As a developer, you are expected to consider the security of the applications you develop at all times. You need to be aware of basic security principles and work regularly to stay informed about security vulnerabilities and how to reduce your applications' exposure to them.
Secure Programmer's Pledge
- I will not store sensitive data in plain text; I will protect it in a suitable manner.
- I will always protect my users' data as if it was my own.
- I will only use vetted and published algorithms; I will not invent my own.
- I will not assume that I know better, but instead will try to constantly learn.
- I will not trust the security of systems that I have not personally examined.
- I will always try to educate others.
OWASP Top Ten
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
Additionally, review each of the items listed underneath the Top 10.
Development Security Standards:
https://mainframe.nerdery.com/docs/article/development-security-standards
Data Security Policy for Developers: https://mainframe.nerdery.com/docs/article/data-security-policy-for-development
This is enabled by default in IIS via machine.config, which prevents .config files from being delivered to the user. Additionally, files under the App_Data directory, as well as any files that do not have a MIME type mapping in web.config, will not be served to users.
Data files not necessary to be accessed by users SHOULD either be stored in App_Data, or in a directory outside of the webroot.
See the standards on Configuration for more information on configuration files.
MUST for applications that store and transmit user information such as usernames, passwords and/or email addresses.
In ASP.NET Identity, this is already set to 6 by default. To enforce a more complex set of requirements, implement a custom IIdentityValidator.
The password protection that ships with ASP.NET Identity uses a KDF (key derivation function), which meets these requirements.
ASP.NET enables this by default.
Not supported out of the box by ASP.NET.
Use Session.Abandon().
The default session timeout in ASP.NET is 20 minutes, which should be sufficient for most purposes. It can be changed via the session timeout setting: https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.85).aspx
This is enabled by default in ASP.NET and cannot be changed.
Set this via web.config.
See: http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx
Authentication credentials, registration data and sensitive data are transmitted over SSL (in production).
Enforce SSL by using HTTPS redirects with the URL Rewrite module and by enabling HSTS via HTTP headers. See this post for more information:
http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx
This is enabled by default in ASP.NET Identity.
Use MVC validation mechanisms.
Use Razor's encoded output and standard serializers. Avoid Html.Raw() unless you are certain of what is being output.
Use MVC validation mechanisms.
Web apps: forms contain a unique token, generated on the page view, that is validated upon submission.
Use Html.AntiForgeryToken().
When using the anti-forgery token, it is important to set a machine key for the application, both to prevent token decryption failures when the application pool recycles and to ensure that the token can be decrypted across all machines in a cluster. See https://support.microsoft.com/en-us/kb/312906 for an application that can be used to generate a machine key.
Different machine keys should be used for Staging and Production configurations.
Use Uri.EscapeDataString().
Use web.config to set the maximum upload size (replace xxx with the limit, in kilobytes):
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="xxx" />
  </system.web>
</configuration>
Write uploaded files to a directory under App_Data, to cloud storage, or to another directory on the file system outside of the web root.
Use standard APIs for interacting with external services rather than issuing raw queries. Avoid string concatenation with user input.
MUST for applications that store and transmit sensitive data such as credit card numbers, social security numbers, or other types of very sensitive information.
Passwords must be at least eight characters long and contain at least one digit, one uppercase letter and one lowercase letter.
For ASP.NET Identity, create a custom IIdentityValidator.
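One way to implement that rule set as a custom IIdentityValidator for ASP.NET Identity 2.x, as an added example (not code from this standards page or from Nerdery; the class names ComplexPasswordValidator and PasswordPolicy are assumptions):

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical validator enforcing the policy above: at least eight characters,
// one digit, one uppercase letter and one lowercase letter.
public class ComplexPasswordValidator : IIdentityValidator<string>
{
    private const int MinimumLength = 8;

    public Task<IdentityResult> ValidateAsync(string item)
    {
        // Treat a null password as empty so every rule below reports a failure
        // instead of the validator throwing on the LINQ calls.
        var password = item ?? string.Empty;
        var errors = new List<string>();

        if (password.Length < MinimumLength)
            errors.Add("Passwords must be at least " + MinimumLength + " characters long.");
        if (!password.Any(char.IsDigit))
            errors.Add("Passwords must contain at least one digit.");
        if (!password.Any(char.IsUpper))
            errors.Add("Passwords must contain at least one uppercase letter.");
        if (!password.Any(char.IsLower))
            errors.Add("Passwords must contain at least one lowercase letter.");

        // Report every unmet rule at once so the user can fix them in a single attempt.
        return Task.FromResult(errors.Count == 0
            ? IdentityResult.Success
            : IdentityResult.Failed(errors.ToArray()));
    }
}

public static class PasswordPolicy
{
    // Replaces the default PasswordValidator on a UserManager, e.g. inside
    // ApplicationUserManager.Create in the MVC 5 template (that class is assumed).
    public static void Apply<TUser>(UserManager<TUser> manager) where TUser : class, IUser<string>
    {
        manager.PasswordValidator = new ComplexPasswordValidator();
    }
}
```

Because UserManager only consults PasswordValidator on create and change-password calls, existing passwords are not re-checked until the user next changes them.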
For ASP.NET Identity, see http://www.jlum.ws/post/2014/5/27/user-lockouts-in-aspnet-identity-2-with-aspnet-mvc-5
Leverage SQL Server encrypted columns for storage of this data.