Foreword by Mark Curphey


Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

June 2003

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.


When the public talks about the Internet, in most cases they are actually talking about the Web. The reality of the Web today never ceases to amaze me, and the tremendous potential for what we can do on the Web is awe-inspiring. But, at the same time, one of the greatest fears for many who want to embrace the Web — the one thing that is often responsible for holding back the rate of change — is the security of Web technology. With the constant barrage of high profile news stories about hackers exposing credit card databases here and finding cunning ways into secret systems there, it's hardly surprising that in a recent survey almost all users who chose not to use Internet banking cited security as the reason. Putting your business online is no longer optional today, but is an essential part of every business strategy. For this reason alone, it is crucial that users have the confidence to embrace the new era.

As with any new technology, there is a delay from the time it is introduced to the market to the time it is really understood by the industry. The breakneck speed at which Web technologies were adopted has widened that window. The security industry as a whole has not kept pace with these changes and has not developed the necessary skills and thought processes to tackle the problem. To fully understand Web security, you must be a developer, a security person, and a process manager. While many security professionals can examine and evaluate the security of a Windows configuration, far fewer have access to the workings of an Internet bank or an online book store, or can fully understand the level of security that an online business requires.

Until a few years ago, the platform choices for building secure Web applications were somewhat limited. Secure Web application development was the exclusive playground of the highly experienced and highly skilled developer (and they were more than happy to let you know that). The .NET Framework and ASP.NET in particular are an exciting and extremely important evolution in the Web technology world and are of particular interest to the security community. With this flexible and extensible security model and a wealth of security features, almost anything is possible in less time and with less effort than on many other platforms. The .NET Framework and ASP.NET are an excellent choice for building highly secure, feature-rich Web sites.

With that array of feature choices comes a corresponding array of decisions, and each and every decision in the process of designing, developing, deploying, and maintaining a site can have significant security impact and implications.

Improving Web Application Security: Threats and Countermeasures provides an excellent and comprehensive approach to building highly secure and feature-rich applications using the .NET Framework. It accurately sets the context — that security considerations and issues must be addressed with application design, development, deployment, and maintenance in view, not during any one of these phases in isolation. It cleverly walks you through a process, prescribing actions and making suggestions along the way. By following the guide from start to finish you will learn how to design a secure application by understanding what's important to you, who will attack you, and what they will likely look for, and how to build countermeasures to protect yourself. The guide provides frameworks, checklists, and expert tips for threat modeling, design and architecture reviews, and implementation reviews to help you avoid common mistakes and be secure from the start. It then delves into the .NET security technology in painstaking detail, leading you through decisions you will need to make, examining security components and things you should be aware of, and focusing on issues that you cannot ignore.

This is the most comprehensive and well-written guide to building secure Web applications that I have seen, and is a must read for anyone building a secure Web site or considering using ASP.NET to provide security for their online business presence.

Mark Curphey

Mark Curphey has a Masters degree in Information Security and runs the Open Web Application Security Project. He moderates the sister security mailing list to Bugtraq called webappsec that specializes in Web application security. He is a former Director of Information Security for Charles Schwab, consulting manager for Internet Security Systems, and veteran of more banks and consulting clients than he cares to remember. He now works for a company called Watchfire. He is also a former Java UNIX bigot now turned C#, ASP.NET fan.
