Foreword by Joel Scambray


Foreword by Joel Scambray

I have been privileged to contribute to Improving Web Application Security: Threats and Countermeasures, and its companion volume, Building Secure ASP.NET Web Applications. As someone who encounters many such threats and relies on many of these countermeasures every day at Microsoft's largest Internet-facing online properties, I can say that this guide is a necessary component of any Web-facing business strategy. I'm quite excited to see this knowledge shared widely with Microsoft's customers, and I look forward to applying it in my daily work.

There is an increasing amount of information being published about Internet security, and keeping up with it is a challenge. One of the first questions I ask when a new work like this gets published is: "Does the quality of the information justify my time to read it?" In the case of Improving Web Application Security: Threats and Countermeasures, I can answer an unqualified yes. J.D. Meier and team have assembled a comprehensive reference on Microsoft Web application security, and put it in a modular framework that makes it readily accessible to Web application architects, developers, testers, technical managers, operations engineers, and yes, even security professionals. The bulk of information contained in this work can be intimidating, but it is well-organized around key milestones in the product lifecycle: design, development, testing, deployment, and maintenance. It also adheres to a security principles-based approach, so that each section is consistent with common security themes.

Perhaps my favorite aspect of this guide is the thorough testing that went into each page. During several discussions with the guide's development team, I always came away impressed with their willingness to actually deploy the technologies discussed herein to ensure that the theory portrayed aligned with practical reality. They also freely sought out expertise internal and external to Microsoft to keep the contents useful and practical.

Some other key features that I found very useful include the concise, well-organized, and comprehensive threat modeling chapter, the abundant tips and guidelines on .NET Framework security (especially code access security), and the hands-on checklists for each topic discussed.

Improving Web Application Security: Threats and Countermeasures will get any organization out ahead of the Internet security curve by showing them how to bake security into applications, rather than bolting it on as an afterthought. I highly recommend this guide to those organizations who have developed or deployed Internet-facing applications and to those organizations who are considering such an endeavor.

Joel Scambray

Senior Director of Security, MSN
Co-Author, Hacking Exposed Fourth Edition, Windows, and Web Applications



Foreword by Erik Olson

For many years, application security has been a craft learned by apprenticeship. Unfortunately, the stakes are high and the lessons hard. Most agree that a better approach is needed: we must understand threats, use these hard lessons to develop sound practices, and use solid research practices to provide layers of defense.

Web applications are the portals to many corporate secrets. Whether they sit on the edge of the lawless Internet frontier or safeguard the corporate payroll, these applications are a popular target for all sorts of mischief. Web application developers cannot afford to be uncertain about the risks to their applications or the remedies that mitigate these risks. The potential for damage and the variety of threats is staggering, both from within and without. However, while many threats exist, the remedies can be crystallized into a tractable set of practices and procedures that can mitigate known threats and help to guard against the next unknown threat.

The .NET Framework and the Common Language Runtime were designed and built with these threats in mind. They provide a powerful platform for writing secure applications and a rich set of tools for validating and securing application assets. Note, however, that even powerful tools must be guided by careful hands.

This guide presents a clear and structured approach to dealing with Web application security. In it, you will find the building blocks that enable you to build and deploy secure Web applications using ASP.NET and the .NET Framework.

The guide begins with a vocabulary for understanding the jargon-rich language of security spoken by programmers and security professionals. It includes a catalog of threats faced by Web applications and a model for identifying threats relevant to a given scenario. A formal model is described for identifying, classifying, and understanding threats so that sound designs and solid business decisions can be made.

The text provides a set of guidelines and recommended design and programming practices. These guidelines are the collective wisdom that comes from a deep analysis of both mistakes that have been made and mistakes that have been successfully avoided.


The tools of the craft provided by ASP.NET and the .NET Framework are introduced, with detailed guidance on how to use them. Proven patterns and practices for writing secure code, using data, and building Web applications and services are all documented.

Sometimes the desired solution is not the easiest path. To make it faster and easier to end up in the right place, the authors have carefully condensed relevant sample code from real-world applications into building blocks.

Finally, techniques for assessing application security are provided. The guide contains a set of detailed checklists that can be used as guidelines for new applications or tools to evaluate existing projects.

Whether you're just starting on your apprenticeship in Web application security or have already mastered many of the techniques, you'll find this guide to be an indispensable aid that will help you build more secure Web applications.

Erik Olson

Program Manager, ASP.NET Product Team
Microsoft Corp.