start with these 10 books, then go from there.” On one hand, that is a valid point. But on the other hand…
You have a project due date, a feature list that must be completed, and too few people already. Delaying the project to the extent this would require is, for a startup, essentially failure.
Add to this the impossibility of finding skilled security programmers. In my last 9 months at Windward we had an open rec for a security programmer. We did not get a single skilled applicant. Not “we got some and couldn’t afford them.” Not “we got some and they weren’t a good fit.” We did not receive a single qualified application.
What we need is guidance, preferably from Microsoft, Google, etc., giving us clear, specific suggestions on what to do. Because, while we can’t pull someone aside for a year to become an expert, we can assign 2 developers 1 to 2 weeks of work to improve security.
And in that vein, here’s the short list that I’ve built so far:
When building SQL statements, never concatenate user input into the query text; bind it as a parameter (SqlCommand.Parameters.Add() in ADO.NET, SetParameter() or the equivalent in other data-access layers). The database then receives the value separately from the SQL, so it can only ever be compared as data.
An ORM like Entity Framework does this for you for LINQ queries. The exception is raw SQL: FromSqlRaw() or ExecuteSqlRaw() fed a concatenated string is exactly as injectable as hand-built ADO.NET, so pass the values through the parameter overloads or use FromSqlInterpolated(), which turns the interpolated values into parameters.
Any user-supplied data that is displayed on a page: HTML-encode it (HtmlEncoder.Default.Encode() or the equivalent) before it goes into the markup, so a value like <script> is shown as text rather than executed.
Many frameworks, like Blazor and Razor, do this for you on any text you write directly. The encoding is skipped only where you explicitly ask for raw markup, such as rendering a MarkupString in Blazor or calling Html.Raw() in Razor, so treat every one of those as a place that needs a second look.
Never log confidential data: passwords, tokens, session identifiers, card numbers or personal data. Logs get copied, retained and read by far more people and systems than the database is.
Use an established library, such as ASP.NET Core Identity, for authentication and authorization rather than writing your own.
For an application where a false login would be bad, require 2FA via an authenticator app. (At the same time, if the website is my comics subscription - there is no need to go overboard.)
Keep credentials, passwords and keys out of source code and configuration files. On Azure you should:
Use a managed identity for every service that supports it; then there is no credential to store, rotate or leak at all.
For everything else, put it in Azure Key Vault and read it at runtime.
Update to the latest release of every library, and keep updating; dotnet list package --vulnerable will tell you which of your current packages have known vulnerabilities.
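Here is a worked example of the first two rules together, the same user-supplied value flowing into a SQL query and onto an HTML page, each done unsafely and then safely. This is an added example, not code from the original post or from any project mentioned in it. It assumes the Microsoft.Data.Sqlite NuGet package (SQLite is used only so it runs offline; the SqlCommand pattern is the same for SQL Server) and HtmlEncoder from System.Text.Encodings.Web, which ships with .NET. The table, its rows and the two payloads are constructed for the example.

```csharp
// Added example (not from the original post): user input into SQL and into HTML.
// Assumes the Microsoft.Data.Sqlite package; SQLite is used only so the sample
// runs offline. The table, rows and payloads below are constructed.
using System;
using System.Text.Encodings.Web;
using Microsoft.Data.Sqlite;

static class InputHandlingDemo
{
    // Sample database, constructed for this example.
    static SqliteConnection OpenSampleDb()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText = @"
            CREATE TABLE Users (Name TEXT, Email TEXT);
            INSERT INTO Users VALUES ('alice', 'alice@example.com');
            INSERT INTO Users VALUES ('bob',   'bob@example.com');";
        cmd.ExecuteNonQuery();
        return conn;
    }

    // VULNERABLE: the query text is built by concatenation, so the input can
    // rewrite the SQL. With name = "x' OR '1'='1" the WHERE clause becomes
    // always-true and every row comes back.
    static int CountByNameUnsafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // HARDENED: the value is bound as a parameter. The driver sends it to the
    // database separately from the SQL text, so the same payload is simply
    // compared, as a string, against the Name column and matches nothing.
    static int CountByNameSafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        cmd.Parameters.AddWithValue("@name", name);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // VULNERABLE: the value is pasted straight into the markup, so a <script>
    // tag in the name is executed by the browser.
    static string RenderGreetingUnsafe(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // HARDENED: anything user-supplied is HTML-encoded before it goes into the
    // page, so < > & " ' become entities and the tag is displayed, not run.
    static string RenderGreetingSafe(string name)
    {
        return "<p>Hello, " + HtmlEncoder.Default.Encode(name) + "</p>";
    }

    static void Main()
    {
        using SqliteConnection conn = OpenSampleDb();

        string injection = "x' OR '1'='1";
        Console.WriteLine("unsafe query matched " + CountByNameUnsafe(conn, injection) + " rows");
        Console.WriteLine("safe query matched   " + CountByNameSafe(conn, injection) + " rows");

        string xss = "<script>alert(1)</script>";
        Console.WriteLine(RenderGreetingUnsafe(xss));
        Console.WriteLine(RenderGreetingSafe(xss));
    }
}
```

Run it and the unsafe query reports both sample rows while the parameterized one reports none, and the encoded greeting shows the script tag as literal text. The same split applies to Entity Framework raw SQL: FromSqlRaw with a concatenated string is the unsafe version, FromSqlInterpolated or the parameter overload is the safe one.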
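The Azure items above come down to one startup pattern: the app authenticates with its own identity wherever it can and pulls the remaining secrets from Key Vault at runtime, so nothing secret sits in code or appsettings.json. The following is an added example, not code from the original post; it assumes a Program.cs in a project using the Microsoft.NET.Sdk.Web SDK (which supplies the implicit usings) plus the Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets and Microsoft.Data.SqlClient packages. The vault name, server and database names are placeholders, the managed identity is assumed to already be a user in the database, and it needs a real Azure environment to run.

```csharp
// Added example (not from the original post): ASP.NET Core startup with no
// secret in code or configuration. Assumes the Azure.Identity,
// Azure.Extensions.AspNetCore.Configuration.Secrets and Microsoft.Data.SqlClient
// packages; vault, server and database names are placeholders.
using Azure.Identity;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// DefaultAzureCredential picks up the managed identity when running in Azure
// and the developer's own Azure login when running locally, so the same code
// works in both places and no key is ever written down.
var credential = new DefaultAzureCredential();

// Secrets that cannot be replaced by an identity (a third-party API key, say)
// live in Key Vault and are loaded into IConfiguration at startup. A secret
// named "Smtp--ApiKey" in the vault is read as Configuration["Smtp:ApiKey"].
// The vault name itself is not secret and can stay in appsettings.json.
var vaultName = builder.Configuration["KeyVaultName"];
builder.Configuration.AddAzureKeyVault(
    new Uri($"https://{vaultName}.vault.azure.net/"), credential);

// SQL Server: the app's managed identity is the database user, so the
// connection string carries no password at all.
builder.Services.AddScoped(_ => new SqlConnection(
    "Server=tcp:myserver.database.windows.net,1433;Database=mydb;" +
    "Authentication=Active Directory Managed Identity;Encrypt=True;"));

var app = builder.Build();
app.MapGet("/health", () => Results.Ok());
app.Run();
```

Worth checking after you do this: search the repository and the deployed app settings for anything that still looks like a password or key. With this arrangement the only non-secret configuration the app needs is the vault name and the server name, and a leaked appsettings.json gives an attacker nothing to log in with.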