Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply


Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend of using any of the ESAPI libraries, specially the .NET since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which when used in secure ways, do provide a lot of security (for example Razor now encodes by default which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.
For a company as wide as XXX, I would say that the best solution is to create internal controls based on the current XXX best practices, where 'ESAPI like' components are developed and maintained by a cross-team group of developers and architects (i.e. take the ideas from ESAPI, not its code).

In a way, the reason ESAPI really failed to take off (even in Java) is because every major company is different, and there is also a wide range of technologies and workflows at play.

What is more important is to have 'A standard way' to write specific controls. There are multiple ways to create these controls securely, but that  will take time and effort (which is something that should not be done over and over again)

I don't know the specifics of what is happening inside the multiple XXX .NET teams, but I will bet that you already have a good number of security controls (Encoding, Authentication, Authorisation, Logging, Validation, Business-login, Web-Services, REST, SPA (Single Page Apps like AngularJS), etc..) developed and in production today. These are probably your best bets/resources for finding the 'security' controls you are looking for.

In addition to having those controls, I would say that you also should look at:

 - Unit Test coverage and technologies (namely in ways that make the developers day-to-day job more effective and efficient)
 - Secure coding standards
 - SAST (Static Analysis) technology to check those standards (using commercial tools and custom scripts)
 - Mapping of the attack surface (again based on information from the code) and feeding that to DAST and pen-testing teams
 - Mapping of the security issues/vulnerabilities/best-practices of the frameworks used (for example there are number of gotchas with the ASP.NET MVC framework)

On the topic of UnitTests and how to dramatically improve developer's productively, I'm happy to show you (or your teams) what we did on TeamMentor (a .NET app), namely the techniques used to create our powerful 'QA/Security focused' TDD environment (which really provide assurance of TeamMentor's security). After all, we (at SI/TeamMentor) had to deal with the exact problem you are facing: 'How to create a set of secure APIs that promote secure coding, while being easy to use and unit test'

Sorry that I was not able to provide a simpler solution/answer

Hopefully this will help

Dinis Cruz