This comes as no surprise, as Cybersecurity Ventures forecasts that the cost of cybercrime will exceed $6 trillion globally per year by 2021. Recent trends also show a sharp rise in attacks on web services, so demand for cybersecurity grows in step with cybercrime rates.
Cybersecurity Weakness: Give Your Enemy a Name and a Face
Companies are often torn between minimizing the cost of custom software development and ensuring that the resulting application withstands security threats. Security analysis and testing add time to the SDLC, which means extra cost and later release dates, so it is no surprise that many business leaders choose to skimp on or skip these measures altogether.
Unfortunately, this decision leads to heavy losses in the long run. Here we reach the heart of the problem: how can companies build secure IT products without exceeding the software development budget?
Attacks and vulnerabilities are classified by the Open Web Application Security Project (OWASP), a global non-profit community focused on improving software security on the web. Its OWASP Top 10 ranks the most critical web application security risks (the categories below follow the 2017 edition), and the list has become a technology-agnostic guide for managing the most prevalent website and software security risks.
Following this guide allows you to take preventive measures that protect your customers, your company reputation, and ultimately, your bottom line.
We’ll take a closer look at each security risk in turn, analyze how it can hurt your business, and share our best practices for preventing it with Microsoft technologies and tools.
1. Injection
Almost any source of data can be an injection vector: environment variables, parameters, query strings, external and internal web services, OS commands, and all types of users. Injection flaws happen when an attacker can send hostile data to an interpreter (a SQL engine, an OS shell, an LDAP server, an XML parser) as part of a command or query.
How can it hurt your business?
Injection vulnerabilities can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. In some cases, it can lead to complete host takeover. Will it damage your reputation? Definitely!
How can you prevent it?
To handle injection attacks, our Microsoft experts rely on parameterized data access: ADO.NET commands with SqlParameter objects and Entity Framework queries (LINQ, or raw SQL passed through the interpolated-parameter overloads) send the statement and the user-supplied values to the database separately, so the values are never parsed as SQL. Building a query string by concatenation defeats this even inside Entity Framework, so it is banned in code review. Beyond security, these classes and frameworks also improve application maintainability, scalability, and efficiency.
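The difference between concatenated and parameterized queries, as an added C# example that is not code from the article or from TEAM International. It assumes the Microsoft.Data.SqlClient and Microsoft.EntityFrameworkCore packages and a hypothetical Users table; the AppDbContext, User type and connection string are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Linq;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

// Minimal EF Core context (assumed for this example).
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public static class UserLookup
{
    // VULNERABLE: the caller's input becomes part of the SQL statement.
    // For name = "' OR 1=1 --" the statement becomes
    //   SELECT Id, Name FROM Users WHERE Name = '' OR 1=1 --'
    // and returns every row.
    public static string BuildUnsafeSql(string name)
        => "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";

    // SAFE (ADO.NET): statement and value travel separately; the value is bound
    // to @name and is never parsed as SQL, whatever it contains.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", connection);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // SAFE (Entity Framework Core): LINQ is translated to a parameterized query.
    public static IQueryable<User> FindByNameLinq(AppDbContext db, string name)
        => db.Users.Where(u => u.Name == name);

    // SAFE raw SQL in EF Core: FromSqlInterpolated turns each {} hole into a parameter.
    public static IQueryable<User> FindByNameRaw(AppDbContext db, string name)
        => db.Users.FromSqlInterpolated($"SELECT Id, Name FROM Users WHERE Name = {name}");

    // STILL VULNERABLE even though it is EF: the string is concatenated before EF sees it.
    //   db.Users.FromSqlRaw("SELECT Id, Name FROM Users WHERE Name = '" + name + "'")
}

public static class Program
{
    public static void Main()
    {
        const string hostile = "' OR 1=1 --";   // constructed attacker input
        Console.WriteLine(UserLookup.BuildUnsafeSql(hostile));

        // Connection string is a placeholder; the command is built but not executed here.
        using var connection = new SqlConnection(
            "Server=localhost;Database=App;Integrated Security=true;TrustServerCertificate=true");
        using var cmd = UserLookup.BuildSafeCommand(connection, hostile);
        Console.WriteLine(cmd.CommandText);                  // SQL text is unchanged
        Console.WriteLine(cmd.Parameters["@name"].Value);   // hostile text stays a plain value
    }
}
```

The check a reviewer applies is simple: every SQL string must be a constant or a FormattableString handed directly to FromSqlInterpolated; any `+` or string.Format involving request data in a SQL string is a finding, regardless of which data-access layer it goes through.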
2. Broken Authentication
Attackers have access to hundreds of millions of valid username and password pairs leaked from earlier breaches, to lists of default administrative accounts, and to dictionary and automated brute-force tools. Session management attacks are well understood, particularly against session tokens that never expire.
How can it hurt your business?
Attackers need to compromise only a few accounts, or a single admin account, to take over the system. Depending on your industry and application domain, such a breach can result in money laundering, social security fraud, identity theft, or disclosure of highly sensitive information.
How can you prevent it?
The overall goal is to use the native .NET authentication stack as fully as possible. Building on it keeps custom authentication logic small and gives you multi-factor authentication, account lockout, and weak-password checks out of the box instead of as hand-written code.
To catch mistakes in the code base, we advocate regular code reviews. ASP.NET also keeps session state on the server, so a session can be invalidated server-side (on logout, on password change, or when the same account opens the application in another window or browser) rather than trusting the client to discard its cookie.
The .NET authentication technologies that can raise the level of your software protection include, from oldest to newest:
- ASP.NET 2.0 Membership Provider
- ASP.NET 4 Simple Membership
- ASP.NET 4/4.5 Universal Providers
- ASP.NET 4.5 One ASP.NET Identity (succeeded by ASP.NET Core Identity in current projects)
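What leveraging the native stack looks like in a current project, as an added C# example (ASP.NET Core Identity on minimal APIs) that is not code from the article or from TEAM International: password policy, lockout against brute force, a custom weak-password validator, hardened cookie settings, and a logout that invalidates every outstanding session for the user. The AppDbContext, LoginDto, endpoints, SQLite connection string and the sample deny-list are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 12;           // length matters more than character classes
    options.Password.RequireNonAlphanumeric = false;
    options.Lockout.MaxFailedAccessAttempts = 5;    // throttles brute force and credential stuffing
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddPasswordValidator<CommonPasswordValidator>()   // extra weak-password check (defined below)
.AddDefaultTokenProviders();                        // enables 2FA and password-reset tokens

builder.Services.ConfigureApplicationCookie(o =>
{
    o.Cookie.HttpOnly = true;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    o.Cookie.SameSite = SameSiteMode.Lax;
    o.ExpireTimeSpan = TimeSpan.FromMinutes(30);    // idle timeout
    o.SlidingExpiration = true;
});
// Re-validate the user's security stamp on every request, so changing the stamp
// (logout everywhere, password change) kills old cookies immediately.
builder.Services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.Zero);

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (LoginDto dto, SignInManager<IdentityUser> signIn) =>
{
    var result = await signIn.PasswordSignInAsync(dto.UserName, dto.Password,
                                                  isPersistent: false, lockoutOnFailure: true);
    if (result.Succeeded) return Results.Ok();
    if (result.RequiresTwoFactor) return Results.Ok(new { requiresTwoFactor = true });
    if (result.IsLockedOut) return Results.StatusCode(StatusCodes.Status423Locked);
    return Results.Unauthorized();   // one answer for "no such user" and "wrong password"
});

app.MapPost("/logout", async (SignInManager<IdentityUser> signIn,
                              UserManager<IdentityUser> users, HttpContext ctx) =>
{
    var user = await users.GetUserAsync(ctx.User);
    if (user is not null)
        await users.UpdateSecurityStampAsync(user);  // invalidates every outstanding session for this user
    await signIn.SignOutAsync();                     // and removes this browser's cookie
    return Results.NoContent();
});

app.Run();

public record LoginDto(string UserName, string Password);

// Identity-backed EF Core context (assumed for this example).
public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

// Deny-list check that runs in addition to the built-in length and complexity rules.
public sealed class CommonPasswordValidator : IPasswordValidator<IdentityUser>
{
    private static readonly HashSet<string> Common = new(StringComparer.OrdinalIgnoreCase)
    {
        "password", "password1", "123456789012", "qwertyuiop12", "letmein12345"   // constructed sample list
    };

    public Task<IdentityResult> ValidateAsync(UserManager<IdentityUser> manager,
                                              IdentityUser user, string? password)
    {
        if (password is not null && Common.Contains(password))
            return Task.FromResult(IdentityResult.Failed(new IdentityError
            {
                Code = "CommonPassword",
                Description = "That password appears in lists of commonly used passwords."
            }));
        return Task.FromResult(IdentityResult.Success);
    }
}
```

Identity stores passwords with its PasswordHasher (salted PBKDF2), so none of this code touches a password hash directly; the one thing it adds by hand is the deny-list, which in production would be backed by a breached-password corpus rather than five literals.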
3. Sensitive Data Exposure
Instead of attacking cryptography directly, attackers steal keys, carry out man-in-the-middle attacks, or lift plain-text data from the server, from data in transit, or from the user’s client. Doing so generally takes a manual attack, but a password database recovered in an earlier breach can be brute-forced offline on GPUs, which is why weak password hashing turns a data leak into an account takeover.
How can it hurt your business?
Even a minor failure can expose all the data that should have been protected. Typically this includes sensitive personal data (PII) such as health records, credentials, personal information, and credit card numbers. Protection of this data is often mandated by laws or regulations such as GDPR or local privacy laws.
How can you prevent it?
We mainly apply the same measures described above for broken authentication, which in practice means credentials are never stored in plain text: ASP.NET Identity’s PasswordHasher stores salted PBKDF2 hashes, so a stolen password database cannot be cheaply brute-forced on GPUs. In addition, all traffic carrying sensitive data goes over TLS, and keys and connection strings are kept out of source code and encrypted in configuration (see Security Misconfiguration below).
4. XML External Entities (XXE)
Attackers can exploit vulnerable XML processors if they can upload XML files or include hostile content in an XML document, typically through vulnerable code, dependencies, or integrations that parse XML from outside.
How can it hurt your business?
This type of attack is mainly used to extract data, scan internal systems, make the server issue requests on the attacker’s behalf, and conduct denial-of-service attacks, as well as to launch further attacks. The business impact depends on the protection level of the targeted application and, at worst, of the surrounding infrastructure.
How can you prevent it?
The .NET Framework offers many classes for parsing XML. Most current Microsoft parsers are safe by default (DTD processing disabled and no external resolver), but the defaults have changed between framework versions and differ between classes: XmlDocument and XmlTextReader resolved external entities by default before .NET Framework 4.5.2. Set DtdProcessing and XmlResolver explicitly rather than relying on whichever default your target framework happens to have.
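A hardened XmlReader configuration tried against a constructed XXE document, as an added C# example that is not code from the article or from TEAM International. The document structure (order/note) and the file path in the entity are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Constructed hostile document: with DTDs and an external resolver enabled, the parser
    // would read the referenced file and place its contents in <note> (classic XXE).
    public const string HostileXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
        "<order><note>&xxe;</note></order>";

    public const string BenignXml = "<order><note>deliver after 5pm</note></order>";

    // Set every relevant knob explicitly rather than trusting version-dependent defaults.
    public static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,  // any <!DOCTYPE> is an error
        XmlResolver = null,                      // never fetch external DTDs, entities or schemas
        MaxCharactersFromEntities = 1024,        // bounds entity expansion if DTDs are ever re-enabled
    };

    public static string? ReadNote(string xml)
    {
        using var reader = XmlReader.Create(new StringReader(xml), Hardened());
        var doc = new XmlDocument { XmlResolver = null };   // the DOM loader gets no resolver either
        doc.Load(reader);
        return doc.SelectSingleNode("/order/note")?.InnerText;
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SafeXml.ReadNote(SafeXml.BenignXml));
        try
        {
            SafeXml.ReadNote(SafeXml.HostileXml);
        }
        catch (XmlException ex)
        {
            // The DOCTYPE is rejected before any entity is declared, let alone resolved.
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

If a legitimate feed genuinely needs an internal DTD, switch DtdProcessing to Ignore (never Parse) and keep XmlResolver at null; the MaxCharactersFromEntities cap is what protects you from a "billion laughs" expansion in that configuration.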
Below is a list of all supported .NET XML parsers and their default safety status:
5. Broken Access Control
Exploiting access control weaknesses is a core skill of most attackers. SAST and DAST tools can notice when access control is absent altogether, but when some access control is present they cannot tell whether it actually works. Such weaknesses are common because they are hard to detect automatically and because developers rarely write functional tests for them, so a manual review of what each role can reach is still required.
How can it hurt your business?
The main problem is that attackers can act as ordinary users, managers, or administrators, meaning they can create, read, update, or even delete records they should never reach. With the extensive use of content management systems (CMS) and other off-the-shelf solutions, thousands of businesses are at risk, as most such systems don’t even require a second authentication factor (2FA).
However, the full extent of the business damage depends on your industry, software domain, and amount/type of data that you collect and store.
How can you prevent it?
ASP.NET and ASP.NET Core give your dedicated team declarative authorization ([Authorize] attributes with role- and policy-based checks) that should be applied deny-by-default, plus the record-level ownership checks that attributes alone cannot express. Cross-origin resource sharing (CORS) is also easy to configure and manage in both, but it is not an access control: CORS only governs which origins a browser lets read your responses, and it does nothing against a direct request from an attacker’s own tooling.
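Deny-by-default authorization with a record-level ownership check, as an added C# example (ASP.NET Core) that is not code from the article or from TEAM International. The Invoice entity, AppDbContext, controller, policy name, and connection string are assumptions for the example; it also shows the broken variant that SAST/DAST would pass because an [Authorize] check is present.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));
builder.Services.AddControllers();
builder.Services.AddAuthentication("Cookies").AddCookie("Cookies");
builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint needs an authenticated caller unless it opts out with [AllowAnonymous].
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.AddPolicy("InvoiceAdmin", p => p.RequireRole("Admin"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class Invoice
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public decimal Total { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Invoice> Invoices => Set<Invoice>();
}

[ApiController]
[Route("invoices")]
public class InvoicesController : ControllerBase
{
    private readonly AppDbContext _db;
    public InvoicesController(AppDbContext db) => _db = db;

    // BROKEN (for contrast): authenticated, but any user can read any invoice by guessing its id.
    //   [HttpGet("{id:int}")]
    //   public async Task<IActionResult> Get(int id) => Ok(await _db.Invoices.FindAsync(id));

    [HttpGet("{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        var invoice = await _db.Invoices.FindAsync(id);
        if (invoice is null) return NotFound();

        // Record-level check: the caller must own the record or hold the Admin role.
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (invoice.OwnerId != callerId && !User.IsInRole("Admin"))
            return NotFound();   // 404 rather than 403, so valid ids cannot be enumerated

        return Ok(invoice);
    }

    // Function-level check: deletion is bound to a policy, not left to the client UI to hide.
    [HttpDelete("{id:int}")]
    [Authorize(Policy = "InvoiceAdmin")]
    public async Task<IActionResult> Delete(int id)
    {
        var invoice = await _db.Invoices.FindAsync(id);
        if (invoice is null) return NotFound();
        _db.Invoices.Remove(invoice);
        await _db.SaveChangesAsync();
        return NoContent();
    }

    // Only the public endpoint opts out of the fallback policy, and it does so explicitly.
    [HttpGet("public-count")]
    [AllowAnonymous]
    public async Task<IActionResult> PublicCount() => Ok(await _db.Invoices.CountAsync());
}
```

The manual test the paragraph above calls for is then mechanical: log in as a non-admin user, request an invoice id that belongs to someone else, and confirm the 404; then call DELETE on your own invoice and confirm the 403 from the policy.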
6. Security Misconfiguration
Attackers constantly probe for unpatched flaws, default accounts, unused pages, and unprotected files and directories to gain unauthorized access to, or knowledge of, the system. Security misconfiguration is one of the main culprits behind these breaches.
How can it hurt your business?
The most common examples that we’ve heard from our clients and partners include the use of default or weak passwords, default error messages, predefined directories, among others. These types of security holes provide attackers with unauthorized access to system data or functionality, leading to complete compromise of the system.
How can you prevent it?
There are four ways we prevent security misconfiguration in .NET:
1. Keep every library in the project up to date. To make this less cumbersome, we add dependencies as NuGet package references, so an update is a version bump rather than a manual file swap.
2. Replace the default ASP.NET error pages. Left at their defaults, they leak to remote clients, among other things:
- the query string values that triggered the error
- details of the code structure around the failing call
- the physical path of the source file on the developer’s machine (and with it the application’s layout)
- the full stack trace of the error (internal methods and events)
- the .NET Framework version the app is running on (which tells an attacker how the app handles certain conditions)
All of this is controlled from the customErrors and httpRuntime elements of the Web.config file.
3. Use request validation, a feature of ASP.NET on the .NET Framework that inspects HTTP requests and rejects those containing markup or script. Treat it as a safety net only: it does not exist in ASP.NET Core, and it is no substitute for output encoding.
4. Encrypt sensitive configuration sections with the aspnet_regiis tool or the protected-configuration classes:
- RSAProtectedConfigurationProvider uses the RSA Public Key Encryption algorithm to encrypt and decrypt data
- DataProtectionConfigurationProvider uses the Windows Data Protection Application Programming Interface (DPAPI) to encrypt and decrypt data
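A Web.config fragment that applies steps 2 and 4 above, as an added example that is not configuration from the article or from TEAM International. The application path, connection string, and redirect targets are placeholders; the aspnet_regiis invocation in the comment uses the tool’s -pe, -app and -prov switches to encrypt the connectionStrings section in place.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" sends the stack trace, file paths and framework version to every client.
         <customErrors mode="Off" /> -->
    <!-- HARDENED: generic pages for remote clients; developers still see details on localhost. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound" />
    </customErrors>
    <!-- Do not advertise the framework version in the X-AspNet-Version header;
         keep request validation on its current mode as a safety net. -->
    <httpRuntime enableVersionHeader="false" requestValidationMode="4.5" />
    <compilation debug="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Encrypted in place on the server with:
         aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "RsaProtectedConfigurationProvider"
       After that the element carries configProtectionProvider="RsaProtectedConfigurationProvider"
       and an <EncryptedData> child; ConfigurationManager decrypts it transparently at runtime,
       and the RSA key container must be exported to every node of a web farm. -->
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db;Database=App;User Id=app;Password=CHANGE-ME;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
```

DataProtectionConfigurationProvider is the simpler choice on a single server because the key is machine-bound through DPAPI; RsaProtectedConfigurationProvider is the one to use when the same Web.config must be decryptable on several machines.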
7. Cross-Site Scripting (XSS)
This vulnerability is widespread among web applications and lets attackers inject malicious scripts and data into pages that other users view. Today, automated tools can detect and exploit all three forms of XSS (reflected, stored, and DOM-based), and freely available exploitation frameworks exist for it.
How can it hurt your business?
The impact of cross-site scripting is moderate for reflected and DOM-based XSS and severe for stored XSS. With script execution in the victim’s browser, attackers can steal credentials, hijack sessions, or deliver malware to the victim.
How can you prevent it?
ASP.NET comes with a Security Runtime Engine (SRE) – an HTTP module that hooks into the pre-render pipeline step and helps us ensure protection. Additionally, ASP.NET Forms and ASP.NET MVC include controls for the auto encoding of the output code. Also, the use of the AntiXSS library within the .NET 4.5 Framework can help you protect legacy software against a widely-used XSS attack.
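Context-specific output encoding beside the raw interpolation it replaces, as an added C# example that is not code from the article or from TEAM International. It uses the System.Text.Encodings.Web encoders that ship with modern .NET (on the .NET Framework the equivalent calls are AntiXssEncoder.HtmlEncode, HttpUtility.JavaScriptStringEncode and AntiXssEncoder.UrlEncode); the comment field and the rendered markup are constructed for the example.

```csharp
using System;
using System.Text.Encodings.Web;

public static class SafeRender
{
    // Constructed hostile input as an attacker might submit it in a comment field.
    // The leading "> is aimed at breaking out of an attribute, the rest at the body.
    public const string Hostile = "\"><script>alert(document.cookie)</script>";

    // VULNERABLE: raw interpolation, the equivalent of @Html.Raw(comment) in Razor
    // or <%= comment %> in Web Forms. The markup is emitted verbatim and executes.
    public static string RenderUnsafe(string comment) => $"<p>{comment}</p>";

    // SAFE: one encoder per output context. Razor's @expression and Web Forms' <%: %>
    // perform the HTML case automatically; the JavaScript and URL contexts need their
    // own encoder because HTML encoding alone does not protect them.
    public static string RenderHtmlBody(string comment)
        => $"<p>{HtmlEncoder.Default.Encode(comment)}</p>";

    public static string RenderAttribute(string comment)
        => $"<input value=\"{HtmlEncoder.Default.Encode(comment)}\">";   // always quote the attribute

    public static string RenderInlineScript(string comment)
        => $"<script>var lastComment = \"{JavaScriptEncoder.Default.Encode(comment)}\";</script>";

    public static string RenderLink(string query)
        => $"<a href=\"/search?q={UrlEncoder.Default.Encode(query)}\">search again</a>";
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SafeRender.RenderUnsafe(SafeRender.Hostile));       // script tag intact
        Console.WriteLine(SafeRender.RenderHtmlBody(SafeRender.Hostile));     // < > " become entities
        Console.WriteLine(SafeRender.RenderAttribute(SafeRender.Hostile));    // cannot close the quote
        Console.WriteLine(SafeRender.RenderInlineScript(SafeRender.Hostile)); // < > " become \uXXXX escapes
        Console.WriteLine(SafeRender.RenderLink(SafeRender.Hostile));         // percent-encoded
    }
}
```

The inline-script case is shown because it is the one HTML encoding gets wrong; in practice, prefer passing user data to scripts through a data- attribute or a JSON endpoint rather than into an inline script at all, and never swap in JavaScriptEncoder.UnsafeRelaxedJsonEscaping for HTML output.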
8. Insecure Deserialization
Detecting and exploiting deserialization flaws is somewhat harder than the other risks, because off-the-shelf exploits rarely work without at least minor changes to the underlying exploit code.
How can it hurt your business?
The impact of deserialization flaws should not be underestimated. They can lead to denial of service and remote code execution, which can have grave consequences for any business, up to compromise of the entire software system.
How can you prevent it?
The main mitigation for insecure deserialization is to accept no serialized objects from untrusted sources at all, and never to use BinaryFormatter, which is obsolete and disabled in current .NET. Where deserializing external input is unavoidable, .NET lets you restrict the type graph with a custom SerializationBinder that allows only an explicit list of types. The JSON libraries we otherwise recommend (FastJSON, Json.NET/Newtonsoft.Json, FSPickler, Sweet.Jayson, DataContractJsonSerializer) are safe only as long as they are not configured to resolve .NET type names found in the input; in Json.NET that means leaving TypeNameHandling at its default of None, and DataContractJsonSerializer requires known types to be declared up front.
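An allowlisting serialization binder and the TypeNameHandling settings that make the difference, as an added C# example that is not code from the article or from TEAM International. It assumes the Newtonsoft.Json package; the Order type and the hostile payload are constructed for the example, and the type name in the payload is a placeholder rather than any real gadget.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
}

// Allowlist binder: the only names a "$type" hint in the input may resolve to.
public sealed class KnownTypesBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["Order"] = typeof(Order),
    };

    public Type BindToType(string? assemblyName, string typeName)
        => Allowed.TryGetValue(typeName, out var type)
            ? type
            : throw new JsonSerializationException($"Type '{typeName}' is not permitted in input.");

    public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class SafeJson
{
    // Preferred: type hints in the input are read as metadata and ignored.
    public static readonly JsonSerializerSettings NoTypeHints =
        new() { TypeNameHandling = TypeNameHandling.None };

    // Only if polymorphic input is unavoidable: honour hints, but solely through the allowlist.
    public static readonly JsonSerializerSettings AllowlistedTypeHints = new()
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new KnownTypesBinder(),
    };

    // DANGEROUS (shown for contrast, never use with untrusted input): any type hint is resolved
    // through the default binder, which is how gadget-chain payloads get instantiated.
    public static readonly JsonSerializerSettings UnrestrictedTypeHints =
        new() { TypeNameHandling = TypeNameHandling.All };

    public static Order? ParseOrder(string json, JsonSerializerSettings settings)
        => JsonConvert.DeserializeObject<Order>(json, settings);
}

public static class Program
{
    // Constructed hostile payload: a "$type" hint naming a type the application never expects.
    private const string Hostile =
        "{\"$type\":\"Some.Unexpected.Type, SomeAssembly\",\"Id\":7,\"Customer\":\"mallory\"}";

    public static void Main()
    {
        // Hint ignored; the document is deserialized as a plain Order.
        var order = SafeJson.ParseOrder(Hostile, SafeJson.NoTypeHints);
        Console.WriteLine($"None: Id={order?.Id}, Customer={order?.Customer}");

        // Hint checked against the allowlist and rejected before any object is created.
        try
        {
            SafeJson.ParseOrder(Hostile, SafeJson.AllowlistedTypeHints);
        }
        catch (JsonException ex)
        {
            Console.WriteLine($"Allowlist: rejected ({ex.Message})");
        }
    }
}
```

The same allowlist idea applies to the legacy System.Runtime.Serialization.SerializationBinder for XML and binary formatters, but the honest recommendation there is to migrate off those formatters rather than to bind them.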
9. Using Components with Known Vulnerabilities
Today even a simple website or application has numerous dependencies, such as external libraries and frameworks. Attackers look for vulnerabilities in these components and, given how widely the popular libraries and frameworks are used, thousands of websites and apps are at risk from a single flaw. Ready-made exploits exist for many well-known vulnerabilities, while others take significant effort to turn into a working custom exploit.
How can it hurt your business?
While some publicly known vulnerabilities and exposures can result in minor problems, some of the biggest breaches to date have relied on exploiting obvious vulnerabilities in components. It’s crucial to evaluate the risk level depending on the type of data that you’re protecting. As a result, this threat can move to the top of your security checklist.
How can you prevent it?
Working with our clients, we make sure all components are up to date, because vendors regularly ship security patches for known vulnerabilities, and we integrate only trusted libraries and frameworks. NuGet makes selection easier: nuget.org shows a package’s owner, download counts, and source repository, and the .NET SDK can check a project’s whole dependency tree against the GitHub Advisory Database with dotnet list package --vulnerable --include-transitive, a command that belongs in every CI pipeline.
10. Insufficient Logging & Monitoring
On average, it can take a staggering 200 days to discover and contain a security breach. Attackers have ample time to cause damage before any response begins, and exploitation of insufficient logging and monitoring is the bedrock of nearly every significant incident.
How can it hurt your business?
Vulnerability probing is the starting point of most successful breaches. If such probes continue unnoticed, the chance of a successful compromise rises sharply. Considering the typical time to detection (191 days in 2016), full website or system compromise can quickly become a reality for many companies.
How can you prevent it?
.NET has logging libraries with parameterized (structured) message templates, which record untrusted values such as user names as named fields rather than interpolating them into the message text; this keeps log injection out of the text and makes failed logins, access-control denials, and input-validation failures queryable by the monitoring that reads them.
Additionally, Microsoft helps developers monitor Azure infrastructure with EventFlow – a library that allows you to define what diagnostic data should be collected and where it should be outputted.
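Structured logging of authentication events plus a minimal monitoring rule run over them, as an added C# example that is not code from the article or from TEAM International. It assumes the Microsoft.Extensions.Logging and Microsoft.Extensions.Logging.Console packages; the AuthEvent record, the threshold rule, and the sample events (including one user name carrying a forged line break) are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Logging;

public sealed record AuthEvent(DateTimeOffset At, string User, string Ip, bool Success);

public static class AuthAudit
{
    // Strip control characters so a crafted user name cannot forge a line break
    // in a text sink (log injection). Structured sinks keep the value as a field anyway.
    public static string Sanitize(string value)
        => new string(value.Where(c => !char.IsControl(c)).ToArray());

    // Message template with named properties; the user name and IP are never
    // interpolated into the message string.
    public static void LogAttempt(ILogger logger, AuthEvent e)
    {
        var user = Sanitize(e.User);
        if (e.Success)
            logger.LogInformation("Login succeeded for {User} from {Ip}", user, e.Ip);
        else
            logger.LogWarning("Login failed for {User} from {Ip}", user, e.Ip);
    }

    // Monitoring rule: `threshold` failures from one IP inside a sliding `window`.
    public static IReadOnlyList<string> SuspiciousSources(IEnumerable<AuthEvent> events,
                                                          int threshold, TimeSpan window)
    {
        var flagged = new List<string>();
        foreach (var group in events.Where(e => !e.Success).GroupBy(e => e.Ip))
        {
            var times = group.Select(e => e.At).OrderBy(t => t).ToList();
            for (var i = 0; i + threshold - 1 < times.Count; i++)
            {
                if (times[i + threshold - 1] - times[i] <= window)
                {
                    flagged.Add(group.Key);
                    break;
                }
            }
        }
        return flagged;
    }
}

public static class Program
{
    public static void Main()
    {
        using var factory = LoggerFactory.Create(b => b.AddJsonConsole());   // structured output
        var logger = factory.CreateLogger("Auth");

        var t0 = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var events = new List<AuthEvent>   // constructed sample data
        {
            new(t0,                "alice",                    "10.0.0.5",     true),
            new(t0.AddSeconds(1),  "admin",                    "203.0.113.9",  false),
            new(t0.AddSeconds(2),  "root",                     "203.0.113.9",  false),
            new(t0.AddSeconds(3),  "alice\nWARN forged line",  "203.0.113.9",  false),
            new(t0.AddSeconds(4),  "bob",                      "203.0.113.9",  false),
            new(t0.AddSeconds(5),  "admin",                    "203.0.113.9",  false),
            new(t0.AddMinutes(30), "carol",                    "198.51.100.7", false),
        };

        foreach (var e in events)
            AuthAudit.LogAttempt(logger, e);

        // 203.0.113.9 has five failures in five seconds and is flagged; 198.51.100.7 is not.
        foreach (var ip in AuthAudit.SuspiciousSources(events, threshold: 5, window: TimeSpan.FromMinutes(5)))
            logger.LogError("Possible credential stuffing from {Ip}", ip);
    }
}
```

In production the same events would be shipped to a SIEM through a provider such as Application Insights or an EventFlow pipeline, and the threshold rule would live there; the point of keeping it in code here is to show that detection needs the fields, not the prose of the message.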
The Bottom Line
These days cybersecurity is one of the biggest concerns for business owners, managers, and everyday users. Computer networks have always been a prime target for criminals, and the danger from security breaches is predicted to keep growing in the coming years.
However, the good news is that there are sensible preventive actions that companies can take with the help of cybersecurity analysts and risk management experts. An experienced partner can help you develop a clear strategy and action plan to prevent these types of security breaches by cybercriminals who are in the constant pursuit of easy money and weak web systems.
Due to the complexity of the problem and severity of the consequences, it’s of crucial importance to engage experienced and skilled professionals. All the vulnerability vectors mentioned in this article should be thoroughly analyzed by professional solution architects and security engineers.
TEAM International has been providing customers with cybersecurity assistance using Microsoft technologies for decades. We’ve helped industry leaders protect their customers from hackers’ attacks and data breaches.