DEV Community

✅ 5 simple security tips for your .NET applications

Dotnetsafer ・ 5 min read

When programming, one of the aspects we must take into account is the security of our code: we must maintain a balance between good practices, software performance, and software security.

From Dotnetsafer we want to give you some basic advice so that you start paying attention to the security of the code you write and make your .NET application more secure.

As we mentioned before, these are basic aspects that any programmer could start implementing today; in this blog you will find more articles with more advanced solutions and tips.

1. Avoid direct connections to databases.

Many times our applications require databases, and the easiest way to use them is to connect directly from our application with a database connector.

In this way, we are exposing our server, port, username, and password to anyone who has access to the application.

How can we fix it?

Here we must take into account several aspects, one of them being how our application is structured and its needs.

In a simple way we could apply the following measures:

  • Do not use Universal Data Link (UDL) files
  • Encrypt the configuration files
  • Use Windows Authentication
  • Use Azure Key Vault secrets

If we need complete and advanced security, we recommend outsourcing the connections (moving them out of the client application).
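As an added example (not code from the original post), this shows two of the measures listed above side by side with the anti-pattern they replace: a connection string with no embedded secret that relies on Windows Authentication, and a connection string fetched from Azure Key Vault at startup with the app's managed identity. The server, database, vault URI and secret name are placeholders.

```csharp
// Added example: keeping database credentials out of the application binary.
// Placeholders: db.example.internal, Shop, my-vault, ShopDbConnectionString.
using System;
using System.Threading.Tasks;
using Azure.Identity;                      // NuGet: Azure.Identity
using Azure.Security.KeyVault.Secrets;     // NuGet: Azure.Security.KeyVault.Secrets
using Microsoft.Data.SqlClient;            // NuGet: Microsoft.Data.SqlClient

public static class DbConnectionFactory
{
    // Anti-pattern from the post: server, user and password are compiled into the
    // assembly and readable by anyone who can open it (strings, decompiler, memory).
    private const string HardcodedAndInsecure =
        "Server=db.example.internal;Database=Shop;User Id=app;Password=Pa55w0rd!;";

    // Option A: Windows Authentication. The connection string carries no secret;
    // the process identity (service account / gMSA) is what logs in to SQL Server.
    public static SqlConnection OpenWithWindowsAuth()
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "db.example.internal",   // placeholder
            InitialCatalog = "Shop",              // placeholder
            IntegratedSecurity = true,            // no User Id / Password at all
            Encrypt = true                        // TLS to the server
        };
        var conn = new SqlConnection(builder.ConnectionString);
        conn.Open();
        return conn;
    }

    // Option B: the full connection string is an Azure Key Vault secret, read at
    // startup with DefaultAzureCredential (managed identity in Azure, developer
    // login locally). It never appears in source, config files or the binary,
    // and access to it is audited and revocable in the vault.
    public static async Task<SqlConnection> OpenFromKeyVaultAsync()
    {
        var vaultUri = new Uri("https://my-vault.vault.azure.net/");   // placeholder
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = await client.GetSecretAsync("ShopDbConnectionString");
        var conn = new SqlConnection(secret.Value);
        await conn.OpenAsync();
        return conn;
    }
}
```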

2. Data encryption in .NET

Whenever we work with data, whether it is application settings or user information, we must keep the data encrypted at all times.

With a helper class such as DotnetsaferSecureFile you will be able to handle files with a little more security, for example:

// To save a file:
DotnetsaferSecureFile.WriteAllText("example.txt", "The user Pedro has registered in https://dotnetsafer.com", "passwordSecurity1234");

// To load this file:
var data = DotnetsaferSecureFile.ReadAllText("example.txt", "passwordSecurity1234");

This is a small example to start integrating security and encryption into the data handled by our application: files, strings, connections, documents, etc.

In this example we have seen that the password "passwordSecurity1234" is in the code. At first sight that should not be so; the best option would be to move this password out of the code and load it in a secure way, as we did for example with the MySQL connection strings using Azure Key Vault secrets.
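To show what a password-based secure-file helper like the one used above has to do internally, here is an added example (it is not Dotnetsafer's DotnetsaferSecureFile and assumes .NET 8 or later): the key is derived from the password with PBKDF2-SHA256 and a fresh random salt, and the contents are encrypted with AES-GCM so that a wrong password or a tampered file is detected instead of producing garbage.

```csharp
// Added example (not Dotnetsafer's DotnetsaferSecureFile): password-based file
// encryption with PBKDF2-SHA256 + AES-GCM. Requires .NET 8 or later.
// File layout: salt(16) | nonce(12) | tag(16) | ciphertext.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SecureFile
{
    private const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    private const int Iterations = 600_000;   // PBKDF2 work factor

    public static void WriteAllText(string path, string text, string password)
    {
        // Fresh random salt and nonce per file: same password, different key and
        // keystream every time, so identical contents never produce identical files.
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = Encoding.UTF8.GetBytes(text);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        using var fs = File.Create(path);
        fs.Write(salt); fs.Write(nonce); fs.Write(tag); fs.Write(ciphertext);
        CryptographicOperations.ZeroMemory(key);
    }

    public static string ReadAllText(string path, string password)
    {
        byte[] blob = File.ReadAllBytes(path);
        if (blob.Length < SaltSize + NonceSize + TagSize)
            throw new CryptographicException("File too short to be a SecureFile blob.");
        var salt = blob.AsSpan(0, SaltSize);
        var nonce = blob.AsSpan(SaltSize, NonceSize);
        var tag = blob.AsSpan(SaltSize + NonceSize, TagSize);
        var ciphertext = blob.AsSpan(SaltSize + NonceSize + TagSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = new byte[ciphertext.Length];
        // GCM verifies the tag before releasing plaintext: a wrong password or a
        // modified file throws a CryptographicException instead of returning data.
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
        CryptographicOperations.ZeroMemory(key);
        return Encoding.UTF8.GetString(plaintext);
    }
}
```

The same point made in the paragraph above applies here: the password passed to these methods must come from a secret store or user input, not from a literal in the source.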

3. Using the Data Protection API in ASP.NET Core

In ASP.NET Core we can use IDataProtector to protect the information and documents that we handle in our applications.

This approach is very simple to implement and offers several features that make it a good choice.

In order to use it, in the Startup.cs class of our ASP.NET Core application we add the following to the ConfigureServices method:


public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection();
    services.AddTransient<ProtectorHelper>();
}

Then we inject it as a constructor parameter into the classes where we want to use it, so that we can encrypt information with it, for example:


public class Class1
{
    public Class1(ProtectorHelper protectionHelper)
    {
        // This encrypts a user's file (fileData: the bytes to protect) so that it
        // expires in 5 hours, i.e. after 5 hours it cannot be decrypted by anyone.
        var userFile = protectionHelper.Encrypt(fileData, TimeSpan.FromHours(5));
    }
}
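The post registers a ProtectorHelper but does not show it. As an added example (not the post's own code), here is one way to write it on top of the Data Protection API: it wraps an ITimeLimitedDataProtector so that a payload protected with Encrypt(fileData, TimeSpan.FromHours(5)) really does stop being decryptable after 5 hours. The purpose string is an assumption.

```csharp
// Added example: a ProtectorHelper built on ITimeLimitedDataProtector.
// Register it as in the post: services.AddDataProtection(); services.AddTransient<ProtectorHelper>();
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;   // NuGet: Microsoft.AspNetCore.DataProtection

public class ProtectorHelper
{
    private readonly ITimeLimitedDataProtector _protector;

    public ProtectorHelper(IDataProtectionProvider provider)
    {
        // The purpose string isolates these payloads: a blob protected under one
        // purpose cannot be unprotected by a protector created with another.
        _protector = provider
            .CreateProtector("Dotnetsafer.UserFiles.v1")   // purpose string: assumption
            .ToTimeLimitedDataProtector();
    }

    // Encrypts raw file contents. The expiry is embedded in the protected payload
    // and enforced on Unprotect; the key ring itself is managed by ASP.NET Core.
    public byte[] Encrypt(byte[] fileData, TimeSpan lifetime)
        => _protector.Protect(fileData, lifetime);

    // Returns false instead of throwing when the payload has been tampered with,
    // was protected under another key or purpose, or is past its expiry.
    public bool TryDecrypt(byte[] protectedData, out byte[] fileData, out DateTimeOffset expiresAt)
    {
        try
        {
            fileData = _protector.Unprotect(protectedData, out expiresAt);
            return true;
        }
        catch (CryptographicException)
        {
            fileData = Array.Empty<byte>();
            expiresAt = default;
            return false;
        }
    }
}
```

Note that the Data Protection API is designed for transient data the same application will read back; keys are rotated automatically, so a payload is also unreadable once its key has been revoked, not only once it expires.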

With these measures alone our application will already be much safer; now we need to implement them correctly to ensure the safety of our customers.

4. Update the external dependencies and libraries.

This recommendation may be obvious, but not many people take it into account. When programming in .NET we make use of many libraries, many of them offered by Microsoft and others developed by users or companies, like many of the NuGet packages.

It is important that we check which libraries our application is using and inform ourselves of any known vulnerabilities or possible security risks they may introduce.

It is also important to take into account the version of the Framework we are using for our application, since it could have become obsolete and unmaintained, which is itself a security risk.

Here we provide you with information about the current framework versions:

[Image: current .NET framework versions]

In addition, a table with the known vulnerabilities of the most common .NET libraries:

[Image: table of known vulnerabilities in common .NET libraries]

5. Use security systems and code obfuscation.

One of the most effective and simple solutions is to use a tool that takes care of protecting your application.

The above-mentioned security best practices are important for keeping your .NET application secure, but they are not sufficient to ensure the integrity of methods and connections or to cover other vulnerabilities.

At Dotnetsafer we offer you the possibility of protecting your applications for free and we provide you with more advanced protections and features so that you can adapt the security to the needs of your applications.

Advantages of using a security system for .NET

  • Avoid wasting time protecting your applications.
  • No security knowledge required.
  • It allows you to use various protections and features.
  • Incorporate the latest security techniques into your application with a couple of clicks.
  • It detects and corrects vulnerabilities automatically.
  • It allows you to focus on development and continuous integration without worrying about security, as it runs alongside.

And other advantages that make a security system save you time and money when publishing your software.

Another important aspect is that the productivity of the development team can drop considerably if we implement the protection manually: every time there is an update we have to protect the application again, and development becomes tedious because the code is more difficult to understand, less practical, and less optimal.

In addition, many of the protections that we can incorporate manually are at the level of connections, file handling, encryption, and good development practices; but for the software to be secure, and to be able to guarantee the integrity of our intellectual property, it is necessary to use more advanced methods and algorithms.

For example, Dotnetsafer offers protections such as:

  • Control flow: modifies the flow of methods and scrambles them so that their logic cannot be reconstructed.
  • Constants protection: encrypts and protects the application constants so that sensitive information cannot be obtained from them.
  • Rename: renames all types, classes, methods, and variables of our application so that its operation cannot be understood.

And many more protections. If you want to know about all the protections that Dotnetsafer offers, we recommend you go to https://dotnetsafer.com/shield/protections, where you can obtain more information about each one of them in the Documentation.

Discussion (3)

The Sharp Ninja

Why does the product require creating an account to get started with the free version?

Dotnetsafer (Author)

Hi!🙂

Artificial intelligence for the analysis and improvement of code security works associated with a Shield project; that is, each time, security learns and improves on your code, and for this it is necessary that you have an account.

If you want to use the CLI, it is necessary to use an API key that relates to your account and is capable of resolving the dependencies and libraries that your application requires.

To create the account you do not need a credit card or payment method, it is simply an email where you can associate your projects and manage them.

You can read the documentation at:
dotnetsafer.com/docs/product/shiel...
and thus understand why you need an account.

Thanks for your time! 🤗

The Sharp Ninja

OK, understood.
