Security tips for .NET

Security for applications in .NET – 5 tips to follow right now

Dotnetsafer

Security is one of the aspects we must take into account when programming. From Dotnetsafer we want to give you these 5 tips to increase the security of your applications.

This is basic advice, meant to get you to start paying attention to the security of the code you write.

As mentioned, these are basics that any programmer can start applying today. In this blog you will find more articles with solutions and security tips for more advanced .NET applications.


1. Avoid direct connections with databases of your applications


Our applications often require databases, and the easiest way to use them is through a connector in the application itself.

In this example of a C# application in .NET we will show the MySqlConnection connector.

To make a connection we would use code like this:

This may be practical because of its simplicity, but it is not good for security.

Done this way, we expose our server, port, username and password to anyone who has access to the application.

What solutions can we adopt?


Here we must take several aspects into account, among them how our application is structured and what it needs.

As a simple start, we could apply the following measures:

  • Do not use Universal Data Link (UDL) files.
  • Encrypt configuration files.
  • Use Windows Authentication.
  • Use Azure Key Vault Secret.
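The hardcoded connection described above beside the Key Vault measure from the list, as an added example that is not code from the original article. The host name, credentials, the APP_KEYVAULT_URI variable and the secret name MySqlConnectionString are constructed assumptions; the Azure.Identity, Azure.Security.KeyVault.Secrets and MySql.Data packages are required.

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using MySql.Data.MySqlClient;

public static class Database
{
    // WEAK: server, port, user and password are compiled into the assembly and
    // can be read by anyone holding the binary. All values here are constructed.
    private const string Hardcoded =
        "Server=db.example.internal;Port=3306;Database=app;Uid=appuser;Pwd=changeme;";

    public static MySqlConnection OpenHardcoded()
    {
        var connection = new MySqlConnection(Hardcoded);
        connection.Open();
        return connection;
    }

    // BETTER: the connection string is fetched from Azure Key Vault at run time.
    public static MySqlConnection OpenFromKeyVault()
    {
        // APP_KEYVAULT_URI and the secret name are assumptions for this example.
        var vaultUri = Environment.GetEnvironmentVariable("APP_KEYVAULT_URI");
        if (string.IsNullOrWhiteSpace(vaultUri))
            throw new InvalidOperationException("APP_KEYVAULT_URI is not set.");

        // DefaultAzureCredential uses the identity of the host (managed identity,
        // developer login, ...), so no password is stored beside the code.
        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
        KeyVaultSecret secret = client.GetSecret("MySqlConnectionString");

        var connection = new MySqlConnection(secret.Value);
        try
        {
            connection.Open();
            return connection;
        }
        catch
        {
            connection.Dispose(); // release the handle; never log secret.Value
            throw;
        }
    }
}
```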

If we need complete and advanced security, we recommend outsourcing the connections.

We are going to continue with these tips to increase the security of the applications.


2. Data encryption to increase security in your applications

Every time we work with data, whether it is application settings or information about users, we must keep the data encrypted at all times.


For example, files that store information should not be kept in plain text. Here is a basic solution to the problem.

With this class you can manipulate files with a little more security, for example:

This is a small example to start integrating security and encryption into the data our application handles: files, strings, connections, documents, and so on.

In this example the password “SecurePassword1234” is plainly visible in the code, which should not be the case. The best option is to externalize this password and load it safely, as we did for example with MySQL connection strings using Azure Key Vault Secret.
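An added sketch of a file-encryption helper whose password is loaded at run time instead of being written in the code; it is not the class from the original article. It uses AES-GCM with a PBKDF2-derived key and assumes .NET 6 or later; the APP_FILE_PASSWORD variable name and the file layout are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class FileProtector
{
    private const int SaltLen = 16, NonceLen = 12, TagLen = 16, Iterations = 200_000;
    // The password is read at run time instead of being a literal in the code.
    // APP_FILE_PASSWORD is a hypothetical name; a secret store works the same way.
    public static string LoadPassword() =>
        Environment.GetEnvironmentVariable("APP_FILE_PASSWORD")
        ?? throw new InvalidOperationException("APP_FILE_PASSWORD is not set.");

    // Output layout: salt | nonce | tag | ciphertext
    public static void EncryptToFile(string path, byte[] plaintext, string password)
    {
        var salt = new byte[SaltLen];
        var nonce = new byte[NonceLen];
        RandomNumberGenerator.Fill(salt);   // fresh salt and nonce for every file
        RandomNumberGenerator.Fill(nonce);
        var cipher = new byte[plaintext.Length];
        var tag = new byte[TagLen];
        using (var aes = new AesGcm(DeriveKey(password, salt)))
            aes.Encrypt(nonce, plaintext, cipher, tag);
        using var output = File.Create(path);
        output.Write(salt);
        output.Write(nonce);
        output.Write(tag);
        output.Write(cipher);
    }

    public static byte[] DecryptFromFile(string path, string password)
    {
        byte[] blob = File.ReadAllBytes(path);
        if (blob.Length < SaltLen + NonceLen + TagLen)
            throw new CryptographicException("File is too short to be valid.");
        byte[] salt = blob.AsSpan(0, SaltLen).ToArray();
        ReadOnlySpan<byte> nonce = blob.AsSpan(SaltLen, NonceLen);
        ReadOnlySpan<byte> tag = blob.AsSpan(SaltLen + NonceLen, TagLen);
        ReadOnlySpan<byte> cipher = blob.AsSpan(SaltLen + NonceLen + TagLen);
        var plaintext = new byte[cipher.Length];
        using var aes = new AesGcm(DeriveKey(password, salt));
        aes.Decrypt(nonce, cipher, tag, plaintext); // throws on wrong password or tampering
        return plaintext;
    }

    private static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
}
```

On .NET 8 and later, the AesGcm constructor that also takes the tag size is the preferred overload.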


3. Use the security data protection API in ASP.NET Core in your applications

In ASP.NET Core we can use IDataProtector to protect the information and documents that we handle in our applications.

This method is very easy to implement and has several features that make it really good.


Here we provide you with a solution to help you implement this class in a simple way.

To use it, in the ConfigureServices method of the Startup.cs class of our ASP.NET Core application we add:

Then we receive it as a constructor parameter in the classes where we want to use it, and we can use it to encrypt information, for example:
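The two steps above as an added example, not the code from the original article: registration in ConfigureServices, then constructor injection and use. The TokenService class and the purpose string "Example.TokenService.v1" are hypothetical names chosen for illustration.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection();        // registers IDataProtectionProvider
        services.AddScoped<TokenService>();  // hypothetical consumer class
    }
}

public class TokenService
{
    private readonly IDataProtector _protector;

    // The provider arrives through constructor injection. The purpose string
    // isolates this protector: data protected under one purpose cannot be
    // unprotected by a protector created with a different purpose.
    public TokenService(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector("Example.TokenService.v1");
    }

    public string Protect(string plaintext) => _protector.Protect(plaintext);

    // Unprotect throws CryptographicException when the payload was modified,
    // was protected under another purpose, or its key is no longer available.
    public bool TryUnprotect(string protectedText, out string plaintext)
    {
        try
        {
            plaintext = _protector.Unprotect(protectedText);
            return true;
        }
        catch (CryptographicException)
        {
            plaintext = string.Empty;
            return false;
        }
    }
}
```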

With these measures alone our application will be much more secure; now we need to implement them correctly to ensure the safety of our customers.


4. Update dependencies and external libraries to improve the security of your applications


This recommendation may be obvious, but not many people take it into account. When we program in .NET we make use of many libraries; many of them are offered by Microsoft, while others are developed by users or companies, like most NuGet packages.

It is important to check which libraries our application is using and to inform ourselves about their known vulnerabilities and the security risks they may cause.

It is also important to take into account the version of the framework our application uses, since it may be obsolete and unmaintained and could pose a security risk for your applications.

.NET Framework

Here we provide you with information about the current framework versions:

.NET Framework 4.8      .NET Framework 4.7.2    .NET Framework 4.7.1    .NET Framework 4.7
.NET Framework 4.6.2    .NET Framework 4.6.1    .NET Framework 4.6      .NET Framework 4.5.2
.NET Framework 4.5.1    .NET Framework 4.5      .NET Framework 4        .NET Framework 3.5
.NET Framework 3.0      .NET Framework 2.0      .NET Framework 1.1      .NET Framework 1.0

You can check the information here: https://docs.microsoft.com/es-es/dotnet/framework/migration-guide/versions-and-dependencies


.NET Core

Versions of .NET Core available for download:

Version                        Status        Latest release     Latest release date   End of support
.NET 6.0                       Preview       6.0.0-preview.2    2021-03-11
.NET 5.0                       Current       5.0.4              2021-03-09
.NET Core 3.1 (recommended)    LTS           3.1.13             2021-03-09            2022-12-03
.NET Core 3.0                  End of life   3.0.3              2020-02-18            2020-03-03
.NET Core 2.1                  LTS           2.1.26             2021-03-09            2021-08-21
.NET Core 2.2                  End of life   2.2.8              2019-11-19            2019-12-23
.NET Core 2.0                  End of life   2.0.9              2018-07-10            2018-10-01
.NET Core 1.1                  End of life   1.1.13             2019-05-14            2019-06-27
.NET Core 1.0                  End of life   1.0.16             2019-05-14            2019-06-27

You can check the versions here: https://dotnet.microsoft.com/download/dotnet-core


.NET Standard

.NET Standard versions: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 2.0, 2.1

Here you have more information: https://docs.microsoft.com/es-es/dotnet/standard/net-standard

In addition, a table with the known vulnerabilities of the most common .NET libraries:

Library                                                       Known vulnerabilities
system.net.http                                               5 High Severity, 1 Medium Severity
system.io.pipelines                                           1 High Severity
.kestrel.core                                                 2 High Severity, 2 Medium Severity
system.net.websockets.websocketprotocol                       1 Medium Severity
microsoft.data.odata                                          1 High Severity
microsoft.aspnetcore.websockets                               1 High Severity, 1 Medium Severity
system.security.cryptography.xml                              1 High Severity
microsoft.aspnetcore.server.kestrel.transport.abstractions    1 High Severity
system.net.security                                           3 High Severity, 1 Medium Severity
microsoft.aspnetcore.identity                                 3 High Severity

5. Use security systems and code obfuscation

One of the most effective and simple solutions is to use a tool that is responsible for protecting your application.


The good security practices mentioned above are important for keeping your .NET application secure, but they are not enough to guarantee the integrity of its methods and connections or to cover other vulnerabilities.

At Dotnetsafer we offer you the possibility to protect your applications for free and we provide you with more advanced protections and features so that you can adapt security to the needs of your applications.

Advantages of using a security system for .NET:

  • Avoids wasting time protecting your applications.
  • Does not require security knowledge.
  • Allows the use of various protections and features.
  • Incorporates the latest security techniques into your application with a couple of clicks.
  • Detects and fixes vulnerabilities automatically.
  • Lets you focus on development and continuous integration without worrying about security, since it will be on your side.

Among other advantages, a security system saves you time and money when publishing your software.

Another important aspect is that the development team's performance can drop considerably if we implement protection manually: every time there is an update we have to protect the application again, and development can become very tedious because the code is more difficult to understand, less practical and less optimal.

In addition, many of the protections that we can incorporate manually are at the level of connections, file manipulation, encryption and good development practices, but for the software to be secure and to guarantee the integrity of our intellectual property it is necessary to use more advanced methods and algorithms.

For example, Dotnetsafer offers protections such as:

  • Control flow: modifies the flow of the methods so that it cannot be represented.
  • Protection of constants: encrypts and protects the application constants so that sensitive information cannot be obtained.
  • Renaming: renames all the types, classes, methods and variables of our application so that its operation cannot be understood.

There are many more protections. To find out about all the protections that Dotnetsafer offers, go to https://dotnetsafer.com/shield/protections; the documentation has more information about each of them.

We hope this article has been helpful to you, and we invite you to start protecting your applications for free and with a couple of clicks.
