Security for applications in .NET – 5 tips to follow right now
When programming one of the aspects that we must take into account is the security of our code, from ByteHide we want to give you these 5 tips to increase the security for applications.
From ByteHide we want to give you some basic advice so that you start paying attention to the security of the code you program.
As we mentioned before, these are basic aspects that any programmer could start to implement today, in this blog you have more articles with solutions and security tips for more advanced .NET applications.
Avoid direct connections with databases of your applications
Many times our applications require databases, the easiest way to use these databases is to use a connector from our application.
In this example of a C # application in .NET we will show the MySqlConnection connector.
To make a connection we would use a code like this:
Loading code snippet...
This may be practical for simplicity, but it is not practical for security.
In this way we are exposing our server, port, username and password to anyone who has access to the application.
What solutions can we adopt?
What solutions can we adopt?
Here we must take into account several aspects, one of them how our application is structured and its needs.
In a simple way we could apply the following measures:
- Do not use Universal Data Link (UDL) files.
- Encrypt configuration files.
- Use Windows Authentication.
- Use Azure Key Vault Secret.
If we need complete and advanced security, we recommend outsourcing the connections.
We are going to continue with these tips to increase the security of the applications.
Data encryption to increase security in your applications
Every time we work with data, whether it is application settings or information about users, we must keep the data encrypted at all times.
For example, if you store files with information they should not be in plain text, here is a basic solution to solve the problem.
With this class you can manipulate files with a little more security, for example:
Loading code snippet...
This is a small example to start integrating security and encryption in the data that our application handles, both files and chains, connections, documents, and so on.
In this example we have seen that the password “SecurePassword1234” is in the code at a glance, that should not be the case, the best option would be to externalize this password and load it safely, as we did for example with mySql connection strings using Azure Key Vault Secret.
Use the security data protection API in ASP.NET Core in your applications
In ASP .NET Core we could use IDataProtector to protect the information and documents that we manipulate in our applications.
This method is very easy to implement and has several features that make it really good.
Here we provide you with a solution to help you implement this class in a simple way.
In order to use it in the StartUp.cs class of our ASP .NET Core application in the ConfigureServices method we will add:
Loading code snippet...
Then we will load it as a parameter in the constructor of the classes in which we want to implement it, then we can use it to encrypt the information, for example:
Loading code snippet...
Only with these measures will our application be much more secure, now we need to implement it correctly to ensure the safety of our customers.
Update dependencies and external libraries to improve the security of your applications
This recommendation may be obvious, but not many people take it into account, when we program in .NET we make use of many libraries, normally many of them offered by Microsoft, others developed by users or companies, like most of the NUGET packages.
It is important that we check which libraries our application is using and inform ourselves about known vulnerabilities or possible security risks that they may cause.
It is also important to take into account the versions of the framework that we are using for our application, since it could have been obsolete and without maintenance and could pose a security risk for your applications.
.NET Framework
Here we provide you with information about the current framework versions:
| .NET Framework 4.8 | .NET Framework 4.7.2 | .NET Framework 4.7.1 | .NET Framework 4.7 |
|---|---|---|---|
| .NET Framework 4.6.2 | .NET Framework 4.6.1 | .NET Framework 4.6 | .NET Framework 4.5.2 |
| .NET Framework 4.5.1 | .NET Framework 4.5 | .NET Framework 4 | .NET Framework 3.5 |
| .NET Framework 3.0 | .NET Framework 2.0 | .NET Framework 1.1 | .NET Framework 1.0 |
You can check the information here: https://docs.microsoft.com/es es/dotnet/framework/migration-guide/versions-and-dependencies
.NET Core
Versions of .NET Core available for download:
| .NET 6.0 | Preview | 6.0.0-preview.2 | 2021-03-11 | |
|---|---|---|---|---|
| .NET 5.0 | Current | 5.0.4 | 2021-03-09 | |
| .NET Core 3.1 (recommended) | LTS | 3.1.13 | 2021-03-09 | 2022-12-03 |
| .NET Core 3.0 | End of life | 3.0.3 | 2020-02-18 | 2020-03-03 |
| .NET Core 2.1 | LTS | 2.1.26 | 2021-03-09 | 2021-08-21 |
| .NET Core 2.2 | End of life | 2.2.8 | 2019-11-19 | 2019-12-23 |
| .NET Core 2.0 | End of life | 2.0.9 | 2018-07-10 | 2018-10-01 |
| .NET Core 1.1 | End of life | 1.1.13 | 2019-05-14 | 2019-06-27 |
| .NET Core 1.0 | End of life | 1.0.16 | 2019-05-14 | 2019-06-27 |
You can check the versions here: https://dotnet.microsoft.com/download/dotnet-core
.NET Standard
| .NET Standard 1.0 | 1.1 | 1.2 | 1.3 | 1.4 | 1.5 | 1.6 | 2.0 | 2.1 |
|---|
Here you have more information: https://docs.microsoft.com/es-es/dotnet/standard/net-standard
In addition, a table with the known vulnerabilities of the most common .NET libraries:
| system.net.http | 5 High Severity |
|---|---|
| system.io.pipelines | 1 High Severity |
| .kestrel.core | 2 High Severity |
| system.net.websockets | 1 Medium Severity |
| microsoft.data.odata | 1 High Severity |
| microsoft.aspnetcore.websockets | 1 High Severity |
| system.security.cryptography.xml | 1 High Severity |
| microsoft.aspnetcore.server. | 1 High Severity |
| system.net.security | 3 High Severity |
| microsoft.aspnetcore.identity | 3 High Severity |
Use security systems and code obfuscation
One of the most effective and simple solutions is to use a tool that is responsible for protecting your application.
The aforementioned good security practices are important to keep your .NET application secure but they are not enough to guarantee the integrity of the methods, connections and other vulnerabilities.
At ByteHide we offer you the possibility to protect your applications for free and we provide you with more advanced protections and features so that you can adapt security to the needs of your applications.
Advantages of using a security system for .NET:
- Avoid wasting time protecting your applications.
- Does not require security knowledge.
- Allows the use of various protections and features.
- Incorporate the latest security techniques into your application with a couple of clicks.
- Detects and fixes vulnerabilities automatically.
- It allows you to focus on development and continuous integration without worrying about security, since it will be on your side.
And other advantages that a security system makes you save time and money with the publication of your software.
Another important aspect is that the performance of team development can be greatly reduced if we implement protection manually because every time there is an update we will have to protect the application again and development can become very tedious because the code is more difficult to understand. , less practical and less optimal.
In addition, many of the protections that we can manually incorporate are at the level of connections, file manipulation, encryption and good practices in development, but for the software to be secure and to guarantee the integrity of our intellectual property it is necessary to use methods and more advanced algorithms.
For example, ByteHide offers protections such as:
- Control Flow: which modifies the flow of the methods so that it cannot be represented.
- Protection of constants: That encrypts and protects the application constants so that sensitive information cannot be obtained.
- Renown: Which is responsible for renaming all the types, classes, methods and variables of our application so that the operation cannot be understood.
We hope this article has been helpful to you, and we invite you to start protecting your applications for free and with a couple of clicks.
