When programming one of the aspects that we must take into account is the security of our code, we must maintain a balance between good practices, software performance, and software security.
From ByteHide we want to give you some basic advice to start paying attention to the security of the code you program and make your .NET applications secure.
1. Avoid direct connections to databases.
Many times our applications require databases, the easiest way to use these databases is to use a connector from our application.
In this example of a C# application in .NET we will show the MySqlConnection connector.
To make a connection we would use a code like this 👇
string connectionString =
"datasource=dev.ByteHide.com;
port=3306;
username=root;
password=secret;database=test;";
MySqlConnection databaseConnection = new MySqlConnection(connectionString);
In this way, we are exposing our server, port, username, and password to anyone who has access to the application.
How can we fix it? 🤔
Here we must take into account several aspects, one of them being how our application is structured and its needs.
In a simple way we could apply the following measures 👇
- Don’t use Universal Data Link (UDL) files
- Encrypt the configuration files
- Using Windows Authentication
- Using Azure Key Vault Secret
⚠WARN: If we need complete and advanced security we recommend outsourcing the connections.
2. Data encryption in .NET
Whenever we work with data, whether it is application settings or user information, we must keep the data encrypted at all times.
With this class you will be able to manipulate files with a little more security, for example 👇
//To save a file:
ByteHideSecureFile.WriteAllText("example.txt","The user Pedro has registered in https://ByteHide.com","passwordSecurity1234");
//To load this file:
var data = ByteHideSecureFile.ReadAllText("example.txt", "passwordSecurity1234");
This is a small example to start integrating security and encryption into the data handled by our application, both files, and strings, connections, documents, etc.
In this example we have seen that the password “passwordSecurity1234” is in the code, at first sight, that should not be so, the best option would be to outsource this password and load it in a secure way. As we did for example with the MySQL connection strings using Azure Key Vault Secret.
3. Using the Data Protection API in ASP .NET Core
In ASP .NET Core we could use IDataProtector to protect the information and documents that we manipulate in our applications.
This method is very simple to implement and has several features that make it really good.
In order to use it in the StartUp.cs class of our ASP .NET Core application, in the ConfigureServices method we will add 👇
public void ConfigureServices(IServiceCollection services)
{
services.AddDataProtection();
services.AddTransient<ProtectorHelper>();
}
Then we’ll load it as a parameter in the constructor of the classes in which we want to implement it, so we can use it to encrypt the information, for example:
public Class1(ProtectorHelper protectionHelper){
//This will cause a user's file to be encrypted and expire in 5
hours, i.e. after 5 hours, it cannot be decrypted by anyone.
var usferFile = protectionHelper.Encrypt
fileData,TimeSpan.FromHours(5));
}
Only with these measures, our application will be much safer, now we need to implement it correctly to ensure the safety of our customers.
4. Update the external dependencies and libraries.
This recommendation may be obvious, but not many people take it into account when programming in .NET. We make use of many libraries, usually many of them offered by Microsoft, others developed by users or companies, like many of the NuGet packages.
It is important that we check which libraries are using our application and inform us of any known vulnerabilities or possible security risks they may cause.
It is also important to take into account the versions of the Framework we are using for our application since it could have become obsolete and without maintenance and could be a security risk.
Here we provide you with information about the current framework versions👇
In addition, a table with the known vulnerabilities of the most common .NET libraries 👇
5. Use security systems and code obfuscation.
One of the most effective and simple solutions is to use a tool that takes care of protecting your application.
The above-mentioned security best practices are important for keeping your .NET application secure but are not sufficient to ensure the integrity of methods, connections, and other vulnerabilities.
At ByteHide we offer you the possibility of protecting your applications for free and we provide you with more advanced protections and features so that you can adapt the security to the needs of your applications.
Advantages of using a security system for .NET
Avoid wasting time protecting your applications.
No security knowledge required.
It allows you to use various protections and features.
Incorporate the latest security techniques into your application with a couple of clicks.
Detects and corrects vulnerabilities automatically.
It allows you to focus on development and continuous integration without worrying about security, as it will run on its side.
And other advantages that make a security system save you time and money with the publication of your software.
Another important aspect is that the performance of the team development can be very reduced if we implement the protection manually. Because every time there is an update we will have to protect the application again and the development can become very tedious because the code is more difficult to understand, less practical and less optimal.
In addition, many of the protections that we can incorporate manually are at the level of connections, file manipulation, encryption and good practices in development. But for the software to be secure and to be able to guarantee the integrity of our intellectual property it is necessary to use more advanced methods and algorithms.
For example, ByteHide offers protections such as:
Control flow: Modifies the flow of methods and disorders them so that they cannot be represented.
Constants protection: Encrypts and protects the application constants so that sensitive information cannot be obtained.
Rename: Renames all types, classes, methods, and variables of our application so that the operation cannot be understood.
Top comments (10)
🔒🔒🔒🔒🔒Good content I would be glad to read the second part especially if it dives into encryption, hashing and authentication
Well, we are preparing a very interesting guide, would you like us to send it to you?
yes , sure
Helpful content 🔒🔒🔒🔒🔒
Thanks!
🔒🔒🔒🔒🔒 Sureee, show me more advanced security tips! Thanks :D
We are preparing a guide!
🔒🔒🔒🔒🔒
🔒🔒🔒🔒🔒
Thank you very much, we are glad you liked it!